European Institutions Are Quietly Defecting from Meta's Social Infrastructure
European public institutions are not simply switching social media platforms. They are making a more consequential decision: that public communications infrastructure should not depend on platforms governed by US law, optimized for US advertising markets, and subject to the ownership decisions of private actors who have already, twice in three years, visibly altered what public discourse looks like at scale.
What makes this shift legible is a distinction the tech industry resists making explicit. A platform is a product: one company builds it, owns it, and can be compelled, acquired, or instructed to change it. A protocol is an open standard: it belongs to no one and cannot be switched off by executive order. ActivityPub — the W3C standard underlying Mastodon and the broader fediverse — is a protocol. Twitter was a platform. Facebook is a platform. Bluesky, despite its decentralization rhetoric, is a US-incorporated entity governed by US law. For the purposes of European institutional risk assessment, that makes it a platform.
European institutions are not migrating because a better Facebook has appeared. They are moving toward an architecture in which no Facebook-equivalent can become structurally indispensable — because structural indispensability is itself the vulnerability.
———
On March 31, 2021, the German Federal Office for Information Security — the BSI, the agency responsible for Germany's national cybersecurity posture — joined Mastodon. It became the second German federal agency to do so, publishing security advisories and vulnerability disclosures through social.bund.de, an instance operated by the Federal Commissioner for Data Protection and Freedom of Information. The BSI made this choice eighteen months before Elon Musk acquired Twitter, and well before the legal and geopolitical disruptions of 2025 made US platform dependency visible to a general audience. The BSI was not reacting to a crisis. It was acting on a risk assessment. The agency tasked with protecting Germany from digital threats looked at its own public communications infrastructure and reached the same conclusion it would reach for any critical system: dependency on a platform you do not control, governed by law you cannot invoke, owned by an entity subject to foreign government compulsion, is a vulnerability. It fixed it.
The BSI is not alone. ZDF launched its own Mastodon instance at zdf.social in April 2023. ARD's Tagesschau joined at ard.social in May 2023. The European Commission operates its own instance at ec.social-network.europa.eu. The Court of Justice of the EU runs curia.social-network.europa.eu. When the institutions that drafted the GDPR and the Digital Markets Act chose a federated protocol for their own public communications, the choices were not incidental.
The analytical weight of the BSI's 2021 decision lies in its timing. At the time, it looked principled but perhaps eccentric. By 2025, it looked prescient in ways a risk assessment conducted in 2021 could not fully have anticipated.
———
The question the BSI's decision raises is not whether Mastodon is a better product than Twitter. That is a consumer product question, and it is beside the point. The institutional question is this: can a European public institution responsibly make its communications infrastructure dependent on a US platform? For a growing number of European governments and bodies, the answer is no. Understanding why requires understanding two interlocking legal systems.
The cornerstone is GDPR. On May 22, 2023, Ireland's Data Protection Commission issued a €1.2 billion penalty against Meta — the largest GDPR enforcement action in the regulation's history — for transferring EU user data to US servers in a manner found incompatible with European data protection law. Meta's core business model is structurally incompatible with the EU's treatment of data as a fundamental right. Remove the transatlantic data transfer and the targeting model collapses.
The ECJ's Schrems II ruling in 2020 invalidated the EU-US Privacy Shield on the grounds that US surveillance law — FISA Section 702 in particular — cannot provide the data protection equivalence EU law requires. The replacement EU-US Data Privacy Framework, adopted in 2023, faces an active legal challenge from Max Schrems. It will likely not survive its first ECJ review intact. An institution building its public presence on a US platform is building on a legal foundation that a Luxembourg court can collapse and that the platform's own lawyers cannot fully guarantee.
The Digital Markets Act adds a second layer. Under Article 7, gatekeeper platforms are now legally required to interoperate with open protocols. Meta's compliance response — connecting Threads to ActivityPub — was not a product decision. It was a legal obligation. The EU did not set out to endorse the fediverse. It set out to break open walled gardens, and ActivityPub happened to be the open protocol already built to scale. The regulation reached for the nearest available open standard and found one that a German developer had been building since 2016.
ActivityPub's sovereignty properties are a consequence of its design. A German federal ministry running its own Mastodon instance on German infrastructure has complete legal and technical control over that node in the network. There is no parent company to subpoena, no US headquarters to serve a CLOUD Act order to, no platform whose content moderation decisions the ministry must live with. The data lives where the operator puts it, governed by whatever law the operator is subject to.
———
Three incidents between 2022 and 2025 moved this from theoretical to operational.
In October 2022, Musk's Twitter acquisition revealed that years of institutional communications infrastructure belonged entirely to someone else — and that someone else had just changed his mind about what it was for. European public agencies accelerated activity on federated alternatives. The migration was messy and incomplete. But it established something no policy argument had managed in the preceding decade: that platform dependency is a real operational risk, and that it materializes suddenly.
In January 2025, Meta announced it was ending its US third-party fact-checking program and relaxing political content suppression. For European public health agencies that had built outbreak notification infrastructure on Facebook, this was an operational problem. The European Commission opened a DSA investigation within weeks. Investigation is not remedy — the content policy changed on the day Meta announced it, on a timeline no European authority could affect.
The sharpest incident involved not a social media company but a productivity suite. On February 6, 2025, President Trump signed an executive order sanctioning ICC chief prosecutor Karim Khan over arrest warrants connected to alleged war crimes in Gaza. By May, Khan had lost access to his Microsoft email account and moved to Proton Mail. Brad Smith stated that Microsoft had not ceased services to the ICC. The sequence of events was contested enough that Microsoft subsequently asked the UK Parliament to correct testimony its own spokesperson had given about the matter. On October 31, 2025, the ICC confirmed it was replacing Microsoft Office with openDesk, the open-source suite developed by ZenDiS, the German Centre for Digital Sovereignty of the Public Administration. An international criminal tribunal answerable to 124 member states decided its communications could not safely depend on American software.
In each case the vulnerability was not a hack or a breach. It was the governance architecture of the platform itself — the fact that a US company sat between a European institution and its own operational continuity.
———
Eugen Rochko was completing his computer science degree at Friedrich Schiller University Jena when he built Mastodon in 2016, at twenty-three, out of frustration with Twitter's centralization. He structured it as a nonprofit from the beginning and built on ActivityPub specifically to ensure that no single server would be the platform — that the network itself would be the platform, distributed across thousands of independently operated instances. He was not thinking about the CLOUD Act or European procurement criteria. He was thinking about what Twitter would look like if no one could buy it.
That decision turned out to be precisely the combination European institutional procurement would eventually require. In January 2025, Rochko took the governance logic to its conclusion, transitioning Mastodon to a community nonprofit board structure and stepping back from sole management control. The nonprofit form becomes more durable than any individual's continued involvement — removing the one remaining structural vulnerability an acquisition-minded actor might have tried to exploit.
The parallel to the Schwarz Digits story is not incidental. The Schwarz Group built Stackit because it could not responsibly route sensitive data for 14,200 stores through American cloud providers subject to the CLOUD Act, then discovered it had accidentally built a credible European cloud alternative. Rochko built Mastodon because he wanted a social network no one could ruin by buying it, then discovered he had accidentally built the communications architecture that European regulators were writing into law as the mandatory interoperability standard for the world's largest platforms.
Bluesky's growth deserves acknowledgment: 30 million users by January 2025, 40.2 million by November 2025, with a meaningfully better product experience than Mastodon for most new users. None of that resolves the institutional problem. Bluesky Social PBC is a US-incorporated public benefit corporation, originally funded by Twitter under Jack Dorsey, subject to US law and US government compulsion. For a European user deciding where to post, that is largely irrelevant. For the BSI deciding where to publish security advisories, it is disqualifying. The consumer migration story and the institutional migration story are happening simultaneously and have almost nothing to do with each other.
———
Meta's federation of Threads with ActivityPub is genuine engineering work. The interoperability is real. It also changes nothing about the sovereignty problem. A Mastodon user following a Threads account is receiving content from a Meta-operated server governed by US law, generating engagement data that flows back to Meta's infrastructure and remains available to US authorities under applicable legal process. The protocol is open. The platform is not.
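The data flow described above can be checked from the instance operator's side. The following is an added example, not code from this article or from Mastodon: it lists which remote hosts an instance's outbound ActivityPub activities reference and flags operator-chosen ones. The host names, actor paths and the function name `remote_exposure` are constructed assumptions, and real delivery resolves each actor's inbox, which this audit approximates by URI host.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Special ActivityStreams collection meaning "public"; it is not a delivery target.
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

# Constructed sample outbox for a hypothetical account on ministry.example.
# platform.example stands in for a platform-operated ActivityPub server.
SAMPLE_OUTBOX = [
    {"type": "Follow",
     "actor": "https://ministry.example/users/press",
     "object": "https://platform.example/ap/users/1234"},
    {"type": "Like",
     "actor": "https://ministry.example/users/press",
     "to": ["https://platform.example/ap/users/1234"],
     "object": "https://platform.example/ap/notes/99"},
    {"type": "Announce",
     "actor": "https://ministry.example/users/press",
     "to": [PUBLIC],
     "object": "https://other.example/notes/7"},
    {"type": "Create",
     "actor": "https://ministry.example/users/press",
     "to": [PUBLIC],
     "cc": ["https://ministry.example/users/press/followers"],
     "object": {"type": "Note",
                "id": "https://ministry.example/users/press/statuses/1",
                "content": "Advisory published."}},
]


def _as_list(value):
    """ActivityStreams fields may hold one value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _uri(ref):
    """A reference is either a URI string or an embedded object with an id."""
    if isinstance(ref, str):
        return ref
    if isinstance(ref, dict):
        return ref.get("id")
    return None


def remote_exposure(activities, local_host, flagged_hosts=()):
    """Map each non-local host to the activity types that reference it."""
    flagged = set(flagged_hosts)
    seen = defaultdict(set)
    for act in activities:
        refs = []
        # Addressing fields plus the object cover follows, likes and boosts.
        for field in ("to", "cc", "bto", "bcc", "audience", "object"):
            refs.extend(_as_list(act.get(field)))
        for ref in refs:
            uri = _uri(ref)
            if not uri or uri == PUBLIC:
                continue
            host = urlsplit(uri).hostname
            if host and host != local_host:
                seen[host].add(act.get("type", "Unknown"))
    return {h: {"types": sorted(t), "flagged": h in flagged}
            for h, t in seen.items()}


if __name__ == "__main__":
    report = remote_exposure(SAMPLE_OUTBOX, "ministry.example", {"platform.example"})
    for host, info in sorted(report.items()):
        print(host, info["types"], "FLAGGED" if info["flagged"] else "")
```

A locally addressed public post references no remote host, while a follow or a like does; those interactions are what reach the remote operator's servers.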
On June 18, 2025, Anton Carniaux, Microsoft France's Director of Public and Legal Affairs, testified under oath before a French Senate inquiry commission that his company cannot guarantee EU data is safe from US government access requests. Asked directly whether he could guarantee French citizen data would never be transmitted to US authorities without explicit French authorization, Carniaux answered: "No, I cannot guarantee it." Asked whether a well-framed US government data request would compel Microsoft to transmit the data: "Absolutely, by respecting this process." The structural constraint is not engineering. It is jurisdiction. A company incorporated in the United States is subject to US law regardless of where it builds its data centers. The CLOUD Act has no carve-out for sovereign cloud products.
———
Mastodon is not as good a product as Twitter was at its best, and the piece's credibility depends on saying so plainly. The onboarding experience is confusing, the developer ecosystem is thin, and institutional instances require ongoing administrative costs that US platforms provide invisibly as a service. Bluesky's product development has moved faster. Meta's resources dwarf anything a community nonprofit can deploy.
Schleswig-Holstein's migration of 30,000 civil servants away from Microsoft is instructive. By December 2025, 80% of workplaces had completed migration to LibreOffice, with annual savings exceeding €15 million in Microsoft license costs. Getting there cost years of real operational friction. The lesson is not that migration is easy. It is that it is expensive, slow, and worth doing — and that European governments are beginning to see the returns.
The trade-off that drives these decisions is not symmetric. Performance gaps are incremental and improvable. Sovereignty risks are binary. No amount of product development at Meta resolves the CLOUD Act. No amount of European investment in US platform relationships resolves the fact that a US executive order can disrupt a European institution's communications on a Tuesday afternoon, without warning, without appeal to any European legal authority, and without remedy on any timeline that operational continuity requires. The acceptable risk level for critical institutional communications infrastructure is zero. "Probably fine" is the best guarantee any US platform can honestly offer. Their lawyers have said so under oath.
———
On April 17, 2026, the European Commission awarded a €180 million, six-year sovereign cloud contract to four European providers — Post Telecom, StackIT, Scaleway, and Proximus — explicitly framing the procurement as a mechanism to reinforce strategic control over critical digital infrastructure. The contract is a template: the Commission said it is finalizing a Cloud Sovereignty Framework that member states and EU bodies can reuse for their own procurement. The regulation and the migration continue to converge.
Europe is not trying to build a better internet. It is trying to build a governable one — governable in the specific sense that institutions accountable to European citizens under European law can guarantee their own operational continuity without depending on the goodwill or legal jurisdiction of companies headquartered in a country that has demonstrated, recently and specifically, that it regards digital infrastructure as an instrument of foreign policy.
———
The German Federal Office for Information Security made its infrastructure decision in March 2021, before any of the crises that would vindicate it. It chose a platform built by a twenty-three-year-old student in Jena, run on a community nonprofit model, hosted on federal infrastructure in Germany, reachable by no American executive order and purchasable by no American technology company. By every product benchmark, an inferior tool. By the metric that actually matters to a cybersecurity agency — can a foreign government take this away from us? — the only rational choice.
Mastodon did not set out to be European critical infrastructure. The Digital Markets Act did not set out to endorse the fediverse. The BSI did not set out to run a social media instance. Each arrived at the same architecture by following a different thread of the same argument to its conclusion: institutions accountable to citizens under law should operate on infrastructure accountable to the same citizens under the same law.
The protocol that couldn't be bought turned out to be the only one that answered the right question.
Sources
Legal and Regulatory Framework
US CLOUD Act (2018). Clarifying Lawful Overseas Use of Data Act, Pub. L. 115-141. Full text via Congress.gov. Provisions cited: extraterritorial reach compelling US-headquartered companies to produce data regardless of storage location.
GDPR Articles 46 and 48. Regulation (EU) 2016/679 of the European Parliament and of the Council. Full text via EUR-Lex. Article 46: adequacy requirements for third-country transfers. Article 48: foreign court orders not recognized unless based on international agreement.
ECJ — Schrems II ruling (2020). Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, Case C-311/18. Court of Justice of the European Union, July 16, 2020. Invalidated EU-US Privacy Shield; found US surveillance law (FISA Section 702) incompatible with EU data protection adequacy requirements. EUR-Lex.
EU-US Data Privacy Framework (2023). European Commission adequacy decision, July 10, 2023. Commission Implementing Decision (EU) 2023/1795. EUR-Lex. NOYB legal challenge filed; ECJ referral proceedings ongoing as of publication.
Digital Markets Act. Regulation (EU) 2022/1925. EUR-Lex. Article 7: interoperability obligations for designated gatekeepers. Gatekeeper designations and enforcement timeline: European Commission DMA portal. Meta Threads ActivityPub compliance: Meta official announcement, December 2023.
Digital Services Act. Regulation (EU) 2022/2065. EUR-Lex. European Commission investigation into Meta following January 2025 content moderation changes: European Commission press releases, January–February 2025.
EU Data Act. Regulation (EU) 2023/2854. In force January 11, 2024; applying from September 12, 2025. EUR-Lex.
Data Governance Act. Regulation (EU) 2022/868. EUR-Lex.
NIS2 Directive. Directive (EU) 2022/2555. EUR-Lex.
EU Charter of Fundamental Rights, Article 8. Official Journal of the European Union, C 326/391.
W3C ActivityPub Protocol. World Wide Web Consortium, ActivityPub specification, W3C Recommendation, January 23, 2018. w3.org/TR/activitypub/
———
Enforcement Actions and Regulatory Decisions
Irish Data Protection Commission — Meta €1.2 billion fine. Data Protection Commission, Decision of May 22, 2023. dataprotection.ie. EDPB binding decision of April 13, 2023 directed the fine. Confirmed largest GDPR fine to date: EDPB announcement, May 22, 2023, edpb.europa.eu.
Schrems/NOYB legal challenge to EU-US Data Privacy Framework. Challenge filed 2023. Current ECJ referral status: noyb.eu.
———
Institutional Decisions and Migrations
BSI joins Mastodon (March 31, 2021). BSI official press release: "BSI jetzt auch auf der Open-Source-Plattform Mastodon präsent," April 6, 2021. bsi.bund.de. BSI account launch post: social.bund.de/@bsi, March 31, 2021. social.bund.de instance launched 2020 by BfDI (Federal Commissioner for Data Protection and Freedom of Information); BSI was second German federal agency to join.
ZDF Mastodon instance (zdf.social). ZDF launched zdf.social, April 2023. Reported: Heise Online, April 18, 2023.
ARD/Tagesschau Mastodon (ard.social). Tagesschau joins Mastodon, May 9, 2023. Tagesschau.de official announcement, May 9, 2023.
BBC Mastodon (social.bbc). BBC launches Mastodon presence, July 2023. Mastodon official account post, July 31, 2023.
European Commission Mastodon instance. ec.social-network.europa.eu. Official launch: European Commission Mastodon post, May 17, 2024. Separate from the earlier EU Voice instance at social.network.europa.eu (launched April 2022).
Court of Justice of the EU Mastodon instance. curia.social-network.europa.eu.
European Commission — €180 million sovereign cloud contract. Awarded April 17, 2026. Four providers: Post Telecom (with CleverCloud and OVHcloud), StackIT, Scaleway, Proximus (with S3NS — Thales/Google Cloud joint venture — Clarence, and Mistral). Tender launched October 10, 2025 under Cloud III Dynamic Purchasing System. Duration: six years. Sources: European Commission official announcement, April 17, 2026; The Next Web; TechRepublic; Data Center Dynamics; Reuters; GovInfoSecurity. Note: the contract value is €180 million; the approximate USD equivalent at time of award was $213 million.
Microsoft France Senate testimony (June 18, 2025). French Senate inquiry commission on public procurement and European digital sovereignty. Anton Carniaux, Director of Public and Legal Affairs, Microsoft France, testified under oath that Microsoft cannot guarantee EU data would not be transmitted to US authorities: "No, I cannot guarantee it." Separately confirmed that a well-framed US government data request would compel Microsoft to transmit the data: "Absolutely, by respecting this process." Primary transcript: senat.fr. Reported: The Register, July 25, 2025; Heise Online, July 21, 2025; PPC Land, July 18, 2025; Convotis, August 11, 2025.
Trump executive order sanctioning ICC (February 6, 2025). Executive order signed February 6, 2025. White House. Reported: Fox News; European Parliament Question P-10-2025-002270 (submitted May 2025), europarl.europa.eu.
ICC email disruption (May 2025). Khan loses access to Microsoft email account, May 2025. Moves to Proton Mail. Reported: Associated Press; JusticeInfo.net, March 2026. Brad Smith denial: "at no point did Microsoft cease or suspend its services to the ICC." Microsoft subsequently asked UK Parliament to correct testimony by its own spokesperson. Reported: The Register, February 18, 2026.
ICC adopts openDesk (October 31, 2025). ICC confirms replacement of Microsoft Office with openDesk. Reported: The Register, October 31, 2025; JusticeInfo.net, March 2026. ZenDiS: zendis.de; founded 2022 by German Interior Ministry.
Meta — fact-checking program termination. Meta official announcement, January 7, 2025. Reported: Reuters, BBC, POLITICO Europe.
Schleswig-Holstein Microsoft migration. Status as of December 2025: 80% of workplaces migrated to LibreOffice; annual savings exceeding €15 million; 40,000+ accounts migrated from Exchange/Outlook to Open-Xchange/Thunderbird. State government statement, December 4, 2025. Sources: Heise Online, December 7, 2025; The Register, October 15, 2025; IT's FOSS, December 8, 2025.
Twitter/X acquisition. Elon Musk acquisition of Twitter, October 28, 2022. SEC filings; widely reported.
Schwarz Group / Schwarz Digits / Stackit — De Nederlandsche Bank contract. Announced by Bernd Wagner, Hannover Messe, April 2026. Reported: Techzine Global. schwarz-digits.de, stackit.de.
———
Protagonists and Organizations
Eugen Rochko / Mastodon. Born January 22, 1993. Computer science degree, Friedrich Schiller University Jena. Began coding Mastodon early 2016; published October 2016 (age 23). Sources: Wikipedia/Eugen Rochko; TIME interview, November 8, 2022; Fortune, November 28, 2022.
Mastodon governance transition (2025). January 2025: Rochko announces transition to community nonprofit governance structure. April 2024: US nonprofit established; Twitter co-founder Biz Stone joins board. Sources: Yahoo Tech/TechCrunch, January 2025; TechCrunch, April 29, 2024.
Mastodon initial release. March 16, 2016 (beta); October 2016 (public). Wikipedia/Mastodon (social network).
Bluesky Social PBC. US-incorporated public benefit corporation. Original funding from Twitter/Jack Dorsey. User growth: 30 million users by January 29, 2025; 40.2 million registered users by November 2025. Sources: Backlinko, January 2026; Sprout Social, March 2026.
Meta Threads / ActivityPub federation. Meta announcement, December 2023. Federation rollout through 2024. developers.facebook.com/docs/threads.
AWS European Sovereign Cloud. AWS official announcements. Investment: €7.8 billion. First region: Brandenburg, Germany.
Gaia-X. gaia-x.eu. European Commission launch documentation, 2019.
openDesk / ZenDiS. zendis.de; opendesk.eu.
———
Secondary and Analytical Sources
Stiftung Neue Verantwortung (SNV) — European digital sovereignty analysis. stiftung-nv.de
Access Now — CLOUD Act and European data rights. accessnow.org
IAPP — GDPR enforcement tracker and Schrems II analysis; Meta fine reporting. iapp.org
Center for Strategic and International Studies (CSIS) — European digital sovereignty reporting. csis.org
EDRi (European Digital Rights) — platform accountability and DSA analysis. edri.org
JusticeInfo.net — ICC developments and Microsoft sanctions episode. justiceinfo.net
EJIL:Talk! — legal analysis of ICC sanctions and technology access. ejiltalk.org
The Register — ICC/Microsoft reporting; Schleswig-Holstein migration; Microsoft France Senate testimony; EU sovereign cloud contract. theregister.com
Heise Online — Schleswig-Holstein migration; Microsoft France Senate testimony; BSI/Mastodon. heise.de
Techzine Global — Schwarz Digits/DNB contract. techzine.eu
The Next Web — EU sovereign cloud contract. thenextweb.com
European Parliament — formal questions on ICC/Microsoft: Question P-10-2025-002270. europarl.europa.eu
French Senate — hearing transcript, June 18, 2025. senat.fr
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.