The world may be consuming a lot of AI right now, but Europe has plans for a whole new cuisine. Last week, the European Commission officially launched the Tech Sovereignty Package, a new, large piece of legislation that lays the groundwork for a vast new technology ecosystem growing out of its own territories, starting with localised development in semiconductors, cloud, open source and (yes) AI infrastructure, and new sovereign services to run on them.
The name of the package says it all. Currently, US companies dominate how a lot of digital services are built and provisioned in the EU, and the aim is to lay the groundwork for more European independence from that, building more resilience into how everything operates – and possibly more tech streams into the European economy in the process.
The Tech Sovereignty Package has arrived at a critical moment.
Under Trump, the United States has become unpredictable when it comes to Europe. It may be America’s longtime, traditional ally – a position cemented through past wars, current strategic alliances like NATO, and deep economic and social ties. But the administration has distanced itself from all that and regularly describes Europe as “weak,” “going to hell,” and wrong to count on the US for help.
That precariousness has left Europe with a clear challenge: how can it stand more independently when it comes to defence and much more? This week, we had a glimpse into how independence might play out in the tech sphere.
“We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure,” Commission president Ursula von der Leyen said in a statement. “This is about protecting our citizens, defending our interests and making our own choices. Europe has the talent, the research excellence, the industrial base and the Single Market. Together, we must turn these strengths into technological sovereignty.”
But that may be easier said than done – not least because Europe is not ready, nor able, to close the door on the US altogether, and because sovereignty can actually be a malleable concept.
“I think when you ask 10 different people what sovereignty means, you’ll get 10 different answers,” said Zach Meyers, director of research at the Centre on Regulation in Europe (CERRE).
Launching the Package is the first, early step. The legislative proposal will now have to pass negotiations between the EU Parliament and national governments before becoming law.
Tech moves fast, but the European Commission sometimes does not, and so it will be worth watching how long the process takes. So far, the Tech Sovereignty Package has been a long time in the making. The key background is a report on European competitiveness published in 2024, known as the Draghi report – after the former prime minister of Italy who authored it. One big takeaway from it was a stark picture: “The EU relies on foreign countries for over 80% of digital products, services, infrastructure and intellectual property”.
But realistically, the package may be a difficult balancing act.
In the same week that it was proposed, EU ambassadors also signed off on a proposal for the EU to join Pax Silica, a US-led club aimed at ensuring advanced semiconductor supply chains.
Currently, Microsoft, Google and Amazon together control about 70% of the European cloud computing market, and European militaries are highly dependent on them too. Rather than sweeping “Buy European” requirements for public procurement or a ban on US tech, the Tech Sovereignty package’s response is a four-tiered categorisation system for cloud providers, depending on how critical and sensitive the data is.
“This is a fairly tentative step,” said Meyers, director of research at the Centre on Regulation in Europe (CERRE). He estimates that between 1% and 10% of public sector cloud contracts are likely reserved for European companies, or a few trusted suppliers beyond that.
Sensitive contracts could conceivably include national security, health, or financial data, he added.
It will be up to member states to decide how to categorise their data according to this four-tier framework. Some member states like France are particularly worried about tech sovereignty, while others like Sweden are generally less concerned about relying on foreign data providers.
In principle, the new framework would allow the Commission to intervene if a member state is not being tough enough in applying the framework. “That would obviously be a very politically contentious decision for the commission to take, particularly because national security has always been seen as a member state prerogative,” says Meyers.
The EU-level package comes amid broader efforts to reduce dependencies on US companies across individual member states. In April, France announced it was switching all government computers from Windows to Linux – a European open-source system. German domestic intelligence has decided to use ArgonOS, a French firm, as the cloud provider for its administrative data, rather than Palantir.
The dreaded kill switch
Increasingly convinced that the US is no longer the reliable partner it once was, many in Europe worry about how this would play out when it comes to newer technologies like AI. Specifically, lawmakers have raised the prospect of a so-called “kill switch” – that is, whether US-controlled companies might ever weaponise the technology that the EU (or any other country) relies on.
“We want to make sure that nobody has a so-called kill switch,” EU tech chief Henna Virkkunen said, according to Politico.
Meyers is sceptical that a “full-on kill switch” would ever be used because it would seriously undermine trust in US providers, who would therefore lobby hard against such a lever. However, small-scale targeted actions – such as the ICC judge who lost access to their emails – may continue.
Regardless, the new tech sovereignty package does not clearly address the kill switch problem. “You might protect 10% of your contracts, but you know, what are you going to do with the rest of them?” asked Meyers.
But to remove the threat of a “kill switch” entirely is currently not feasible, he added. It would require moving the vast majority of cloud usage to European cloud providers – not just public but also in the private sector – and that capacity just does not exist today.
In the short to medium term, if one is really worried about the prospect of a kill switch, “there probably isn’t that much you can do,” he added. “Even having the spare capacity in Europe isn’t enough, because it’s going to take organisations a lot of time to switch over to [a] new provider.”
Even at this early stage, the Commission has been at pains to show that the new sovereignty package does not mean Europe is becoming a less open economy.
“Europe remains grounded in openness, partnership and fair competition,” said Henna Virkkunen, the Commission’s tech czar, as she presented the tech package. “Technological sovereignty does not mean protectionism.”
Different ideas of tech sovereignty focus on different issues: foreign governments having access to European data, the issue of the kill switch, regulation of huge foreign companies, and the “value capture” of public money being sent to foreign companies.
As Margarida Silva, a senior tech researcher at the Centre for Research on Multinational Corporations, notes, “What counts as sovereign infrastructure remains unresolved.”
One important concern is about “sovereignty-washing”: the use of, for example, joint ventures including non-EU companies to satisfy local ownership requirements. In April, the European Commission awarded a sovereign cloud contract – providing services to EU institutions – to a joint venture between Google and European companies.
The package will now face challenging negotiations between the EU and national governments. Some MEPs have criticised the proposal as too permissive, failing to impose environmental requirements on data centres, and for the Commission’s unwillingness to frame this package as aimed at US companies.
The new Cloud and AI Development Act is a core part of a broader plan aimed at tripling European data centre capacity over the next five to seven years, speeding up new data centre developments with easier access to resources like energy and water.
It supports R&D related to AI, makes it easier to build sustainable data centres in Europe, and introduces a framework for assessing cloud and AI sovereignty.
The package aims to promote an open source ecosystem, and hopes to scale up open source alternatives in areas like AI, internet tech and cybersecurity.
Nevertheless, the very act of pulling together these concepts and proposing them in one sweeping piece of legislation is an important move, a “landmark moment for Europe,” in the words of the policy advisors at the OpenForum Europe, a think tank focused on open source. “Open source sits at the center of EU digital policymaking for the first time,” they wrote.
At its best, said Meyers “a lot of open source software is kind of pro-competition, it’s safe, it’s secure, it means that you don’t have the same risk of lock in and of high profit margins going to foreign companies.”
“It addresses a lot of the problems that the US, that the EU has been worried about in terms of kind of market concentration and lack of control, and it does it in a way that is a bit less antagonistic to the US or to the countries that really want an open free trade approach,” he said.
A concrete example of how the EU has taken to open source is the EU Digital Identity Wallet. Member states are required to provide at least one digital wallet for residents and businesses to store and share identity data and other documents. The software is mandated to be open source – which ensures transparency about how the data is handled.
Alongside software and cloud, the tech sovereignty package addresses another key area of sovereign tech capacity: semiconductors.
Chips Act 2.0, which is included in the package, is generally seen as a significant improvement on the previous legislation. The earlier 2022 legislation that it would replace clearly catalysed significant investment: a total of €69 billion in public and private investments by October 2025, according to SEMI.
But the industry has been talking about an updated Chips Act to cover shortfalls in the previous act, particularly after US chipmaker Intel scrapped plans to build two mega-fabs in Germany, in part because the high costs and a lack of demand for advanced chips in Europe made the business case unworkable.
Where the first Act focused on new fabs, Chips Act 2.0 provides a framework for national governments to support strategic projects across the supply chain, including research and equipment. This will help Europe to double down on its strengths in certain areas where it remains indispensable, including photolithography and lenses, speciality gases, and research.
While the original Chips Act was predominantly supply driven and focused on using subsidies to support construction of semiconductor manufacturing in Europe, the new Act explicitly emphasises a need to boost demand to improve the business case for producing chips in Europe – particularly more advanced chips. While legislation alone cannot create significant demand, related EU initiatives like AI Gigafactories aim to do this.
Serious questions remain about that project in particular. It aims to offer facilities for AI models to be trained in Europe, but also claims to offer a major source of advanced chip demand, something Europe lacks.
But even setting aside the questions many in the AI industry have raised about the business case for the project, there is an obvious tension: to have these facilities available quickly and cheaply, the chips would have to be made outside of Europe (probably Nvidia), because Europe currently does not make cutting edge semiconductors.
For all the provisions of the new legislation, the broader question for Europe’s tech sovereignty ambitions is whether the old continent can build the disruptive, dynamic tech companies able to compete with the US giants.
“We’ve got trillions of euros sitting in household savings accounts, doing, doing very little, like just going to fund business loans,” said Meyers, “rather than being spent on the sorts of high-risk, but really high-potential investments, like you see happen in the US.”
