Sponsored by
ENISA is the EU's cybersecurity agency.
Its email routes through a US company subject to the CLOUD Act.
EuroScanner started as a question I could not find a clean answer to: what infrastructure are EU institutions actually running on, and how would you know?
The existing coverage of this topic is almost entirely policy. Speeches, white papers, Digital Decade targets, sovereignty roadmaps. What nobody had published was the infrastructure layer. Not what institutions planned to run on, but what their DNS records said they were running on right now.
The tool is straightforward. It queries each domain for IP ranges (cross-referenced against ASN data from RIPE Stat), MX records for email provider signatures, and SSL inspection for additional hosting signals. No scraping, no login, no private data. Everything is public. The methodology is documented and reproducible with basic command-line tools.
The current dataset covers 210 domains: EU institutions and agencies, national data protection authorities, EU energy infrastructure operators, and a selection of SaaS tools commonly used in the European market. The scan runs daily. Results are graded A through F based on whether the hosting jurisdiction falls inside or outside EU sovereignty.
Of 210 domains scanned, 164 are Grade F. Eleven are confirmed EU sovereign.
How 2M+ Professionals Stay Ahead on AI
AI is moving fast and most people are falling behind.
The Rundown AI keeps you ahead of the curve.
It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.
Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses — tailored to your needs.
Three things surprised me in the build.
The first was how concentrated the email dependency is. I expected variation across institutions, different vendors, different procurement decisions made at different times. What I found was a single company across all 68 EU institutions I scanned. Procurement at scale, it turns out, produces monoculture. The same security vendor, the same MX pattern, the same CLOUD Act exposure, across the Council, the Commission, the Parliament, the Court of Justice, and both GDPR enforcement bodies.
The second was the energy sector. I added TSOs (transmission system operators) to the scan because energy infrastructure sovereignty is a separate question from data protection sovereignty, and in the current European security environment it is arguably the more urgent one. Fingrid, the Finnish TSO, grades A. PSE in Poland grades A. Red Eléctrica in Spain grades Unknown. Terna in Italy grades Unknown. The variation across national energy operators is larger than I expected, and the pattern is not what the policy discourse suggests.
The third was CERT-EU. The EU's computer emergency response team, the body responsible for cybersecurity incident response across EU institutions, has its own email running through Proofpoint. I checked this three times before publishing it.
The infrastructure runs on Codeberg, statichost.eu, and Mistral, all European companies, all outside US CLOUD Act jurisdiction. This was a deliberate choice made before the first line of code, not something retrofitted later. The stack is slower to set up than reaching for Vercel or Cloudflare. It is also the only stack that lets me publish a report about CLOUD Act exposure without the report itself sitting on CLOUD Act infrastructure.
GridSignal follows the same principle. It pulls active procurement notices from TED, the EU's official tender database, covering energy infrastructure: nuclear services, solar, offshore wind, grid construction. 47 active tenders this week across 10 countries. The ingestion pipeline runs daily at 06:00 UTC. Also on EU-sovereign hosting.
Paljon Puhetta is different in kind. It covers Finnish parliamentary speeches, not EU sovereignty, but it runs on the same principle: open data, public APIs, reproducible methodology, hosted in Europe. The Finnish parliament publishes its proceedings through api.eduskunta.fi under a CC BY 4.0 licence. The site indexes 30,000 speeches from all 200 MPs, updated nightly. Välihuudot, the interjections, are tracked separately because they are the part of parliamentary record that the official summaries tend to clean up.
The best marketing ideas come from marketers who live it. That’s what The Marketing Millennials delivers: real insights, fresh takes, and no fluff. Written by Daniel Murray, a marketer who knows what works, this newsletter cuts through the noise so you can stop guessing and start winning. Subscribe and level up your marketing game.
None of these tools required significant engineering. EuroScanner is DNS queries and ASN lookups. GridSignal is a filtered TED API call. Paljon Puhetta is a nightly pull from a public endpoint.
What they required was deciding what question to ask and being willing to publish the answer.
The EuroScanner data is available under CC BY 4.0. If you are building compliance tooling, procurement analysis, or sovereign infrastructure products for European institutional clients, the full dataset is at euroscanner.eu. The GridSignal tender data is at gridsignal.eu.
404 Found covers AI and digital infrastructure developments from a European Insider, three times a week.