The long-standing discussion around digital sovereignty in Europe has recently gained new significance as a central pillar of the continent’s push for strategic autonomy. This shift is occurring alongside debates about Europe’s defense autonomy and is influencing trade negotiations worldwide, particularly with the United States. While previous conversations focused primarily on personal data protection and control—an area already addressed by regulations like the General Data Protection Regulation (GDPR)—the current debate now encompasses Europe’s reliance on foreign software and information technology (IT) infrastructure, such as cloud computing, where non-European technologies dominate.
Strategic Shifts in Digital Sovereignty
Previously, the location of data storage was the core principle for digital sovereignty. Now, policymakers recognize that where data is processed—and by whom— and how the added value is shared, are just as important. The 2020 “Schrems II” ruling by the European Court of Justice, which invalidated the Privacy Shield agreement, has fuelled debate on the risks of overseas data transfers and the limits of relying on non-European providers for sensitive data. The dependence of the EU on non-European technologies is now directly seen as having an impact on Europe’s strategic autonomy and the robustness of its digital infrastructure and services. The outcomes of this new approach will depend largely on the political will of certain Member States and the European Commission, who, encouraged by European digital sector stakeholders, are seeking to move beyond existing European laws and World Trade Organization agreements to establish a preference for European solutions in areas like public procurement.
Digital sovereignty in Europe was previously seen as a matter of asymmetrical power between national governments and EU institutions on one side and global technology companies on the other side, primarily through regulatory means. Today, the debate has expanded into the economic sphere, including competition policy, and now also concerns the trust between digital service providers and their European customers. What was once primarily a national issue is increasingly taking on a supranational character, as EU institutions—through initiatives like the Digital Services Act (DSA) and the Digital Markets Act (DMA)—assert collective control and governance over the digital landscape, surpassing the capabilities of individual Member States. This shift has practical consequences. Compliance, data localization and operational control requirements—once the responsibility of digital service providers—are increasingly being passed on to European businesses that use these services. For example, under the NIS 2 Directive, corporates in critical sectors must ensure that their IT suppliers meet stringent cybersecurity and resilience standards, regardless of where those suppliers are based. Additionally , European customers of these IT technologies could be soon accountable to measure technical dependencies and to report on the origin and diversity of the technologies they have deployed.
This crossroads is also visible in the current debate over the revision of the EU Cybersecurity Act, expected by the end of the year as part of the EU’s “digital simplification package”, which might be use introduce provision on protections against “non-technical threats”—like extraterritorial laws.
France previously pushed for such sovereignty requirements during negotiations on the EUCS cybersecurity certification scheme, but without much success However, the geopolitical context—marked by rising transatlantic tensions—has given new momentum to these demands. Would arguments last, that such measures would be “discriminatory,” increasing costs, limiting choices for European users and undermining the EU’s competitiveness? Looking at the political will of many European policymakers, who advocate that the issue is no longer just technical, the issue is now about ensuring that sensitive and strategic data remains out of the reach of any foreign interference or scrutiny, in a landscape where According independent market studies and depending on market segments, 70% to 90% of the European cloud market is dominated by non-European players.
Business Implications
European regulations applied to the digital market, such as the EU Artifical Intelligence Act (AI Act), are based on a normative legal perspective and architecture of risk analysis. When these principles of risk analysis and resilience capacity are linked to value chains and are integrated into the debate on digital sovereignty, they frame a new dimension that can transform the conduct of business and the environment of companies, affecting their reputation and the way they build trust with their customers within the European Union. Non-European companies are responding by investing in local data centers, forming partnerships with European corporates and committing to local skill development. These investments are not just about compliance—they are about aimed to re-build trust with European customers and regulators. This strategy will grow in importance and increase investment costs that are not only compliance costs.
While regulation remains a powerful tool—witness the recent passage of the EU AI Act, which sets global benchmarks for AI safety and transparency—Europe’s digital sovereignty agenda is now as much about strategic autonomy and economic strategy as it is about legal frameworks. Members states and the EU Commission advocate to foster a robust European digital ecosystem that can compete globally, reduce dependencies and ensure that Europe retains more control over its digital development and its benefits.
The evolution of the digital sovereignty debate in the European Union—part of the broader quest for strategic autonomy—shows that legislation and regulation alone do not define the market, even though the EU’s regulatory capacity is widely acknowledged. From a strategic standpoint, it is key to go beyond regulatory compliance and to look at local strategies to embrace economic integration within the European digital ecosystem. For businesses, the message is that success in the European market increasingly depends on transparency, local value creation and a demonstrated commitment to Europe’s digital resilience.
