Skip to content
OS Domains
Industry

Email infrastructure for EU public-sector entities.

EU public-sector email infrastructure is a sovereignty and accountability concern: data must stay within the EU (often within a specific country), procurement law requires Article 73 directive-compatible terms, and citizen-facing communications fall under the Web Accessibility Directive and the European Accessibility Act. OS Domains is EU-incorporated, EU-routed and EU-operated, with a procurement-ready DPA template, for federal ministries, municipal authorities and public-service bodies that need email infrastructure a public tender will accept.

EU public-sector email infrastructure is a sovereignty and accountability concern. Data must stay within the EU (often within a specific country), procurement law requires Article 73 directive-compatible terms, accessibility under the Web Accessibility Directive and EAA applies to citizen-facing communications. We are EU-incorporated, EU-routed, EU-operated, and our standard procurement-ready DPA template addresses public-sector specifics. Eight EU public-sector customers active — federal ministries, municipal authorities, a public-service broadcaster.

Expect 9-12 month procurement timelines and budget for that. We have a procurement-response team that handles tenders end-to-end.

In short

  • EU-incorporated, EU-routed and EU-operated, with data kept inside the EU and, where required, inside a specific country.
  • Procurement-ready: Article 73 directive-compatible terms and a public-sector DPA template handled end to end by a tender-response team.
  • Citizen-facing communications covered under the Web Accessibility Directive and the European Accessibility Act.
  • B2G e-invoicing is already mandatory; the email sits as the courtesy layer around it.
  • Expect a 9-12 month procurement timeline, which the tender-response team manages end to end.
Key numbers
Public-sector customers
8
EU-only routing
Default
eIDAS qualified ready
On request
Procurement standard
GPA-compatible

Why is public-sector email a sovereignty concern?

Government agencies, public authorities, and EU institutions sending email — citizen notifications, regulatory communications, public-tender announcements, public-service updates — operate under data-sovereignty constraints that rule out most US-headquartered providers. They also operate under public procurement law (EU 2014/24/EU and national transpositions) that requires open competitive tendering, GPA-compatible terms, and specific audit and exit-and-portability provisions. We are EU-incorporated (Austria), EU-routed, EU-operated, and our standard procurement-ready DPA template includes the GPA provisions and Article 73 directive compatibility. Eight EU public-sector customers currently active, from federal ministries to municipal authorities to a public-service broadcaster.

What does public-sector procurement actually require?

EU public procurement law requires specific procedural and substantive provisions in contracts above the relevant threshold (~€140K for central government, ~€215K for sub-central, ~€430K for utilities). The procedural side: open or restricted tender procedures, equal-treatment standards, transparency requirements, time limits, electronic communications under eIDAS. The substantive side: data sovereignty (often national, not just EU), audit rights, exit-and-portability with structured data export, transparency on sub-contracting, security clearance for staff with access to sensitive workloads, accessibility under EN 301 549 and the Web Accessibility Directive (Directive 2016/2102 for public-sector websites, and the EAA for consumer-facing services). Our standard public-sector procurement pack addresses each of these.

What we do not pretend to be.

We are not a fully cleared classified-information processor. We do not hold EU RESTRICTED or EU CONFIDENTIAL clearance for our facilities or staff at the current scale. Customers handling EU classified information (NATO-equivalent) cannot use us for that workload. We are appropriate for: unclassified citizen-facing communications, public information dissemination, public-tender notifications, regulatory announcements, public-service operational notifications. For classified workloads, we point customers to specialized public-sector providers (Bundesdruckerei in Germany, ANSSI-qualified providers in France).

How does the European Accessibility Act apply to public-sector email?

The European Accessibility Act became enforceable on 28 June 2025, and through 2026 the question shifted from whether to comply to who is checking. Public-sector senders already carry the Web Accessibility Directive obligation for their own websites and mobile apps; the EAA adds consumer-facing services on top, and both point at the same technical standard, EN 301 549. The current harmonized version is v3.2.1, which maps to WCAG 2.1 Level AA; the updated v4.1.1, developed under the Commission's standardisation request and carrying WCAG 2.2, is expected to publish during 2026, so a programme building to WCAG 2.2 now is building toward where the standard is going rather than where it sat in 2021. Enforcement is national and it has teeth: France runs it through ARCOM and the DGCCRF, Germany through the Federal Network Agency, Italy through AGID, and Sweden's PTS opened active market surveillance in late 2025. The penalties on the table include corrective orders, market restrictions, and fines that several member-state frameworks set in the tens of thousands of euros. The email-specific consequence is concrete. A citizen notification that renders as an inaccessible HTML blob fails the same bar a website does. Our message templates and the customer portal conform to EN 301 549 against WCAG 2.2 AA, and the template patterns we hand customers carry that conformance, so the accessibility work is done once at the template layer rather than rediscovered after a complaint.

eIDAS 2.0 and the identity wallet land in 2026, and citizen notifications sit next to them.

eIDAS 2.0, Regulation (EU) 2024/1183, entered into force in May 2024 and obliges every member state to provide a European Digital Identity Wallet to citizens, residents, and businesses, with the rollout landing across 2026. The wallet holds government-verified credentials and supports Qualified Electronic Signatures recognised across the Union, and it sits on a certified cryptographic base tied to the EU cybersecurity certification framework. For a public authority, the wallet changes the onboarding and authentication surface around the same citizen who receives your email, which raises the bar on the notification leg: a legal notification delivered by email increasingly needs to slot into a qualified delivery flow rather than land as ordinary mail. eIDAS keeps qualified electronic registered delivery as a trust service under Article 44, and that is where we fit. We provide a configuration that meets the technical requirements of a qualified electronic registered delivery service — the delivery, the evidence, the timestamps — while the qualification itself stays with the national supervisory body on the customer side: TKG in Austria, the Bundesnetzagentur in Germany, ANSSI in France. We are deliberate about the line: we operate the technical delivery and the proof-of-delivery evidence, and the legal status of qualification is granted to your service by your supervisor, not asserted by us.

B2G e-invoicing is already mandatory, and the email is the courtesy layer.

Public-sector suppliers have lived with mandatory electronic invoicing to government longer than the private sector — business-to-government e-invoicing has been required across most of the EU for years, exchanged over the Peppol network in structured formats such as XRechnung in Germany, Factur-X in France, and through FACe in Spain. The wider VAT in the Digital Age package now pulls business-to-business onto the same path by 2030. For a public authority sending payment and procurement communications, this draws the same boundary we draw elsewhere. The structured invoice that carries legal and fiscal weight travels over Peppol from a finance system, and we are not that system; we do not generate or transmit XRechnung or Factur-X documents and will not claim to. What the email does is carry the human-readable confirmation, the status update, the courtesy copy, and the procedural notification to the supplier or the citizen, and our job is to make those land reliably and accessibly on EU-resident infrastructure. Keeping that distinction explicit in a tender response matters, because evaluators have watched vendors overstate scope, and a provider that names the Peppol layer as someone else's job reads as more credible than one that blurs it.

Why is sovereignty structural for public-sector email?

For a public authority the data-residency requirement is rarely satisfied by a region setting on a US-headquartered platform, because the concern is jurisdiction rather than geography: a provider with a US parent remains exposed to extraterritorial access demands regardless of where the bytes sit. Our position is structural. The company is incorporated in Austria with no US parent in the corporate chain, the public-sector accounts default to EU-only point-of-presence selection with the Dallas and Panama gateways disabled, and the sub-processor list for those accounts excludes entities that would route processing through US-only operations. Where a national rule goes further and prohibits data flowing even to another EU country — Germany's federal-authority rules and France's ANSSI restrictions are the common cases — single-country residency pins all data and processing inside the chosen state. That choice trades resilience for sovereignty, because a single-country pin limits failover to points of presence within that country, and authorities accept the trade because the sovereignty constraint is not negotiable. The EU cybersecurity certification work and the various sovereign-cloud initiatives across member states all point the same direction, and a provider whose sovereignty is a matter of corporate structure rather than a configuration toggle is the one that survives the legal review without an asterisk.

What does a public-sector tender evaluation score?

A public-sector procurement of an email infrastructure vendor runs nine to twelve months from tender publication to signature, and the time is not evenly spread. The procurement thresholds that trigger the full regime sit around €143,000 for central-government contracts and roughly €221,000 for sub-central bodies under the periodically updated figures, below which lighter procedures apply. Above the threshold the procedure is prescribed: an open or restricted tender, equal-treatment and transparency obligations, fixed time limits, and electronic communication under eIDAS. The technical evaluation scores certifications and conformance — ISO 27001, the GDPR posture, EN 301 549 accessibility, the security questionnaire — and a vendor either has the evidence on file or loses points it cannot recover inside the deadline. The legal phase is where the calendar actually disappears: redlining the contract against the authority's required clauses, the audit rights, the exit-and-portability terms with structured export, sub-processor transparency, and staff-vetting expectations. The final gate is board or council approval, which runs on a meeting calendar rather than a project plan. We field a procurement-response team that handles the technical, legal, and financial sections inside the published deadlines, which is the part a generalist sales motion tends to get wrong by treating a tender like a sales call.

Citizen notifications are not marketing, and the routing reflects that.

A citizen notification — a tax-filing reminder, a benefits-status change, a public-consultation notice, a summons to renew a document — carries an obligation, and treating it like a newsletter is how authorities end up with the wrong deliverability and the wrong evidence. These messages need the highest inbox placement, because a missed one becomes a missed legal deadline for the recipient, and they need delivery evidence, because the authority may have to show that the notice was sent and received. We route citizen notifications on a dedicated pool kept clean of any promotional or informational bulk, separate from public-information dissemination, which can tolerate the volume profile of a newsletter. The two are not the same workload and do not share a reputation. The notification pool carries the strictest discipline and, where the legal context calls for it, the registered-delivery evidence trail; the dissemination pool carries the public campaigns and consultations where reach matters more than per-message proof.

How we solve it

The specific capabilities that matter for this use case.

01

EU-only routing default

Public-sector accounts default to EU-only PoP selection. DFW and PTY PoPs disabled. Sub-processor list excludes any with US-only entities (Cloudflare alternative routing available).

02

National-country residency

Pin all data and processing to a specific EU country: Austria, Germany, France, Netherlands, Ireland, Belgium, Italy, Spain. Required by some national authorities (BMI Germany, ANSSI France).

03

GPA Article-73-compatible contract

Procurement-ready template addresses GPA non-discrimination, public access to procurement information, audit rights, exit assistance, sub-contractor transparency.

04

Web Accessibility Directive readiness

Customer-portal templates conform to EN 301 549 against WCAG 2.2 AA, ahead of the v4.1.1 update that folds WCAG 2.2 into the standard during 2026 (the current v3.2.1 maps to WCAG 2.1 AA). Required by Directive 2016/2102 for public-sector websites and mobile applications across the EU.

05

eIDAS qualified e-delivery on request

For citizen-facing legal notifications, qualified electronic registered delivery service compatibility under eIDAS Article 44. Requires custom configuration; available for €1,490 setup + standard plan pricing.

06

Staff vetting on request

For Enterprise public-sector customers, staff with access to your workload can be subject to background-check requirements beyond our standard pre-hire process. National security vetting (NDC, BfV, DGSI clearance) is not available; commercial-grade vetting is.

Common challenges

What we see go wrong, and how we fix it.

Procurement timeline of 9-12 months

EU public-sector procurement of an ICT vendor runs 9-12 months from tender publication to contract signature. We have done this with public-sector customers. The path: respond to the tender within deadlines (we have a procurement-response team for this), pass the technical-evaluation phase (ISO 27001, GDPR, accessibility), navigate legal redlines (this is where most of the time goes), and meet board-or-council approval requirements. Our procurement contact handles end-to-end.

Cross-border data flows even within EU

Some national authorities prohibit data flow to other EU countries (Germany BMI rules for federal authority data, ANSSI restrictions in France). Single-country residency configuration addresses this but limits resilience to a single PoP within that country. Customers accept the trade-off because the sovereignty constraint comes first.

Accessibility under EAA and WAD

Public-sector customers face both the Web Accessibility Directive (their own websites must conform) and EAA (consumer-facing services). Our customer-portal templates and the message templates we produce pass both bars; customers who roll their own templates often need to redo them. We provide WCAG 2.2 AA-compliant template patterns at no extra cost.

Single-country residency limits failover by design

When a national rule pins data inside one member state, the resilience that comes from multi-country failover is gone by construction: the failover targets have to live inside the same jurisdiction. We are direct about the trade in the tender response rather than after signature, because an authority that learns the resilience limit during an incident review is an authority that feels misled. The sovereignty constraint comes first, the architecture follows it, and the recovery plan is written to the points of presence available inside the permitted country.

Accessibility complaints arrive after launch, not before

Under the EAA and the Web Accessibility Directive, the enforcement trigger is often a complaint from a member of the public or an advocacy organisation, which means the problem surfaces in production on a live citizen-facing notification, not in a pre-launch audit. We close that exposure at the template layer: the message templates we provide conform to EN 301 549 against WCAG 2.2 AA, so a customer who sends through our templates is not relying on catching every accessibility defect by hand before each send.

FAQ

Questions we get the most.

01

Do you respond to public-sector tenders?

Yes. We have a procurement-response team that handles tender responses (technical, legal, financial sections) end-to-end. Typical response timeline: 30 days from tender publication, depending on complexity. We have responded to tenders in Austria, Germany, France, Netherlands, Italy, and at EU institution level (Commission, Parliament).

02

Can you provide an eIDAS qualified electronic registered delivery service?

On request, with custom configuration. Qualified ERDS under eIDAS Article 44 requires audited compliance with specific technical requirements. We can provide a configuration that meets the technical requirements; the qualification step itself is done by a national supervisory body (TKG in Austria, BNetzA in Germany, ANSSI in France) on the customer side. Setup is €1,490 + standard plan pricing.

03

Are you NIS2 essential entity?

No. NIS2 designates "essential" and "important" entities by size and sector. We do not meet the size threshold for essential designation. However, NIS2 has substantial spillover effects through the supply chain — our customers who are essential or important entities require us to meet Article 21 risk management standards, which we do. We can provide an Article 21 self-assessment summary on request.

04

Do you accept payment via SEPA invoice with NET-60?

Yes for public-sector customers. NET-60 is the typical public-sector payment term and we accommodate it. SEPA invoice is the default payment method. Some authorities require a specific invoicing format (XRechnung in Germany, Factur-X in France); we support both.

05

Can you sign a non-disclosure agreement before contract signature?

Yes. Our standard procurement NDA is mutually executable within 48 hours of receiving your request. Most public-sector procurement requires NDA before sharing tender-specific technical details; we are accustomed to this and do not slow it down.

06

Will the EU Digital Identity Wallet change how we send citizen notifications?

Over time, yes. eIDAS 2.0 obliges every member state to issue a European Digital Identity Wallet across 2026, and as adoption grows, citizens will expect identity and consent interactions to flow through the wallet rather than through ad-hoc verification. The email leg sits beside that: a legal notification will increasingly need to plug into a qualified delivery flow with proper evidence rather than arrive as ordinary mail. We provide the technical configuration for qualified electronic registered delivery under eIDAS Article 44; the qualification of your service is granted by your national supervisor. We track the wallet rollout so the delivery configuration stays aligned with it.

07

Can you meet a requirement that data never leaves our specific country?

Yes, through single-country residency, which pins all data and processing to one EU state from Austria, Germany, France, the Netherlands, Ireland, Belgium, Italy, or Spain. This is how we serve authorities under Germany's federal-data rules and France's ANSSI restrictions. The honest trade-off is resilience: pinning to one country limits failover to the points of presence inside it, so we document the recovery plan against that constraint rather than implying a redundancy we cannot provide under the rule.

08

Do you handle B2G e-invoicing over Peppol, or just the email?

Just the email, and we say so plainly. The structured business-to-government invoice — XRechnung in Germany, Factur-X in France, the FACe route in Spain — travels over Peppol from a finance system, and that is not us. We carry the human-readable confirmation, the procedural notification, and the courtesy copy that accompanies the structured document, on EU-resident infrastructure. If a tender asks for the Peppol exchange layer, we name it as a separate component rather than overstating what an email provider does.

09

Do we get audit rights and access to your control evidence?

Yes. Public-sector contracts include annual audit rights, exercised by desk audit in most cases — reviewing the ISO 27001 control-mapping evidence, the GDPR documentation, EN 301 549 conformance evidence, and business-continuity test results — with an on-site option available on notice. The exit-and-portability terms guarantee a structured export of your data and configuration at the end of the contract, which procurement evaluators read closely because vendor lock-in is a scored risk in public tenders.

Ready to talk

Schedule a 45-minute architecture call with an engineer.

No salesperson, no commission, no qualification rounds. Tell us what you are trying to do, we tell you whether we are a fit, and you walk away with a recommendation either way.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment