How European outbound stacks reshaped themselves around GDPR enforcement

The CNIL fine that changed what a sales tool needs to prove

In November 2022 the French CNIL fined a US-headquartered prospecting platform €600,000 for processing personal data of French professionals without a valid legal basis. The platform's defence was the standard industry argument that publicly available business data on LinkedIn profiles was fair game under legitimate interests. The CNIL disagreed in detail. The decision laid out which categories of data the platform could keep, which retention periods were defensible, and which forms of enrichment crossed into unlawful territory. The fine was not the largest the regulator had issued that year. The decision was the most cited inside European sales operations meetings for the eighteen months that followed.

Cognism, the London-founded B2B intelligence platform, had been preparing for that decision for two years. The company's positioning shift from "global B2B data" to "GDPR-aligned data, with do-not-call list checks built into every export" was a commercial bet that the European market would converge on stricter requirements before American competitors did. By 2026 that bet has paid out. Cognism's European revenue, according to its own disclosures, is the largest portion of its business, and the company's compliance posture is referenced by competitors as the bar to clear.

The structural lesson for European GTM teams was that lawful basis is not a compliance footnote. It is the data architecture. A vendor that cannot tell you exactly where a contact's email address came from, when it entered the database, what consent if any was attached, and when it must be deleted under retention policy is a vendor that creates the next CNIL decision for its customers.

The category shifted, the tools shifted with it

Apollo and ZoomInfo, the US-headquartered incumbents in B2B data, responded by adding EU-region data centres and contract-level changes that mid-market European buyers found inadequate. The contracts were strong on indemnification. The data architecture still treated EU contacts the same way it treated US contacts, which meant retention defaults the GDPR could not validate. By 2026 the share of European mid-market revenue going to Cognism, Lusha (Israeli but with structurally separate EU pipelines), and the newer EU-built tools has grown meaningfully against the US incumbents.

The email engagement layer moved in a similar direction. Lemlist, the French-built outbound platform that crossed €30M ARR in 2024, built its automation around explicit suppression list management. A user cannot send a sequence to a contact who has been suppressed in any prior campaign run on the same account. Surfe, the Berlin-built LinkedIn-to-CRM bridge, sits on top of the Sales Navigator API in a way that respects LinkedIn's terms and does not scrape the platform. These are small architectural choices. They compound into the difference between a stack that survives an enforcement action and one that does not.

The sequencing platforms that struggled in Europe were the ones that treated GDPR as a localisation question rather than a foundational one. Outreach and Salesloft, the dominant American sales engagement platforms, did not lose European customers because their products were worse. They lost share because European customers needed answers to specific questions about contact origin, retention, and right-to-erasure workflows that the products were not designed to answer cleanly.

What the stack actually looks like in 2026

A typical European mid-market outbound stack in 2026 looks different from its US counterpart in three places. The data layer is dominated by Cognism or Lusha rather than ZoomInfo. The engagement layer is dominated by Lemlist, Apollo (which adapted faster than peers), or HubSpot Sequences rather than Outreach. The CRM integration runs through Surfe for LinkedIn pulls. The whole stack has a do-not-contact registry, a retention policy that defaults to deletion at twelve months for cold contacts, and a workflow that triggers data subject access request fulfilment when a contact replies asking for one.

The interesting part is not the tool choice. It is the workflow shape. A European SDR running a campaign in 2026 is doing approximately the same daily work as a US SDR. The platform telling them which contact to call has done a different amount of upstream legal reasoning before serving them that contact, and the platform retains less information about the contact after the campaign ends. The buyer who chose those platforms gets to sleep through any future enforcement action against a competitor.

For a European GTM leader rebuilding the stack this year, the practical question is not "which tool is best." It is which tool can answer the specific question a CNIL or BfDI investigator would ask if a complaint were filed about your outreach. The vendors that have answers are the vendors that built around the question. The vendors that quote you their AWS Frankfurt region are still treating it as a localisation problem. Both can be bought. Only one survives the next enforcement cycle in its current shape.