
5 Steps to Audit Your Dependency on American Cloud Providers

A practical guide to assess and reduce your dependency on American hyperscalers. Map your risks and build a digital sovereignty strategy tailored to your SME.

By Hokho

Why Audit Your Cloud Dependency?

Most European SMEs use around ten cloud services daily — often without realising that the majority are operated by American companies. Microsoft 365 for email, Google Workspace for collaboration, AWS for hosting, Salesforce for CRM, Slack for internal communication: the list goes on.

This concentration creates a triple exposure: legal (CLOUD Act, Schrems II), operational (dependency on decisions made across the Atlantic), and strategic (critical data beyond your control). The first step to regaining control is to precisely measure the extent of this dependency.

Here is a 5-step guide to conducting this audit yourself.

Step 1: Inventory All Your Cloud Services

Build Your Register

Start by drawing up an exhaustive list of all cloud services used in your organisation. Do not limit yourself to officially sanctioned tools: shadow IT — services adopted without management approval — often accounts for 30 to 50% of tools actually in use.

Sources to consult:

  • Invoices and subscriptions from your accounting department
  • DNS and proxy logs from your network
  • Applications installed on workstations
  • Browser extensions
  • Active integrations in your existing tools (connectors, APIs, webhooks)

Classify Each Service

For each service identified, document:

  • Service name and provider
  • Provider headquarters (country of jurisdiction)
  • Server location (if known)
  • Type of data processed (personal data, financial data, intellectual property, operational data)
  • Number of users in your organisation
  • Criticality: what happens if this service is unavailable for 24 hours? 48 hours? A week?

Tip: create a shared spreadsheet with these columns. This register will become your reference document for the entire process.
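As an added example (not code from the original article), the following script seeds the Step 1 register from resolver log lines: it matches each queried name against a table of provider domains, records the provider's country of jurisdiction, and counts distinct client IPs per service as a proxy for the "number of users" column, while setting aside unmatched names as shadow IT candidates. The log format, the provider table and the sample lines are constructed assumptions.

```python
# Added example (not from the original article): seed the Step 1 register from DNS
# query logs. The provider table and the log lines below are constructed samples.
from collections import defaultdict

# Constructed: known SaaS domains -> (service, provider's country of jurisdiction).
KNOWN_PROVIDERS = {
    "salesforce.com": ("Salesforce", "US"),
    "office.com": ("Microsoft 365", "US"),
    "amazonaws.com": ("AWS", "US"),
    "infomaniak.com": ("Infomaniak", "CH"),
}

# Constructed resolver log, one query per line: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2024-03-04T08:01:12 10.0.1.23 login.salesforce.com
2024-03-04T08:01:15 10.0.1.23 outlook.office.com
2024-03-04T08:03:02 10.0.1.57 login.salesforce.com
2024-03-04T08:03:09 10.0.1.88 s3.eu-west-1.amazonaws.com
2024-03-04T08:04:44 10.0.1.88 api.infomaniak.com
2024-03-04T08:05:01 10.0.1.12 intranet.example.internal
"""

def match_provider(qname):
    """Return (service, country) when qname is a known domain or a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):                # walk the suffixes: a.b.c, b.c, c
        hit = KNOWN_PROVIDERS.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def build_register(log_text):
    """Group queries by service; distinct client IPs approximate the 'users' column."""
    clients, jurisdiction, unknown = defaultdict(set), {}, set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                            # skip malformed lines
        _ts, client_ip, qname = parts
        hit = match_provider(qname)
        if hit is None:
            unknown.add(qname)                  # shadow IT candidates for manual review
            continue
        service, country = hit
        jurisdiction[service] = country
        clients[service].add(client_ip)
    register = {s: {"jurisdiction": jurisdiction[s], "users": len(ips)}
                for s, ips in clients.items()}
    return register, sorted(unknown)
```

The unmatched names are the interesting part for shadow IT discovery: extend the provider table as you identify them, then re-run over a full week of logs.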

Step 2: Identify the Actual Jurisdiction

Server location is not enough. What matters is the jurisdiction to which the provider is subject. An American company hosting your data in Europe remains subject to the CLOUD Act. Conversely, a European company using an American subcontractor may expose your data to the same jurisdiction.

For each service in your inventory, ask yourself:

  1. Is the provider an American company or a subsidiary of an American company?
  2. Does the provider use American subcontractors for data processing?
  3. What contractual clauses govern the processing of your data?
  4. Does the provider rely on the Data Privacy Framework for EU-US transfers?

Classify each service according to three levels:

  • High risk: American provider processing personal or sensitive data
  • Medium risk: American provider processing non-sensitive data, or European provider with American subcontractors
  • Low risk: European provider with no dependency on non-European subcontractors

Step 3: Measure Operational Dependency

The Shutdown Test

For each critical service, imagine it becomes inaccessible tomorrow morning. Assess:

  • Time to impact: how long before business operations are affected?
  • Processes impacted: which departments and workflows are blocked?
  • Workaround: is there a plan B? How quickly can it be activated?
  • Data recovery: can you export your data? In what format? How quickly?

Assess Vendor Lock-in

Vendor lock-in manifests in several ways:

  • Technical lock-in: proprietary formats, non-standard APIs, closed integrations
  • Contractual lock-in: long-term commitments, exit penalties, volume discounts that make migration costly
  • Organisational lock-in: internal skills centred on a single ecosystem (e.g., your entire IT team is certified only on Azure)

For each service, assign a lock-in score from 1 (easily replaceable) to 5 (extremely complex and costly migration).

Step 4: Map Data Flows

Trace Your Data’s Journey

Your data does not sit still in a single service. It flows between your tools, your partners, and your clients. Map these flows to identify exit points from European territory.

Example of a typical flow:

  • A client fills in a form on your website (hosted on AWS)
  • The data is sent to your CRM (Salesforce, US servers)
  • A confirmation email is sent via your mail service (Gmail/Microsoft)
  • The data is synchronised with your invoicing tool (hosted in the EU)
  • A report is generated and stored on Google Drive (US servers)

In this example, the client’s personal data passes through three American services before reaching a European service. Each transit represents a risk point.

Identify Sensitive Data in Transit

Pay particular attention to:

  • Personal data (name, email, address, phone) — subject to GDPR
  • Health data — special category under GDPR
  • Financial data (invoices, bank details, balance sheets)
  • Intellectual property (patents, source code, trade secrets)
  • Strategic data (business plans, competitive intelligence)

Step 5: Build Your Roadmap

Prioritise Migrations

Based on your audit, you now have a clear picture of your exposure. Prioritise your actions using a matrix that crosses risk with migration effort:

                 Low Effort             High Effort
High Risk        Migrate immediately    Plan the migration (6–12 months)
Medium Risk      Migrate short-term     Evaluate alternatives
Low Risk         Monitor                No action required
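As an added example that is not part of the original article, the following script applies the three risk levels from Step 2 and the lock-in score from Step 3 to place each register row in the matrix above and order the rows by urgency. The Service fields, the lock-in threshold of 3 for "high effort", and the register rows are constructed assumptions.

```python
# Added example (not from the original article): apply the Step 2 risk levels and the
# Step 5 risk/effort matrix to register rows. Fields, threshold and rows are constructed.
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    provider_us: bool          # American company or subsidiary (Step 2, question 1)
    us_subcontractors: bool    # relies on American subcontractors (Step 2, question 2)
    sensitive_data: bool       # personal or otherwise sensitive data is processed
    lock_in: int               # Step 3 score: 1 (easily replaced) .. 5 (costly migration)

def risk_level(s):
    """Three levels from Step 2; a European provider with US subcontractors is Medium."""
    if s.provider_us and s.sensitive_data:
        return "High"
    if s.provider_us or s.us_subcontractors:
        return "Medium"
    return "Low"

def effort_level(s):
    """Lock-in score -> effort column of the matrix (the threshold of 3 is an assumption)."""
    return "High" if s.lock_in >= 3 else "Low"

# The Step 5 matrix, keyed by (risk, effort).
MATRIX = {
    ("High", "Low"): "Migrate immediately",
    ("High", "High"): "Plan the migration (6-12 months)",
    ("Medium", "Low"): "Migrate short-term",
    ("Medium", "High"): "Evaluate alternatives",
    ("Low", "Low"): "Monitor",
    ("Low", "High"): "No action required",
}

RISK_RANK = {"High": 0, "Medium": 1, "Low": 2}

def prioritise(services):
    """Rows (name, risk, effort, action), most urgent first: highest risk, then lowest effort."""
    rows = [(s.name, risk_level(s), effort_level(s), MATRIX[(risk_level(s), effort_level(s))])
            for s in services]
    return sorted(rows, key=lambda r: (RISK_RANK[r[1]], r[2] == "High"))

# Constructed register rows: (name, provider_us, us_subcontractors, sensitive_data, lock_in)
REGISTER = [
    Service("Google Analytics", True, False, True, 1),
    Service("Salesforce CRM", True, False, True, 5),
    Service("Slack", True, False, False, 2),
    Service("EU invoicing tool", False, True, True, 3),
    Service("Hetzner hosting", False, False, True, 4),
]
```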

Quick Wins: Easy Migrations with High Impact

Some migrations are simple to carry out and deliver immediate benefit:

  • Analytics: switch from Google Analytics to Plausible or Matomo (migration in a few hours)
  • Video conferencing: replace Zoom/Teams with Jitsi or BigBlueButton for non-critical meetings
  • File storage: migrate to Nextcloud for sensitive documents
  • Instant messaging: adopt Element (Matrix) or Rocket.Chat alongside Slack
  • Web hosting: migrate to Hetzner, OVHcloud, or Scaleway

Structural Migrations

Other migrations require more preparation but are essential:

  • Email and calendar: migrate from Microsoft 365 or Google Workspace to a European solution (Infomaniak, Proton)
  • CRM: migrate from Salesforce to Odoo or a European CRM
  • Cloud infrastructure: migrate from AWS/Azure/GCP to a European cloud provider

For these projects, plan for professional support and a realistic timeline.

Document and Measure

Your audit is not a one-off exercise. It should become a recurring process:

  • Update your register each time a new service is adopted
  • Reassess your dependency score quarterly
  • Track regulatory developments (NIS2, Data Act, EUCS)
  • Measure your progress towards digital sovereignty

Automate Your Assessment

Conducting this audit manually takes time and rigour. For a quick, structured initial assessment, use our Sovereign Score tool. In just a few minutes, you will receive an evaluation of your dependency on non-European providers, along with personalised recommendations.


And if you want to go further with an in-depth audit and tailored support, our consultants are here to guide you on your digital sovereignty journey.
