January–February 2024: how close we came

On the night of 19–20 January 2024, Akira ransomware operators exploited a Cisco ASA vulnerability (CVE-2023-20269, patched October 2023 but not yet applied) in a single Tietoevry data center in Sweden. Tietoevry is the Nordic region's largest IT service provider — Sweden's equivalent of Advania.

The blast radius from that one compromised data center:

• Swedish government ministries and agenciesPartial outage, some services down for days.
• Sveriges RiksbankReported the incident to Swedish police.
• Granngården (100+ retail outlets)Forced to close stores; point-of-sale offline.
• Filmstaden, Sweden's largest cinema chainCould not sell tickets online for days.
• Regional healthcare providersScheduling and medical records affected.
• Recovery: several weeksNot hours or days. Weeks.

Three weeks later — February 2024 — it was Iceland's turn. Advania, the largest Icelandic-headquartered IT service provider, disclosed a cyber incident affecting customer environments. Swedish healthcare providers using Advania's regional services were cut off. Advania stated the affected environments had not been ransomed but that "several healthcare centers struggled with limited IT availability" for days.

Had that same incident been on Advania's Icelandic infrastructure rather than Swedish, it would have touched most of the Icelandic private sector at once. Advania is the default managed-services vendor for a large share of Icelandic companies. The concentration multiplier is larger in Iceland than in Sweden.

How much of Iceland runs on how few vendors

This is the first time (to our knowledge) anyone has put these numbers together in one place for Iceland.

Government IT — a single-vendor public sector

In 2015 Iceland's government ran on 100+ different IT suppliers across public institutions. In 2018, it signed a contract consolidating the entire public sector onto Microsoft 365. Microsoft itself celebrated this in its European press as "the first cloud-first nation." The consolidation covered more than 20,000 public-sector users.

Today, if you work in an Icelandic ministry, municipality, or state agency, your email, calendar, documents, Teams chats and most internal records are inside one Microsoft tenant.

Banking — three banks, one platform

The Icelandic banking sector is extraordinarily concentrated even by small-country standards:

• Three commercial banks control 95% of banking assetsArion banki, Íslandsbanki, Landsbankinn.
• All three run on the same core banking platformThe SBS Banking Platform (Sopra Banking Software, French-owned). Landsbankinn migrated in 2017, Íslandsbanki in 2018, Arion banki in 2019. The platform now processes 90%+ of all domestic accounts and ~1.5 million domestic payments per day.
• Card processing depends on Visa/MastercardThe IMF's 2023 Financial Sector Assessment Program explicitly flagged the dependence on Visa and Mastercard as an operational resilience reduction.

The one sector where Iceland accidentally avoided US dependence is here — SBS is French, not American. A CLOUD Act order would not reach the core of Icelandic banking. But the moment the banks add any Azure, AWS or Cloudflare service on top, that advantage erodes.

Telecom — three operators and two cable owners

Iceland's mobile market has three operators carrying essentially everything:

Iceland connects to the global internet via four submarine cables — FARICE-1, DANICE, Greenland Connect and IRIS. Two of them (FARICE-1 and DANICE) are both operated by Farice ehf. There are two internet exchange points, but RIX carries the vast majority of traffic.

Power and media

Landsnet, the electricity transmission system operator, is jointly owned by Landsvirkjun, RARIK and Orkubú Vestfjarða. Orkusalan is wholly owned by RARIK. A compact interlocking ownership structure means the OT/SCADA vendor landscape is also tightly coupled.

In media, only RÚV has formal critical-infrastructure designation. No private Icelandic broadcaster or newspaper has equivalent legal protection or resilience requirement.

Three incidents, one pattern

The pattern is vendor-caused, not attacker-caused, global downtime. Three incidents since January 2024 establish the shape:

The CrowdStrike case that nearly rhymes

On 19 July 2024, a single CrowdStrike content update crashed 8.5 million Windows machines worldwide within an hour. Delta Air Lines alone lost $380–500 million. Insurer Parametrix estimated total business losses at $5.4 billion for the top 500 US companies excluding Microsoft itself. Airlines grounded; hospitals reverted to paper; 911 dispatchers couldn't dispatch.

None of it was an attack. A vendor shipped a bad file. The EDR tool designed to protect operating systems took them offline instead. In a country where that EDR tool is the default — or where the operating system it runs on is the default — there was no alternative to fall back to.

Cloudflare, November 2025

Three months after CrowdStrike, Cloudflare repeated the pattern in a different layer. A database permissions change caused a Bot Management feature file to double in size; the oversized file propagated to their entire network; the network stopped routing. Not an attack. A configuration error.

Affected at peak: X, ChatGPT, OpenAI, Claude, Spotify, Discord, Zoom, Canva, Uber, IKEA, Square, League of Legends, Letterboxd, Google Store, Dayforce. Roughly 1 in 5 webpages and 1/3 of the world's 10,000 most popular sites.

Cloudflare's market position is the key number: 79.9% of websites that use a CDN use Cloudflare. It serves more than 20% of global internet request traffic. Its DNS serves 25+ million websites. Nearly every website that matters in Iceland — including news.1881.is — sits behind Cloudflare. A single internal configuration change at one US company took down the front door for a material fraction of the world.

The CLOUD Act problem Iceland has not publicly discussed

The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) compels US-based technology companies — Microsoft, AWS, Google, Oracle, Apple, Meta, Cloudflare — to hand over data held on their systems to US law enforcement with a warrant or subpoena, regardless of where that data is geographically stored. The corporate nationality of the provider, not the location of the servers, determines jurisdiction.

For nearly seven years, this remained a theoretical concern in European cybersecurity debate. Then on 10 June 2025, in sworn testimony before the French Senate, Microsoft France's Legal Counsel Anton Carniaux answered under oath the question Europe had been asking: can you guarantee that data of French citizens stored in Microsoft's cloud would never be passed to US authorities without approval?

That sentence is the end of a fifteen-year debate. Microsoft's own lawyer confirmed, on the record, that the CLOUD Act supersedes European data-location commitments. The Microsoft EU Data Boundary — which Microsoft finalised in early 2025 and markets as the European sovereignty solution — stores data in Europe and is operated by European employees, but does not change the legal jurisdiction of the corporate parent. Data residency solves residency. It does not solve sovereignty.

The GDPR conflict

GDPR Article 48 prohibits transfer of EU/EEA personal data to foreign authorities without a recognised international agreement. The CLOUD Act compels such transfers. The two laws are mutually exclusive — Microsoft cannot comply with both. When a CLOUD Act order arrives at Microsoft Ireland for Icelandic government data, Microsoft's only options are to comply with the CLOUD Act and violate the GDPR, or comply with the GDPR and violate a US court order.

The 2020 Schrems II ruling invalidated the EU-US Privacy Shield over exactly this problem. The replacement framework (the Data Privacy Framework, 2023) does not address the fundamental conflict; Max Schrems has filed for a Schrems III ruling that is widely expected to invalidate it too.

Iceland's specific legal footing

Iceland is not an EU member but is part of the European Economic Area. GDPR applies via the EEA Joint Committee decision of 6 July 2018. Iceland implemented it through Act 90/2018 on data protection. The supervisor is Persónuvernd, which explicitly recommends not using cloud services without a prior impact assessment.

To our knowledge, no public Icelandic government Data Protection Impact Assessment has been released that specifically addresses the CLOUD Act scenario for the Microsoft 365 tenant covering the public sector. If one exists, it is not public.

Why AWS and Cloudflare exposure is the same problem

The government stack is Microsoft-centric. The private stack is not — but it is US-centric in a different way.

AWS: dominant because it's easy, not because it's cheap

AWS holds roughly 32% global market share, more than Azure (23%) and Google Cloud (7%) combined, and is the default choice for Icelandic SaaS, e-commerce and most private-sector cloud workloads. The reasons have very little to do with cost:

• First-mover advantageAWS launched in 2006, ten years ahead of mainstream competition. Every tutorial, every hiring pipeline, every StackOverflow answer defaults to it.
• 200+ services in one consoleCompute, database, AI, IoT, serverless, edge. One-stop shopping means teams never need to learn a second cloud.
• Developer defaults and startup creditsVenture-backed startups get AWS credits as a condition of funding. Small Icelandic SaaS companies start on AWS by default.
• Egress fees as a lock-in mechanismMoving 50TB of data off AWS costs $3,500–7,000 in egress alone. Data-intensive workloads can see 40–70% of the cloud bill go to egress. Globally, cloud egress fees generate an estimated $43 billion per year — a soft tax on leaving. In 2025 AWS doubled inter-AZ transfer fees and increased cross-region costs 25–40%.

Running Windows workloads on AWS can cost up to 5× more than on Azure, because Azure Hybrid Benefit lets you apply existing Windows licences and AWS does not. In pure price terms AWS is often the most expensive of the three major clouds. It wins anyway because it's the easy answer.

The EU Data Act (September 2025) mandates "at cost" egress pricing and a full ban on switching fees by January 2027. AWS and Google Cloud have begun waiving egress for customers who migrate their entire workload off — but not for customers who want to run multi-cloud. The lock-in on diversification remains intact.

Cloudflare: the layer everyone forgot to inventory

Even organisations that diversify compute between Azure and AWS typically share a single edge/DNS provider. Cloudflare sits in front of ~20% of all websites, 79.9% of websites using a CDN, and serves DNS for 25+ million domains. It is the most concentrated layer in the internet stack, and it is the least-often discussed in procurement reviews.

The Icelandic stack in practice:

User request
  ↓
  DNS                Cloudflare (20%) · Route 53 · Google DNS  — US
  CDN / edge         Cloudflare (80% of CDN market)            — US
  Compute            AWS · Azure · GCP                          — US
  Identity           Microsoft Entra · Okta · Google            — US
  Code hosting       GitHub · GitLab.com                        — US
  Payments           Stripe · Adyen · PayPal                    — US-connected
  Collaboration      Teams · Slack · Zoom · Google Workspace    — US
  Analytics          Google Analytics · Meta Pixel              — US
  Core banking       SBS Banking Platform (Sopra, France)       — EU sovereign

Reading the stack top to bottom: every layer except core banking is under US corporate jurisdiction. A CLOUD Act order directed at any one of these providers can reach Icelandic data. A vendor-caused outage at any one of these providers can take Icelandic services offline.

Twelve months, ten concentration incidents

Plot each of the concrete incidents discussed above onto a single axis and the pattern becomes unignorable.

These are not cherry-picked. They are the publicly-reported major incidents in a 22-month window where a single US vendor's failure or legal exposure affected millions of users or national-scale services. The operational incidents (red) and the legal-jurisdictional event (orange) belong on the same chart because they have the same root cause: concentration of mission-critical services in a small number of US-controlled companies.

Why Iceland went concentrated in the first place — and why those reasons have not gone away

Every argument made above has a counter-argument, and a sovereignty discussion that skips it is not serious. The reasons Iceland chose to consolidate on Microsoft in 2018 were not a mistake. They were a rational trade. The trade is still rational in 2026, even if the terms have shifted. Three realities in particular deserve equal weight with the concentration critique.

Microsoft spends more on security than Iceland's entire national budget

Microsoft's annual cybersecurity investment is approximately $20 billion, supported by a security organisation of roughly 35,000 people. AWS and Google operate at comparable scale. No European provider, and no Icelandic institution, can match this absolute level of defensive capability. Moving government data from Microsoft 365 to a smaller European sovereign cloud — to solve a CLOUD Act exposure — may genuinely increase the probability of a successful attack by an ordinary cybercriminal. For most data, most of the time, the US hyperscalers remain the safer choice against the most likely threat. The operational security of the hyperscaler model is a real competitive advantage, not a myth propagated by their marketing departments.

Iceland does not have the staff

The domestic IT sector is approximately 3,500 people, and specialist cloud and security expertise is concentrated in a few dozen individuals. Running diverse, multi-cloud, sovereignty-focused infrastructure requires meaningfully more operators per workload than consolidating on Microsoft 365 does. Estonia manages a distributed architecture in part because it has roughly 15,000 IT professionals and a national cyber training pipeline that Iceland has not yet built. An architecture that works in Tallinn may simply not be deliverable in Reykjavík with the people currently in the country. This is a hiring problem before it is an architecture problem.

The cost is not a rounding error

Recent German state migrations from Microsoft toward open alternatives — Munich's LiMux programme, Schleswig-Holstein's Nextcloud+LibreOffice transition — have been budgeted at roughly €50–200 million over 3–5 years for populations comparable to Iceland. A similar national programme here would likely cost €15–40 million up-front plus ongoing operational overhead. This is not dismissable money in a national budget; it is measured in schools and hospital beds. Any honest sovereignty plan has to say out loud where that money comes from.

So what is the honest position?

The argument of this article is not that Iceland should leave Microsoft 365 wholesale. It is that:

• A small set of truly sensitive data warrants sovereign infrastructure in addition, not instead. National-security documents, classified cabinet deliberations, some health records. Most of government is not in that set.
• The country needs a documented plan for when a CLOUD Act order arrives, not a hope that one never will. Planning is cheap. Improvising during a legal crisis is expensive.
• Operational concentration demands continuity planning regardless of sovereignty. CrowdStrike, Cloudflare and Tietoevry are the same problem whether your stack is American or European.
• The 2018 decision was rational. 2026 is the right year to ask whether it has been reviewed since. The risks on both sides have changed. A periodic review is not an accusation of past error.

A same-sized nation that chose the opposite

Estonia has 1.3 million citizens — about three times Iceland's population, still in the small-nation bracket. Both countries pursue advanced digital government. The architectures could not be more different.

Estonia's architecture was not a triumph of foresight — it was a response to being attacked. In 2007, Russia ran a prolonged DDoS campaign against Estonian government, banking and media during a political dispute over a Soviet-era statue. The attack succeeded in degrading services for weeks. Estonia rebuilt the country's architecture around the assumption that any single system will fail and the state must keep running.

Iceland in 2018 was making a procurement decision. Estonia in 2008 was recovering from a war-adjacent digital offensive. They answered the same question — "how should a small nation run its digital government?" — from different teachers.

Sovereign-cloud options in 2026

This is no longer a theoretical debate. Europe now has commercially-operated sovereign cloud options that are not subject to the CLOUD Act. None of them replaces Microsoft 365 trivially. All of them exist.

Three points are worth saying out loud. First, Bleu and S3NS are not the same product as Microsoft 365 or Google Cloud — they are French-operated implementations of the same software, with the critical difference that a US court order does not reach them. Second, Nextcloud+IONOS is the only mature open-source-first option for a full M365 replacement. Third, Gaia-X is a cautionary tale, not a solution: sovereignty frameworks that admit US hyperscalers as members are not sovereign.

Concrete recommendations — narrow, selective, and resistant to over-correction

Given the counter-argument above, the right posture is targeted diversification, not wholesale migration. The recommendations below assume that Microsoft 365 remains the default platform for routine government and commercial work, and focus on the narrow set of changes that would meaningfully reduce sovereignty and concentration exposure without incurring costs or security regressions that outweigh the benefit.

For the Prime Minister's office and the Ministry of Justice

• Publish a Data Protection Impact Assessment that explicitly addresses the CLOUD Act scenarioThis is arguably required by Article 35 of the GDPR for the public-sector Microsoft 365 deployment. If one exists it should be public; if one does not, it should be commissioned this year.
• Classify government data by jurisdictional sensitivityCorrespondence with foreign allies, intelligence-sharing products, sensitive tax and judicial records, Cabinet deliberations, and legislative drafts in progress should not share a US-jurisdictional cloud tenant with routine administrative data.
• Open a public debate on sovereign alternativesFrance and Germany both have active national debates about the same issue. Iceland does not. That absence is itself a policy choice.

For Fjarskiptastofa and NCC-IS (Eyvör)

• Require concentration-risk disclosure in NIS2 implementationNIS2 Article 21(d) on supply-chain security is already law. An implementation that requires entities to disclose cross-sector single points of failure would turn a box-ticking exercise into a risk exercise.
• Publish an annual cross-sector dependency mapLike the Bank of England's cyber-resilience report for the UK financial sector, but covering the whole of Iceland's critical digital infrastructure.
• Maintain an authoritative list of CLOUD Act-exposed services in use by government entitiesEven a private list, held by NCC-IS, would force the question to be asked.

For boards and CIOs — the executive checklist

• Do not over-correctDistributing workloads is expensive, demands scarce talent, and adds its own operational risk. The default of US hyperscaler hosting remains defensible for most data. Apply sovereignty and diversification controls selectively — to the narrow set of data and services that actually warrant it — rather than as a platform-wide migration.
• Name your top five SPOFs on one slideIf you cannot produce this slide within an hour, that is the first problem to fix.
• Run a "day without vendor X" tabletop annually for each SPOFA day without Microsoft 365. A day without AWS eu-west-1. A day without Cloudflare. The CEO should participate.
• Keep a backup that does not live inside your primary vendor's architectureIf your primary platform is M365, your backups should not also be in Azure. If your primary is AWS, your backups should not also be in S3. Cross-architecture redundancy is the specific mitigation for the risks on this page — and it is affordable even when a full migration is not.
• Put OFAC, GDPR Article 48 and CLOUD Act into the incident-response planNot because these are likely to fire together, but because each one is a decision that cannot be made in the middle of an incident. Planning is cheap; improvisation during a legal crisis is not.
• Before 1 January 2027, inventory egress-fee lock-inThe EU Data Act abolishes cloud switching fees by that date. Plan to use that window — at minimum to know what an exit would cost, even if you do not intend to take one.

Methodology & caveats

• Microsoft — Iceland the first "cloud-first nation"
• TechMonitor — Iceland to Microsoft: "You can host our entire public sector"
• SBS — Arion banki go-live on Sopra Banking Platform
• IMF — Iceland FSAP 2023: Cyber & Operational Resilience
• The Register — Microsoft admits it "cannot guarantee" data sovereignty
• DataBalance — Microsoft Cloud sovereignty 2026: ambition and reality
• CMS — Demystifying the CLOUD Act vs European/UK sovereignty
• Microsoft — EU Data Boundary Overview
• The Register — Europe gets serious about cutting US digital umbilical cord
• BleepingComputer — Tietoevry ransomware attack
• KonBriefing — Tietoevry affected organisations list
• Cybernews — Advania cyberattack (Feb 2024)
• Wikipedia — 2024 CrowdStrike IT outages
• Cloudflare — Official post-mortem of 18 November 2025 outage
• Kinsta — Cloudflare market share
• byteiota — Cloud egress fees: the $43B tax
• HG Insights — AWS market share 2025
• Iceland Review — Ransomware cases double fourth straight year
• DieSec — Cyber threat landscape in Iceland
• PolicyReview — Securing Iceland's digital future
• Reykjavík Grapevine — If our submarine cables went bust
• Icelandic National Cybersecurity Strategy 2022–2037
• Cyber-Conscious Estonia 2024–2030 strategy
• DLA Piper — Data protection laws in Iceland