77% of the European sites we observed running Meta Pixel also exposed Google Analytics. The deeper pattern is how analytics, advertising, consent and infrastructure products repeatedly arrive as a bundle.

We fingerprinted the public web stacks of 9,916 European organisations. 6,839 of those returned at least one classified vendor component. What stood out was not the dominance of any single product. It was how predictable the rest of a site's stack becomes once you can see one piece of it.

Of the 239 sites in the sample running Meta's advertising pixel, 184 (77.0%) also exposed Google Analytics. 149 (62.3%) exposed Google Tag Manager. Meta Pixel sites were 2.67 times as likely as the sample baseline to expose Google Tag Manager. The pattern repeats: 246 sites used the Cookiebot consent banner, and 72.4% of those also exposed Google Analytics with 60.2% exposing Google Tag Manager. Two products from different categories, but an almost identical surrounding stack.

The sample is weighted toward Poland, Germany and the United Kingdom, which together account for 60.3% of the analysed entities. The figures below describe what was observed in this sample, not a representative estimate of the European web as a whole. Full per-country breakdown and methodology are at the bottom of the article.

Why lift matters

The most useful question for understanding stack design is conditional: given that a site uses one detected component, how much more likely is another component to appear than its baseline rate across the whole sample?

Three numbers help here:

The lift values matter because they correct for the fact that a very common product will frequently co-occur with anything. Google Analytics appears on 43.5% of sample sites; almost any subset of the sample will show it often.

| Relationship | Conditional rate | Target baseline | Lift |
|---|---|---|---|
| Meta Pixel → Google Tag Manager | 62.3% | 23.3% | 2.67× |
| Cookiebot → Google Tag Manager | 60.2% | 23.3% | 2.58× |
| OneTrust → Google Tag Manager | 48.4% | 23.3% | 2.08× |
| Meta Pixel → Google Analytics | 77.0% | 43.5% | 1.77× |
| Cookiebot → Google Analytics | 72.4% | 43.5% | 1.66× |
| Cloudflare → Google Analytics | 35.9% | 43.5% | 0.83× |

The 77% headline figure is the most shareable, but the 2.67× relationship between Meta Pixel and Google Tag Manager is statistically more revealing. A Meta Pixel site is more than two and a half times as likely as a random sample site to expose Google Tag Manager. The same is true, almost identically, for sites running Cookiebot. The two products serve completely different purposes, advertising attribution and cookie consent, and yet they sit alongside the same surrounding stack.

The bottom row of the table is the useful counterpoint. Cloudflare + Google Analytics is the eighth most common pair in the sample (510 sites, 7.5%), which makes the relationship look strong on a raw-count chart. The lift of 0.83 says the opposite: Cloudflare sites were slightly less likely than the 43.5% baseline to expose Google Analytics. Cloudflare appears frequently in combination tables because Cloudflare itself is common (20.8% of the sample), not because it positively predicts Google. This is the entire reason lift matters as a measure.
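The calculation behind the table, as an added example that is not CipherCue's code: it derives conditional rate, baseline and lift for every ordered pair from per-site detections, flags pairs that are common by raw count yet have lift below 1, and recomputes the published lifts from the published rates. The 20-site sample and all function names are constructed for illustration.

```python
from collections import Counter
from itertools import permutations

def lift_table(sites):
    """Map each ordered pair (a, b) to (sites_with_both, P(b|a), P(b), lift)."""
    n = len(sites)
    single, pair = Counter(), Counter()
    for components in sites:
        single.update(components)
        pair.update(permutations(sorted(components), 2))
    table = {}
    for (a, b), both in pair.items():
        conditional = both / single[a]  # denominator: sites exposing a
        baseline = single[b] / n        # denominator: the whole sample
        table[(a, b)] = (both, conditional, baseline, conditional / baseline)
    return table

def common_but_negative(table, min_sites):
    """Pairs that look strong by raw count yet have lift below 1."""
    return sorted(p for p, (both, _, _, lift) in table.items()
                  if both >= min_sites and lift < 1.0)

# Constructed 20-site sample (not CipherCue data): (site count, components).
GA, GTM, META, CF, WP = ("Google Analytics", "Google Tag Manager",
                         "Meta Pixel", "Cloudflare", "WordPress")
GROUPS = [(3, {META, GTM, GA}), (1, {META, GA}), (2, {GTM, GA}),
          (3, {CF, GA}), (5, {CF}), (1, {GA}), (5, {WP})]
SITES = [set(c) for count, c in GROUPS for _ in range(count)]

# The article's published rows: (conditional rate %, baseline %, lift).
PUBLISHED = {
    "Meta Pixel -> Google Tag Manager": (62.3, 23.3, 2.67),
    "Cookiebot -> Google Tag Manager": (60.2, 23.3, 2.58),
    "OneTrust -> Google Tag Manager": (48.4, 23.3, 2.08),
    "Meta Pixel -> Google Analytics": (77.0, 43.5, 1.77),
    "Cookiebot -> Google Analytics": (72.4, 43.5, 1.66),
    "Cloudflare -> Google Analytics": (35.9, 43.5, 0.83),
}

def recomputed_lifts():
    """Lift recomputed from the published rates, rounded as in the table."""
    return {k: round(c / b, 2) for k, (c, b, _) in PUBLISHED.items()}

if __name__ == "__main__":
    table = lift_table(SITES)
    for pair in [(META, GTM), (CF, GA)]:
        both, cond, base, lift = table[pair]
        print(f"{pair[0]} -> {pair[1]}: {both} sites, "
              f"{cond:.1%} vs {base:.1%} baseline, lift {lift:.2f}")
    print("common but negative:", common_but_negative(table, 3))
```

In the constructed sample, Cloudflare + Google Analytics and Meta Pixel + Google Tag Manager both appear on three sites, yet the first has lift 0.75 and the second 3.0.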

Google sits at the centre of the most common combinations

Three Google products sit in the top ten individual detections: Google Analytics on 43.5% of sample sites, Google Tag Manager on 23.3%, and Google reCAPTCHA on 10.9%. The pull-through into co-occurring combinations dominates the entire pair table.

| Two-component combination | Sites | Share of sample |
|---|---|---|
| Google Analytics + WordPress | 1,202 | 17.6% |
| Apache + Google Analytics | 873 | 12.8% |
| Google Analytics + Google Tag Manager | 857 | 12.5% |
| Google Analytics + Nginx | 842 | 12.3% |
| Apache + WordPress | 757 | 11.1% |
| Google Tag Manager + WordPress | 597 | 8.7% |
| Nginx + WordPress | 589 | 8.6% |
| Cloudflare + Google Analytics | 510 | 7.5% |
| Google Analytics + Google reCAPTCHA | 448 | 6.6% |
| Google reCAPTCHA + WordPress | 420 | 6.1% |

All ten of the most common two-component combinations in the sample include either Google Analytics or WordPress. The most common pair, Google Analytics + WordPress, appears on 1,202 sites: roughly one in six of the entities with any detected component. Google Analytics is the component most frequently present across the sample's largest technology combinations.

The default stack is still surprisingly traditional

Strip down to three-component combinations and the recurring pattern becomes a 1990s LAMP-era stack with a modern tracking layer on top.

| Three-component stack | Sites | Share of sample |
|---|---|---|
| Apache + Google Analytics + WordPress | 378 | 5.5% |
| Google Analytics + Google Tag Manager + WordPress | 361 | 5.3% |
| Google Analytics + Nginx + WordPress | 349 | 5.1% |
| Google Analytics + Google reCAPTCHA + WordPress | 266 | 3.9% |
| Google Analytics + Google Tag Manager + Nginx | 226 | 3.3% |
| Cloudflare + Google Analytics + Google Tag Manager | 215 | 3.1% |
| Cloudflare + Google Analytics + WordPress | 202 | 3.0% |

WordPress, served from Apache or Nginx, with Google Analytics layered on top: that is the most common three-component combination across multiple slices of the data. It is older than half of the consent banner industry that sits above it.

Modern frameworks barely feature. Vercel's Next.js was detected on 169 sites, or 2.5% of the sample. That is a real detection, but it is one-thirteenth as common as WordPress in the same data. Next.js can be served behind a CDN that strips the framework's identifying response headers, so the figure should be read as "detected on 2.5% of this sample", not as a definitive measure of Next.js adoption across the European web.

What the bundles may mean

Cookiebot, OneTrust and Meta Pixel are three products from three separate companies serving three different functions. They share no contractual relationship. And yet a site running any one of them is two to three times as likely as the baseline to also expose Google Tag Manager.

The plausible mechanism is not vendor coordination. European organisations assemble their public web from recognisable recipes. A marketing team that deploys Meta Pixel may have done so through the same tag-management workflow used for other trackers, which is why Tag Manager is so often present on the same site. A site that adopts a consent banner typically does so because it already has multiple trackers that need consent. The consent layer is downstream of the tracking layer, not upstream.

The data shows how often these products coexist. It does not measure contractual lock-in, organisations' willingness to switch, the cost or difficulty of replacement, or whether these combinations are increasing over time. What the data does show is that the individual components frequently sit inside a recognisable surrounding ecosystem, which means a replacement decision involves more than removing a single product.

Europe is investing in sovereign-cloud procurement, but that procurement is aimed elsewhere

The procurement rules that explicitly favour European-resident technology concern public-sector cloud infrastructure and sensitive-data hosting, not the public-facing marketing technologies measured in this article. They are still relevant context for European technology buyers because they describe the current shape of public procurement policy. France's "Cloud au Centre" doctrine, reinforced by the SREN law of May 2024, requires French administrations handling sensitive data to use providers not subject to extraterritorial law, with ANSSI's SecNumCloud qualification as the operative benchmark. Italy's Polo Strategico Nazionale has been live since 2022 and is the destination for sensitive central-government workloads, with a further €150m PNRR migration tender opened in April 2025 for 165 central public administrations. The European Commission's Cloud Sovereignty Framework introduced graded sovereignty assurance levels (SEAL-0 through SEAL-4) for EU institutional procurement, and in April 2026 the Commission awarded a €180m sovereign cloud contract to Proximus, Scaleway, StackIT and Post Telecom. None of these rules apply to the analytics, advertising, consent and CMS products that the article measures, which sit on public marketing sites outside the regulated procurement scope.

What the public web cannot reveal

Fingerprinting from the public surface picks up vendors that leave evidence in response headers, HTML, MX records, script tags or static asset paths. It systematically under-detects:

The central findings involving analytics, CMS, advertising and consent products are less exposed to these blind spots because these products usually leave detectable markers in public pages, scripts or response data. Readers should treat figures for enterprise WAF and IAM products with more caution, and should not read the absence of a security vendor from this data as evidence the vendor is not in use.
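An added sketch of passive fingerprinting, not CipherCue's rules, showing why script-tag markers survive while header-based detections such as Next.js vanish behind a CDN, as noted in the Next.js caveat earlier and in the blind spots above. The signatures are assumed from widely seen public markers, and both responses are constructed.

```python
import re

# Assumed signatures: widely seen public markers, not CipherCue's rules.
HEADER_RULES = {
    "Cloudflare": ("cf-ray", r"."),
    "Nginx": ("server", r"^nginx"),
    "Apache": ("server", r"^apache"),
    "Next.js": ("x-powered-by", r"next\.js"),
}
BODY_RULES = {
    "Google Tag Manager": r"googletagmanager\.com/gtm\.js",
    "Google Analytics":
        r"googletagmanager\.com/gtag/js|google-analytics\.com/analytics\.js",
    "Meta Pixel": r"connect\.facebook\.net/[\w-]+/fbevents\.js",
    "Cookiebot": r"consent\.cookiebot\.com/uc\.js",
    "WordPress": r"/wp-(?:content|includes)/",
}

def fingerprint(headers, body):
    """Return the set of components whose marker appears in one response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = {name for name, (header, pattern) in HEADER_RULES.items()
             if re.search(pattern, lowered.get(header, ""), re.I)}
    found |= {name for name, pattern in BODY_RULES.items()
              if re.search(pattern, body, re.I)}
    return found

# Constructed page body: the same HTML is served by the origin and the CDN edge.
BODY = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://consent.cookiebot.com/uc.js" data-cbid="EXAMPLE"></script>
</head><body><div id="app">Hello</div></body></html>"""
# Constructed headers: direct from the origin vs. rewritten at the CDN edge.
ORIGIN = {"Server": "nginx/1.24.0", "X-Powered-By": "Next.js"}
EDGE = {"Server": "cloudflare", "CF-RAY": "0000000000000000-FRA"}

def lost_behind_cdn():
    """Components visible at the origin that the edge response no longer shows."""
    return fingerprint(ORIGIN, BODY) - fingerprint(EDGE, BODY)

if __name__ == "__main__":
    print("origin:", sorted(fingerprint(ORIGIN, BODY)))
    print("edge:  ", sorted(fingerprint(EDGE, BODY)))
    print("lost:  ", sorted(lost_behind_cdn()))
```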

How we scanned 9,916 organisations

Primary data source. CipherCue's own technology fingerprint scans, run from a single observation node against the apex domain of each tracked entity. One scan per entity within the snapshot window; the most recent successful scan was used. Scans observe HTTP response headers, body content and DNS records.

Snapshot window. 28 April 2026 to 23 June 2026. Most records (38,641 of 45,025 technology fingerprint observations in this period) were captured in June 2026 as scan coverage expanded.

Scope. Entities with a country code in the EU, EFTA or United Kingdom set: AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LI, LT, LU, LV, MT, NL, NO, PL, PT, RO, SE, SI, SK. 9,916 distinct entities returned a fingerprint observation in the window. 6,839 of those had at least one classified vendor component detected and are the basis for every percentage in this article. The remaining 3,077 were either unreachable (DNS failure, connection refused, TLS error) or reachable but did not match any vendor signature.

Sample skew. The 6,839-entity sample is not a uniform sample of European websites. Poland accounts for 31.1% of the sample, Germany 17.3%, the United Kingdom 11.9%, France 9.6%, Italy 7.7%, the Netherlands 6.6%, Spain 5.0%, and the remaining 24 countries together 10.8%. This reflects CipherCue's current entity seeding, not the underlying composition of the European web. Readers should treat the figures as descriptive of the observed sample rather than a population estimate.

Definitions used in this article. General prevalence percentages use the 6,839 entities with at least one detected component as denominator. Conditional rates use the technology on the left of the relationship as the denominator. Lift is the conditional rate divided by the baseline prevalence of the right-side technology across the full 6,839-entity sample. Meta's "Facebook Pixel" and "Meta Pixel" detections are produced by the same rule and have been treated as a single observation labelled Meta Pixel; this affects only the component label, not the underlying entity count.

Caveats. Fingerprinting is observational and will miss vendors that do not leave a public surface marker. Some vendors, particularly enterprise WAFs and IAM products, are systematically under-represented for this reason. The conditional rates above are computed on the observed sample only and should not be extrapolated to sites outside it.

Reproducibility. The underlying observations for each entity are visible on its directory page on CipherCue. The methodology page at ciphercue.com/methodology/observations describes the scan procedure.

Reference: per-vendor entity lists from CipherCue's directory.

Analytics and tracking: Google Analytics, Google Tag Manager, Meta Pixel. CMS: WordPress, Drupal. Web servers and framework: Apache HTTP Server, Nginx, Next.js. CDN: Cloudflare, Amazon CloudFront, Fastly, Akamai. Consent and security: Cookiebot, OneTrust, Google reCAPTCHA, Imperva WAF.

The organisations in this sample do not look like thousands of entirely independent technology decisions. They look like a limited number of recurring recipes. Once one ingredient is visible, the rest of the stack becomes easier to predict.

The underlying observations and entity-level results are available through CipherCue's public directory.