When a company asks us “which is the best EDR/XDR?”, the honest answer is: it depends. There is no “best” solution in absolute terms — there is the right one for your context. And that context, increasingly, is not only technical: the stack you already run matters, but so do regulatory obligations, data residency and the vendor’s origin. That is why we are not a single-vendor reseller: we implement EDR and XDR on two tracks, and we make the choice together with the client.
The two tracks we implement
The first is Microsoft-native: Microsoft Defender for Endpoint and XDR, integrated with Entra, Intune and Microsoft 365. The second is a European alternative: Bitdefender GravityZone, a unified EPP/EDR/XDR platform with a managed MDR option. Both cover prevention, behavioural analysis, detection and automated response; what changes is the integration, the vendor’s origin and the data-governance model.
| Dimension | Microsoft Defender | Bitdefender GravityZone |
|---|---|---|
| Integration | Native with Entra, Intune and Microsoft 365: identity, endpoints and cloud in a single console. | Independent, tenant-agnostic platform: integrates with mixed and non-Microsoft stacks. |
| Vendor origin | United States. | European (Romania, since 2001). |
| ACN qualification | Assessed case by case on individual cloud services. | GravityZone qualified at the QC2 level (listing SA-4626). |
| Natural choice for | Those already on a Microsoft tenant who want a single identity-endpoint-cloud console. | Those who want to avoid concentration on a single ecosystem or have EU-origin and data-residency requirements. |
Neither track is “second class”. They are two solid routes to the same goal — seeing and stopping an attack before it does damage — with different constraints and advantages.
What ACN QC2 qualification means (and what it does not)
The ACN (Italian National Cybersecurity Agency) maintains a catalogue of cloud services qualified for public administration, with increasing levels based on the criticality of the data and services they can host. Moving from QC1 to QC2 is not a marketing detail: it means the service has been assessed as suitable to handle higher-criticality data and services. In the catalogue, listing SA-4626 (Bitdefender GravityZone, SaaS) is qualified at the QC2 level.
Be careful not to overstate it: for a private company ACN qualification is not a legal obligation. It is, however, a concrete indicator of reliability and governance, and it becomes relevant if you work in the public-administration supply chain or in sectors with obligations such as NIS2. In those cases, choosing already-qualified tools simplifies audits and client requests.
Digital sovereignty: a tool, not a flag
“European vendor” and “data in Italy” are powerful arguments right now, but they need to be handled with clarity. Data residency and vendor origin are not a value in themselves: they are tools to meet concrete requirements — contractual constraints, applicable jurisdiction, a public client’s request, reducing dependence on a single ecosystem. Choosing them “for the flag”, without a requirement that justifies them, is a cost with no benefit.
That said, for those who do have those requirements, a European vendor qualified by the ACN is the most direct answer: Bitdefender is a European company with over twenty years of cybersecurity research, and it has announced a console with data resident in Italy (coming, not yet available). Our job is to help you understand whether those requirements apply to you — not to sell you a narrative.
How we choose together
The choice starts from a few concrete questions, not from the vendor catalogue:
- 1What stack do you already run? A mature Microsoft 365 tenant makes Defender the lowest-friction route; a mixed or non-Microsoft environment tips the balance towards an independent platform.
- 2Which regulatory obligations apply to you? NIS2, regulated sectors, working with public administration: these change the weight of ACN qualification and data residency.
- 3Do you need a managed service? If you have no in-house security team, GravityZone’s MDR option or managed monitoring on the Microsoft side can cover the gap.
- 4How much does independence from a single supplier matter? Diversifying vendors reduces lock-in but adds a console to manage: it is a trade-off to weigh, not a dogma.
AtWorkStudio has operated from Piacenza, Italy, since 2000. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for our own cloud services, are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster. We do not implement a brand: we deploy the right tool for your risk, and manage it over time.
Sources
- ACN — Catalogue of qualified cloud-service listings (listing SA-4626, Bitdefender GravityZone, SaaS, QC2 level)
- ACN — Regulation on digital infrastructure and cloud services for public administration
- Bitdefender — GravityZone documentation (EPP, EDR, XDR, MDR/MXDR)
- Computer Gross — communication on GravityZone’s ACN QC2 qualification, July 2026
Dig deeper
Frequently asked questions
The most common questions about choosing between Microsoft Defender and a European ACN-qualified vendor.
Yes. Bitdefender GravityZone is an EPP/EDR/XDR platform from a European vendor (founded in Romania in 2001), with a managed MDR option. Its listing is included in the catalogue of cloud services qualified by the ACN (Italian National Cybersecurity Agency) at the QC2 level. It is the concrete alternative for those who do not want a single dependency on the Microsoft ecosystem or who have specific requirements around data residency and a European vendor origin.
The ACN catalogue classifies cloud services qualified for public administration on increasing levels based on the criticality of the data and services they can host. QC2 is above the initial QC1 and enables the processing of higher-criticality data and services. In the catalogue, listing SA-4626 (Bitdefender GravityZone, SaaS) is qualified at the QC2 level. For a private company it is not mandatory, but it is a useful indicator of reliability and compliance, especially for those working with public administration or in regulated sectors.
No. If you already run Microsoft 365, Entra and Intune, Microsoft Defender is often the most natural choice because it unifies identity, endpoints and cloud in a single console and reduces integration effort. But it is not mandatory: a third-party vendor such as Bitdefender GravityZone is fully compatible and may be preferable for data-residency requirements, to avoid concentration on a single supplier, or for multi-tenant and non-Microsoft scenarios.
ACN qualification of cloud services is a requirement for public administration and for those providing cloud services to public administration under the relevant regulation. For a private company it is not a legal obligation, but it is a trust signal: it means the service has been assessed against nationally defined requirements for security, reliability and governance. It becomes relevant if you work in the public-administration supply chain or in sectors with obligations such as NIS2.
We start from requirements, not from the brand: the stack already in use, regulatory obligations (NIS2, regulated sectors), data-residency and European-vendor-origin needs, the need for a managed service (MDR), budget and in-house skills. From there we implement and manage the solution that genuinely reduces risk. The goal is effective protection, not allegiance to an ecosystem.