The EU Data Protection Board enforces GDPR across 27 member states.
Every email it sends routes through infrastructure controlled by US companies.
EuroScanner, an automated infrastructure audit tool, scanned 68 EU institutions and agencies last week. The methodology is simple: query the MX DNS record for each domain, cross-reference the mail exchanger hostname against known provider signatures. The result was consistent across all 68 institutions. Every domain resolved to US-controlled email infrastructure, primarily Microsoft and Proofpoint, both headquartered in the United States.
The split: roughly half of EU institutions route email through Microsoft 365 (mail.protection.outlook.com). A significant portion use Proofpoint Inc. (pphosted.com), headquartered in Sunnyvale, California. Several use Symantec MessageLabs, now owned by Broadcom, a US company. A small number run their own mail servers but still resolve through US-adjacent infrastructure.
The confirmed Proofpoint domains include the European Commission, the European External Action Service, and the Publications Office. The confirmed Microsoft 365 domains include Europol, Frontex, ENISA, the European Defence Agency, the European Environment Agency, the European Banking Authority, and CERT-EU.
When an organisation uses Proofpoint or Microsoft, every inbound and outbound email passes through that company's infrastructure before it reaches anyone. Both companies have full access to the content and metadata of every message they process. Both operate under US law.
The US CLOUD Act of 2018 requires US companies to hand data to US government agencies on valid legal demand, regardless of where that data physically sits. There is no contractual mechanism that overrides this. EU standard contractual clauses do not override a US statute.
The 68 institutions scanned include the European Commission, the Council of the EU, the Court of Justice, Europol, Frontex, ENISA, the European Defence Agency, and CERT-EU.

euroscanner.eu

They also include the EU Data Protection Board and the EU Data Protection Supervisor, the bodies that issue GDPR enforcement decisions. The bodies that fined Meta €1.2 billion. The bodies that ruled Schrems II. Their institutional email runs through US companies subject to US government access requests.
This is an infrastructure observation. It is not a legal determination. It does not prove any communication has been accessed. What it does prove is that the option exists, on the US side, by statute, with no EU override mechanism in place.
The finding takes about four minutes to verify independently. dig ec.europa.eu MX returns mxa-00244802.gslb.pphosted.com, a Proofpoint hostname. dig frontex.europa.eu MX returns frontex-europa-eu.mail.protection.outlook.com, Microsoft. The data is public. Anyone with a terminal can reproduce it.
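The MX lookup and signature match described in the methodology and in the dig check above can be scripted. The following is an added example, not EuroScanner's own code: the function names are hypothetical, the messagelabs.com suffix is an assumption not quoted in the article, and the sample input is constructed from the two hostnames the article cites.

```shell
#!/bin/sh
# Added example (not EuroScanner's code): label MX hosts by provider suffix.

# classify_mx HOST -> provider label for one mail exchanger hostname.
classify_mx() {
    # Lowercase and drop the trailing root dot that dig prints.
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=${host%.}
    case "$host" in
        # Patterns require a dot before the suffix and match only at the
        # end of the name, so "pphosted.com.example.net" is not a hit.
        *.mail.protection.outlook.com) echo "Microsoft 365" ;;
        *.pphosted.com)                echo "Proofpoint" ;;
        # Assumption: suffix not quoted on the page; MessageLabs MX domain.
        *.messagelabs.com)             echo "Symantec MessageLabs" ;;
        "")                            echo "no MX" ;;  # null MX "0 ."
        *)                             echo "unclassified" ;;
    esac
}

# classify_answer: reads `dig +short DOMAIN MX` lines ("<pref> <host>.")
# on stdin and prints each distinct provider label once.
classify_answer() {
    while read -r _pref host; do
        [ -n "$host" ] || continue
        classify_mx "$host"
    done | sort -u
}

# audit_domain DOMAIN: live lookup (needs dig and network access).
audit_domain() {
    printf '%s\t%s\n' "$1" "$(dig +short "$1" MX | classify_answer | paste -sd, -)"
}

# Constructed sample in dig +short format; hostnames are the two quoted
# in the article, preference values are made up.
demo() {
    printf '%s\n' \
        '10 mxa-00244802.gslb.pphosted.com.' \
        '0 frontex-europa-eu.mail.protection.outlook.com.' | classify_answer
}
demo
```

Run audit_domain ec.europa.eu for a live check. A label of "unclassified" means the exchanger matched no known signature and needs manual review; it says nothing about where the server is hosted.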
What is harder to explain is why no one has published this before.
EU institutions have spent three years arguing about cloud vendor selection. The Digital Decade policy targets sovereignty. The European Data Strategy has a chapter on institutional data flows. The European Parliament has a dedicated intergroup on digital sovereignty. None of it touched the MX record.
The gap between what European institutions say about sovereignty and what their DNS records show is not a scandal. It is, more likely, procurement inertia at institutional scale. Microsoft 365 works. Proofpoint works. Both have worked for a long time. Changing either requires a procurement process, a security review, a migration, and someone willing to own the decision. That is significant friction for a problem that produces no visible incident.
Until a CLOUD Act request produces a visible incident. At which point the MX record becomes the exhibit.
For builders developing email security infrastructure, compliance tooling, or sovereign communication products for European institutional clients: the procurement gap here is confirmed and documented. The decision-makers inside these institutions already know the dependency exists. What they do not yet have is an alternative that clears their procurement requirements and matches the feature set of Microsoft or Proofpoint. That is the product question worth answering.
The full list of all 68 domains, with infrastructure grades and methodology, is at
404 Found covers AI and digital infrastructure developments from a European Insider, three times a week.


