Analysis
Market Differentiators
This research examines the European subsegment of the endpoint protection market covered in the Magic Quadrant for Endpoint Protection. Gartner estimates that, despite ongoing disruptions, the endpoint protection market in Europe grew by approximately 10% in 2025 compared with the previous year. The market is expected to generate more than $4.5 billion in revenue by 2028, based on constant currency. Europe accounts for roughly 20% of global endpoint protection revenue. We anticipate that positive, though slightly slower, growth will continue over the coming years (see Forecast: Information Security, Worldwide, 2024-2030, 1Q26).
According to Magic Quadrant survey data, U.S.-based endpoint protection providers hold about 60% of the global market share when measured by the number of actively licensed endpoint protection seats. In contrast, vendors headquartered in Europe hold only an estimated 15%, primarily within the small and midsize business (SMB) and midmarket segments.
Europe is not a homogeneous market, but the heightened geopolitical instability has raised concerns in both the public and private sectors about the overreliance on cybersecurity vendors headquartered outside of Europe. This has driven a push for technological sovereignty in specific European submarkets where customers place a high value on:
Regional legal entities subject to local laws and regulations
Local staffing for sales, operations, support, and services
Local data hosting and processing to ensure regulatory compliance and reduce foreign exposure
Transparency in data processing, including audit trails and both technical and legal controls
On-premises and hybrid deployment models, particularly for highly regulated sectors
Region-specific threat research and intelligence
Local language support
This environment drives stricter requirements and enforcement for data residency, operational sovereignty, and technological independence from foreign technology providers.
Analysis of Gartner end-user inquiry trends demonstrates that European organizations are more cautious about vendors and cloud infrastructure providers perceived as vulnerable to extraterritorial access (e.g., the U.S. CLOUD Act or China’s security laws), and are shifting preferences toward providers with clear legal and technical controls that protect data from foreign government access. While nonregulated organizations were previously open to relying on global providers, today’s heightened risk landscape is making geopatriation of critical workloads a more common response (see Top Strategic Technology Trends for 2026: Geopatriation).
Historically in Europe, sovereignty focused on data protection, ensuring data was protected regardless of location, in line with European norms and regulations (such as the GDPR). Today, the drive for digital sovereignty has shifted toward reducing dependency on foreign-controlled infrastructure and services.
As a result, many European organizations are now reassessing regional data hosting and underlying cloud infrastructure, exploring on-premises management and deployment options, evaluating European endpoint protection providers, and adopting multitenant strategies for operations across jurisdictions.
Geopatriation is creating opportunities for regional vendors to gain market share. However, many European organizations find that transitioning to local alternatives is less appealing because it impacts other priorities such as cybersecurity vendor rationalization and cost optimization. Moreover, no single country or region can sustainably achieve full technological autonomy at a commercially viable scale, given the complexity of the hardware supply chain.
Achieving full independence from global cybersecurity vendors while meeting cybersecurity objectives will require years of sustained focus and investment from the broader European technology provider ecosystem, not only endpoint protection vendors. At the same time, global vendors are accelerating their sovereign offerings to reassure customers and prevent market share erosion, although much of the vendor messaging is “compliance theater” rather than meaningful change.
Key factors affecting future outcomes:
Measurable independence from global technology providers among European enterprises is unlikely within the next five years.
Regulatory and government pressure may increase demand for European vendors; however, limited enterprise features and narrow portfolios could hinder growth.
An escalation of global tensions could drive more restrictive procurement policies, while decreasing tensions might slow the shift toward geopatriation.
If non-European vendors successfully localize their offerings and address sovereignty concerns, they may retain dominance, particularly among large enterprises and multinational organizations.
Considerations for Technology and Service Selection
Disclaimer: While Gartner insights may reference related legal issues, we do not provide legal advice or services, and our guidance should not be construed or used as a specific guide to action. We encourage you to consult with your legal counsel in considering and applying the advice and recommendations contained in our research.
Digital sovereignty has shifted from a manageable regulatory risk focused on a subset of an organization’s data to a holistic requirement for business continuity among European organizations. However, there are no one-size-fits-all or sovereign-by-design solutions. Sovereignty exists on a spectrum that typically involves trade-offs in cost, scalability, data survivability, functional depth, and effectiveness. For further details, see Digital Sovereignty Is Needed for Future Technological Resilience and Business Outcome.
The primary motivation for cybersecurity leaders is to adapt procurement strategies and gradually insulate the business from future localized disruptions (geopolitical or otherwise), while providing a stable operating environment. This is achieved through:
Methodical, incremental investment in sovereign offerings to replace existing services
Diversification where no sovereign alternative exists, focusing on reducing residual sovereign risk and distributing it across multiple countries or regions as a hedge against localized disruption
This research will address Gartner’s three sovereignty pillars aligned with the European Commission’s Cloud Sovereignty Framework:
Data sovereignty: Control over data location and access
Assessment criteria: Hosting locations, data minimization and anonymization practices, data access and permissions, encryption key management, and contractual clauses
Cautions: Assess that the provider does not, intentionally or unintentionally, transfer data and metadata outside the specified location, especially when using additional services.
Operational sovereignty: Visibility into and control over provider actions
Assessment criteria: Operational control of core product services and hosting infrastructure under European jurisdiction, independence from foreign entities, local staffing, transparency
Caution: Assess the degree of separation of the operational unit within the regional legal entity, ensuring it is locally staffed for the required services to allow control plane autonomy.
Technological sovereignty: Autonomy and continuity without reliance on the provider
Assessment criteria: Country of origin for the technology stack, research and development locations, on-premises management, supply chain components, regulatory compliance
Caution: Remedies for technological sovereignty are complex and lead to sacrificing the key characteristics that make cloud offerings attractive, such as innovation and service delivery.
The specific requirements relevant to your organization will directly impact the shortlist of endpoint protection providers. At a high level, these vendors can be grouped as follows:
Endpoint protection vendors headquartered in Europe
Non-European vendors with cloud hosting points of presence (POPs) in Europe
Non-European vendors offering on-premises management and deployment
Foreign dependencies:
U.S.-based cloud infrastructure providers, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, to host endpoint protection products in various regions, including Europe
Some endpoint protection vendors are partnering with European hosting providers, such as OVHcloud, STACKIT (subsidiary of Schwarz Group), and SysEleven (subsidiary of secunet AG), while others are exploring the use of the AWS European Sovereign Cloud (ESC), aiming to deliver sovereign-enough offerings.
Non-European components within the software development ecosystem
Non-European components within the hardware and firmware ecosystem
Non-European large language models (LLMs) for generative AI assistant functionality
Recommendations:
Cybersecurity leaders must partner with CIOs to develop and execute tailored sovereignty strategies that address their organization’s unique requirements for control over data, operations, and technology. For further detail, see Gartner’s European CIOs Sovereign Strategy Playbook. Balance sovereignty requirements with cybersecurity needs. Unless your organization is a highly regulated organization, do not compromise cybersecurity effectiveness in pursuit of sovereignty alone.
Avoid blanket demands for maximum sovereignty across all protected assets and environments, as this may exclude most global options and will be impractical in the short to medium term.
Require evidence from providers on data residency, processing, storage, the impact of sovereign offerings on functionality, and the legal and technical controls to prevent unauthorized access.
Multinational organizations headquartered outside Europe but with a European presence will likely have varying sovereignty requirements across data, operational, and technological areas, and are more likely to retain global vendors that provide localized data hosting for local branches.
Notable Vendors
Vendors included in this Magic Quadrant Perspective have customers that are successfully using their products and services. Selections are based on analyst opinion and references that validate IT provider claims; however, this is not an exhaustive list or analysis of vendors in this market. Use this perspective as a resource for evaluations, but explore the market further to gauge the ability of each vendor to address your unique business problems and technical concerns. Consider this research as part of your due diligence and in conjunction with discussions with Gartner analysts and other resources.
Endpoint Protection Vendors Headquartered in Europe
Acronis
Overview: Acronis is headquartered in Schaffhausen, Switzerland, and is owned by EQT AB, a Sweden-based investment firm. Acronis Cyber Protect Cloud is the product that includes integrated endpoint protection capabilities. It supports Windows, macOS, and Linux OS. Supported delivery models include SaaS and on-premises management. In addition to endpoint protection, the vendor offers backup and recovery, email security, security awareness training, and data loss prevention. Most of Acronis’ customers are SMBs in Europe, North America, and Japan.
Europe context:
Data sovereignty: Acronis offers SaaS cloud hosting POPs in Austria, Bulgaria, Czechia, Denmark, Finland, France, Germany, Greece, Hungary, Italy, Liechtenstein, Norway, Poland, Romania, Spain, Sweden, Switzerland, U.K., and other international locations.
Operational sovereignty: Acronis operates its endpoint protection product services for EU customers through EU-based teams and hosts the product using third-party European colocation providers.
Technological sovereignty: Acronis offers an on-premises endpoint protection product deployment option, including support for air-gapped environments.
Presence of resources: Most of Acronis’ research and development is based in Bulgaria and Singapore, with technical support also located in Israel and the United States.
Language support: Acronis’ management console is available in English, Bulgarian, Czech, Danish, Dutch, Finnish, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Russian, Serbian, Spanish, Swedish, Turkish, and numerous other languages.
Known dependencies: Non-European components within the firmware, hardware, and software development supply chain, as well as third-party LLMs for generative AI assistant functionality.
Bitdefender
Overview: Bitdefender is headquartered in Bucharest, Romania, and is managed by its original founders, with a small number of private equity investors. Bitdefender GravityZone is the core endpoint protection product. It supports Windows, macOS, and Linux OS. Supported delivery models include SaaS and on-premises management. In addition to endpoint protection, the vendor offers hardening and attack surface reduction, email security, identity protection, and managed detection and response (MDR) services. Most of Bitdefender’s customers are SMBs and midsize enterprises in Asia/Pacific, Europe, North America, and South America.
Europe context:
Data sovereignty: Bitdefender offers SaaS cloud hosting POPs in France, Germany, and other international locations, including Australia, Singapore, and the United States. GCP, OVHcloud, and SysEleven are the underlying cloud infrastructure providers; however, Bitdefender manages the encryption keys to protect customer data.
Operational sovereignty: Bitdefender operates its endpoint protection product services for EU customers through EU-based teams and offers deployment model extensions that include cloud hosting with European cloud infrastructure providers.
Technological sovereignty: Bitdefender offers an on-premises endpoint protection product deployment option, including support for air-gapped environments.
Presence of resources: Most of Bitdefender’s research and development centers are located in Europe, and the vendor offers a broad international presence through its technical support centers.
Language support: Bitdefender’s management console is available in English, Czech, French, German, Italian, Japanese, Korean, Polish, Portuguese, Romanian, Simplified Chinese, Spanish, Turkish, and Vietnamese.
Known dependencies: Non-European components within the firmware, hardware, and software development supply chain, as well as LLMs for generative AI assistant functionality.
ESET
Overview: ESET is headquartered in Bratislava, Slovakia, and is independently run by its original founders. ESET PROTECT is the core endpoint protection product. It supports Windows, macOS, and Linux OS. In addition to endpoint protection, the vendor offers vulnerability assessment and patch management, email security, server and workload protection, and MDR services. Supported delivery models include SaaS and on-premises management. Most of ESET’s customers are SMBs and midsize enterprises in Asia/Pacific and Europe.
Europe context:
Data sovereignty: ESET offers SaaS cloud hosting POPs in Germany, the Netherlands, and other international locations, including Canada, Japan, and the United States. Microsoft Azure is the underlying cloud infrastructure provider; however, ESET manages the encryption keys to protect customer data in Azure.
Operational sovereignty: ESET operates its endpoint protection product services for EU customers through EU-based teams; however, it does not currently offer an AWS ESC deployment option.
Technological sovereignty: ESET offers an on-premises endpoint protection product deployment option, including support for air-gapped environments.
Presence of resources: Most of ESET’s research and development centers are located in Europe, and the vendor offers a broad international presence through its technical support centers.
Language support: ESET’s management console is available in English, Arabic, Canadian French, Chilean Spanish, Croatian, Czech, French, German, Greek, Hungarian, Indonesian, Italian, Japanese, Korean, Polish, Portuguese, Russian, Simplified Chinese, Slovak, Spanish, Traditional Chinese, Turkish, and Ukrainian.
Known dependencies: Microsoft Azure cloud infrastructure, non-European components within the firmware, hardware, and software development supply chain, as well as third-party LLMs for generative AI assistant functionality.
HarfangLab
Overview: HarfangLab is headquartered in Paris, France. Key investors include Crédit Mutuel Innovation, Elaia, and MassMutual Ventures. HarfangLab Guard is the core endpoint protection product. It supports Windows, macOS, and Linux OS. Supported delivery models include SaaS and on-premises management. In addition to endpoint protection, the vendor offers vulnerability assessment and attack surface management. Most of HarfangLab’s customers are midsize and large organizations in France.
Europe context:
Data sovereignty: Vendor offers multiple SaaS cloud hosting POPs in France. OVHcloud is the underlying cloud infrastructure provider; however, HarfangLab manages the encryption keys to protect customer data in OVHcloud.
Operational sovereignty: HarfangLab operates its endpoint protection product services for all customers through EU-based teams and utilizes a European cloud infrastructure provider.
Technological sovereignty: HarfangLab offers an on-premises endpoint protection product deployment option, including support for air-gapped environments.
Presence of resources: Most of HarfangLab’s research and development, as well as its technical support centers, are located in France.
Language support: HarfangLab’s management console is available only in English.
Known dependencies: European and non-European components within the firmware, hardware, and software development supply chain, including third-party LLMs for generative AI assistant functionality. Mistral AI, a France-based AI company, is the third-party LLM provider.
Heimdal
Overview: Heimdal is headquartered in Copenhagen, Denmark, and is owned by Marlin Equity Partners, a U.S.-based investment firm. Heimdal Endpoint Detection and Response is the core endpoint protection product. It supports Windows, macOS, and Linux OS. The supported delivery model includes SaaS. In addition to endpoint protection, the vendor offers vulnerability assessment, privileged access management, email security, DNS security, and MDR services. Most of Heimdal’s customers are SMBs and midsize enterprises in Europe and Great Britain.
Europe context:
Data sovereignty: Heimdal offers SaaS cloud hosting POPs in the Netherlands, United Kingdom, and the United States. Microsoft Azure is the underlying cloud infrastructure provider; however, Heimdal manages the encryption keys to protect customer data in Azure.
Operational sovereignty: Heimdal operates its endpoint protection product services for EU and U.K. customers through EU-based teams; however, it does not currently offer an AWS ESC deployment option.
Technological sovereignty: Heimdal does not offer an on-premises endpoint protection product deployment option.
Presence of resources: Most of Heimdal’s research and development, as well as its technical support centers, are located in Romania.
Language support: Heimdal’s management console is available in English, Danish, French, German, Japanese, and Polish.
Known dependencies: Microsoft Azure cloud infrastructure, non-European components within the firmware, hardware, and software development supply chain, as well as third-party LLMs for generative AI assistant functionality.
Sophos
Overview: Sophos is headquartered in Abingdon, England, U.K., and is owned by Thoma Bravo, a U.S.-based investment firm. Sophos Endpoint powered by Intercept X is the core endpoint protection product. It supports Windows, macOS, and Linux OS. The supported delivery model includes SaaS. In addition to endpoint protection, the vendor offers network security, secure access, email security, identity protection, and MDR services. Most of Sophos’ customers are SMBs and midsize organizations in Europe and North America.
Europe context:
Data sovereignty: Sophos offers SaaS cloud hosting POPs in Germany, Ireland, and other international locations, including Australia, Brazil, Canada, India, Japan, the UAE, and the United States. AWS is the underlying cloud infrastructure provider; however, Sophos manages the encryption keys to protect customer data in AWS.
Operational sovereignty: Sophos operates its endpoint protection product services for EU and U.K. customers through U.K.-based teams; however, it does not currently offer an AWS ESC deployment option.
Technological sovereignty: Sophos discontinued its on-premises endpoint protection product deployment option in July 2023.
Presence of resources: Sophos has a broad international presence, with research and development as well as technical support centers in Asia/Pacific, Europe, Great Britain, and North America.
Language support: Sophos’ management console is available in English, Brazilian Portuguese, French, German, Italian, Japanese, Korean, Spanish, and Traditional Chinese.
Known dependencies: AWS cloud infrastructure, non-European components within the firmware, hardware, and software development supply chain, as well as third-party LLMs for generative AI assistant functionality.
WithSecure
Overview: WithSecure is headquartered in Helsinki, Finland, and is primarily owned by CVC Capital Partners PLC, a Jersey-based private equity and investment advisory firm. WithSecure Elements XDR is the core endpoint protection product. It supports Windows, macOS, and Linux OS. Supported delivery models include SaaS and on-premises management. In addition to endpoint protection, the vendor offers vulnerability and exposure assessment, email security, identity protection, and MDR services. Most of WithSecure’s customers are SMBs and midsize organizations in Europe.
Europe context:
Data sovereignty: WithSecure offers a SaaS cloud hosting POP in Ireland. Other international locations, including Australia, Japan, Singapore, and the United States, are used primarily for latency optimization and regional malware analytics. AWS is the underlying cloud infrastructure provider; however, WithSecure manages the encryption keys to protect customer data in AWS.
Operational sovereignty: WithSecure operates its endpoint protection product services for EU customers through EU-based teams. WithSecure announced plans to make its offering available on the AWS ESC in Germany.
Technological sovereignty: WithSecure has announced the end of life for WithSecure Business Suite, its on-premises endpoint protection product deployment option, effective September 2028.
Presence of resources: All of WithSecure’s research and development, as well as its technical support centers, are located in Europe.
Language support: WithSecure’s management console is available in English, Finnish, French, German, Italian, Japanese, Portuguese, Spanish, Swedish, and Traditional Chinese.
Known dependencies: AWS cloud infrastructure, non-European components within the firmware, hardware, and software development supply chain, as well as third-party LLMs for generative AI assistant functionality.
Non-European Endpoint Protection Vendors
Non-European vendors with cloud hosting POPs in Europe:
Check Point Software Technologies (headquartered in Tel Aviv, Israel)
CrowdStrike (headquartered in Austin, Texas, U.S.)
Fortinet (headquartered in Sunnyvale, California, U.S.)
Microsoft (headquartered in Redmond, Washington, U.S.)
Palo Alto Networks (headquartered in Santa Clara, California, U.S.)
SentinelOne (headquartered in Mountain View, California, U.S.)
Trellix (headquartered in Plano, Texas, U.S.)
TrendAI (headquartered in Tokyo, Japan)
Non-European vendors with on-premises management and deployment:
Check Point Software Technologies (headquartered in Tel Aviv, Israel)
SentinelOne (headquartered in Mountain View, California, U.S.)
Trellix (headquartered in Plano, Texas, U.S.)
TrendAI (headquartered in Tokyo, Japan)