Engineering interdependence for Europe’s cybersecurity

Europeans are arguing about the wrong trade‑off. Digital sovereignty is framed as a choice between dependence on foreign tech or full independence, when the real prize is engineered interdependence that turns Europe’s cloud dependencies into a strategic asset for cybersecurity.

Digital sovereignty supports Europe’s cybersecurity interests only when understood as the power to govern interdependence, not to escape it. Instead of pursuing illusory independence from foreign clouds, Europe should design its digital sovereignty around engineered interdependence: diversified, governable cloud relationships that reduce dependencies and make critical systems harder to disrupt.

A false choice

Europe’s digital debate lumps three things together: dependence, interdependence, and sovereignty. In practice, they are different, yet high‑level rhetoric frequently treats ‘digital sovereignty’ as shorthand for independence from foreign providers, without distinguishing managed interdependence from raw dependence.

Dependence is one‑sided, with reliance on another actor for something critical and without a credible fallback. Interdependence is mutual, with both sides incurring real costs if the relationship breaks down. This is often an asymmetric reality, where one side has more options and can better absorb disruption.

Nowhere is this clearer than in the way European leaders talk about the public cloud. On the one hand, leaders warn that relying on a handful of US‑based ‘hyperscalers’ for everything, from banking systems to public administration, creates an unhealthy concentration of risk. On the other hand, they often invoke ‘digital sovereignty’ in ways that imply the answer is to build an entirely European‑only cloud universe, as if sovereignty required near‑total technological self‑sufficiency.

This way of posing the problem leads to a familiar narrative: if foreign providers host critical workloads, Europe must be ‘dependent’ and therefore vulnerable to arbitrary service cuts, foreign laws, or coercion. If that is true, then the answer must be strict localisation, mandatory EU‑only clouds, or means of doing everything in‑house. 

This framing does three unhelpful things. It blurs the line between dependence – being stuck with a single, non‑substitutable provider – and interdependence, where multiple actors are mutually exposed but also mutually supporting. It implies that any interdependence is automatically a weakness, it suggests that sovereignty means doing everything yourself, and it pushes policymakers toward sweeping, symbolic solutions rather than targeted fixes.

Look at how strategy documents are often used. The EU’s Cybersecurity Strategy, the Digital Decade targets, the NIS2 Directive, and the Cybersecurity Act are frequently cited as proof that Europe is finally reclaiming control from foreign tech. Yet these texts also assume, and even rely on, deep cross‑border connectivity, open standards, and cooperation with non‑European providers.

So, despite the substance of these strategies, the public conversation becomes a binary. Either Europe becomes a digital fortress trying to wall itself off from US and Chinese platforms, or it resigns itself to being a digital colony whose security ultimately depends on outside infrastructure and laws. That choice is emotionally satisfying and strategically misleading.

It is misleading because much of Europe’s cybersecurity success comes through interdependence. Intelligence sharing, joint incident response exercises, and cross‑border cloud architectures have made it possible to absorb major outages and attacks that no single member state could handle alone.

Yet the sovereignty debate still gravitates toward a simple intuition: if ‘our’ data or services sit on ‘their’ infrastructure, we must not be fully sovereign. That intuition ignores two questions that matter far more for cybersecurity: who actually controls the levers in a crisis, and how easy it is to reroute or substitute when something goes wrong?

By focusing on ownership, European leaders risk investing in symbolic autonomy rather than operational resilience. This misunderstanding shapes procurement rules, state‑aid decisions, and regulatory choices that could impact Europe’s ability to withstand cyber shocks.​

The problem then is not that Europe is dependent. It is that Europe has not clearly distinguished between dangerous dependencies – where there is no credible fallback if a provider fails – and manageable, even beneficial, interdependence – where there are workable alternatives and shared safety nets. Without that distinction, ‘digital sovereignty’ becomes a slogan that treats every foreign technology and interconnection as a latent security threat rather than a potential source of strength.

Sovereignty through interdependence

Once that binary is set aside, the picture looks very different.

Start with a basic observation: modern cloud computing, by design, spreads workloads across data centres, regions, and providers. European enterprises and public agencies increasingly use multi‑cloud setups precisely to avoid lock‑in and single points of failure. Studies of European cloud usage show organisations are combining hyperscalers with EU‑based providers to meet regulatory, performance, and sovereignty needs.

In this context, reliance on US hyperscalers is not a single, undifferentiated dependency. A hospital that uses a US‑based platform for backup storage while maintaining local control over patient‑facing applications is in a very different position from a government that runs its entire tax system on a single foreign cloud region. One is using interdependence to gain resilience and innovation; the other is flirting with a single point of systemic failure.

Examples outside Europe drive the point home. Chinese AI companies build some of their most advanced models on American chips and, sometimes, on cloud infrastructure provided by US firms. Even faced with aggressive export controls, Chinese developers have turned to workarounds like cloud‑based access to graphics processing units (GPUs) and creatively stitching together slightly less advanced chips. That is not digital autarky; it is a form of asymmetric interdependence that China tries to bend to its advantage.​

Meanwhile, US firms in robotics and other sectors depend on Chinese manufacturers for components and hardware. American humanoid robots run on parts sourced from Chinese suppliers; augmented- and virtual-reality devices rely on Chinese manufacturing components. Neither side is fully independent, yet both have pockets of sovereignty in the form of critical technologies, standards, or wieldable market power.

Semiconductors provide an even clearer illustration. No country, not even the United States, controls the entire chip stack. Designers, foundries, equipment manufacturers, and raw material suppliers are spread across multiple jurisdictions. Export controls do not make the US self‑reliant; they allow Washington to slow China’s access to leading‑edge chips, raise the costs and delays of Beijing’s military and AI modernisation plans, and steer sensitive manufacturing and research and development activity toward firms and jurisdictions it can better influence. In other words, Washington uses structural interdependence as a tool of sovereignty, shaping others’ options and timelines.

Europe’s interdependencies

Europe itself has long practised something similar in other domains. Energy policy, especially after the gas crises with Russia, has moved from naive dependence on a single dominant supplier to managed interdependence with a broader set of producers and transit countries, with more storage, more interconnectors, and shared rules.​ The goal was not to stop importing gas, but to redesign the network so that it could no longer be used as a weapon.

In cybersecurity, alliances and standards play the same role. The EU’s Cybersecurity Act, NIS2, and related measures are starting to define requirements and certifications that apply to any provider serving European markets, regardless of where their headquarters sit. Instead of cutting links, Europe is setting the terms under which those links operate. That is a form of normative sovereignty exercised inside an interdependent system.

Cloud providers themselves are adapting. Multi‑tenant architectures, where customers share infrastructure but not data, and regionalisation, which keeps workloads in specific geographic regions, already separate workloads by geography and regulatory regime. Sovereign cloud offerings aim to combine global technology stacks with local control over data, operations, and compliance.

In practice, these are experiments in engineered interdependence. Europe retains key decision rights and fallback options while still tapping into the scale and innovation of global providers.

All of this points toward a simple reality: interdependence is not the opposite of sovereignty. What matters is which dependencies are non‑substitutable, who controls them, and how flexibly systems can adapt when something fails. Sovereignty in a networked world looks less like an isolated stronghold and more like a well‑designed mesh, where the loss of any single element is costly but not catastrophic.

Engineering interdependence

If sovereignty and interdependence are not enemies, Europe’s task changes. The question is no longer ‘How do we become independent of foreign clouds?’ but ‘How do we design our cloud interdependencies so they make us more secure, not less?’

That design challenge has three parts. First, Europe needs to be brutally honest about where genuine, non‑substitutable dependencies lie in its cloud and cybersecurity stack. Second, it has to redesign cloud usage so that critical services always have credible options under European control without retreating into self‑isolation. Third, it must use regulation, procurement, and alliances to lock in resilience as a shared obligation across providers and member states.

On the first point, European policymakers should adopt an explicit doctrine of non‑substitutable digital dependencies for cloud and cybersecurity. This would require identifying specific areas where a loss of functionality would be intolerable: for example, identity and trust services, core payment and financial market infrastructures, emergency communications, and key control systems for energy and health. The aim is not to list every foreign vendor, but to pinpoint those functions where Europe cannot afford to be left without a back‑up.

The second step is to require at least one robust, EU‑governed implementation path for each of its non‑substitutable segments. ‘EU‑governed’ does not have to mean purely domestic technology at every layer. It means that in a crisis, European authorities and operators can keep systems running without needing permission from foreign regulators or corporate boards. In cloud terms, that implies architectures where critical workloads can move to an EU‑based or EU‑controlled environment, even if they usually run on global platforms.

This is where multi‑cloud and ‘sovereign cloud’ models become strategic tools rather than slogans. Regulators and sector authorities can require that essential services like power grids, hospitals, payment systems, and key government services avoid single‑provider, single‑region dependencies. Instead, they should have tested, documented migration paths across at least two providers, with one option anchored in the EU. That way, the system is interdependent by default, but no single foreign actor can flip a switch that turns the lights off.

The third piece is governance, using existing EU instruments to make resilience a condition of market access. Certification schemes under the Cybersecurity Act can give higher assurance labels to cloud services that support portability, strong incident‑response commitments, and clear jurisdictional separation of data and operations. NIS2 implementation can push operators of essential services to treat multi‑cloud resilience and vendor diversity as baseline security controls, not ‘nice-to-have’ extras.

Public procurement can reinforce this. When governments and EU institutions buy cloud services, they can demand technical features that make interdependence safer, such as open standards, exportable logs, transparent data flows, clear escalation paths, and contractual guarantees about continuity of service in geopolitical crises. The message to providers, European and non‑European alike, is simple: if you want to serve Europe’s most sensitive workloads, you must help engineer away the worst kinds of dependency.

Finally, European leaders should treat alliances as part of the continent’s cloud security architecture, not just foreign policy. Joint norms on cyber operations, shared threat‑intelligence platforms, and ‘resilience clubs’ – small groups of like‑minded states that pre‑commit to help each other absorb and recover from major cyber and cloud incidents – can ensure that when a major cloud outage or attack hits, European operators are not improvising alone. Strategic interdependence, in this sense, is about creating dense, predictable patterns of mutual support that build distributed strength across a set of national systems.

What emerges from this approach is a third path in the sovereignty debate. Europe does not have to choose between a fantasy of total independence and resignation to dependence on foreign clouds. It can instead govern interdependence: tightening control where dependencies are existential, opening up where diversity and scale bring security, and using its regulatory and market power to make resilience a shared responsibility. 

Governing interdependence

Digital sovereignty supports European cybersecurity interests only if it is designed to govern, not to escape, interdependence. The goal is to identify truly non‑substitutable digital functions, ensure at least one EU‑governed option for each, and make multi‑cloud and sovereign‑cloud architectures standard so that no critical service rests on a single foreign provider. Using regulation, procurement, and alliances, Europe can stay connected to global cloud ecosystems while making its dependencies resistant to weaponisation.

Read the other 2025-2026 Binding Hook-Munich Security Conference Essay Prize Competition winners here.