From a competitive advantage to a matter of survival: Why the origin of your software matters more than ever
Johannes Schulz, 3/31/2026
Will your software soon become unsellable? An expert analysis of data sovereignty and what you need to do to stay relevant in a regulated market
Table of contents
- Why the origin of your software matters for your business
- Changing purchasing criteria: What buyers really ask today
- Not all industries and company sizes are the same
- The questions your sales team needs answers to
- What this means for software companies in Germany, Austria, and Switzerland (DACH) and across the EU
- What this means for US software companies
- What works and what doesn’t
- The Big Opportunity
- Recommendations for Action: what you can do in the next 18 months
- Conclusion: The window of opportunity is open, but it’s closing
Why the origin of your software matters for your business
You have a solid product and a well-executed go-to-market strategy, yet you’re still losing deals without knowing why. It’s not a pricing issue. No feature gap. The question hanging in the air was a different one: “Where is your company actually based?”
76 of the 100 highest-rated software tools on OMR Reviews come from Germany, according to our Top 100 Guide 2026. This is no coincidence. It’s the result of a shift currently taking place in your customers’ decision-making rooms.
At the same time, according to the 2026 Lünendonk Study, 96% of IT decision-makers expect digital sovereignty to remain a key issue even if geopolitical tensions ease. 80% are already increasing their IT budgets specifically for this purpose.
For 67% of German companies, country of origin is already a mandatory purchasing criterion (Bitkom Cloud Report 2025). However, 48% of IT decision-makers still rule out switching to EU software due to doubts about its performance (Myra Security 2025). And 70% have already received external inquiries requiring them to demonstrate their digital sovereignty (Lünendonk Study 2026). The pressure is mounting, even if the willingness to act is still lacking.
This is the critical arena where the winner in the DACH market over the next few years will be decided.
What is driving this change? Not nostalgia, not patriotism. Searches for “European alternatives” rose by 660% in 2025 (according to an analysis by European Alternatives / Wire, 2025). Trust in the U.S. as a technology partner is crumbling: 98% of German companies say Trump’s election victory has at least weakened it (according to the Bitkom study Digital Sovereignty 2025). Geopolitics, legal uncertainty, and growing compliance requirements are shifting purchasing decisions from product comparisons to the legal department.
Whether you’re a European software company with a home-field advantage or a U.S. provider that takes the DACH market seriously: This article shows you what has changed, what that means for your product and your messaging, and where the real opportunities lie.
This article distinguishes between two levels: the origin of the software you use or sell, and the origin of the infrastructure on which it runs. Your customers are asking both of these questions today.
Key Points
- 96% of IT decision-makers expect digital sovereignty to remain a key issue in the long term, and 80% are already increasing their IT budgets specifically for this purpose (Lünendonk Study 2026)
- For 67% of German companies, the country of origin is a mandatory purchasing criterion when selecting cloud services (2024: 58%) (Bitkom Cloud Report 2025)
- The CLOUD Act requires U.S. companies to disclose data to government authorities, regardless of where it is stored. Simply stating that “the data is located in Frankfurt” is not sufficient from a legal standpoint
- 70% of IT managers have already received external requests requiring them to demonstrate their digital sovereignty, so the pressure is coming directly from the market (Lünendonk Study 2026)
- 48% of IT decision-makers rule out switching to EU software due to doubts about its performance (Myra Security 2025). The awareness issue is more significant than the feature issue
Changing purchasing criteria: What buyers really ask today
In the past, the question was simple: Does this tool solve my problem, and at what price? Today, a second layer has been added, one that has now taken precedence over the first in many companies.
Your customers now ask: “Where is our data?” “Who has access to it?” “Can we justify this to our works council, our legal department, and our enterprise customers?” This isn’t paranoia. It’s a rational response to real legal risks, and these are questions your sales team needs answers to.
The CLOUD Act: The Overlooked Foundation
The U.S. CLOUD Act requires U.S. companies to grant U.S. authorities access to their data upon request, regardless of where that data is physically stored. Having a data center in Frankfurt doesn’t help if the parent company is based in Delaware. Microsoft admitted this under oath before the French Senate in 2025.
The EU-US Data Privacy Framework (DPF), introduced in 2023 as the successor to Privacy Shield, is under pressure. Austrian data protection activist Max Schrems has already overturned two previous agreements before the European Court of Justice and filed another complaint immediately after the DPF took effect, arguing that FISA Section 702 continues to allow US intelligence agencies mass access to EU data. Another Schrems ruling is considered likely. For many legal departments, this is no longer an abstract threat, but a matter of active risk management.
Furthermore, 83% of companies view a politically motivated “kill switch” – that is, the targeted shutdown of individual cloud or software solutions – as a relevant risk scenario for their IT strategy. 47% consider this scenario realistic over the next two years (Lünendonk Study 2026). And only 14% have defined exit strategies for switching IT providers. The pressure is mounting, but preparation is lacking.
Country of origin is now a mandatory purchasing criterion for 67% of German companies when selecting cloud services (Bitkom Cloud Report 2025). In 2024, that figure was 58%. This is primarily measured at the infrastructure level, but the trend extends across the entire stack: Those who check their cloud provider’s country of origin will soon ask the same question about their software. We’re seeing this on OMR Reviews as well: Demand for sovereign and open-source alternatives is rising noticeably.
Not all industries and company sizes are the same
The urgency varies greatly depending on the industry and company size. In the public sector and the healthcare industry, the pressure is particularly acute. The CLOUD Act, security requirements, and GDPR Article 9 create real legal risks. Schleswig-Holstein is the first federal state to adopt a binding open-source strategy and is migrating approximately 25,000 IT workstations to LibreOffice. This demonstrates that the political will to reduce software dependencies has now taken root at the institutional level.
In the financial sector, the DORA (Digital Operational Resilience Act) requirements, which define the management of cybersecurity and ICT risks, have been in effect since January 2025. Banks are investing in risk modeling software of European origin and avoiding public clouds for core data. According to Accenture, 76% of banks are already relying on sovereign AI approaches – that is, AI systems in which data, models, and infrastructure remain entirely under their own control.
Among small and medium-sized businesses, the pressure is more indirect, but it is growing. The drivers are supply chain compliance, enterprise customers verifying suppliers’ GDPR compliance, and a growing awareness that is reflected in software purchasing decisions.
Tech startups are the exception. US tech stacks continue to dominate there. Speed of innovation trumps sovereignty.
The Growing Importance of the Country of Origin in Software Decisions
Highest priority: Public Sector & Healthcare
- U.S. software has effectively been eliminated
- Focus on EU-compliant alternatives
- Avoiding dependence on licenses
Strict regulation: Financial sector
- DORA requirements have been in effect since January 2025
- Avoiding public clouds for core data
- Preference for EU software in core systems
Growing pressure: Small and medium-sized businesses
- Supply chain compliance as a driver
- Pressure from enterprise customers
- Growing awareness among decision-makers
Exception: Tech startups
- U.S. tech stacks continue to dominate
- Innovation and speed beat sovereignty
- Minimal regulatory hurdles
The questions your sales team needs answers to
Today, your customers are asking questions that many software teams don’t have prepared answers for:
- Under which jurisdiction does your company operate?
- Do U.S. authorities theoretically have access to our data?
- What certifications do you have: BSI C5, ISO 27001, SOC 2?
- How do your AI features handle our data—is it used for training?
These questions no longer come solely from the IT department. They come from the executive board, from Legal, and from the works council. Anyone who doesn’t have clear answers to these questions quietly loses deals because the procurement team won’t even continue the conversation.
What this means for software companies in Germany, Austria, and Switzerland (DACH) and across the EU
European software companies are currently experiencing a window of opportunity that hasn’t been this favorable in a long time. But it’s closing faster than many realize.
The real home-field advantages
No CLOUD Act
No data access by U.S. authorities. A structural advantage in regulated industries that U.S. hyperscalers cannot offer.
Cultural & legal affinity
Full GDPR compliance, DATEV integrations, and a focus on DACH-specific requirements in works council law.
No CLOUD Act. This isn’t a given – it’s a tangible competitive advantage. A European software company is not subject to any U.S. authority that can demand access to data. This fact alone opens doors in regulated industries that U.S. competitors simply cannot access, no matter how much they invest in European data centers.
Add to that linguistic and cultural proximity, legal familiarity with the GDPR, works council law, and DATEV integration, as well as an industry focus on DACH-specific requirements. That may sound like a niche, but it is often the decisive factor in enterprise sales.
And it pays off immediately: 94% of IT decision-makers say that a high degree of digital sovereignty has a positive impact on their customer relationships (Lünendonk Study 2026). Sovereignty is not a compliance argument, but an argument based on trust.
And then there’s the cost argument – the one most often underestimated. Bernd Korz, founder of Alugha, runs his entire stack on European infrastructure. That’s an infrastructure-level decision he makes himself as a software provider: self-hosted transcription costs him one-tenth of what comparable U.S. cloud services charge. European server hosting costs one-third of US hyperscaler prices. European CDN providers cost one-quarter.
His conclusion: “Nothing we do costs more money than the US solutions. That’s the absurd part of it.”
This shows that European software providers who also rely on European infrastructure have a double advantage: legal clarity at the software level and a more cost-effective structure at the infrastructure level.
Where there is still room for improvement
Compliance is not a differentiator. Companies that primarily market their products as “GDPR-compliant” lose out to competitors who can say the same thing. DeepL, Celonis, and Personio are gaining market share through product quality, not by capitalizing on compliance fears.
And the gaps are real. AI integration, ecosystem depth, UX maturity, and the breadth of partner and integration networks still lag behind those of the US market leaders for many European software companies. 84% of IT decision-makers cite a lack of functionality from European providers as a major or very major hurdle to switching (Lünendonk Study 2026). This is not irrational conservatism. There are real gaps.
The good news: The awareness problem is bigger than the feature problem. According to Myra Security, only one in five IT decision-makers is even aware of European AI software alternatives. And only 3% of IT managers currently consider European providers to be on par with the hyperscalers when it comes to platform and AI services. By 2030, only 2% expect functional parity (Lünendonk Study 2026). That’s the honest truth. And it shows where the work lies: not in denying the gap, but in systematically closing the critical gaps.
What this means for US software companies
This section is not meant as an attack. Many of the world’s best software tools come from the US, and OMR Reviews works with US companies every day. But anyone who takes the DACH market seriously must understand the objections that exist today and how to address them professionally.
The objections you need to know
“You’re a US company; the CLOUD Act.” That’s the most common objection in regulated industries. “Our data is stored in Frankfurt” is no longer a sufficient answer. The CLOUD Act addresses control over the company, not the location of the data.
Other questions that are coming up more and more:
- How do you use our data for AI training?
- What guarantees are there in the event of a policy shift in the U.S.?
- Can your German branch really operate independently of the U.S. parent company?
What works and what doesn’t
Today, buyers can reliably spot “sovereignty washing.” 66% of IT decision-makers are skeptical of sovereign hyperscaler offerings, even when these companies advertise EU data centers (Lünendonk Study 2026). Those who merely slap a European data center label on their offerings but leave their corporate structure and data sharing practices unchanged lose trust, especially in enterprise segments where contracts undergo legal review.
What does work, however: an independent EU legal structure with genuine decision-making autonomy, EU staff with security clearances, BSI C5 certification as the DACH gold standard, and partnerships with trusted German anchors like SAP, Telekom, or DATEV. And transparent communication about what CLOUD Act obligations specifically entail and what contractual safeguards exist.
HubSpot and Salesforce demonstrate how this works: their own EU strategies, active communication regarding data storage, and local compliance teams. This has opened DACH enterprise doors for them that remain closed to less transparent U.S. companies.
The Big Opportunity
It is now clear that major U.S. companies are taking this pressure seriously. Mid-sized U.S. software companies that invest in a credible EU strategy now will be better positioned than those that sit on the sidelines.
Recommendations for Action: what you can do in the next 18 months
The trend is here. The question is how quickly you’ll respond. Here are recommendations across three time frames, applicable to both European and U.S. software companies, with appropriate distinctions where necessary.
0–6 months: Messaging and Sales
Start with what you can change today – without product development or legal restructuring.
Build a sovereignty page. 70% of IT decision-makers have already had to provide external proof of sovereignty (Lünendonk Study 2026). Your customers expect four answers: Under which jurisdiction do you operate? Who has access to their data? How do you handle AI training? And what happens if they want to switch providers? Whoever answers these four questions clearly and publicly gains trust before the first sales conversation even takes place.
Sharpen your messaging. Three approaches, depending on your starting point: If you’re an EU provider, frame your structural advantage proactively, not defensively. “No CLOUD Act” is a door-opener in regulated industries, but only if you explicitly mention it instead of hiding it in a privacy policy. If you’re a U.S. provider, proactively communicate what you do, not what you aren’t. And for both: explicitly address AI data processing. This is the fastest-growing question in sales conversations, and very few providers have a prepared answer.
6–18 months: Product and Certifications
Close the feature gaps that are blocking decisions. Not all of them – that’s unrealistic. But identify the two or three gaps in your product that are causing customers to hesitate to switch or to leave, and prioritize those gaps.
Invest in certifications. BSI C5 is the de facto standard for enterprise trust in the DACH market. ISO 27001 is mandatory. SOC 2 Type II opens international doors. These investments pay off directly in sales meetings.
Reading tip: Our ISO 27001 Checklist equips you with the necessary tools for information security.
Expand your partner ecosystem. Integrations with DATEV, Lexoffice, sevDesk, or industry-specific German tools are selling points that U.S. software companies find structurally difficult to replicate.
18+ months: Strategic positioning
The decisions you make over the next 18 months will determine the story you tell in five years.
Option A: Trusted DACH/EU software company. You consistently build on the strengths of your European heritage: legal clarity, data sovereignty, and industry expertise. This is not a niche play. With exactly this positioning, Personio has reached over 12,000 customers across Europe and a valuation of €8.5 billion.
Option B: Global player with a credible EU story. You are not a European company, but you take the market’s requirements seriously. Independent EU legal structure, genuine transparency, local partnerships. This is the path HubSpot and Salesforce have taken.
What is not an option: sitting it out. The proportion of companies that use their country of origin as a mandatory criterion is rising. Those who ignore this lose bids before the conversation even begins.
Conclusion: The window of opportunity is open, but it’s closing
The trend toward European software is real. But it’s not a romantic market choice. It’s a forced response to legal uncertainty. The CLOUD Act, Schrems II, and GDPR uncertainty: these are the real drivers of growth, not European patriotism.
What this means for you as a software company: The window of opportunity is open, but it won’t open on its own. If you want to succeed in the DACH region, you don’t need compliance concerns as an argument. Those who succeed do so through product quality, credible positioning, and the ability to answer the questions that are increasingly being asked in procurement discussions today.
Bernd Korz did not switch to a full EU stack as a political statement, but because he determined that it was more cost-effective and technically equivalent, and because, as a software provider, he wanted to decide for himself under which jurisdiction his infrastructure runs. That is the story that more companies are discovering right now.
76 of the 100 highest-rated tools on OMR Reviews come from Germany (Top 100 Guide 2026). This is a snapshot, not a promise. And the underlying trend is structural: Today, 36% of companies consider digital sovereignty to be “very important.” By 2030, 85% expect this to remain the case, regardless of how the relationship between the U.S. and Europe develops (Lünendonk Study 2026). This isn’t hype. It’s a structural shift.
Those who defend or expand this share in three years’ time are the ones who started today. Take an hour. Look at how your company responds to today’s purchasing criteria. And start where the gap is greatest.
Are you a European software provider? Then OMR Reviews is the place where your target audience is making exactly these decisions right now. Check how your profile is set up and whether your story of excellence is visible there.
Is your software not yet listed on OMR Reviews? Or are you missing a tool on our platform? You can request both directly in the B2B section.