VMware Workspace ONE EU Alternative 2026: Broadcom's $61B Acquisition and CLOUD Act 19/25 Risk for European Enterprises
Post #1205 in the sota.io EU Cyber Compliance Series
When Broadcom completed its acquisition of VMware in November 2023 for $61 billion, the transaction did more than transfer corporate ownership of the world's dominant enterprise virtualisation platform. It placed VMware Workspace ONE — the endpoint management platform running on millions of European corporate devices — under the operational control of a US corporation with extensive US government relationships, FedRAMP authorizations across its portfolio, and a documented track record of using acquisitions to aggressively restructure customer commercial relationships.
For European enterprises managing corporate endpoints under GDPR Article 32, NIS2 Article 21(2)(g), and an increasingly assertive European regulatory environment, the Broadcom acquisition creates new compliance calculus that extends far beyond the immediate question of licensing costs.
CLOUD Act Risk Score: 19/25
Broadcom Inc., San Jose, California — incorporated in the State of Delaware.
| Risk Factor | Score |
|---|---|
| US parent company (Broadcom Inc., principal HQ San Jose CA, NASDAQ: AVGO) | 5/5 |
| FedRAMP Moderate/High authorization (Workspace ONE US government deployment) | 4/5 |
| FISA Section 702 exposure (US-domiciled cloud service provider) | 4/5 |
| NSL/DOJ cooperation potential (US enterprise MDM, device identity data) | 3/5 |
| Workspace ONE Intelligence telemetry scope (DEX analytics, US-hosted SaaS) | 3/5 |
| Total | 19/25 |
The score of 19/25 places VMware Workspace ONE second in the EU MDM Series — behind Microsoft Intune (21/25, the confirmed PRISM participant) but significantly above Jamf (16/25) and ahead of the EU-native alternatives assessed in this series.
The 19/25 score reflects one structural characteristic that distinguishes Broadcom from other MDM vendors: Broadcom is a US national security-adjacent company. In 2017, the Committee on Foreign Investment in the United States (CFIUS) blocked Broadcom's attempted acquisition of Qualcomm, citing national security concerns. CFIUS blocking an acquisition of a US company by a then-Singapore-domiciled Broadcom reveals the depth of US government interest in Broadcom's corporate footprint. When Broadcom subsequently redomiciled to the United States, it did so with explicit US government approval — signalling a formal alignment of Broadcom's corporate structure with US national security interests.
This context matters for CLOUD Act exposure assessments. Under 18 U.S.C. §2713, US law compels US corporations — including Broadcom — to provide stored communications and records to US government agencies regardless of where those records are physically stored.
The Broadcom Acquisition: What Changed for European Customers
From VMware Inc. (Palo Alto, CA) to Broadcom Inc. (San Jose, CA)
VMware was incorporated in 1998 in Palo Alto, California. The company went public in 2007 and was majority-owned by Dell Technologies until Broadcom's acquisition. Throughout this period, VMware operated as a publicly-traded US corporation with all the CLOUD Act exposure that entails. The November 2023 Broadcom acquisition did not change the underlying US jurisdiction — but it changed everything else.
Broadcom's post-acquisition restructuring of VMware (2023–2024):
-
End of perpetual licenses: Broadcom announced the end-of-sale for all VMware perpetual licenses in December 2023. European enterprises that had purchased perpetual vSphere, vSAN, or NSX licenses — intentionally avoiding ongoing cloud dependencies — were compelled to migrate to subscription models or transition away from VMware entirely.
-
Forced cloud migration: Workspace ONE UEM on-premises deployments became economically disadvantaged as Broadcom concentrated development investment in the cloud-hosted SaaS version. European IT departments that had specifically chosen on-premises Workspace ONE to limit US-cloud data exposure found their sovereignty strategy undercut.
-
Price restructuring: Broadcom's commercial restructuring resulted in reported price increases of 100–300% for many existing VMware customers. The Broadcom CEO Hock Tan has executed the same pattern across previous acquisitions: CA Technologies ($18.9B, 2018) and Symantec Enterprise Security ($10.7B, 2019). In each case, Broadcom raised prices, reduced support staffing, and concentrated customers into fewer, higher-revenue tiers.
-
Workspace ONE Intelligence moved to SaaS-first: Workspace ONE Intelligence — the DEX (Digital Employee Experience) analytics and automation layer — operates exclusively as a US-hosted SaaS service. European device telemetry processed through Intelligence (application performance metrics, device health scores, user experience analytics) routes to US Broadcom infrastructure.
AirWatch History: US-Origin MDM from Day One
Workspace ONE UEM is the rebranded AirWatch platform. AirWatch was founded in Atlanta, Georgia in 2003 by John Marshall and Alan Dabbiere. VMware acquired AirWatch in January 2014 for $1.54 billion — then the largest acquisition in VMware's history.
The AirWatch provenance matters for architectural understanding: Workspace ONE UEM was designed as a US SaaS-first platform. The enrollment infrastructure, certificate management services, APNs relay services, and command queuing systems were built in US data centres from the beginning. While Broadcom has expanded data centre regions, the core platform architecture reflects its Atlanta-origin SaaS heritage.
Device Enrollment Service (DES) data flows under Workspace ONE:
| Data Category | System | US Jurisdiction? |
|---|---|---|
| Device identity (UDID, serial, IMEI) | Workspace ONE UEM cloud | Yes — Broadcom US infrastructure |
| APNs tokens (iOS/macOS) | Apple Push Notification Service | Yes — Apple US servers |
| Google FCM tokens (Android) | Firebase Cloud Messaging | Yes — Google US servers |
| Device certificates (SCEP) | Workspace ONE UEM PKI | Yes — Broadcom US |
| Enrollment profiles | Workspace ONE UEM cloud | Yes — Broadcom US |
| App inventory | Workspace ONE UEM cloud | Yes — Broadcom US |
| Compliance policy results | Workspace ONE UEM cloud | Yes — Broadcom US |
| User identity (Active Directory sync) | Workspace ONE Access (vIDM) | Yes — Broadcom US |
| DEX analytics | Workspace ONE Intelligence | Yes — US SaaS only |
Every device enrolled in Workspace ONE UEM — whether a Windows laptop, macOS workstation, iOS device, or Android phone — has its device identity, enrollment profile, and compliance state stored in Broadcom's US-controlled infrastructure. Under 18 U.S.C. §2713, this data is accessible to US government agencies upon lawful order.
Workspace ONE Intelligence: The Telemetry Layer Under US Jurisdiction
Workspace ONE Intelligence is the component most likely to create GDPR Article 28 violations for European enterprises, because it is the component most directly processing personal data beyond the expected scope of device management.
What Workspace ONE Intelligence collects:
-
Digital Employee Experience (DEX) scoring: Composite scores derived from device boot time, login time, application launch latency, crash frequency, and network connectivity. These scores are computed on a per-user basis — they are personal data under GDPR Article 4(1).
-
Application usage analytics: Which applications employees use, how frequently, for how long, and on what devices. This data is processed in Workspace ONE Intelligence's US-hosted analytics engine.
-
Network performance telemetry: Wi-Fi SSID connections, signal strength, roaming events, VPN tunnel performance. Correlating network data with device identity creates a location-adjacent record.
-
Carbon Black integration telemetry: European organisations using the integrated Workspace ONE + Carbon Black EDR stack send endpoint behavioural data to both platforms — both under Broadcom US jurisdiction.
-
Custom intelligence automation: Workspace ONE Intelligence allows automated remediation workflows based on telemetry — meaning the US-hosted platform actively executes policy decisions on European devices.
The Intelligence platform operates under Broadcom's cloud Terms of Service, which subjects all data to US law. European enterprises processing employee personal data through Intelligence without explicit GDPR Article 28 data processing agreements that account for CLOUD Act exposure are operating in a legal grey zone that the European Data Protection Board's post-Schrems II guidance explicitly flags as problematic.
FedRAMP Authorization: The US Government Deployment Signal
Workspace ONE UEM holds FedRAMP Moderate authorization for US government deployments. FedRAMP authorization has a dual significance for CLOUD Act risk assessments:
-
It confirms the platform handles US government data: FedRAMP Moderate-authorized platforms are used by US federal agencies. This creates a structural relationship between Broadcom and US government IT operations that does not exist for non-FedRAMP vendors.
-
It confirms compliance posture for US government requests: A FedRAMP-authorized vendor has documented processes for responding to US government data requests — including under FISA Section 702 and the CLOUD Act. The authorization certifies that these processes exist and function.
For European regulators assessing whether a vendor is likely to comply with US government data requests, FedRAMP authorization is evidence of an established, tested compliance channel.
NIS2 Article 21 Supply Chain Analysis
Under NIS2 Directive Article 21(2)(d), essential and important entities must implement supply chain security measures "regarding the security in network and information systems of suppliers." Mobile device management platforms are Tier-1 supply chain dependencies — they hold the master credential authority over every managed endpoint.
Workspace ONE UEM as a Tier-1 supply chain dependency:
- Root certificate authority for device trust
- Remote wipe capability over all enrolled devices
- Application deployment and removal authority
- VPN tunnel configuration authority (Workspace ONE Tunnel)
- Compliance gate for network access control
- Identity brokerage (Workspace ONE Access as SSO/IdP)
If Broadcom's Workspace ONE infrastructure is compromised — as VMware was by nation-state actors in 2022 (CVE-2022-22954: VMware Workspace ONE Access remote code execution, CVSS 9.8) — the blast radius encompasses every managed device in the affected organisation.
NIS2 Article 21(2)(d) requires entities to assess their supply chain. A Workspace ONE UEM deployment under NIS2 requires the following documented risk assessment: What is the CLOUD Act exposure of our primary device management platform, and how does it interact with our GDPR Article 28 obligations?
The answer for Broadcom Workspace ONE is clear: the platform is operated by a US corporation, its intelligence analytics run exclusively in US infrastructure, and US law can compel production of device identity and telemetry data held by Broadcom regardless of the physical location of the data.
Broadcom's Track Record: Why Sovereignty Planning Matters Beyond CLOUD Act
CLOUD Act exposure is a legal risk. Broadcom's operational track record introduces an additional business continuity risk specific to this vendor.
Broadcom acquisitions and post-acquisition patterns:
| Acquisition | Year | Price | Post-Acquisition Outcome |
|---|---|---|---|
| Brocade Communications | 2017 | $5.9B | Networking assets kept; storage networking sold |
| CA Technologies | 2018 | $18.9B | Support staff cut 40%+; perpetual licenses ended; customers reported 2–4× price increases |
| Symantec Enterprise | 2019 | $10.7B | Renamed NortonLifeLock; enterprise business restructured; many customers migrated to alternatives |
| VMware | 2023 | $61B | Perpetual licenses ended; price restructuring 100–300%; cloud-only roadmap enforced |
European enterprises with decade-long VMware investments have experienced Broadcom's post-acquisition pattern directly. The forced cloud subscription migration of 2024 moved on-premises Workspace ONE UEM deployments — which European IT teams had accepted precisely because they minimised cloud data exposure — onto Broadcom's US-hosted SaaS infrastructure.
This is not a theoretical risk. European enterprises are actively evaluating Workspace ONE alternatives in 2026 because of Broadcom's commercial restructuring — creating a window for EU-native MDM adoption that aligns with GDPR and NIS2 compliance objectives.
EU-Native Alternatives: CLOUD Act Scores
| Vendor | HQ | CLOUD Act Score | Key Differentiator |
|---|---|---|---|
| baramundi management suite | Augsburg, Germany (Freudenberg SE group) | 0/25 | Windows-first, WSUS replacement, 100% German corporate chain |
| ACMP by Aagon | Soest, NRW, Germany | 0/25 | 500+ German enterprise customers, KRITIS-sector deployments |
| Matrix42 UEM | Frankfurt, Germany | 1/25 | 25+ years, enterprise-grade, Vector Capital PE (US investor, but German corp) |
| Cortado MDM | Berlin, Germany | 0/25 | Apple-specialist (iOS/macOS), Berlin-based founding team |
| VMware Workspace ONE | San Jose, CA (Broadcom) | 19/25 | Broadcom CLOUD Act exposure, forced cloud migration, FedRAMP authorized |
baramundi management suite (0/25)
Augsburg-based baramundi is a subsidiary of Freudenberg SE, the German industrial conglomerate headquartered in Weinheim, Baden-Württemberg. Freudenberg has no US parent company and no US-listed entity controlling baramundi operations.
baramundi specialises in Windows endpoint management and positions itself explicitly as the best WSUS replacement — Microsoft deprecated WSUS for feature updates in June 2024, creating an immediate migration opportunity that baramundi has captured in the German enterprise market. For European organisations running Windows-heavy estates (the primary Workspace ONE UEM use case in many enterprises), baramundi provides comparable UEM capabilities with zero CLOUD Act exposure.
Key capabilities: Windows, macOS, Linux, iOS, Android endpoint management. Software distribution. Patch management (as WSUS successor). Compliance reporting. OS deployment. Asset management.
ACMP by Aagon (0/25)
Aagon GmbH, based in Soest, North Rhine-Westphalia, serves more than 500 enterprise customers across DACH (Germany, Austria, Switzerland). ACMP (Aagon Client Management Platform) covers the full UEM spectrum: software distribution, patch management, remote control, mobile device management (MDM), and ITSM integration.
Aagon is a privately-held German company with no US corporate parent. For KRITIS-sector organisations (energy, water, healthcare, digital infrastructure) that NIS2 designates as essential entities, Aagon's entirely German corporate chain simplifies the GDPR Article 28 documentation requirement — no cross-border transfer analysis under GDPR Chapter V is required.
Matrix42 UEM (1/25)
Matrix42 AG, headquartered in Frankfurt am Main, has been providing enterprise IT management software since 1992. The company is owned by Vector Capital, a San Francisco-based private equity firm — which introduces a single US-connected ownership factor, reflected in the 1/25 score.
However, Matrix42's software operates on European infrastructure, the company is incorporated and registered in Germany, and Vector Capital's ownership does not create the direct CLOUD Act exposure that a US parent operating US-domiciled cloud infrastructure would create. For organisations that can document this distinction in their GDPR Article 28 DPA, Matrix42 remains a significantly lower-risk alternative to Workspace ONE.
Key capabilities: Windows/macOS/Linux/iOS/Android UEM, service management, self-service portal, workspace virtualisation integration, enterprise app store.
Cortado MDM (0/25)
Cortado Mobile Solutions GmbH is a Berlin-based company specialising in Apple device management — iOS, iPadOS, and macOS. Cortado was founded by Carsten Mickeleit, who previously created Cortado Corporate Server (enterprise printing and document management). The MDM platform is built specifically for Apple MDM protocol compliance.
For European organisations with predominantly Apple device fleets (common in creative, media, design, and professional services sectors), Cortado provides native Apple MDM support with no US corporate parent exposure. Note: like all Apple MDM vendors, Cortado routes iOS/macOS push notifications through Apple's APNs infrastructure (US-based thin channel). Cortado's own data infrastructure, however, is European.
12-Week Migration Guide: Workspace ONE to EU-Native MDM
Migrating from Workspace ONE UEM to a EU-native MDM platform requires coordinated planning across device enrollment, policy migration, application deployment, and identity provider changes. The following 12-week framework applies to a mid-enterprise deployment (500–2,000 endpoints).
Weeks 1–2: Inventory and Assessment
Export the complete Workspace ONE UEM device inventory: all enrolled devices with OS version, enrollment date, last check-in, compliance status, and assigned profiles. Generate a full list of deployed MDM profiles (Wi-Fi, VPN, certificate, restriction, application policies) and managed applications (VPP/ABM app assignments, in-house apps, public apps).
Assess Workspace ONE Intelligence usage: which DEX dashboards are in active use, which automation workflows are running, and which compliance reports are produced for auditors. This assessment determines which EU-native alternatives have feature parity for the specific use cases in scope.
Weeks 3–4: Vendor Evaluation and Architecture Design
Conduct structured evaluation of baramundi, ACMP, Matrix42, and Cortado against the inventory from Weeks 1–2. Prioritise CLOUD Act score, GDPR Article 28 DPA availability, on-premises vs SaaS deployment options, and feature parity for the top 10 MDM profiles in scope.
Design the target architecture: directory integration (on-premises AD sync vs Azure AD/Entra vs EU-hosted IdP), PKI for device certificates, network segmentation for MDM traffic, and identity provider for SSO. EU-native UEM platforms typically integrate with existing on-premises infrastructure more directly than Workspace ONE Intelligence's cloud-first architecture.
Weeks 5–6: Pilot Deployment
Deploy the selected EU-native MDM in a pilot environment of 50–100 devices across device types (Windows, macOS, iOS, Android) and user groups (standard users, privileged users, mobile workers). Validate the top 10 MDM profiles against pilot devices. Document gaps and edge cases.
Weeks 7–8: Policy Migration
Translate Workspace ONE UEM profiles to the target platform's policy format. This is the technically intensive phase: Wi-Fi profiles, VPN configurations, certificate profiles, application allowlists/blocklists, and compliance rules each require explicit mapping. Validate that application deployment workflows function for the top 20 managed applications by install count.
Weeks 9–10: Application Deployment and Licence Migration
Migrate managed applications to the EU-native platform's app deployment mechanism. Apple Business Manager (ABM) VPP licenses can be reassigned to a new MDM vendor through Apple Business Manager — this requires the new MDM to register as the MDM server in ABM and for VPP licenses to be unassigned from Workspace ONE before reassignment. Allow 48–72 hours for ABM propagation.
Week 11: User Communication and Helpdesk Preparation
Communicate the migration timeline to end users. The device re-enrollment process (from Workspace ONE to the new MDM) requires either user-initiated re-enrollment or a forced factory reset — depending on the device ownership model (corporate-owned vs BYOD) and OS. Prepare helpdesk with re-enrollment runbooks for each device type and OS version combination.
Week 12: Cutover and Workspace ONE Decommission
Execute phased cutover by device group. Verify device compliance status in the new MDM before removing compliance enforcement in Workspace ONE. Once all devices are fully managed by the EU-native MDM, initiate Workspace ONE UEM offboarding: revoke API tokens, close Workspace ONE Intelligence data export, request data deletion under GDPR Article 17, and cancel Broadcom subscription.
Document the migration in the organisation's Article 30 GDPR processing record: new processor (EU-native MDM vendor), data categories (device identity, compliance status, app inventory), legal basis for processing, and data retention period.
GDPR Article 28 Checklist for MDM Vendor Assessment
European data protection officers auditing MDM platform compliance against GDPR Article 28 should verify:
- Is the MDM vendor incorporated and operating in the EU/EEA or an adequacy decision country?
- Does the MDM vendor have a signed GDPR Article 28 DPA available?
- Is device telemetry (including DEX analytics) processed on EU infrastructure?
- Does the vendor's parent company have US domicile (CLOUD Act exposure)?
- Has the vendor disclosed its FISA Section 702 and NSL compliance process?
- Is there an SCCs (Standard Contractual Clauses) addendum for any US-adjacent data transfers?
- Does APNs/FCM traffic routing satisfy the GDPR Article 44 cross-border transfer requirements? (Note: Apple and Google operate this thin channel — the assessment is whether the MDM vendor's own data beyond APNs/FCM is under EU jurisdiction)
- Is the vendor FedRAMP authorized? (Signal of established US government data request compliance channel)
For Workspace ONE UEM under Broadcom, the answers to questions 1, 4, 5, and 8 create documented compliance risks that the MDM vendor itself cannot resolve — because they reflect the fundamental corporate structure of Broadcom Inc.
Summary
VMware Workspace ONE remains a technically capable enterprise MDM platform in 2026. The compliance question for European enterprises is not capability — it is jurisdiction.
Broadcom Inc., the US corporation that now owns Workspace ONE, scores 19/25 on the CLOUD Act risk scale. The score reflects US corporate domicile, FedRAMP authorization, FISA Section 702 exposure, and the US-exclusive SaaS deployment of Workspace ONE Intelligence. Additionally, Broadcom's post-acquisition commercial restructuring has forced European enterprises that specifically avoided US-cloud MDM dependencies — through on-premises deployments — onto Broadcom's US-hosted SaaS infrastructure.
For European enterprises under GDPR, NIS2, and the DORA operational resilience framework, EU-native MDM alternatives provide the same core endpoint management capabilities with zero CLOUD Act exposure: baramundi management suite (Freudenberg SE, Augsburg), ACMP by Aagon (Soest NRW), Matrix42 UEM (Frankfurt), and Cortado MDM (Berlin).
The Broadcom acquisition created a migration window. European IT teams are already evaluating alternatives in response to commercial restructuring. Aligning the commercial migration decision with a compliance-driven MDM reassessment converts a reactive cost exercise into a proactive GDPR and NIS2 risk reduction.
This post is part 3 of the sota.io EU Mobile Device Management Series. Read the full series: Jamf EU Alternative (Post #1203) | Microsoft Intune EU Alternative (Post #1204) | VMware Workspace ONE (this post) | Ivanti UEM EU Alternative (Post #1206) | EU MDM Comparison Finale (Post #1207).
sota.io is an EU-native managed PaaS platform — deploy any language, 100% GDPR, no CLOUD Act exposure. Start free →
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.