Insights

EDR/XDR: Microsoft
or a European vendor?

·EDR/XDRDigital sovereigntyACNNIS2Cybersecurity
Bitdefender vendorEuropean, since 2001
ACN qualificationGravityZone QC2
Our approachTwo tracks
Selection criterionRequirements, not brand

When a company asks us “which is the best EDR/XDR?”, the honest answer is: it depends. There is no “best” solution in absolute terms — there is the right one for your context. And that context, increasingly, is not only technical: the stack you already run matters, but so do regulatory obligations, data residency and the vendor’s origin. That is why we are not a single-vendor reseller: we implement EDR and XDR on two tracks, and we make the choice together with the client.

The two tracks we implement

The first is Microsoft-native: Microsoft Defender for Endpoint and XDR, integrated with Entra, Intune and Microsoft 365. The second is a European alternative: Bitdefender GravityZone, a unified EPP/EDR/XDR platform with a managed MDR option. Both cover prevention, behavioural analysis, detection and automated response; what changes is the integration, the vendor’s origin and the data-governance model.

DimensionMicrosoft DefenderBitdefender GravityZone
IntegrationNative with Entra, Intune and Microsoft 365: identity, endpoints and cloud in a single console.Independent, tenant-agnostic platform: integrates with mixed and non-Microsoft stacks.
Vendor originUnited States.European (Romania, since 2001).
ACN qualificationAssessed case by case on individual cloud services.GravityZone qualified at the QC2 level (listing SA-4626).
Natural choice forThose already on a Microsoft tenant who want a single identity-endpoint-cloud console.Those who want to avoid concentration on a single ecosystem or have EU-origin and data-residency requirements.

Neither track is “second class”. They are two solid routes to the same goal — seeing and stopping an attack before it does damage — with different constraints and advantages.

What ACN QC2 qualification means (and what it does not)

The ACN (Italian National Cybersecurity Agency) maintains a catalogue of cloud services qualified for public administration, with increasing levels based on the criticality of the data and services they can host. Moving from QC1 to QC2 is not a marketing detail: it means the service has been assessed as suitable to handle higher-criticality data and services. In the catalogue, listing SA-4626 (Bitdefender GravityZone, SaaS) is qualified at the QC2 level.

Be careful not to overstate it: for a private company ACN qualification is not a legal obligation. It is, however, a concrete indicator of reliability and governance, and it becomes relevant if you work in the public-administration supply chain or in sectors with obligations such as NIS2. In those cases, choosing already-qualified tools simplifies audits and client requests.

Digital sovereignty: a tool, not a flag

“European vendor” and “data in Italy” are powerful arguments right now, but they need to be handled with clarity. Data residency and vendor origin are not a value in themselves: they are tools to meet concrete requirements — contractual constraints, applicable jurisdiction, a public client’s request, reducing dependence on a single ecosystem. Choosing them “for the flag”, without a requirement that justifies them, is a cost with no benefit.

That said, for those who do have those requirements, a European vendor qualified by the ACN is the most direct answer: Bitdefender is a European company with over twenty years of cybersecurity research, and it has announced a console with data resident in Italy (coming, not yet available). Our job is to help you understand whether those requirements apply to you — not to sell you a narrative.

How we choose together

The choice starts from a few concrete questions, not from the vendor catalogue:

  • 1What stack do you already run? A mature Microsoft 365 tenant makes Defender the lowest-friction route; a mixed or non-Microsoft environment tips the balance towards an independent platform.
  • 2Which regulatory obligations apply to you? NIS2, regulated sectors, working with public administration: these change the weight of ACN qualification and data residency.
  • 3Do you need a managed service? If you have no in-house security team, GravityZone’s MDR option or managed monitoring on the Microsoft side can cover the gap.
  • 4How much does independence from a single supplier matter? Diversifying vendors reduces lock-in but adds a console to manage: it is a trade-off to weigh, not a dogma.

AtWorkStudio has operated from Piacenza, Italy, since 2000. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for our own cloud services, are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster. We do not implement a brand: we deploy the right tool for your risk, and manage it over time.

Sources

  • ACN — Catalogue of qualified cloud-service listings (listing SA-4626, Bitdefender GravityZone, SaaS, QC2 level)
  • ACN — Regulation on digital infrastructure and cloud services for public administration
  • Bitdefender — GravityZone documentation (EPP, EDR, XDR, MDR/MXDR)
  • Computer Gross — communication on GravityZone’s ACN QC2 qualification, July 2026

Frequently asked questions

The most common questions about choosing between Microsoft Defender and a European ACN-qualified vendor.

Which EDR/XDR is right for your company?

We start from a free NIST CSF 2.0 assessment to understand your security posture, then choose the stack together — Microsoft or a European ACN-qualified vendor — that genuinely reduces your risk.