Concentrated compute is an overlooked European cyber vulnerability


Europe’s cybersecurity debate is focused on the wrong layer. While policymakers rightly worry about ransomware, critical infrastructure protection, and the Cyber Resilience Act, they are largely ignoring a structural vulnerability that sits beneath all of these: the concentration of AI computing infrastructure in the hands of a small number of non-European providers. This dependency poses a first-order cybersecurity risk.

The concentration problem

Today, over two-thirds of the cloud computing capacity used by European firms, governments, and researchers is supplied by three US-headquartered hyperscalers: Amazon Web Services, Microsoft Azure, and Google Cloud. The hardware underpinning these services relies on chips designed overwhelmingly by a single, also US-headquartered company, Nvidia, and manufactured at advanced nodes by a single foundry in Taiwan.

The European Union Agency for Cybersecurity (ENISA) has flagged cloud concentration as a systemic risk, yet European policy responses have focused on data localisation and contractual safeguards rather than on the security implications of computing infrastructure dependency itself.

This matters for cybersecurity in three distinct ways.

First, concentrated computing capacity creates single points of failure. When a majority of European organisations depend on the same handful of infrastructure providers, a successful attack against one provider, or a cascading software vulnerability in a shared component, can simultaneously compromise hospitals, banks, energy grids, and government agencies across multiple member states.

The July 2024 CrowdStrike incident, in which a single faulty update disrupted airlines, broadcasters, and financial institutions globally, illustrated how fragile monoculture infrastructure can be. That incident was accidental. A deliberate, state-sponsored attack exploiting similar concentration could be far more damaging.

Second, dependency undermines incident response. When the infrastructure layer is controlled by foreign providers, European authorities face structural barriers to forensic investigation, threat intelligence sharing, and coordinated response. During a major cyber incident, European governments may lack the access, visibility, and legal jurisdiction needed to investigate the supply chain, audit logs, or compel timely disclosure from providers headquartered in other jurisdictions.

The EU’s Cybersecurity Shield initiative envisions cross-border coordination among national security operations centres, but this coordination is only as effective as the underlying access to infrastructure data permits.

Third, the concentration of AI computing infrastructure compounds the risks posed by AI-enabled cyber threats. AI models are increasingly used in both offensive and defensive cyber operations, from automated vulnerability discovery to sophisticated social engineering. Because training and deploying these models depends on the same concentrated infrastructure, a disruption could degrade Europe’s defensive AI capabilities while leaving adversarial capabilities, hosted elsewhere, intact.

The market will not fix this

The persistence of computing concentration among non-European providers reflects a set of well-understood market failures. Cloud computing exhibits strong network effects and economies of scale: the largest providers offer the lowest marginal costs and the broadest ecosystems of compatible services. Switching costs are high, and the cybersecurity benefits of diversifying providers, such as reduced blast radius during outages, greater forensic access for national authorities, and less leverage for any single foreign jurisdiction, are diffuse: they accrue to the ecosystem as a whole rather than to the individual organisation that bears the cost of diversifying. Resilient computing infrastructure is a public good that private markets under-provide.

European firms face a rational but collectively dangerous incentive: each organisation chooses the cheapest, most capable cloud provider available, typically a US hyperscaler. The result is a tragedy of the commons in which individually optimal procurement decisions produce a systemically fragile outcome. Existing regulatory tools, such as the NIS2 Directive and the Digital Operational Resilience Act (DORA), impose security obligations on operators of essential services but do not address the upstream concentration that makes compliance fragile.

Three policy directions

Addressing this blind spot does not require Europe to build its own hyperscalers from scratch, a goal that is neither realistic nor necessary. Instead, European policymakers should consider three complementary approaches.

Mandate concentration stress testing

Just as financial regulators require banks to undergo stress tests for systemic risk, ENISA and national cybersecurity authorities should require critical infrastructure operators, including hospitals, energy grid operators, and financial institutions, to assess and report their degree of computing provider concentration. Operators above a certain dependency threshold should be required to demonstrate credible contingency plans, including the ability to migrate essential workloads to alternative providers within defined timeframes.

Create economic incentives for computing diversification

Public procurement rules and EU funding instruments, including the Digital Europe Programme and Horizon Europe, should reward multi-provider architectures and penalise single-provider dependencies in publicly funded projects. Tax incentives or co-investment mechanisms could reduce the cost premium of using European or alternative cloud providers for sensitive workloads, particularly in health, defence, and critical infrastructure sectors.

Invest in interoperability standards for resilient migration

The practical barrier to diversification is engineering, not ideology: migrating workloads between cloud providers remains difficult and expensive. EU investment in open standards for cloud portability and interoperability, building on ongoing efforts under the EU Cloud Rulebook, would reduce switching costs and make multi-cloud architectures economically viable. This is not only a competition policy measure; it is a cybersecurity measure, because interoperability is what makes rapid failover possible during an incident.

From digital sovereignty rhetoric to cybersecurity substance

European debates about ‘digital sovereignty’ and ‘strategic autonomy’ often remain highly abstract, disconnected from the concrete technical and economic realities of infrastructure dependency. Cybersecurity, by contrast, demands specificity. The question is not whether Europe should aspire to digital sovereignty in principle, but whether European organisations can maintain the ability to detect, respond to, and recover from cyber incidents when the infrastructure they depend on is concentrated in systems they do not control.

Treating concentration of computing power as a cybersecurity risk, rather than merely an industrial policy aspiration, would give Europe’s digital sovereignty agenda the operational substance it currently lacks. The tools to begin this work already exist. What is missing is the recognition that cybersecurity strategy must extend beyond endpoint protection and incident response to encompass the structural economics of the infrastructure layer itself.