CIPHERCUE
CipherCue observes the public-facing infrastructure of organisations across multiple jurisdictions. We fingerprint web servers, content delivery networks, web application firewalls, hosted mail providers, DNS records, and shipped JavaScript on the apex domain of each tracked entity. Every observation links to a primary source: an HTTP response header, a DNS query, a BGP routing record.
As of 16 June 2026 we have observed at least one perimeter fact on 2,165 Polish organisations, drawn from public-sector, financial, healthcare, and private-sector verticals. This article reports two findings from that snapshot, both relevant to European cyber, infrastructure and trust vendors selling sovereign alternatives:
- At the hosting layer, Polish organisations already use European providers heavily. The largest foreign hosting destination is France (OVHcloud), not the United States.
- At the outsourced perimeter layer, US-headquartered vendors dominate the observable choices. In CDN and hosted mail specifically, every observed provider was US-headquartered.
What we are and are not claiming
This does not mean every Polish organisation uses a US CDN or US hosted mail provider. It means that among organisations where CipherCue detected a commercial CDN at the apex domain, every observed provider was US-headquartered. And among organisations where CipherCue detected a hosted mail provider in MX records, every observed provider was Microsoft or Google. Many Polish organisations have no detectable commercial CDN at the apex, or self-host their mail infrastructure rather than use a hosted provider. They are not counted in either denominator. The number "100%" in this article always refers to the population where a choice was made and that choice was observable.
Why this matters for European vendors
The Polish data describes a market where sovereignty preference is real but inconsistently applied. Polish organisations already use European infrastructure where credible European options exist. The hosting layer is the clearest evidence: roughly 82% of observed organisations host inside Poland, and the single largest foreign hosting destination is France (OVHcloud), with the United States third behind both. That is a measurable European preference, exercised at scale.
Many organisations that use European hosting still expose US-headquartered vendors at the observable perimeter. Of the 1,985 Polish organisations in this sample hosted in Poland or France, 329 (16.6%) also expose at least one US-headquartered component at the perimeter layer. Where the choice is a commercial CDN, it is Cloudflare, Amazon CloudFront, Akamai or Fastly. Where it is a hosted mail provider, it is Microsoft 365 or Google Workspace. Where it is consent management, it is OneTrust or Cookiebot (Denmark, the only European-headquartered vendor with double-digit Polish presence in this layer).
For European cyber, trust and public-perimeter infrastructure vendors, this is an account prioritisation map. The Polish organisations that already chose European hosting are the population most likely to engage with a sovereign perimeter conversation. The Polish organisations currently exposed to US CDN, mail and consent vendors are the addressable set. CipherCue's data identifies both groups at entity level.
CDN: four vendors observed, all US-headquartered
Of 2,165 Polish organisations observed, 128 have a detectable commercial CDN in front of their apex domain. That is 5.9% of the sample. Among those 128:
| CDN vendor | HQ | Polish organisations | Share of observed CDN |
|---|---|---|---|
| Cloudflare | United States | 115 | 89.8% |
| Amazon CloudFront | United States | 9 | 7.0% |
| Akamai | United States | 3 | 2.3% |
| Fastly | United States | 1 | 0.8% |
| Any European-HQ commercial CDN | EU | 0 | 0% |
Most of the concentration is Cloudflare. The 115 Polish organisations observed using Cloudflare account for nearly 90% of the observed commercial CDN footprint in this sample. Amazon CloudFront and Fastly appear in single digits. We searched specifically for European-headquartered CDN vendors (Bunny.net, Gcore's EU operating entity, regional players) and found none at the apex layer in this sample.
Hosted mail provider: two vendors observed, both US-headquartered
Of 2,165 Polish organisations observed, 140 have a detectable hosted mail provider in their MX records. Among those 140:
| Mail provider | HQ | Polish organisations | Share of observed providers |
|---|---|---|---|
| Microsoft 365 | United States | 115 | 82.1% |
| Google Workspace | United States | 25 | 17.9% |
| Any European-HQ hosted mail provider | EU | 0 | 0% |
Microsoft 365 Mail exposure and Google Workspace Mail together account for every observed hosted mail provider in the Polish sample. We searched specifically for European alternatives (Mailfence, Tutanota, ProtonMail Business, Mailo, GMX/1&1, Hetzner Mail, Wirtualna Polska business mail) and found none at the apex MX layer in this snapshot.
The denominator (140) is significantly smaller than the full sample (2,165) because a meaningful share of Polish organisations, particularly in public sector and academia, run their own on-premise or self-hosted mail infrastructure (visible as institution-controlled MX hosts, and in some cases open-source mail server fingerprints such as Postfix, Dovecot or Exim). That self-hosted population is the layer where European software genuinely competes. Where the choice was made to use a commercial hosted provider in this sample, the choice was binary and US-headquartered.
The wider non-European footprint, by industry
Outside CDN and hosted mail, US-vendor presence on the Polish perimeter varies by sector. The figures below count any Polish organisation observed running at least one US-headquartered component classified as security, authentication, CDN, network gear, or SaaS.
| Industry slice | Polish organisations observed | With observed US-HQ component | Share |
|---|---|---|---|
| All industries | 2,165 | 400 | 18.5% |
| Public Sector + Government + Education | 1,239 | 131 | 10.6% |
| Financial Services + Insurance | 553 | 109 | 19.7% |
| Healthcare | 210 | 41 | 19.5% |
Public-sector entities show the lowest exposure at 10.6%. This is consistent with the hosting picture: Polish government and academic entities self-host or use national infrastructure providers more often than private-sector peers, and ship less commercial SaaS in their public web stack.
Regulated finance and healthcare both sit just under 20%. These figures count any observed US-headquartered component, including Google reCAPTCHA, Cloudflare, Amazon CloudFront, OneTrust, and Microsoft 365 mail.
Where Polish websites actually live
Hosting attribution adds the second dimension. We resolve each apex domain to an IP, then map that IP to an autonomous system and country via public BGP data (iptoasn.com routeviews-derived). For the 2,165 Polish organisations observed:
| Hosting country | Polish organisations hosted there |
|---|---|
| Poland | 1,775 |
| France | 516 |
| United States | 338 |
| Germany | 98 |
| Netherlands | 26 |
| Luxembourg | 9 |
Roughly 82% of Polish organisations host on Polish infrastructure (totals exceed 100% because some organisations resolve to multiple ASNs across countries). The single largest foreign hosting destination is France, almost entirely OVHcloud. The United States is third, behind both Poland and France.
This is the key contrast in the dataset. At the hosting layer, Polish organisations have meaningful European choice and exercise it. At the outsourced perimeter layer, that choice is not present in our observations.
European vendors observed at the perimeter layer
The only European-headquartered vendor with double-digit Polish presence in our observed security and trust layer is Cookiebot (Cybot, Denmark) at 30 organisations. Sophos SFOS (UK) appears for 10.
| Vendor | HQ classification | Polish organisations observed |
|---|---|---|
| Google reCAPTCHA | United States | 145 |
| Cloudflare | United States | 115 (+6 Turnstile) |
| Cookiebot | Denmark | 30 |
| Imperva WAF | US/Israel origin; now French-owned (Thales) | 11 |
| Sophos SFOS | United Kingdom | 10 |
| Amazon CloudFront | United States | 9 |
| OneTrust | United States | 6 |
| Barracuda Email Protection | United States | 4 |
| Akamai | United States | 3 |
| F5 BIG-IP | United States | 1 |
| Ivanti Connect Secure | United States | 1 |
Imperva WAF appears 11 times in the Polish sample. We classify it separately because the product has US/Israeli origins but is now part of Thales, headquartered in France. Whether a Thales-owned WAF qualifies as a sovereign European alternative is a procurement-policy question rather than a technical one, and the answer depends on the buyer's regime.
Below double digits, only consent management and email filtering vendors appear, and even there US-headquartered competitors dominate at higher volumes. The observable European cyber, trust and public-perimeter infrastructure footprint on Polish apex domains is thin.
What this finding does and does not show
This article measures the public web perimeter of Polish organisations. It does not measure the back-office stack, the internal CRM, the data warehouse, the SIEM, or the EDR. Those layers may have a different European-vendor share. We cannot see them from outside.
It does measure what any internet user, any procurement officer, any regulator, and any threat actor can observe by looking at the public-facing infrastructure of a Polish organisation. At that layer, two specific services (content delivery and hosted email) are sourced exclusively from US-headquartered companies in our sample.
The European cyber-sovereignty conversation has produced policy frameworks (France SecNumCloud, Germany BSI C5, Italy PSN, EU EUCS proposals) aimed at reducing dependence on non-European infrastructure. Whether those frameworks have shifted the observable layer in other Western European countries is a separate question we are working through. Initial coverage of France, Germany, Italy and Spain suggests the observable CDN and hosted mail layer is similarly US-dominated across Western Europe, but coverage is still in flight. We will publish the cross-country comparison once the samples support it.
Method note
Snapshot date: 16 June 2026.
Polish entity graph: 4,421 entities seeded from public sources including the Polish KNF (financial supervision register), WIG and WIG20 (Warsaw Stock Exchange), UODO (data-protection authority), CERT.pl entity references, ministerial and regional government rosters, public hospital systems (NFZ), and universities. Of these, 2,165 had at least one perimeter observation as of the snapshot date; the remainder are still in the scan queue.
Method: Apex domain HTTP fingerprinting (reachable from the public internet, polite scanning under our compliance posture), DNS resolution for MX and TXT records, BGP-derived hosting attribution via iptoasn.com. Tech-component identification uses our published rule set. Every observation links to its primary source on the entity page.
Denominators: The "100%" findings use entities-with-an-observed-commercial-CDN (n=128) and entities-with-an-observed-hosted-mail-provider (n=140) as their respective denominators. An organisation with no detectable commercial CDN at its apex domain is not counted in the CDN figure. This is the right denominator for the question "given the choice was made to use a commercial CDN, which vendor was chosen". For the question "what fraction of Polish organisations rely on a US CDN at all", the answer is 128/2,165 = 5.9%. Both framings appear in this article.
Vendor HQ classification: Vendor headquarters per public corporate filings. Imperva is classified as US/Israel origin, now French-owned (Thales). Where a vendor's HQ jurisdiction is genuinely ambiguous, we flag it inline. "European-headquartered" in this article means headquarters inside the European Union or European Economic Area; UK-headquartered vendors are flagged separately.
Caveats: Apex-domain fingerprinting does not observe VPN portals, internal applications, or subdomain-only services. Self-hosted mail (visible only as Postfix, Dovecot or similar MX targets) is not counted in the "hosted mail provider" denominator. Sample is biased toward the public-sector and financial entities we have seeded most heavily. Coverage of French, German, Italian and Spanish entities is still in progress; the brief cross-country reference in this article is noted as preliminary.
Reference: per-vendor entity lists from CipherCue's directory.
CDN: Cloudflare, Amazon CloudFront, Akamai, Fastly. Hosted mail providers: Microsoft 365 Mail, Google Workspace Mail. Perimeter security and trust: Google reCAPTCHA, Imperva WAF, OneTrust, Cookiebot, Sophos SFOS, Barracuda Email Protection.
Find your sovereign replacement opportunities
Want to find your sovereign replacement opportunities? CipherCue maps which organisations are currently exposed to non-European vendors across CDN, hosted mail, WAF, authentication, DNS, JavaScript and other public-perimeter infrastructure, so European cyber, trust and infrastructure vendors can prioritise the accounts most likely to care. Request a demo to see the Polish account list, or extend coverage to your target European market.