The European Union increasingly treats cybersecurity as an integral part of its sovereignty. From cloud infrastructure and semiconductor supply chains to data localisation and digital regulation, calls for European control over strategically relevant components of digital infrastructure have become a defining feature of the EU’s digital strategy.
This turn to what I have termed ‘infrastructuring digital sovereignty’ is understandable. Cyber operations are no longer a secondary dimension of conflict; they shape geopolitical competition, with state-linked actors integrating digital campaigns into broader hybrid warfare strategies that target infrastructure and public opinion across borders. Ransomware disrupts hospitals and municipalities, inflicting real operational outages on critical public services and highlighting the systemic impact of criminal and hybrid cyber threats.
Dependence on foreign technology firms raises fears of coercion, surveillance, and systemic vulnerability. Yet the intuitive leap from exposure to insecurity, and from insecurity to sovereign control, is far less straightforward than European policy debates often suggest.
Digital sovereignty, as currently articulated, only partially supports Europe’s cybersecurity interests – and in some configurations, it actively undermines them. The problem is not sovereignty per se, but a narrow understanding of it as territorial control, ownership, and technological substitution. Cybersecurity is not primarily strengthened by owning infrastructure, locating servers within borders, or ensuring suppliers are European. It depends instead on diversification, transparency, institutional capacity, and trusted interdependence. A sovereignty agenda that prioritises control over resilience risks leaving Europe more autonomous on paper but less secure in practice.
To strengthen European cyber resilience, EU digital sovereignty efforts must reorient from ‘strategic autonomy’ to ‘strategic exposure management’: the capacity to shape, govern, and mitigate dependencies rather than treating their elimination as the primary objective.
The sovereignty-security assumption
At the heart of Europe’s digital sovereignty agenda lies a core assumption: dependency equals vulnerability. Reliance on non-European cloud providers, foreign chips, or global software supply chains is seen as a strategic weakness that adversaries could exploit in times of crisis. This logic animates initiatives such as GAIA-X, the EU Chips Act, and repeated calls for ‘European clouds’ and ‘trusted data spaces’.
However, empirical evidence from major cyber incidents suggests that ownership and geography are weak predictors of cyber risk. The 2020 SolarWinds compromise, a supply-chain attack that affected US government agencies and European organisations alike, did not succeed because software was foreign-owned, but because of opaque development practices and insufficient monitoring. Similarly, the 2017 NotPetya malware attack spread devastatingly through European firms not because systems were foreign-controlled, but because networks were tightly coupled and poorly segmented.
Cyber vulnerability often emerges from how dependencies are structured and governed. Indeed, concentration, lack of visibility, and weak institutional oversight often supersede ‘foreignness’ as risk factors. Yet much sovereignty discourse conflates these issues, treating ‘European’ as a proxy for ‘secure’.
Where sovereignty actually weakens security
Let me now push my somewhat provocative claim further: some sovereignty-driven policies actually make Europe less secure in cyberspace, not more.
Cyber defence depends on rapid, cross-border information-sharing. Malware indicators, exploit signatures, and forensic data lose value when trapped within national or regional silos. Data localisation requirements, often justified in the name of sovereignty, can inhibit the pooling of security telemetry and delay collective response. In a threat environment defined by speed and scale, latency is a vulnerability.
Past experience in digital security mitigation in Europe supports this concern. During recent surges in ransomware targeting European hospitals, the uneven implementation of cybersecurity frameworks across member states and limited EU-wide mechanisms for sharing threat intelligence and coordinating response exposed challenges at the European level. These underscored the need for improved cross-border information sharing and joint mitigation capacity. Sovereignty understood as data immobility sits uneasily with cybersecurity understood as networked defence.
European cloud and hardware initiatives often promise security through ‘control’, yet control over infrastructure does not equate to control over risk. A domestically hosted but insufficiently secured system remains vulnerable. Conversely, globally distributed systems operated by large providers often benefit from superior patching, redundancy, and security investment. Hyperscale cloud providers spend billions annually on cybersecurity, threat hunting, and resilience engineering; these are resources that few European alternatives can currently match. Excluding or marginalising these providers in pursuit of symbolic autonomy may reduce access to best-in-class security practices without delivering compensatory gains.
This reality, however, should not and does not require Europe to become a passive consumer of American cloud power, especially in these troubled times. Regulatory scrutiny, ethical oversight, and enforceable transparency obligations remain essential to ensure that scale is matched by accountability, integrity, and alignment with European values, so as to avoid the spreading of the ‘sovereignty-as-a-service’ phenomenon.
Finally, digital sovereignty initiatives implemented unevenly across member states – a challenge which is quite unique to the EU ecosystem – risk fragmenting the internal market. Divergent cloud certification schemes, procurement rules, and compliance requirements increase complexity for firms and reduce incentives to invest in robust security. Technological and economic fragmentation also weakens the EU’s collective bargaining power vis-a-vis global vendors, ironically increasing dependency rather than reducing it.
Cybersecurity benefits from scale, standardisation, and interoperability. Sovereignty strategies that erode these conditions undercut Europe’s own resilience.
Where sovereignty does support cybersecurity
Pointing out the limits of ‘control-based’ sovereignty does not mean abandoning sovereignty altogether. In fact, Europe’s most successful cybersecurity advances have come from forms of sovereignty that emphasise governance rather than ownership.
The EU’s regulatory capacity has proven one of its most potent security tools. The NIS2 Directive significantly expands the scope of entities subject to cybersecurity obligations, harmonises incident reporting, and introduces stronger enforcement mechanisms across the Union. Early evidence suggests that firms subject to mandatory reporting regimes improve internal security practices and detection capabilities. Additionally, and crucially, these rules apply irrespective of nationality; a United States-based or Asian-based firm operating in Europe must meet EU cybersecurity standards. This form of sovereignty, which amounts to rule-setting with extraterritorial impact, enhances security without retreating from global integration.
Cyber risk increasingly concentrates in software and hardware supply chains. Rather than attempting to ‘reshore’ entire value chains, Europe’s more promising initiatives focus on transparency and accountability, such as software bills of materials (SBOMs) and risk assessments for critical suppliers. These measures address concerns identified in incidents like Log4Shell, one of the most serious software vulnerabilities ever discovered, in which unknown dependencies led to struggles identifying vulnerabilities – often introduced by third parties – and prolonged exposure even after patches were released. Here, as well, sovereignty manifests as the ability to demand visibility.
In terms of institutional capacity and negotiation, European agencies such as the European Union Agency for Cybersecurity (ENISA) have grown steadily in authority and capability, coordinating exercises, producing threat assessments, and supporting member-state responses. This institutional deepening contributes more directly to resilience than many high-profile infrastructure projects. Sovereignty exercised through shared institutions rather than national silos strengthens Europe’s collective cyber posture.
Reframing digital sovereignty from autonomy to exposure management
One of the cornerstones of Europe’s digital sovereignty agenda is its emphasis on autonomy as an end in itself. Cybersecurity research, by contrast, emphasises resilience: the ability to anticipate, withstand, recover from, and adapt to shocks. These goals are not achieved by eliminating dependencies, which increasingly appears impossible, but by managing them intelligently. What would, then, be the cornerstones of a resilience-oriented sovereignty-security strategy for Europe?
First, dependency mapping, not dependency denial. Europe should invest systematically in mapping its critical digital dependencies – cloud services, software components, hardware supply chains, and data flows – building on and federating pre-existing initiatives. Knowing where dependencies lie and how failures propagate is a prerequisite for meaningful security. Sovereignty begins with situational awareness.
Second, where dependencies are unavoidable, diversification should be prioritised. Multi-vendor strategies, interoperable standards, and avoidance of single points of failure reduce systemic risk more effectively than national ownership. Public procurement can play a decisive role by rewarding architectures that enhance resilience rather than focusing on national origin. Importantly, the oft-superior security capabilities of hyperscale providers at the level of individual systems do not negate the systemic risks created by excessive concentration; structural resilience comes from diversification, not the baseline security quality of any single provider.
Third, building on Europe’s strengths, digitally and beyond: alliances. Cybersecurity is inherently collective. Europe’s resilience depends on deep cooperation with trusted partners; mechanisms such as the EU-US Trade and Technology Council offer pathways to align security standards while preserving policy autonomy. Sovereignty should enable Europe to choose its dependencies, not reject dependency altogether. Admittedly, shifting geopolitical balances and threats to the very foundations of democracies – threats that seemed unfathomable even a year ago – pose a whole new set of challenges to this principle.
Finally, Europe’s most acute cyber vulnerabilities lie not in hardware ownership but in skills shortages, under-resourced public institutions, and uneven enforcement. ENISA estimates a persistent gap of hundreds of thousands of cybersecurity professionals across the EU. Addressing this gap would likely yield greater security returns than any single infrastructure project.
Sovereignty as ‘standing prepared’
Digital sovereignty can support Europe’s cybersecurity interests; however, this will require a shift from the widespread understanding of control as safety. Cyber threats primarily exploit complexity, opacity, and fragmentation, rather than nationality and geographical location. A sovereignty agenda that focuses on ownership and localisation risks misallocating political attention and financial resources, leaving deeper vulnerabilities untouched.
A mature vision of digital sovereignty will likely define interdependence as a condition to be governed, rather than a weakness to be erased. By emphasising diversification, regulatory power, institutional capacity, and trusted cooperation, Europe can strengthen its cyber resilience without sacrificing the openness that underpins effective defence.
In Europe today, the notion of digital sovereignty is primarily understood as strategic autonomy, the need to ‘stand alone’. It’s time to see digital sovereignty instead as strategic exposure management – the ability to ‘stand prepared’.
Read the other 2025-2026 Binding Hook-Munich Security Conference Essay Prize Competition winners here.






