Cloudflare is the biggest web host in Europe, beating every domestic rival
A scan of 19,450 European companies found Cloudflare fronting more of the continent's web traffic than any domestic host, in every one of seven countries checked, from the UK to Poland.
One US company was checked against 19,450 European company websites. It won in every single country.
CipherCue checked which company sits in front of 19,450 European company websites, resolving DNS records and mapping the answers back to the network that actually serves the traffic. In the UK, the Netherlands, Italy, Spain, France, Germany, and Poland, one name came out on top every single time: Cloudflare. Not just the largest US vendor. The largest vendor, full stop, ahead of every domestic ISP and every homegrown hosting company in each of the seven countries.
How the count was actually done
The study, run between April 28 and June 29, 2026, resolved DNS A and AAAA records for both the apex and www domains of 19,450 European company entities, then mapped each resulting IP address to the autonomous system announcing it, using Routeviews-derived BGP data. That approach identifies the internet-facing vendor, the network your browser actually connects to, rather than whatever origin host sits behind it. A company can run its own servers in its own country and still show up as a US vendor here, if a US company's network is what your request hits first.
Cloudflare wins in every country, including at home
Germany and Poland sit lowest, and the reason is not a lack of US presence so much as unusually strong domestic hosting industries: Hetzner and IONOS in Germany, Home.pl and NetArt in Poland. Everywhere else, Amazon typically ranks second among US vendors, with Google, Microsoft, Fastly, Akamai, and Squarespace filling out the rest.
Why the front door matters more than people assume
A reverse proxy like Cloudflare does not just point traffic somewhere. It terminates the connection, which means it holds the decrypted content passing through, not just an encrypted blob addressed to someone else. sovereigntyscore.io's audit put this plainly: "Cloudflare can be compelled to produce data in its possession, including traffic logs, cached content, DNS query logs, and potentially decrypted traffic content."
The EU is already trying to fix this, slowly
This is not a new concern in Brussels. Three US hyperscalers, AWS, Google, and Microsoft, hold around 70% of the European cloud market between them, and the European Commission has a Cloud and AI Development Act in progress that would require member states to run sovereignty risk assessments and lock US hyperscalers out of the most sensitive public sector contracts. Sovereign cloud spending in Europe is projected to grow 83% year over year off a 6.9 billion euro base, and the Commission has already run a 180 million euro sovereign cloud procurement tender.
Not everyone reads this the same way
When this study circulated on Hacker News, the pushback was as informative as the finding. Some commenters flagged the methodology itself: counting only the front-end CDN misses that many of these same companies run their actual backend on European infrastructure, OVH or Hetzner among them, with Cloudflare sitting in front purely for caching and DDoS protection. Others called out the framing directly, arguing that a company's landing page vendor matters far less than where its actual user and company data lives. One methodology critique claimed the smaller-site numbers here undercount real US exposure by more than double, while agreeing the picture for large companies is broadly accurate.
Both things can be true at once: Cloudflare's front-door share is real and worth knowing, and it is not the same question as where your data actually lives. Treat this as a starting point for that second question, not a substitute for asking it.
What an alternative actually looks like
Bunny.net is the most capable EU-headquartered CDN alternative for general use, per the same sovereignty analysis. It will not match Cloudflare's scale or product breadth, and most European alternatives run into the same wall Hacker News commenters pointed at: they are smaller, sometimes pricier, and were not built on the kind of venture funding that let Cloudflare give away a generous free tier for over a decade.
Why a build studio cares
This one is not abstract for us. This site runs on Cloudflare Pages. We put Cloudflare in front of client work regularly, because it is fast, free at small scale, and reduces what we have to operate ourselves. This report is a reminder that the same choice we make for speed and cost is also a sovereignty choice, whether or not a client asked us to think about it that way.
We already flagged the sharp edge of this exact dependency in our post on Spain's LaLiga IP blocks: when the infrastructure in front of your product is shared with hundreds of thousands of other sites, a block, a policy change, or a legal order aimed at someone else can catch you too. Concentration cuts both ways. It is also why fewer teams have to build DDoS protection or global caching from scratch. Knowing which risk you are accepting, and for which client, in which country, is the part worth doing deliberately instead of by default.
Next step: read CipherCue's original analysis for the full country breakdown, sovereigntyscore.io's Cloudflare audit for the CLOUD Act risk detail, and the Hacker News discussion for the methodology pushback in full. If you are choosing infrastructure for a project that serves the EU and want a second opinion on what you are trading away, write to us at hello@gattyworks.com.