Why is public-sector email a sovereignty concern?
Government agencies, public authorities, and EU institutions sending email — citizen notifications, regulatory communications, public-tender announcements, public-service updates — operate under data-sovereignty constraints that rule out most US-headquartered providers. They also operate under public procurement law (EU 2014/24/EU and national transpositions) that requires open competitive tendering, GPA-compatible terms, and specific audit and exit-and-portability provisions. We are EU-incorporated (Austria), EU-routed, EU-operated, and our standard procurement-ready DPA template includes the GPA provisions and Article 73 directive compatibility. Eight EU public-sector customers currently active, from federal ministries to municipal authorities to a public-service broadcaster.
What does public-sector procurement actually require?
EU public procurement law requires specific procedural and substantive provisions in contracts above the relevant threshold (~€140K for central government, ~€215K for sub-central, ~€430K for utilities). The procedural side: open or restricted tender procedures, equal-treatment standards, transparency requirements, time limits, electronic communications under eIDAS. The substantive side: data sovereignty (often national, not just EU), audit rights, exit-and-portability with structured data export, transparency on sub-contracting, security clearance for staff with access to sensitive workloads, accessibility under EN 301 549 and the Web Accessibility Directive (Directive 2016/2102 for public-sector websites, and the EAA for consumer-facing services). Our standard public-sector procurement pack addresses each of these.
What we do not pretend to be.
We are not a fully cleared classified-information processor. We do not hold EU RESTRICTED or EU CONFIDENTIAL clearance for our facilities or staff at the current scale. Customers handling EU classified information (NATO-equivalent) cannot use us for that workload. We are appropriate for: unclassified citizen-facing communications, public information dissemination, public-tender notifications, regulatory announcements, public-service operational notifications. For classified workloads, we point customers to specialized public-sector providers (Bundesdruckerei in Germany, ANSSI-qualified providers in France).
How does the European Accessibility Act apply to public-sector email?
The European Accessibility Act became enforceable on 28 June 2025, and through 2026 the question shifted from whether to comply to who is checking. Public-sector senders already carry the Web Accessibility Directive obligation for their own websites and mobile apps; the EAA adds consumer-facing services on top, and both point at the same technical standard, EN 301 549. The current harmonized version is v3.2.1, which maps to WCAG 2.1 Level AA; the updated v4.1.1, developed under the Commission's standardisation request and carrying WCAG 2.2, is expected to publish during 2026, so a programme building to WCAG 2.2 now is building toward where the standard is going rather than where it sat in 2021. Enforcement is national and it has teeth: France runs it through ARCOM and the DGCCRF, Germany through the Federal Network Agency, Italy through AGID, and Sweden's PTS opened active market surveillance in late 2025. The penalties on the table include corrective orders, market restrictions, and fines that several member-state frameworks set in the tens of thousands of euros. The email-specific consequence is concrete. A citizen notification that renders as an inaccessible HTML blob fails the same bar a website does. Our message templates and the customer portal conform to EN 301 549 against WCAG 2.2 AA, and the template patterns we hand customers carry that conformance, so the accessibility work is done once at the template layer rather than rediscovered after a complaint.
eIDAS 2.0 and the identity wallet land in 2026, and citizen notifications sit next to them.
eIDAS 2.0, Regulation (EU) 2024/1183, entered into force in May 2024 and obliges every member state to provide a European Digital Identity Wallet to citizens, residents, and businesses, with the rollout landing across 2026. The wallet holds government-verified credentials and supports Qualified Electronic Signatures recognised across the Union, and it sits on a certified cryptographic base tied to the EU cybersecurity certification framework. For a public authority, the wallet changes the onboarding and authentication surface around the same citizen who receives your email, which raises the bar on the notification leg: a legal notification delivered by email increasingly needs to slot into a qualified delivery flow rather than land as ordinary mail. eIDAS keeps qualified electronic registered delivery as a trust service under Article 44, and that is where we fit. We provide a configuration that meets the technical requirements of a qualified electronic registered delivery service — the delivery, the evidence, the timestamps — while the qualification itself stays with the national supervisory body on the customer side: TKG in Austria, the Bundesnetzagentur in Germany, ANSSI in France. We are deliberate about the line: we operate the technical delivery and the proof-of-delivery evidence, and the legal status of qualification is granted to your service by your supervisor, not asserted by us.
B2G e-invoicing is already mandatory, and the email is the courtesy layer.
Public-sector suppliers have lived with mandatory electronic invoicing to government longer than the private sector — business-to-government e-invoicing has been required across most of the EU for years, exchanged over the Peppol network in structured formats such as XRechnung in Germany, Factur-X in France, and through FACe in Spain. The wider VAT in the Digital Age package now pulls business-to-business onto the same path by 2030. For a public authority sending payment and procurement communications, this draws the same boundary we draw elsewhere. The structured invoice that carries legal and fiscal weight travels over Peppol from a finance system, and we are not that system; we do not generate or transmit XRechnung or Factur-X documents and will not claim to. What the email does is carry the human-readable confirmation, the status update, the courtesy copy, and the procedural notification to the supplier or the citizen, and our job is to make those land reliably and accessibly on EU-resident infrastructure. Keeping that distinction explicit in a tender response matters, because evaluators have watched vendors overstate scope, and a provider that names the Peppol layer as someone else's job reads as more credible than one that blurs it.
Why is sovereignty structural for public-sector email?
For a public authority the data-residency requirement is rarely satisfied by a region setting on a US-headquartered platform, because the concern is jurisdiction rather than geography: a provider with a US parent remains exposed to extraterritorial access demands regardless of where the bytes sit. Our position is structural. The company is incorporated in Austria with no US parent in the corporate chain, the public-sector accounts default to EU-only point-of-presence selection with the Dallas and Panama gateways disabled, and the sub-processor list for those accounts excludes entities that would route processing through US-only operations. Where a national rule goes further and prohibits data flowing even to another EU country — Germany's federal-authority rules and France's ANSSI restrictions are the common cases — single-country residency pins all data and processing inside the chosen state. That choice trades resilience for sovereignty, because a single-country pin limits failover to points of presence within that country, and authorities accept the trade because the sovereignty constraint is not negotiable. The EU cybersecurity certification work and the various sovereign-cloud initiatives across member states all point the same direction, and a provider whose sovereignty is a matter of corporate structure rather than a configuration toggle is the one that survives the legal review without an asterisk.
What does a public-sector tender evaluation score?
A public-sector procurement of an email infrastructure vendor runs nine to twelve months from tender publication to signature, and the time is not evenly spread. The procurement thresholds that trigger the full regime sit around €143,000 for central-government contracts and roughly €221,000 for sub-central bodies under the periodically updated figures, below which lighter procedures apply. Above the threshold the procedure is prescribed: an open or restricted tender, equal-treatment and transparency obligations, fixed time limits, and electronic communication under eIDAS. The technical evaluation scores certifications and conformance — ISO 27001, the GDPR posture, EN 301 549 accessibility, the security questionnaire — and a vendor either has the evidence on file or loses points it cannot recover inside the deadline. The legal phase is where the calendar actually disappears: redlining the contract against the authority's required clauses, the audit rights, the exit-and-portability terms with structured export, sub-processor transparency, and staff-vetting expectations. The final gate is board or council approval, which runs on a meeting calendar rather than a project plan. We field a procurement-response team that handles the technical, legal, and financial sections inside the published deadlines, which is the part a generalist sales motion tends to get wrong by treating a tender like a sales call.
Citizen notifications are not marketing, and the routing reflects that.
A citizen notification — a tax-filing reminder, a benefits-status change, a public-consultation notice, a summons to renew a document — carries an obligation, and treating it like a newsletter is how authorities end up with the wrong deliverability and the wrong evidence. These messages need the highest inbox placement, because a missed one becomes a missed legal deadline for the recipient, and they need delivery evidence, because the authority may have to show that the notice was sent and received. We route citizen notifications on a dedicated pool kept clean of any promotional or informational bulk, separate from public-information dissemination, which can tolerate the volume profile of a newsletter. The two are not the same workload and do not share a reputation. The notification pool carries the strictest discipline and, where the legal context calls for it, the registered-delivery evidence trail; the dissemination pool carries the public campaigns and consultations where reach matters more than per-message proof.