Every time a European government stores sensitive data on American servers, Washington can legally demand access. The EU’s Tech Sovereignty Package lands this week. But industry insiders warn it may swap one dependency for another.
The EU’s Tech Sovereignty Package is due tomorrow, and EU Perspectives asked the people building Europe’s digital future what to expect. Dominic Williams, founder of DFINITY, called the situation “a really messed up situation.” “AI is going to ramp everything up and the EU’s upcoming Tech Sovereignty Package is effectively too little too late and being written by people who don’t understand the implications,” he said.
The package is meant to reduce Europe’s reliance on foreign technology by accelerating data centre capacity through a Cloud and AI Development Act. According to the leaks, the goal is to triple EU capacity in the next five to seven years. The Commission has said the Tech Sovereignty Package will include major digital infrastructure proposals, as well as fresh attempts to attract chipmakers to Europe.
Sovereignty washing
European governments would have to carry out “sovereignty risk assessments” to identify local alternatives. But Williams argues that non-tech bureaucrats make procurement decisions. They rely on incumbents rather than risk their careers. The result is ever-deeper dependence on US tech.
This may explain why the proposals have been repeatedly delayed. A move away from US tech could anger the volatile administration in Washington. The US ambassador to the EU has already accused the Commission of overly “protectionist” rules.
You might be interested
Williams says the package will fail unless Brussels picks the right alternative. “Most sovereign cloud today is just a hyperscaler product with a flag on it,” he said. The US CLOUD Act forces American providers to hand over data regardless of where they store it. Microsoft has acknowledged this in European court proceedings. “A regional data centre running American software under American legal jurisdiction is not sovereign but a dependency with a different label,” he added.
A regional data centre running American software under American legal jurisdiction is not sovereign but a dependency with a different label.
— Dominic Williams, founder, DFINITY
The package will signal whether the EU is prepared to compete globally not just through regulation, but through long-term industrial capacity building. “The EU Tech Sovereignty Package will only mean something if Europe stops building policy for the market it had and starts building infrastructure for the market it wants,” said Ramin Seyed, founder and CEO of Atalency.
Security and expansion
“What to watch is not the regulation itself. It is who controls the data layer underneath it. Europe has spent a decade telling Big Tech what it cannot do. This package is the first serious attempt to build something Europe actually owns. The risk is that it arrives too late and too cautiously to matter,” he said.
From where he sits in Dubai, watching platforms launch simultaneously across the Middle East and Europe, the urgency is visible. “The regions moving fastest are not waiting for regulatory frameworks. They are building and letting the frameworks follow. Europe needs to decide whether this package is a statement of intent or an actual foundation. That difference will determine everything,” he added.
Johan Konst, founder of EUSA PR, a European tech public relations agency based in Amsterdam, said the package should establish a shared understanding of digital sovereignty. It should also focus on reducing critical tech dependencies. He pointed to a similar push against Chinese technology: “Security is becoming central, this will be a main topic I think. Untrusted Chinese vendors – Huawei, ZTE etc – are being pushed out of 5G, subsea cables, and cloud infrastructure.”
He also sees an expansion opportunity. The EU is pitching European tech as a trusted alternative to American and Chinese solutions. Schwarz Group’s cloud platform Stackit and the defence tech industry are sectors worth watching, he noted.
Robert Harrison, a board member of the European Quantum Industry Consortium, identified three priorities. “First, updating the Chips Act — providing more incentives to onshore chip production and development. Second, open source for government tech to reduce dependency on US tools. We have already seen, for example, that a prosecutor at the International Criminal Court in The Hague has lost access to his account after being sanctioned by the US government,” he said.
“Finally, the Cloud and AI Development Act (CADA) should simplify the building of computing infrastructure. It must also give European companies easier, less bureaucratic access to AI solutions,” he added.
Beyond public procurement
Public procurement is a powerful lever. But focusing exclusively on it would be a mistake, warned Julian Gage, data protection expert and founder of Engage Compliance. “Most companies are going to see ‘public sector’ in the scope and decide this one is not their problem, which is incorrect,” he said.
“While the rules target government use of US cloud for sensitive data, procurement standards are not stagnant. When public buyers in finance and healthcare start asking for proof of where their data physically lives and who can legally request access to it, every vendor in the chain has to be ready to answer the same thing,” he said.
“The part I’m watching out for is the language around the CLOUD Act and encryption key custody. Proving that no US parent company can be required to hand it over to the US government is a completely different thing – most companies running Microsoft 365 or AWS cannot do it today. These sorts of questions are coming regardless of whether a company is in scope, so it’s a good idea to have the answer before customers ask,” he added.
Being realistic
“I expect we’ll see a balance between Europe wanting to project sovereignty and what is feasible,” said Armand Cucciniello, strategic communications director at Blue Force Communications and former senior US Department of Defense official.
“Complete autonomy requires fully EU-based infrastructure, compute, and energy capacity, cloud storage, semiconductor access and secure data environments. This kind of independence is economically unviable for the EU and frankly unnecessary, considering US hyperscalers already dominate European cloud markets,” said Cucciniello. “I also think the package will address the growing global realisation that AI requirements and industry competitiveness are closely tied to energy policy and longer-term industrial strategies,” he added.
The Tech Sovereignty Package will likely reach well beyond the AI Act, said Dhruv Jain, founder of Robossist. It will pull in cloud infrastructure dependencies, semiconductor supply chains, and data residency requirements. “For organisations already preparing for the AI Act’s compliance deadline, this adds another layer of complexity that most haven’t planned for,” he added.
“The practical question isn’t whether these rules apply – it’s how quickly your existing compliance framework can absorb new requirements without starting from scratch. Companies that built modular governance structures for the AI Act will adapt in weeks. Those that treated compliance as a one-off checkbox exercise will be starting over,” he said.
The open source question
Astor Nummelin Carlberg, director of open source sovereignty at SUSE, had a warning. Do not look only at the headlines about blocking non-European hyperscalers.
Sovereignty is meaningless if you just swap one dependency for another.
— Astor Nummelin Carlberg, director of open source sovereignty, SUSE
“Sovereignty is meaningless if you just swap one dependency for another. With our 30 years of experience, SUSE and the European open source industry have spelled out the real problem: public and critical sector procurement has been Europe’s biggest engine of proprietary lock-in and source of the weakened sovereignty posture. It will be interesting to see whether CADA delivers a genuine, auditable ‘Open Source First’ obligation, or just ambition without accountability,” he said.
Jan Slama, co-founder and CEO of FaceUp, said the package was a wake-up call not just for American giants, but for every European tech company. “Even we, as a European-built platform, run on AWS infrastructure. This law forces a real conversation: migrate to European cloud, or risk being locked out of public sector procurement entirely. The ‘buy European by default’ rule sounds simple, but the infrastructure reality across the European tech ecosystem is far more complicated than Brussels may realise,” he said.
