Google’s Wiz Deal Could Become a Trojan Horse in Europe’s Cloud

On January 6, Google notified its proposed USD 32 billion acquisition of cloud security company Wiz to the European Commission. This marks a pivotal moment, not only for the future of cloud markets, but also for whether European competition policy is finally willing to confront the expanding power of Big Tech companies.

The deal follows an earlier USD 23 billion takeover attempt in 2024 that collapsed due to alleged concerns about regulatory hurdles in the United States. This time, Google has upped its game and sweetened the deal with a USD 3.2 billion break-up fee if the deal fails. A change in the US administration appears to have paved the way for early merger approval there in November.

Wiz is a fast-growing cybersecurity success story founded in 2020 as a cloud-agnostic challenger to both hyperscalers’ native tools and traditional vendors. It has become a central component of cloud security for governments, critical infrastructure operators and large enterprises. As a multi-cloud security layer, Wiz provides visibility across Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP) and other environments. If Google acquires Wiz, this neutral multi-cloud visibility would be absorbed into a single hyperscaler’s ecosystem, enabling Google to align Wiz’s products and roadmap with its own cloud strategy.

While Wiz would be Google’s largest acquisition to date, no European competition authority opened a review before the deal reached Brussels. This is striking at a time in which Big Tech’s excessive market power in cloud not only hurts businesses and citizens, but has become an increasingly tangible geopolitical threat to Europe’s digital sovereignty agenda. The European Commission must now review the notification and decide by February 10 whether to clear the deal or open an in-depth merger investigation. To prevent the possibility of Google from taking control of the cloud, Europe must step up and stop a structural consolidation that would give the US gatekeeper unprecedented leverage over Europe’s cloud security architecture.

The Wiz deal threatens competition - and more

This transaction is the latest in Google’s long-standing strategy of expanding its empire. Globally, Google acquired at least 43 companies between 2019 and 2025, and since 2010, it has invested in nearly 6,000 companies globally. However, the Wiz transaction stands out from the others: in addition to being Google’s largest, it follows a series of recent cloud security acquisitions, in particular Mandiant, Chronicle and Siemplify, aimed at strengthening its position against Microsoft and Amazon. The scale of this takeover reflects Google’s gargantuan ambition to become an essential player in “left of boom” (i.e., before cybersecurity attacks happen) cloud security.

With Wiz, Google will become one of the most powerful players in cloud security, combining its GCP with a security platform used across all major clouds. This creates an inherent conflict of interest. Google could shape Wiz’s tools to work best with its own cloud, bundle them across its AI and other services, or steer product development in a way that favours GCP. Independent cybersecurity vendors cannot match these advantages and some have already warned that customers operating on other non-Google clouds risk becoming second-class citizens. Large businesses and public bodies would be left with fewer genuinely independent alternative security providers and weaker bargaining positions.

The merger would also strengthen an already dominant tech giant across yet another layer of the digital stack. By gaining control over a key multi-cloud security tool, Google would be in a position to shape the practical level of interoperability across competing cloud environments. This risks customers becoming more dependent on one provider for cloud and security. That is precisely the type of lock-in the EU’s Data Act is meant to reduce.

The deal raises substantial data governance concerns. Wiz’s multi-cloud deployment gives it deep insight into how organisations configure and secure their systems. Once integrated into Google, that insight could be used to reinforce both Google’s cloud and AI businesses. Some investors have described Wiz as a Trojan horse, giving Google visibility into rival clouds that no competitor could replicate.

Experts also note that the acquisition gives Google access to thousands of Wiz patents, allowing it to buy rather than innovate. This removes an independent source of cloud security innovation and reduces the likelihood that Wiz would develop tools that challenge Google’s broader commercial interests.

Consolidating Wiz inside Google would give one company large-scale access to sensitive operational and strategically valuable information. Centralizing this visibility in a single foreign provider increases the risks of misuse, exposure or leakage, and is likely to reduce transparency. Gatekeeper platforms often invoke “security reasons” to justify limiting what customers and regulators can see about how their services work. If Google controls this security layer, users may struggle to assess their own risks, and regulators may find effective oversight harder.

These issues echo a familiar regulatory pattern: competition authorities have repeatedly underestimated the cumulative impact of Google’s acquisitions on market structure, data concentration and ecosystem leverage, most visibly when the DoubleClick takeover paved the way for Google’s dominance in digital advertising.

In addition to this, the competition concerns sit within a wider security and geopolitical context that has been largely overlooked. Europe has already seen cloud outages disrupt basic services such as hospitals, energy grids and financial services. Deepening Europe’s dependence on a small group of powerful hyperscalers, while handing another critical layer of Europe’s digital infrastructure to one of them, runs directly against the European Commission’s and France and Germany’s stated goals of strengthening European cloud sovereignty.

Europe’s competition authorities must act now

Given these risks, the Google/Wiz merger demands more than routine scrutiny. Now that the transaction has been formally notified, the European Commission must open an in-depth investigation and be prepared to block the deal if the evidence shows that Google’s control of Wiz would distort competition in the cloud and cloud security markets. Wiz has a significant operational presence in the region, including registered subsidiaries in the Netherlands and Germany and offices in France. Its UK revenues reached almost GBP 30 million in 2024. Many major European companies—including LVMH, Siemens, BMW, Shell, and Revolut—are customers of Wiz, which means the deal has direct implications for how sensitive data generated in Europe may be consolidated and controlled by a single Big Tech player.

The fact that this USD 32 billion transaction reached the Commission without any prior European national competition authority scrutiny is revealing. The deal did not trigger national notification thresholds, and no national authority called it in, highlighting a persistent gap whereby strategically important digital deals often fall outside traditional merger thresholds, even when their impact is substantial. Past under-intervention, such as in Google/DoubleClick, shows how easily the impacts of such deals can be misjudged. If recently expanded merger regimes in countries such as Germany or the United Kingdom cannot capture a transaction of this magnitude, it raises questions about the effectiveness of those reforms and whether the EU framework is equipped to address high-risk digital infrastructure deals.

Countries currently considering below-threshold merger regimes, including France and the Netherlands, should treat the Google/Wiz as a clear test-case. Without mechanisms capable of assessing strategically relevant digital infrastructure acquisitions, Europe will continue to miss the very transactions that reshape power for years to come.

If Europe is serious about maintaining competitive cloud and cloud security markets, the European Commission must not only investigate but must also be prepared to block the Google/Wiz deal.