CipherCue study finds US vendors front most UK and Dutch company websites
Chris McCabe's analysis of 19,450 European company domains puts Cloudflare first in every sampled market.
By Ryan Merket ยท Published
Why it matters
European sovereignty debates often start with cloud regions and contracts. CipherCue's data says the vendor dependency can begin at the public web edge.

Chris McCabe's CipherCue published a July 7th study that puts a sharper number on a familiar European sovereignty problem: the public websites of many European companies are served at the internet-facing layer by US-headquartered infrastructure vendors.
CipherCue examined the primary apex and www DNS records for 19,450 European company entities across the United Kingdom, the Netherlands, Italy, Spain, France, Germany, and Poland. CipherCue says US-headquartered vendors serve the majority of sampled primary company websites in the UK and the Netherlands, with shares of 67.5% and 53.6%, respectively. In Italy, Spain, and France, US vendors were the largest cluster, even without crossing 50%.
The finding matters because McCabe's analysis focuses on the public web perimeter, the layer a buyer, regulator, adversary, or customer can observe before getting anywhere near a cloud-region contract or a subprocessor schedule. CipherCue's own product pitch is built around that exact visibility gap: its demo page says the company continuously observes European organizations' public-facing infrastructure, including tech stacks, DNS posture, open services, certificate history, and CISA-listed software.
The strongest result in the post is the consistency of Cloudflare (@Cloudflare)'s position. CipherCue says Cloudflare was the largest single internet-facing infrastructure vendor in all seven sampled countries, ahead of US peers, European hosting companies, and domestic ISPs. Its reported share ranged from 15.2% in Poland and 17.9% in Germany to 31.6% in the UK and 36.8% in the Netherlands.
What CipherCue measured
CipherCue frames the work as a vendor attribution study. For each apex domain, CipherCue says it resolved DNS A and AAAA records, mapped the answering IP addresses to their announcing autonomous system, then classified vendors by AS operator name. The measurement window ran from April 28th, 2026 to June 29th, 2026, ending eight days before publication.
That method makes the numbers useful, and also limits them. A site behind Cloudflare is counted as Cloudflare-fronted because Cloudflare is the vendor answering at the internet-facing layer. The study does not identify the origin hosting provider behind a CDN or reverse proxy. It also does not establish physical data-center location, customer-specific configuration, regional data-plane isolation, control-plane arrangements, or subprocessor terms.
That distinction is central to the story. A French company using Cloudflare may be serving a French visitor from a nearby Cloudflare edge location. CipherCue's point is that the vendor relationship at the public perimeter is still with a US-incorporated company. For companies trying to map third-country exposure, concentration risk, and switching constraints, the visible vendor can matter even when packet geography looks local.
The classified US set in the study included Cloudflare, Amazon, Google (@Google), Microsoft (@Microsoft), Fastly, Akamai, Squarespace, Wix, and Shopify. CipherCue explicitly warns that the "Other / regional" bucket should not be read as European. It includes European hosting companies, domestic ISPs, in-house infrastructure, and international vendors outside the keyword-matched set.
The country split
The UK was the most US-dependent market in CipherCue's sample. Of 918 UK entities, 620 were served by US-headquartered vendors, including 290 attributed to Cloudflare and 115 to Amazon. In the Netherlands, 1,201 of 2,241 sampled entities were served by US vendors, including 825 attributed to Cloudflare.
Italy, Spain, and France sat in the middle. CipherCue found US-headquartered vendor shares of 48.4% in Italy, 44.6% in Spain, and 44.2% in France. In absolute terms, Cloudflare accounted for 663 of 2,350 Italian entities, 329 of 1,427 Spanish entities, and 706 of 2,504 French entities.
Germany and Poland were the counterweights. Germany had the largest sample in the study, with 5,679 entities, and a US-headquartered vendor share of 31.0%. Poland had 4,331 entities and a US-headquartered vendor share of 18.8%. CipherCue attributes the difference to deeper domestic hosting markets, naming Hetzner, IONOS, STRATO, and Mittwald in Germany, and Home.pl, NetArt, ATMAN, and Beyond in Poland.
Those two markets give the study its most useful comparison. European vendor share is not an abstract policy preference there. It shows up in the DNS observations because local providers still have enough distribution to sit in front of a meaningful number of company websites.
A sovereignty sales map
CipherCue is not presenting the research as an academic census. CipherCue sells infrastructure observation to sovereign EU cybersecurity vendors, and the study doubles as a map of where replacement campaigns might be most obvious.
The demo page says CipherCue is built for vendors that want to identify European accounts "still running foreign incumbents" and push observed infrastructure changes into sales workflows such as HubSpot or Attio. That positioning explains the narrowness of the study. CipherCue is measuring the vendor a company relies on at the public web edge because that is the part a challenger vendor can observe, segment, and turn into an account list.
That commercial incentive does not make the data useless. It does mean the numbers should be read for what they are: a public-infrastructure attribution snapshot based on CipherCue's directory and classification rules, rather than a complete map of European hosting dependency. The post does not disclose the full entity source list beyond saying country fields come from registered addresses in country registrars such as Companies House for Britain, KRS for Poland, and HRB for Germany. It also does not show how representative the sampled entities are within each market.
The numbers still cut through a lot of loose sovereignty language. European buyers can localize cloud regions, negotiate processing terms, or demand EU support models while leaving their public web estate behind a US-headquartered edge provider. McCabe's post argues that inventory has to start earlier: before procurement teams debate the cloud stack, they need to know which vendor already sits between the public internet and the company's main domain.
For Cloudflare, the study is a reminder of how deeply its edge network has become default infrastructure, even in markets where domestic hosting remains strong. For European infrastructure vendors, the country table is a prospecting guide. For policymakers, it is a base rate: in five of seven sampled markets, US-headquartered vendors were either the majority provider group or the largest provider group at the internet-facing layer.