Euro-Office is being launched as Europe’s answer to Microsoft Office and Google Docs to reduce reliance on US tech. Yet it could be vulnerable to Russian modifications, according to Cybernews analysis.

The text has been updated with the comment from Nextcloud.

Euro-Office is a fork of an open-source software developed by OnlyOffice, a Russia-linked project, and has been transparent about it. In March, it announced a split, promising to “liberate” the OnlyOffice codebase and citing both technical and geopolitical reasons for the move.

However, the vast majority of the code that Euro-Office runs on – and continues to import – appears to be written by developers working on Russian time-zone settings, a Cybernews analysis of its source code shows.

Only a fraction of the code can be attributed to the European consortium behind Euro-Office, mostly to German firm Nextcloud, while up to 99% can be traced to work performed on Russian clocks, the findings suggest.

Research carried out by the Cybernews infosecurity team before the suite’s scheduled launch on June 9th indicates that Euro-Office keeps pulling in fresh Russian code even after the split in March, including parts that run on the network, which raises security concerns.

“One of the biggest issues is that the code pulls an Android bundle from an unknown cloud resource, which raises security concerns about what is in it, who owns it, and if it can be changed at any time,” Cybernews security researchers said.

OnlyOffice is in dispute with Euro-Office over the use of its code, with the European consortium refusing collaboration over its ties to Russia and practises they say are non-transparent.

OnlyOffice is registered in Latvia, with beneficiaries in Singapore, and says it has left Russia. However, an analysis of its own code suggests otherwise.

What does the code say?

Although Euro-Office formally split from OnlyOffice in March, Cybernews found that the project continues to merge selected code changes authored by OnlyOffice developers after the fork, particularly in the server-side components that power online collaboration, including viewing and editing spreadsheets, documents, and presentations.

Every time a developer saves a change while coding, that change is given a unique fingerprint code, meaning the same fingerprint can’t exist in two unrelated projects. Cybernews has looked into Euro-Office’s code and found that it shares thousands of fingerprints with OnlyOffice.

The most recent change that the two share dates back to March 5th, 2026, when Euro-Office split off from OnlyOffice version 9.3.1. Older shared changes are signed by OnlyOffice staff, while Euro-Office has added 184 changes of its own.

Cybernews community is talking about this – join the conversation.

Analysis of the code showed that Euro-Office continued to pull in OnlyOffice’s newer work. Changes linked to developers associated with a Moscow time zone between December 2025 and March 2026 were added to Euro-Office by Nextcloud staff after the split, according to Cybernews researchers.

Euro-Office is a fork of OnlyOffice code. The analysis suggests that 98.6% of its document engine and 99.2% of its live service component were originally written by developers in Russian time zones, while European-authored contributions account for roughly 0.5%.

Euro-Office has imported around 370 changes from OnlyOffice developers into the server-side service, while its own developers have made only about 20 changes.

OnlyOffice says its code is developed by people from 24 countries. According to Cybernews researchers, time-zone data does not indicate nationality or physical location, but is a technical clue that helps indicate where the work was likely done.

“As some countries still use summer/winter time, it is interesting to see that some of the commits never changed the timezone in winter. Which could indicate a narrowed list of countries in which a person is,” researchers said.

A Cybernews analysis of roughly 15,600 changes in the OnlyOffice codebase found that about 90% were made on Moscow time.

The figure rises to 99.5% when other Russian time zones, such as Omsk, Yekaterinburg, and Samara, are included. Only one change could be traced to Latvia, where the company is registered.

Russia ties a dealbreaker

Euro-Office developers said on the project’s GitHub page that they’re reviewing and cleaning up the OnlyOffice codebase and that the fork was a “last resort” driven by technical and geopolitical reasons.

They said contributing to OnlyOffice’s source was “impossible or greatly discouraged,” while the company “regularly makes controversial decisions” and lacks transparency. They also claimed that OnlyOffice is a Russian company, “despite many attempts to hide this.”

“Open source is a global effort, but the current political situation makes collaboration hard and trust difficult to earn. Especially when development is not transparent and open. A lot of users and customers require software that is not potentially influenced or controlled by the Russian government,” the developers said.

Nextcloud, one of the lead companies behind Euro-Office, told Cybernews that "the OnlyOffice code base we had as basis was indeed developed almost entirely behind closed doors in Russia."

"The company itself has since taken steps to hide this and distance itself from Russia. Regardless, this is a major reason the Euro-Office team decided to fork its code base, and since then we have been reviewing and cleaning up the code, not only to make it easier to contribute to, but also to check for security and other issues," Nextcloud co-founder Jos Poortvliet said.

"As the development opens up and becomes fully transparent, there is now a community forming around the code base. This means more and more people will be looking at and contributing to the code," Poortvliet said, adding that "with more transparency and with more people involved, the chance of catching security issues increases."

Apart from Nextcloud, the project is also backed by other European tech companies and organizations such as IONOS, Eurostack, Proton, XWiki, and OpenProject.

In a statement to Cybernews, OnlyOffice said its product is developed and distributed by Ascensio System, a company registered and operating in Latvia, an EU member state, and “fully compliant” with EU law and international regulations.

“Our team is international, as is common for modern technology companies. We work with developers and contributors from multiple countries, focusing on expertise, not geography,” said OnlyOffice Commercial Director Galina Goduhina. “We would also like to note that attempts to frame collaboration or product evaluation based on the nationality of developers rather than on the quality, security, and compliance of the software raise serious concerns,” Goduhina said.

“Such an approach risks shifting the discussion from professional and technical criteria into the realm of discrimination and reflects a broader issue in the industry, where some companies, in pursuit of commercial gain, resort to questionable practices that operate close to the limits of fair competition,” she added.

---

Unlock more exclusive Cybernews content on YouTube.