The European challenge

In his 1967 bestseller The American Challenge, French intellectual Jean-Jacques Servan-Schreiber wrote that, ‘a country that will acquire its essential electronic equipment from abroad will find itself in a situation of inferiority analogous to that of nations that, a century ago, have been incapable of mastering the mechanisation of work.’ Europe’s current reliance on US digital services mirrors the ‘technology gap’ debate of the 1960s. Indeed, it is estimated that 80% of Europe’s digital technologies are currently imported. 

In cloud computing alone, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud – the ‘hyperscalers’ – control 70% of the European market, with European companies mustering a mere 2%. Against this background, Europe’s digital sovereignty agenda echoes past concerns of the Continent losing control over its digital infrastructures and missing out on the development of frontier technologies. 

The conventional wisdom depicts European digital sovereignty as an unrealistic objective, incompatible with cyber resilience and strategic interests. In this essay, I will refute this reading – digital sovereignty is not only compatible with cybersecurity cooperation but also paramount to increasing Europe’s strategic autonomy. I will also outline concrete steps for Europe to gradually enhance sovereign control over its digital infrastructures. I will focus primarily on services like cloud computing, as the cloud encompasses both the infrastructure – data centres, servers, and chips – and software layers of emerging technologies like artificial intelligence.

What is digital sovereignty?

Let us begin by establishing what digital sovereignty is, and what motivates it. Digital sovereignty can be defined as a meaningful degree of control over the ‘digital’, be it software, services, data, or infrastructure. Concerns about it stem primarily from governments’ needs for data confidentiality and reliable availability of digital services. Confidentiality refers to guarantees that data will only be accessed by authorised parties, while availability refers to guarantees about the continuity of digital services. 

Europe’s dependence on US services represents a threat both to confidentiality and availability. The Snowden leaks revealed that European governments are not necessarily protected against US mass espionage programs through their tech companies. What is more, US overreach is enshrined in law, as extraterritorial legislation like the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA), amended in 2008, allow the US government to access data stored by US companies without such companies having to notify their customers. 

Equally, Microsoft’s recent blocking of cloud services to the International Criminal Court shows that the US government can weaponise access to critical digital services and cut off any customer of US services at any time.

The relationship between digital sovereignty and cybersecurity

Critics argue that digital sovereignty hurts cybersecurity and the digital economy. They posit a zero-sum relationship between sovereignty and cybersecurity, where advancement of the former leads to retrenchment of the latter. 

The first pillar of such criticism is the Schumpeterian argument: monopolies provide better security, mainly because they have deeper pockets to continuously invest in the latest cybersecurity solutions. In this view, US hyperscalers can better protect customers from cyber threats than smaller European vendors. 

The second pillar is that digital sovereignty increases complexity and hinders the swift information sharing needed for incident response. Some, for example, suggest that data localisation increases costs for companies, while others submit that digital sovereignty will create ‘splinter clouds’ and fragment global data flows. Yet none of these arguments seems to hold up to empirical scrutiny. 

Research on companies’ cyber incident exposure shows that concentration among a handful of hyperscalers dramatically increases the rate of security exposures. Similarly, concentration has been found to increase systemic cyber risk, as large platforms and organisations are more targeted by malicious cyber activity. Further, several misaligned incentives may prevent hyperscalers from properly investing in cybersecurity. Such companies may, in fact, consider security an externality, as the consequences of cyber incidents largely fall back on users. Moreover, hyperscalers do not suffer the financial consequences of their cybersecurity failures either, as their performance is not affected by security breaches, beyond brief dips in stock price.

Recent events confirm that the hyperscale model of digital development is unsustainable. In the past few months alone, three major digital service providers suffered outages that brought widespread disruption and great financial damage. In October 2025, AWS servers in Virginia went down for 15 hours due to a cascading failure in the system for automatically updating DynamoDB, a service that manages DNS records – the phonebook of the Internet – within AWS. The outage affected more than 17 million customers and 3,500 companies, including banks, across 60 countries, causing an estimated financial loss of $75 million for every hour of outage. In the UK, HMRC, the country’s tax agency, was forced to direct customers to use phone lines. 

Similar misconfigurations caused mass Microsoft Azure and Cloudflare outages in October and November 2025. Relying on a handful of hyperscalers creates single points of failure and brittle supply chains, making digital sovereignty a strategic priority for European governments. 

As for cross-border data flows, digital sovereignty policies do not necessarily translate into poorer cybersecurity. On the contrary, isolating critical data from complex transnational flows can make cybersecurity easier. In the previous example, had the UK tax agency relied on a smaller, non-hyperscaler cloud provider to host its data, it would have been able to continue its operations. Research further shows that restrictions to data flows under Europe’s digital sovereignty agenda would only apply to a narrow subset of critical data (eg, security and defence). Moreover, such measures would still allow companies to share information about data breaches for incident reporting, thereby safeguarding cybersecurity cooperation while protecting the content of the data they store and process.

Digital sovereignty in the age of Trump

The above demonstrates that digital sovereignty is compatible with strong cybersecurity and would boost Europe’s digital resilience. But there is another argument for digital sovereignty – a strategic one. The recently published US National Security Strategy makes clear that the current US administration poses an existential threat to the European Union, which it hopes will be watered down to a mere ‘group of aligned sovereign nations’. The strategy also states that ‘opening European markets to US goods and services’ is a US policy priority and that the US government should help American companies bid for infrastructure contracts and win procurement opportunities. In this regard, it states that ‘the terms of our agreements especially with those countries that depend on us most and therefore over which we have the most leverage, must be sole-source contracts for our companies’. As has been previously noted, the term ‘infrastructure’ here includes data centres and cloud services. The US wants to preserve Europe’s dependence on its hyperscalers as a crucial source of influence, which a more independent Europe could imperil. 

Europe’s dependence on foreign technology providers is deep and entrenched. To assuage policymakers’ concerns about confidentiality and availability, US hyperscalers are now offering tailored ‘sovereign’ solutions that promise to square their transnational services with Europe’s strategic interests. Yet, while technical and organisational arrangements can reduce the risk of US intervention and delay requests from the US government, no amount of indirection can change the reality that the US can coerce these companies to hand over customer data and interrupt their services. 

Next steps for Europe

Achieving digital sovereignty for Europe will require time, focused effort, and the ability to absorb some pain. Closing the technology gap with the US will likely require massive investments and targeted industrial policy measures, as well as a true harmonisation of the EU Digital Single Market and reinforcement of European capital markets. Nevertheless, some measures can be taken to gradually strengthen Europe’s digital resilience. 

First and foremost, European governments should de-risk from US digital services by progressively terminating selected data flows and cloud contracts, particularly those struck by government bodies. To do so, governments must audit current cloud contracts to assess which data have strategic value for the EU and whether they could be weaponised by the US. If contracts can be replaced with a European alternative, the flows should be shut down in stages to allow for a gradual transition. 

The upcoming European Cybersecurity Certification Scheme for Cloud Services (EUCS) could be geared towards this objective if policymakers approve ‘sovereignty’ clauses, whereby non-European providers would be excluded from high-risk government and public sector contracts. This would also stimulate demand for European services, which brings us to the next policy recommendation. 

Governments should use public procurement to further stimulate demand for European digital services. There is growing empirical evidence that demand-side instruments like public procurement can have a positive effect in directing technological change. In this sense, Europeans should learn from the United States, which leveraged the expanded procurement power of the federal government under the 1933 Buy American Act to support its electronics industry. By the 1960s, 50% of the American semiconductor industry’s output was purchased by the government, and by the 1970s, the federal government spent more than 20 billion dollars annually on its electronics industry. 

Procurement could also be used to help European companies scale up and foster the adoption of open-source technologies, which are less susceptible to weaponisation than proprietary ecosystems. The rapid success of Chinese open-source AI models attests to the potential of open ecosystems to help countries catch up in the development of frontier technologies. To facilitate this, policymakers could implement proposals to repeal existing IP laws – such as Article 6 of the EU Copyright Directive – which make it illegal to reverse engineer tech platforms’ closed ecosystems and migrate to open-source alternatives, thereby harming interoperability and data portability. 

At a time when the logic of conflict infuses the governance of emerging technologies, digital sovereignty is Europe’s best shot at defending its model of technological development. Digital sovereignty is both compatible with cybersecurity cooperation and indispensable to strengthening Europe’s resilience. However, concrete steps must be taken to allow for a gradual transition to a more sovereign digital Europe. If, as Servan-Schreiber quipped in the 1960s, the battle of the future is the battle for computation, then Europe must proceed with haste.

Read the other 2025-2026 Binding Hook-Munich Security Conference Essay Prize Competition winners here.