Digital sovereignty: Europe’s declaration of independence?

Digital Policy Economy & Business European Union Politics & Diplomacy United States and Canada

Report January 14, 2026 • 9:27 am ET

Digital sovereignty: Europe’s declaration of independence?

Bottom lines up front

In 2025, the Trump administration’s open hostility to the EU and close connections with tech CEOs brought long-simmering transatlantic tensions over how to regulate Big Tech to a boil.
The effect so far has been to accelerate the EU’s quest to break its dependence on Silicon Valley and China.
Washington’s combative posture toward EU tech regulation sets the stage for more conflict that could imperil the $1.5-trillion trading relationship.

Defining the terms of the debate
Europe’s missing Silicon Valley
Geopolitics and the rise of tech sovereignty
Trump actions spur renewed calls for greater independence
Key issues:
Looking ahead: Transatlantic tensions will persist
Seven recommendations for Brussels and Washington

Introduction

Over the past several years, the concept of digital sovereignty has become ever more central to European notions of competitiveness and economic resilience. Formerly a niche idea within the digital policy community, it has now gone mainstream with major European leaders, from European Commission President Ursula von der Leyen to former head of the European Central Bank Mario Draghi, calling for the European Union to achieve digital sovereignty.¹ It has also become integral to European debates about technological sovereignty and strategic autonomy, and even to trade policy. And as digital sovereignty has become more prominent in European discussions, it has shifted from being a vague aspiration to a concept that EU policymakers increasingly seek to put into operation—raising the possibility of future EU restrictions on procurement from companies outside Europe, as well as other regulatory measures.

Yet, despite its growing centrality in European digital debates, digital sovereignty still does not have a clear definition.² At times, it seems to have been encompassed by the broader term of tech sovereignty, which reflects the EU’s desire to boost its industrial capabilities—not only in the digital space, but also in renewables and other green and future technologies. European policymakers also regularly refer to data sovereignty and cloud sovereignty, which can be seen as focused on particular aspects of digital sovereignty.

What all these definitions share, however, is the notion that Europe and its economy should be less dependent on others and more capable of protecting its own interests, including its interests in the digital sphere. That leads to the key unresolved questions at the heart of digital sovereignty. Does sovereignty require an economic approach that is exclusively European or, at minimum, favors European companies? Is ownership or effective control over key companies important, or is a risk-based system more appropriate? Is it desirable to limit sovereign requirements to certain sectors of the economy? Can Europe achieve a measure of sovereignty as part of a common enterprise among international partners? And if the partnership model is acceptable, who are the partners?

The transatlantic relationship is, in turn, entangled with Europe’s internal debate about digital sovereignty. Until recently, this has been an evenly divided contest, with some European experts calling for Europe to strategically decouple from the dominance of US companies, while others—including most member-state governments—have noted the lack of local alternatives and hesitated to discriminate against US and other non-EU companies.

But the Trump administration’s initial open hostility to the EU and continuing general unpredictability have caused even the most transatlantic of EU leaders to question the reliability of the United States. The July 2025 US-EU trade deal provided some temporary clarity and predictability in transatlantic commercial relations, although digital issues were addressed in only limited ways. President Donald Trump’s Truth Social post a few weeks later, threatening additional tariffs on countries with “Digital Taxes, Digital Services Legislation, and Digital Markets regulations [that] are all designed to harm, or discriminate against American Technology,” was immediately criticized by the European Commission, France, Germany, and others as a violation of Europe’s sovereignty.³ Nevertheless, during a November 2025 visit to Brussels, Commerce Secretary Howard Lutnick directly linked the removal of EU digital regulation with a potential US-EU agreement on steel and aluminum tariffs.⁴

Given Trump’s close connections with leading tech executives, the US administration’s combative posture toward European tech regulation is likely to continue being a point of transatlantic friction. Whether a continued focus by the Trump administration on Europe’s digital rules will create an even stronger push in Europe for an exclusive form of digital sovereignty is not yet evident. What is clear is that without some guidelines, such as those offered in the conclusions to this report, the European Union and United States might find that their differences regarding digital sovereignty and digital rules make creating and maintaining an open transatlantic digital marketplace much more challenging.

Defining the terms of the debate

One reason why digital sovereignty has become an increasingly inflammatory label across the Atlantic is that the lack of a clear definition allows everyone to define it in ways that support their own arguments. Its rise has also coincided with the European embrace of strategic autonomy in foreign and security policy—a notion that has predictably ruffled some US feathers, especially in the defense community. Further confusion has developed as similar terms (i.e., tech sovereignty, cloud sovereignty) have emerged in related areas. To introduce some clarity into this discussion, it can be useful to categorize these different notions.

Strategic autonomy: First arising in the context of foreign and security policy, strategic autonomy refers primarily to Europe developing defense and foreign policy capabilities that would allow the EU to play a more independent geopolitical role. Aside from a few defense funding efforts, the idea has not yet inspired major legislative initiatives. To indicate that partnership and autonomy were not contradictory, the EU later adopted the related idea of open strategic autonomy in trade policy. More recently, the EU has begun to embrace the concept of regulatory autonomy—the idea that “the Union’s values, interests, and regulatory autonomy underpin EU action, including in the digital sphere.”⁵ In these notions, autonomy is a more ambiguous and flexible concept than sovereignty, which implies a legal order backed by legislative initiatives.
Technological sovereignty: While the first European Commission headed by von der Leyen focused largely on legislation related to the online world, the importance of technologies—and Europe’s reliance on Chinese and US technologies—had come to the fore by the end of that mandate. This was not only about the digital world, but crucially about the European Green Deal. While the commission argued that carbon reduction would be key to the future EU economy, it became woefully clear that Europe remained dependent on others for many essential technologies: solar panels, wind turbines, semiconductors, electric vehicle batteries, etc.

Thus, in the second von der Leyen commission, the position of executive vice president for tech sovereignty, security, and democracy was created to oversee the development of EU capabilities to support the digital agenda. Others in the commission, including Executive Vice Presidents Teresa Ribera and Stéphane Séjourné, were tasked with strengthening EU technological capabilities across the Green Deal and industrial strategy generally. In June 2025, a key European Parliament committee defined tech sovereignty as “the ability to build capacity, resilience and security by reducing strategic dependencies, preventing reliance on foreign actors and single service providers, and safeguarding critical technologies and infrastructure.”⁶ Unlike strategic autonomy, however, tech sovereignty underlies significant legislative initiatives, from the Net Zero Industry Act and the Critical Raw Materials Act to the Public Procurement Directives. It also entails a strong focus on industrial policy, including state aid, competition policy, and other means of boosting key tech-related industries.
Digital sovereignty: While often used interchangeably with tech sovereignty, digital sovereignty focuses primarily on the online world. Legislation such as the General Data Protection Regulation (GDPR), Digital Services Act (DSA), Digital Markets Act (DMA), and Artificial Intelligence Act (AIA) have sought to establish a comprehensive system of governance for the online world, especially by regulating corporate behavior vis-à-vis individual or business users. With the exception of semiconductors and the EU Chips Act, much less attention has been paid to the technologies that enable the online world. However, recent proposals for a Eurostack—a European capacity to provide all elements of digital infrastructure, from cables to cloud—are indications of growing European concern about both governance and technologies.⁷

Data sovereignty: This subset of digital sovereignty—one of the earliest variants—initially focused primarily on protection of personal data under the GDPR. However, with the Data Act and other initiatives, increased attention is now paid to the re-use of industrial data that are either sensitive or commercially valuable, and to safeguarding the capacity of EU businesses and governments to exploit data generated in Europe.
Cloud sovereignty: The proliferation of data requires enhanced storage capabilities and increased focus on cloud storage and the security of data stored in the cloud. An increasingly sharp debate has centered on whether Europeans’ data should be stored exclusively within the EU, or whether they can be stored outside the EU by non-EU providers considered trustworthy and secure. This discussion has accelerated with the growth of artificial intelligence (AI) and its enormous requirements for cloud services and data centers. Cloud sovereignty also poses questions about how Europeans’ data can be accessed by foreign law enforcement and intelligence agencies.
Sovereignty over speech: Users of online services today confront a wide array of illegal or undesirable content, from child sexual abuse material to advertisements for illegal products to political disinformation. EU efforts to regulate platforms’ responsibility for illegal content and systemic risks have recently sparked criticism from the Trump administration, which regards aspects of these efforts as violations of free speech.⁸ Who has the right to determine allowable speech available online in a jurisdiction other than where it was produced?
Cybersecurity: Given the ever-growing number of cyberattacks, both in Europe and globally, the protection of the online world has become a growing element in digital sovereignty. In the past, cybersecurity had not been central to the debate about digital sovereignty, but since the Russian full-scale invasion of Ukraine in 2022 there has been a rapidly growing understanding that resilience against such attacks is an essential part of sovereignty. Europe in particular has faced numerous attacks from Russia and related online actors. The EU effort to establish standards for cybersecurity has already led to US-EU tensions, but there will likely be even more attention paid to cyber-proofing as the EU operationalizes its concept of sovereignty.

An increasingly sharp debate has centered on whether Europeans’ data should be stored exclusively within the EU.

As part of the growing effort to operationalize digital sovereignty, both EU institutions and member states have initiated efforts to elaborate the meaning of this elusive concept. The European Council, in formal conclusions to its October 23 meeting, declared, “It is crucial to advance Europe’s digital transformation, reinforce its sovereignty, and strengthen its own open digital ecosystem,” adding that “this requires reinforced international partnerships and close collaboration with trusted partner countries.”⁹

On November 18, 2025, the French and German governments convened a Summit on European Digital Sovereignty. The summit identified several areas for building digital sovereignty, including AI, data, and public infrastructure, and launched a joint task force on European digital sovereignty to report in 2026.¹⁰ Its final declaration underscored the EU member states’ “shared ambition to strengthen Europe’s digital sovereignty in an open manner as a cornerstone of our economic resilience, social prosperity, competitiveness and security.”¹¹

The European Commission, for its part, issued a Cloud Sovereignty Framework in September 2025 that identifies eight types of sovereignty-related objectives to be considered in the government procurement context. In a stab at precision, the framework encourages contracting authorities to assign each objective a sovereignty effective assurance level (SEAL). The results of that assessment should provide a mathematically derived sovereignty score.¹² But as EU discussions on this topic progress, there are still key differences among the member states about the choice between strict autonomy or international partnerships, and whether the model should be based on exclusive EU control or on risk management.

European officials at the Summit on European Digital Sovereignty in Berlin, November 18, 2025. REUTERS/Nadja Wohlleben.

The EU’S Cloud Security Framework, published in October 2025, lays out eight “sovereignty objectives” for procurement authorities to score as they decide what cloud services and products to buy. Source: Cloud Security Framework, European Commission.

Europe’s missing Silicon Valley

While many non-European observers would say that the EU’s regulatory power already gives it significant influence domestically and externally, the EU’s sovereignty in the European digital arena is vulnerable at best. Despite its role as a regulatory superpower, Europe finds itself reliant on non-EU companies for many essential elements of the digital world. A European Parliament report estimates that “the EU relies on non-EU countries for over 80% of digital products, services, infrastructure, and intellectual property.”¹³ This perception of dependency is at the heart of the EU push for digital sovereignty.

The EU has failed to develop a tech sector with either the vibrancy of Silicon Valley or the growing capabilities of China’s industry. In particular, Europe has not seen the emergence of world-leading new companies based on digital technologies. Indeed, while the US industry has created six companies with a market capitalization of €1 trillion or more, the EU has created none.¹⁴ In 2021, three US cloud companies supplied 65 percent of the EU cloud market, while EU-headquartered companies had less than 16 percent.¹⁵ As a consequence, European consumers and businesses must rely on non-EU companies—mostly US and some Chinese enterprises—for basic digital services. Initially, this largely applied to software, social media, search engines, and a wide array of shopping services. More recently, the importance of cloud, encryption, and AI, along with the prospective emergence of super-fast quantum computing, has made Europeans realize that this dependence on others has significant and potentially long-lasting effects on their own industries and economies, including those far beyond the tech sector.

Despite its role as a regulatory superpower, Europe finds itself reliant on non-EU companies for many essential elements of the digital world.

Of course, a few European companies are exceptions to these trends. Nokia and Ericsson were already leaders in the cables and fiber optics that are key to connectivity. They became even stronger in the market as concerns rose about the security of Chinese components. The Dutch company ASML has been a leader in the machines required to make the semiconductors that guide and manage so much of the digital world. SAP is the world’s largest vendor of enterprise resource planning software. But these European companies are not in the same league as their US equivalents in terms of market capitalization. For example, ASML has a market capitalization of $376 billion, while Nvidia is at $4.3 trillion and Microsoft is at $3.8 trillion.¹⁶

One consequence of Europe’s struggle in the digital marketplace has been the emergence of an EU-wide debate on competitiveness, as represented most prominently by the reports by former Italian Prime Minister Enrico Letta and former head of the European Central Bank Mario Draghi.¹⁷ Draghi specifically underlined the importance of Europe’s failure to develop an innovative tech sector by noting the increasing productivity gap between the EU and the United States, with European labor productivity falling to 80 percent of US productivity. He concluded that this was mainly due to “Europe’s failure to capitalise on the first digital revolution led by the internet—both in terms of generating new tech companies and diffusing digital tech into the economy.”¹⁸

The competitiveness debate has also sought to identify the causes of Europe’s lack of digital champions. Europe has a vibrant startup community, as demonstrated by the growing role of venture capital.¹⁹ But many of these innovative enterprises end up moving to the United States or elsewhere, while others fail to commercialize entirely. The most popular rationale for this failure to scale—cited by US and European analysts, including Draghi—is overregulation.²⁰ Other suggested reasons include a chronic lack of indigenous capital, overly strict bankruptcy laws, and a culture that fears failure.²¹ Whatever the reason, Europe’s inability to provide the resources and capabilities for its innovative companies to become continental champions, let alone world leaders, means it must rely on companies from elsewhere.

US Ambassador to the EU Andrew Puzder discusses disparities between major companies founded in the United States and the EU at the 2025 Transatlantic Forum on GeoEconomics, in Brussels, on September 30, 2025. Nicolas Lobet, PRYZM photography.

European Commission President Ursula von der Leyen holds former head of the European Central Bank Mario Draghi’s report on EU competitiveness at a September 2024 press conference in Brussels. Draghi’s report concluded that Europe failed to capitalize on the emergence of the internet to increase productivity. REUTERS/Yves Herman.

This was already the case in 2018, when the GDPR—the first major piece of EU digital legislation—came into force. During the next five years of von der Leyen’s first term as commission president, the EU passed several other pieces of digital legislation, most notably the DSA, DMA, and AIA. These measures made progress in harmonizing diverse member-state laws, both existing and anticipated. But while EU leaders saw this body of legislation as protecting their citizens from the excesses of data collection and illegal social media content, many outside the EU, especially in the US tech community, viewed these laws as overly burdensome at best and discriminatory at worst. Some EU policymakers, such as Member of the European Parliament (MEP) Andreas Schwab, early on were open about their desire to counter the dominance of US firms.²² Others, however, saw Europe as offering a positive alternative to the lightly regulated environment tech companies faced elsewhere. EU rules inevitably had the most impact on US companies, which provided the overwhelming majority of digital services in the EU market. Chinese companies also came to feel the impact of EU regulations as their market share grew over time, especially in shopping and social media.

Throughout this period of intense legislative activity, there were clear voices calling for greater digital sovereignty in Europe. The body of legislation passed in the first von der Leyen commission can certainly be viewed as an effort to place limits on the US companies that dominate Europe’s digital space—and as a way for Europe to regain some control, or sovereignty, over that market. But as competitiveness emerged as a top EU priority in 2023, the discussion about digital sovereignty became part of a much broader discussion about innovation and economic security.

Geopolitics and the rise of tech sovereignty

The earliest indication of a geopolitical element to EU digital sovereignty came during the first Trump administration, when the United States protested the use of Huawei components in European digital networks. Reluctantly at first, Europeans came to understand the risk of a Chinese capability to disrupt those networks and developed the EU Toolbox for 5G Security, a list of best practices released in January 2020. The toolbox identified states and state-backed actors as the most serious threats. It also set out criteria for identifying trusted versus untrusted vendors, including closeness to a foreign government, lack of democratic accountability in that government, lack of a data protection agreement with the EU, and ability of the third country to exercise pressure on the EU.²³

The toolbox was the first real effort to identify foreign companies and governments that might threaten Europe’s digital sovereignty and those that might not. There was clearly a focus on China and Chinese companies, as demonstrated by the criteria for vendors. But it should be noted that the toolbox is primarily voluntary guidance developed by the member states for themselves, with progress tracked by regular EU Commission reporting.

In 2019, the EU identified China as both an economic competitor and a “systemic rival,” but initially with little consequence, especially in terms of economic relations.²⁴ Over the next few years, the EU would increasingly focus on China and the dangers posed by its investments in the European economy, especially in critical European infrastructure. By March 2023, when von der Leyen called for de-risking Europe from China,²⁵ commission officials had identified a number of EU dependencies on China—including in critical raw materials, solar panels, and batteries—that had the power to disrupt European industry.²⁶ In June 2023, the commission reported that it considered Huawei and ZTE “materially higher risks” than other fifth-generation (5G) suppliers.²⁷

The EU also initiated a few measures to address those vulnerabilities: heightened screening of inward foreign investment, primarily at the member-state level; enactment of the European Chips Act, providing funding for advanced semiconductor manufacturing in Europe; adoption of the Critical Raw Materials Act, which established goals for EU production of key materials; and passage of the Net Zero Industry Act, which sought to build EU manufacturing capacity in clean technologies such as solar, batteries, and hydrogen. While these measures were not aimed only at China, concerns about that country’s ambitious global plans were a main motivation. Moreover, they had the effect of broadening the initially limited discussion of digital sovereignty beyond the realm of digital governance to include both digital and green technologies, resulting in a broader focus on technological sovereignty.

This European debate regarding the geopolitical dimensions of sovereignty—both digital and tech—intensified significantly following the Russian invasion of Ukraine in February 2022. Along with a focus on territorial security, as seen in the increased defense spending of most EU member states, the EU realized that it needed to address other vulnerabilities. Most urgently, the invasion led to a swift and drastic shift in Europe’s energy supply, as Russia went from providing 45 percent of Europe’s oil and gas in 2021 to 19 percent in 2024.²⁸ But the digital arena was also vulnerable: Russian cyberattacks and apparent sabotage against undersea cables demonstrated the dangers facing Europe’s digital infrastructure, while Russian-origin disinformation flooded European social media.

Perhaps the most important consequence of the Russian invasion, however, was the realization that Europe was vulnerable and that preserving its sovereignty—digital and otherwise—would require concrete actions. Many of the green technology initiatives mentioned above were still in the legislative process when the invasion began but moved to enactment by mid-2023 as the commission’s term began to close and as Europeans became even more conscious of those vulnerabilities. Competitiveness, resilience, and sovereignty became linked together in the concept of economic security as the EU sought to reduce its external dependencies, especially on Russia and China.

By the end of 2024, the tech sovereignty impulse in Europe had become a key policy priority, as demonstrated by the appointment of Henna Virkkunen to the new position of European Commission executive vice president for tech sovereignty, security, and democracy. But before the second von der Leyen commission could get its program under way—or make progress in implementing the Draghi report—Trump’s reelection as US president pushed the impulse toward European digital sovereignty into hyperdrive.

Trump actions spur renewed calls for greater independence

European suspicions about US intentions and capabilities in the digital world have existed since 2013, when Edward Snowden revealed the extent of US National Security Agency interception of Europeans’ communications. Nevertheless, the United States and EU enjoyed relatively open trade in digital services. The advent of the second Trump administration, however, has energized the transatlantic debate over digital sovereignty. While Trump’s focus during the 2024 campaign was on the EU’s trade in goods surplus with the United States, once back in office he frequently criticized the EU’s digital regulations as a whole, despite the US surplus in services trade driven by the success of US tech companies.

Only a month after Trump’s January 2025 inauguration, the White House issued a memorandum on “Defending American Companies and Innovators from Overseas Extortion and Unfair Fines and Penalties,” calling for tariffs and other responses in cases “where a foreign government, through its tax or regulatory structure, imposes a fine, penalty, tax, or other burden that is discriminatory, disproportionate, or designed to transfer significant funds or intellectual property.”²⁹ The memo specifically highlighted “regulations imposed on United States companies by foreign governments that could inhibit the growth or intended operation of United States companies.”³⁰ It also called for the US trade representative to determine whether to renew Section 301 investigations of several digital service taxes (DSTs), including those adopted in France, Austria, Italy, and Spain. The fact sheet accompanying the memo made clear that the target was the European Union and specifically “regulations that dictate how American companies interact with consumers in the European Union, like the Digital Markets Act and the Digital Services Act, will face scrutiny from the Administration.”³¹

Such an aggressive approach brought the issue of digital sovereignty to the fore, as it seemed to disregard the EU’s right to regulate its own market. As the United States and EU pursued a trade agreement, there were conflicting reports as to whether the DSA and DMA (as well as other EU regulations) were on the negotiating table.³² In the end, the joint statement published on August 21, 2025, did not mention either regulation or the DSTs adopted by several EU member states.

But the joint statement was hardly the last word. On August 25, Trump posted on Truth Social: “As the President of the United States, I will stand up to Countries that attack our incredible American Tech Companies. Digital Taxes, Digital Services Legislation, and Digital Markets Regulations are all designed to harm, or discriminate against, American Technology.”³³ Meanwhile von der Leyen, in her September 2025 State of the Union speech, defended the trade deal but also stated: “Whether on environmental or digital regulation, we set our own standards. We set our own regulations. Europe will always decide for itself.”³⁴

The Trump administration has continued criticizing EU digital regulation. For example, on December 16, US Trade Representative Jamieson Greer posted on X (formerly Twitter) that the EU had “persisted in a continuing course of discriminatory and harassing lawsuits, taxes, fines, and directives against U.S. service providers,” and suggested that the United States would retaliate.³⁵ It would be relatively easy for the administration to renew the Section 301 investigations of DSTs. The US government might also look for a mechanism to counter the impact of the DSA and DMA, especially if US companies are fined significantly under those laws. On April 23, 2025, the European Commission fined Apple and Meta €500 million and €200 million, respectively, for noncompliance with the DMA.³⁶ In September, Google was fined €2.95 billion for “distorting competition in the advertising technology industry,” although this case was pursued under the European Commission’s long-time competition authorities rather than under the DMA.³⁷

The commission is also investigating X as well as Meta’s Facebook and Instagram for alleged violations of the DSA, along with separate probes of the Chinese firms AliExpress, Temu, and Tiktok, and several European-based online pornography platforms. On December 5, 2025, the Commission fined X €120 million under the DSA for issues related to its blue checkmarks and advertising repository.³⁸ Beyond these specific cases, the growing criticism of Europe from the US executive branch and parts of Congress, which claim it is censoring “free speech,” is an indication that an influential segment of the Republican Party in the United States will continue to push for action against European efforts to moderate digital content. The EU has been a key target, as has the United Kingdom with its Online Safety Act.

US Commerce Secretary Howard Lutnick and US Trade Representative Jamieson Greer speak after a meeting with the EU Trade Ministers Council in Brussels on November 24, 2025. Lutnick suggested that the EU “reconsider” some digital regulations if the bloc wanted the United States to reduce tariffs on EU steel and aluminum. REUTERS/Piroschka van de Wouw.

At the same time, the European Commission has embarked on a process of simplifying some regulations as part of an effort to make the EU economy more competitive. A digital omnibus—a legislative package designed to amend several regulations across a sector simultaneously—was presented on November 19, 2025.³⁹ As with other commission proposals for simplifying regulations, the digital omnibus focuses on reducing requirements for small and medium-sized enterprises (SMEs), along with streamlining reporting in cases of cybersecurity incidents. It also proposes delaying implementation of AIA requirements for high-risk systems until relevant guidance has been issued and calls for “targeted amendments” to the GDPR to boost innovation, including that related to AI training.⁴⁰ While simplification is likely to reduce the regulatory burden on tech companies in Europe—including large US companies—it has not yet addressed issues related to digital sovereignty.

Apart from potential revisions to existing legislation, the commission plans to move forward on two tracks. First, the second von der Leyen commission anticipates deploying more financial resources to support research on emerging technologies such as AI and quantum. Early in 2025, von der Leyen announced InvestAI, an initiative to raise €200 billion in investment capital.⁴¹ The EU also plans, through the 2025 EU Startup and ScaleUp Strategy, to support startups in their search for the funding that will allow them to grow.⁴² While these funds should be viewed with some caution—it is unclear whether sufficient private funds will join this public-private effort—they demonstrate the EU’s commitment to building its own capabilities.

Second, the commission has made clear that it will continue to pursue new rules governing activities and companies in the digital arena. The Financial Data Access (FiDA) regulation, now in the final stage of negotiations, is intended to allow greater sharing of financial data among financial institutions in order to develop new digital financial products for consumers. European legacy banks have launched an effort to exclude those companies designated as gatekeepers under the Digital Markets Act from participation in FiDA; this effort will primarily affect US tech companies.⁴³

The EU Cloud and AI Development Act (CADA) will attempt to address the EU’s shortcomings in cloud and AI capacity by encouraging the permitting of new data centers and other infrastructure, and by providing greater computational capacity and resources to startups, especially those focused on AI. But it is also expected to establish EU-wide eligibility requirements for cloud service providers, along with harmonized procurement processes, in ways that could restrict participation by non-EU companies. It is not clear yet whether CADA will address concerns through risk-based assurance models or ownership restrictions. It has reportedly been delayed until the first quarter of 2026 as the commission considers the concept of European effective control as a way of supporting EU digital sovereignty.⁴⁴

The Digital Fairness Act, expected to be introduced in mid-2026, will be the EU’s flagship legislation for business-to-consumer relations and will address protection of minors online, transparent online pricing, the abuses of manipulative and addictive design, and marketing by influencers—all of which are likely to be of significant interest to US platforms. Other initiatives expected to be launched in the next eighteen months include the ICT Supply Chain Toolbox, the Quantum Europe Strategy, and the Digital Networks Act. Finally, the European Data Union Strategy, released on November 19 along with the digital omnibus, establishes the ambition of “safeguarding the EU’s data sovereignty through a strategic international data policy.”⁴⁵ It aims to do this by “making fair conditions for data access and cross-border transfer . . . protecting sensitive EU non-personal data . . . and deepening cooperation with trusted partners.”⁴⁶ While a strategy is not a legislative document, we can expect that it will help guide EU policy on international data flows.

The European Parliament is also active in the digital sovereignty debate. MEP Axel Voss, one of the parliament’s leaders on these issues, wrote in an October 2025 post on LinkedIn: “We need immediate decisions to regain a digitally competitive and sovereign EU. Eurostack, deregulation, venture capital, chips, energy, access to quality data and a flourishing environment for Start Ups and creators are crucial for our sovereignty.⁴⁷ He proposes a number of measures, from digital special economic zones to using only EU programs within EU institutions to integrating “buy and deploy European tech” in public procurement.⁴⁸

These initiatives will undoubtedly continue to have an impact on the transatlantic relationship, as they will affect the major actors in the market, most of them American. Even with the best of intentions—and no ambition to exclude those companies—EU adoption and implementation of such rules will likely raise questions about the openness of its future market and the participation of non-EU firms.

The next section explores how the United States and EU have wrestled with the competing pressures of sovereignty and open markets, as presented by a set of key issues relating to government access to data.

Snowden’s relevations and the ‘kill switch‘

More than a decade has passed since the Snowden revelations, but the topic continues to shadow transatlantic digital relations. Many in Europe hailed Snowden as a hero for revealing Europe’s vulnerability to US signals intelligence, and the European Parliament invited him to appear and speak at a plenary meeting. The Obama administration, which charged Snowden under the Espionage Act, objected vehemently to the invitation and, in the end, Snowden addressed the parliament only by video link.⁴⁹ Now, however, US domestic sentiment regarding Snowden’s actions has begun to shift, at least in Republican circles, as several of Trump’s advisers have called for him to be pardoned.⁵⁰

Snowden’s disclosures started a chain of legal proceedings in Europe that generated substantial uncertainty among companies about the legality of their indispensable transfers of personal data to the United States. The Court of Justice of the European Union (CJEU) twice invalidated EU-US international transfer arrangements, judging them insufficient to protect Europeans’ fundamental rights. In 2015, the court struck down the EU-US Safe Harbor Framework, and a successor arrangement, the Privacy Shield, met the same fate in 2020.⁵¹ Meta, the object of the litigation both times, took the issue seriously enough that it publicly conceded to US securities regulators that it might need to withdraw Facebook and Instagram from Europe if it could not legally transfer data to the United States.⁵²

A third arrangement, the EU-US Data Privacy Framework (DPF), concluded in 2023, put significant additional safeguards in place for Europeans’ personal data when they are transferred to the United States. It has stabilized the situation, at least for the time being. On September 3, 2025, the EU General Court rejected a challenge to the DPF brought by Philippe Latombe, a French parliamentarian.⁵³ The case tested the sufficiency of US legal reforms made to overcome the CJEU’s 2020 judgment on the Privacy Shield. The court rejected claims that a redress mechanism created by the agreement lacked independence within the US legal system. It also validated the sufficiency of US safeguards relating to the collection of bulk data for intelligence purposes. Latombe has appealed the General Court verdict to the Court of Justice, however, so a definitive verdict on the fate of DPF has yet to be issued.⁵⁴

The European privacy advocacy organization None of Your Business (NOYB)—headed by well-known Austrian privacy activist Max Schrems, who brought the 2015 and 2020 CJEU cases—reacted with disbelief to the Latombe ruling. Schrems drew attention to Trump administration actions against the independence of the US Privacy and Civil Liberties Oversight Board (PCLOB) and the Federal Trade Commission (FTC). He also said that he is mulling bringing a second challenge to the DPF in EU courts.⁵⁵

US cloud service providers, including Amazon Web Services and Microsoft, have responded to European unease over data transfers to the United States by introducing service features that allow enterprise customers to store certain types of data exclusively on servers located on the continent.⁵⁶ Offering to localize data in this fashion can reassure European customers concerned about the long arm of US government’s potential access to their data.

However, the Trump administration exacerbated European anxiety over data flows to and from the United States by briefly cutting off Ukraine from US intelligence sharing in early 2025.⁵⁷ The specter of a US government kill switch—in the form of an order to US cloud providers to stop commercial data transfers to Europe—has spurred further efforts by US cloud providers to reassure their European customers. Brad Smith, Microsoft’s vice chair and president, went so far as to issue a public statement in April that, “In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court.”⁵⁸

In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court.
Brad Smith, “Microsoft Announces New European Digital Commitments,” Microsoft, April 30, 2025, https://blogs.microsoft.com/on-the-issues/2025/04/30/european-digital-commitments.

In response, some European companies have spied a business opportunity. For example, the German company Ecosia and its French counterpart Qwant announced their intention to build a European web index called European Search Perspective (ESP) to compete with Google’s search engine.⁵⁹ Ecosia’s chief executive officer (CEO) cited concern about the political winds blowing in the United States: “With the US election turning out as it has, I think there is an increased fear that the future US president will do things that we as Europeans don’t like very much . . . We, as a European community, just need to make sure that nobody can blackmail us.” He also emphasized Europe’s current dependence on Google’s services: “If the US turned off access to search results tomorrow, we would have to go back to phone books.”⁶⁰

The European dream of regaining data sovereignty by generating companies that can compete with the US cloud giants has a long history of failure. Our 2022 report chronicled the ambitious Franco-German effort to develop GAIA-X, a federated data and cloud ecosystem.⁶¹ In the years since, the vision of an interoperable network of trusted European cloud providers has had limited success. Its major output is a series of standards, specifications, and labels for European cloud providers, rather than a transformation of the commercial landscape.⁶²

Draghi’s 2024 report on the single market effectively conceded defeat in this area of endeavor. “It is too late for the EU to . . . develop systematic challengers to the major US cloud providers,” Draghi wrote.⁶³ Nonetheless, European anxiety over the possibility, however small, that dominant US platform services could withdraw from the continent, be blocked from serving it by the US government, or be a mechanism for channeling EU data to the US government, will continue to power a push for European sovereign alternatives.

A second continuing impetus is an awareness in Europe—thanks to Snowden—that the dominance of US digital services in Europe offers US intelligence agencies a strategic advantage. The Biden administration even boasted of this during the 2023 congressional debate to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), a principal authority for collecting intelligence information on non-Americans. The pervasiveness of US digital service providers worldwide, the administration noted, allows US intelligence agencies to “leverage this national advantage to collect foreign intelligence information . . . in order to protect America from its adversaries.”⁶⁴

US law enforcement access to data on European servers

US intelligence collection in Europe is not the only challenge to data sovereignty that the EU sees emanating from the United States. Another is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a 2018 US law. This statute confirmed that US law enforcement can unilaterally order cloud service providers with a presence in the United States to turn over personal data they host on servers in Europe and other foreign locations for criminal investigations and prosecutions. Although several EU countries, including Belgium, give their law enforcement authorities similar extraterritorial criminal evidentiary powers, this part of the CLOUD Act is seen in Europe as singularly intrusive. When EU legislators call for companies to be immune to foreign law, they are often referring to the CLOUD Act.

However, the CLOUD Act also contains a conciliatory dimension. Part II of the act authorizes the US Department of Justice to negotiate binding international agreements under which criminal investigators and prosecutors can obtain foreign-located electronic evidence directly from providers. Because CLOUD Act agreements are consensual, they do not violate a foreign state’s judicial sovereignty by commanding that a legal measure be taken on its territory. Instead, they remove legal obstacles that companies otherwise face in voluntarily assisting foreign law enforcement. This new type of international agreement can substantially reduce reliance on mutual legal assistance treaties (MLATs), which can be too slow and cumbersome for obtaining e-evidence in fast-moving investigations.

The United States has concluded CLOUD Act agreements with the United Kingdom (UK) and Australia, and negotiations are under way with Canada, all of which are members of the Five Eyes intelligence collective.⁶⁵ The UK agreement, the first to be concluded, has had a positive effect for that country’s law enforcement agencies.⁶⁶ According to the US Department of Justice, UK agencies have already made more than twenty thousand direct requests to companies holding electronic evidence in the United States, including many for real-time interception of communications.⁶⁷ The results “provided UK Law Enforcement and Intelligence Agencies with critical data to tackle the most serious crimes facing UK citizens including terrorism; child sexual exploitation; drug trafficking; and organised crime,” a UK government minister said in late 2023.⁶⁸

Prosecutors from EU member states have looked across the channel jealously as their UK counterparts have made use of this powerful new investigative tool. In 2019, the EU authorized negotiation of an e-evidence agreement with the United States.⁶⁹ Talks began in earnest after the EU finalized its controversial counterpart to the CLOUD Act, the 2023 E-Evidence Regulation.⁷⁰ Progress has been slow and painstaking. In June 2024, senior EU and US home affairs and justice officials issued an optimistic joint statement welcoming “further progress” in the negotiations and looking “forward to advancing and completing” them.⁷¹

The Trump administration has paused EU-US negotiations without explanation. It might have concluded that CLOUD Act agreements operate overwhelmingly to the advantage of foreign partners—the inevitable consequence of most relevant data being housed on servers located in the United States. As the Trump administration has demonstrated in trade negotiations with foreign countries, it is singularly focused on agreements that it can present as bringing more benefits for the United States. However, such a narrow focus overlooks other benefits of CLOUD Act agreements—sparing cloud providers conflicts of law, deterring data localization measures, and reducing the burden on the mutual legal assistance process.

The EU-US Data Privacy Framework and an e-evidence agreement would neutralize much of the political tension that has prevailed in these realms for more than a decade.

In mid-2025, the UK government added an element of controversy to the use of CLOUD agreements by allegedly serving a request to Apple that it globally disable security features on its products.⁷² If the UK successfully required Apple to remove security from a product (for example, by building in a backdoor to data that would otherwise be end-to-end encrypted), it could then use the CLOUD Act agreement to request the now-vulnerable data directly from the company. Apple challenged the request in a UK administrative court proceeding and issued a public statement warning customers about the measure’s impact.⁷³ In addition, the White House and Congress sharply criticized the reported UK measure.⁷⁴ In August, the UK government withdrew its demand for access to Apple US customers’ encrypted data, effectively conceding to the US objection.⁷⁵ It recently confirmed that the order had been reissued to apply only to UK users.⁷⁶ The US government could well demand that any EU e-evidence agreement include a similar commitment safeguarding US persons’ data from surveillance by member states’ authorities.

A US-EU e-evidence agreement would be an important advance in calming Europe’s sovereign sensitivities about how US law enforcement authorities collect foreign-located evidence, just as the Data Privacy Framework has at least temporarily allayed Europe’s concerns about US national security agencies’ collection practices. Taken together, the two agreements would neutralize much of the political tension that has prevailed in these realms for more than a decade.

The US u-turn on data flows

After decades of the United States propounding unrestricted international commercial data flows—and bemoaning Europe’s privacy impediments to them—the Biden administration made a dramatic course correction in late 2023.⁷⁷ Through parallel legislation (the Protecting Americans from Foreign Adversary Controlled Applications Act) and executive action, it imposed controls on certain categories of data exports to China, Russia, and other “foreign adversaries” citing national security reasons.⁷⁸ Subsequently, the Department of Justice issued a final rule and guidance to companies on compliance and enforcement.⁷⁹ Both the legislation and regulatory actions were spurred by reports that data brokers were collecting publicly available bulk data on US persons and selling them to foreign governments, which could enable them to—among other things—track the location of US military personnel.⁸⁰

In addition to enacting domestic measures to limit certain international commercial data flows, the United States reversed course internationally. In the fall of 2023, the Office of the US Trade Representative withdrew its proposal to include in the Joint Statement Initiative on Electronic Commerce (JSI)—a World Trade Organization negotiation—a guarantee of the free flow of data across borders.⁸¹ The final text of the JSI, announced in July 2024, not only lacks such an obligation but allows parties essentially unlimited scope to restrict data flows for data protection reasons, precisely as the EU had sought.⁸² Even with these changes, the United States declined to join the JSI because it regarded the agreement’s national security exception as insufficiently flexible, a move that some European Commission officials found puzzling.⁸³

In contrast to the United States—and despite its long history of controlling data exports through the GDPR—the EU has moved slowly to evaluate the risks of data transfers to authoritarian states such as China and Russia. In 2021, the European Data Protection Board commissioned an outside report from academics that confirmed both countries’ governments have access to individuals’ personal information without commensurate rule-of-law protections, but it took no further action.⁸⁴ Even Russia’s full-scale invasion of Ukraine has not served to entirely staunch the flow of European data to Russia. The Finnish and Dutch data protection authorities investigated data transfers by Yango, a subsidiary of the Russian search engine Yandex, but have not yet imposed restrictions.⁸⁵

The data dynamics are a microcosm of Europe’s larger dilemma with China—deep commercial dependency, but also a recognition that a degree of sovereign control is needed.

The past year, however, has seen a gradual shift in European regulators’ thinking regarding data transfers to China. In May 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million after discovering it was transferring data to China without requisite data protection safeguards.⁸⁶ In July, the DPC broadened its TikTok inquiry into whether the Chinese government could access such data when they are stored in China.⁸⁷ The Finnish data protection authority began a separate investigation into possible Chinese government access to health data that a Finnish university had shared with a Chinese genetic analysis company.⁸⁸

Even Schrems, who has long challenged European data transfers to the United States, has turned his attention to China. Early in 2025, he filed complaints with European data protection authorities against six major Chinese consumer companies, including Shein, Temu, and WeChat, alleging government access to Europeans’ personal data by an “authoritarian surveillance state.⁸⁹

Recent moves by European data protection authorities to question whether China’s government has impermissible access to Europeans’ personal information mirror the rise in geopolitical tensions between Brussels and Beijing. Ireland’s inquiry into TikTok data transfers, for example, can be read as asserting European data sovereignty against a geopolitical rival. The data dynamics are, in effect, a microcosm of Europe’s larger dilemma with China—deep commercial dependency, but also a recognition that a degree of sovereign control is needed.

A single European data market

Brussels has recently expanded its laws promoting the secondary use of data for commercial, research, and government purposes, in hopes that these innovative legal measures will give homegrown companies a much-needed advantage in competing with data-rich foreign tech giants. However, the transfer of such data to non-EU companies has raised concerns about potentially protectionist restrictions. The Data Governance Act, the Data Act, and the European Health Data Space regulation—all enacted during the first von der Leyen commission—seek to stimulate a market for the secondary use of European data for commercial purposes.⁹⁰ These measures are based on the recognition that data collected by—and locked within—governmental or commercial organizations can have societal and economic benefits if made available for reuse by other entities.

The 2022 Data Governance Act grew out of a post-pandemic recognition of the potential for reuse of government-held data. It facilitates reuse by the private sector, for both commercial and non-commercial purposes, of government-held data (G2B), including data originally collected by public health, environmental, and transport authorities. Then Commissioner Thierry Breton hailed it as a step toward “an open yet sovereign European Single Market for data.”⁹¹

The Data Governance Act was followed a year later by the even more ambitious Data Act, which concentrated on expanding business-to-business sharing of non-personal data, such as the industrial data generated by connected devices. The Data Act sought to ease legal issues that arise with reuse by third parties, such as intellectual property protection and trade secret rules. Both laws insisted upon additional safeguards for transferring data to companies in third countries, such as the United States, where that data could become subject to governmental access. The European Commission further envisaged a series of sector-specific European data spaces, each requiring separate legislation.⁹² They would cover sectors—from agriculture to energy to transportation—that generate large amounts of industrial data ripe for reuse. The European Health Data Space regulation is the first of this series to be enacted.

At the start of the current commission mandate, von der Leyen’s mission letter to Virkkunen instructed her to deepen focus on the reuse of data. She was asked to “present a European Data Union Strategy drawing on existing data rules to ensure a simplified, clear and coherent legal framework for businesses and administrations to share data seamlessly and at scale, while respecting high privacy and security standards.”⁹³ The commission duly launched a public consultation process, articulating as its aim “expanding the availability and use of data to support AI development.”⁹⁴ Published on November 19, 2025, the Data Union Strategy seeks to safeguard the EU’s data sovereignty by ensuring fair conditions for cross border flows of non-personal data; “linking EU data ecosystems with those of like-minded partners;” and “boosting the EU voice in global data governance.”⁹⁵ This is intended to build a comprehensive legal regime for secondary data access that will enable European industry to catch up with the US tech giants that already enjoy access to vast pools of proprietary data.

EU content moderation and free speech

One of the EU’s proudest recent legislative accomplishments is the 2023 Digital Services Act, a sprawling and complex framework regulating online platforms’ accountability for illegal content, including illegal hate speech.⁹⁶ It imposes the most onerous requirements on very large online platforms, half of which are US companies. The Trump administration and the Republican-led Congress have sharply criticized the DSA, viewing it as a tool for the suppression of right-wing populist political speech.⁹⁷ On the contrary, the EU views certain DSA provisions, such as transparency tools and safeguards against arbitrary content moderation, as intended to protect free speech.

Trump singled out the DSA for criticism in the February 2025 official memorandum on preventing the “Unfair Exploitation of American Innovation,” while the Republican chair of the Federal Communications Commission called it “incompatible with both our free speech tradition in America and the commitments that these technology companies have made to a diversity of opinions.”⁹⁸ The US State Department began a diplomatic campaign, alleging, “In Europe, thousands are being convicted for the crime of criticizing their own governments.”⁹⁹ A leaked August 2025 cable to European posts directed US diplomats to advocate for a narrowing of the DSA’s definition of illegal content, among other ambitions. The European Commission firmly pushed back, describing the censorship allegations as “completely unfounded” and insisting that its digital legislation “will not be changed.”¹⁰⁰

The Republican majority on the House of Representatives Judiciary Committee also weighed in with a strongly worded staff report describing the DSA as an “anti-speech, Big Brother law.”¹⁰¹

The report identified a handful of examples of how the act could function to restrict speech extraterritorially. For example, in an August 2024 letter, then Commissioner Breton warned Elon Musk’s X platform that the effects of a campaign interview it hosted with Trump could spill over into the EU and spur commission retaliatory measures under the DSA.¹⁰² The committee also cited a request to X by the French national police that the platform remove a post originating from a US-based account suggesting France’s immigration and citizenship policies were to blame for a 2023 terrorist attack a Syrian refugee committed in that country.¹⁰³

Reform UK party leader Nigel Farage before a House Judiciary Committee hearing entitled “Europe’s threats to American speech and innovation” in Washington, DC, September 3, 2025. REUTERS/Nathan Howard.

The chairman of the US FTC launched a further salvo in August, warning US companies that their very compliance with the EU’s DSA, or with the UK’s similar Online Services Act or its surveillance authorities, could constitute a violation of the FTC Act, which prohibits unfair or deceptive commercial acts or practices. FTC Chairman Andrew N. Ferguson suggested, “It might be an unfair practice to subject American consumers to censorship by a foreign power by applying foreign legal requirements, demands, or expected demands to consumers outside of that foreign jurisdiction.”¹⁰⁴

This transatlantic dispute over the DSA and similar content moderation laws reflects differing US and European historical traditions on speech regulation.¹⁰⁵ The US Supreme Court has identified only speech creating a “clear and present danger” of inciting violence or other illegal conduct as suitable for restriction. Many European judiciaries, informed by their countries’ twentieth century histories of hate speech, take a more cautious view. For example, Germany bans speech glorifying or denying the Holocaust, while Denmark makes it illegal to burn the Quran. The DSA is the EU’s attempt to ensure that platforms remove content deemed illegal, both offline and online, but the act’s lack of definitions leaves a door open to abuse.

On December 23, 2025, the Trump administration raised the stakes in its free speech campaign against European content moderation laws. Secretary of State Marco Rubio issued determinations under the Immigration and Nationality Act barring from entry into the United States five Europeans associated with content moderation.¹⁰⁶ The headliner was Thierry Breton, an architect of the DSA; the others hail from European non-governmental organizations that track hate speech and disinformation on the internet. The European Commission quickly issued a statement that it “strongly condemns” the US actions, reiterating its “sovereign right to regulate economic activity in line with our democratic values.”¹⁰⁷ As the Trump administration continues its ideological campaign against the DSA, the transatlantic dispute over free speech seems bound to escalate.

Cybersecurity and cloud services

In 2022, the European Union Agency for Cybersecurity (ENISA) began an effort to harmonize member-state cybersecurity requirements for government data processing contracts. The European Commission averred that cloud services were a “strategic dependency” on a handful of large providers headquartered in the United States.¹⁰⁸ Several EU member states, led by France, argued for including sovereignty requirements in the envisaged EU Cybersecurity Scheme (EUCS).

A leaked 2023 ENISA draft proposed that the EU impose sovereignty requirements similar to those in France’s domestic security certification and labeling program, SecNumCloud, for contracts involving the most sensitive government data. SecNumCloud has an announced goal that, in order to obtain a trust certificate, cloud service providers must be “immune to any extra-EU regulation.”¹⁰⁹ ENISA proposed incorporating this requirement into EU law as well, adding restrictions on foreign ownership and insisting on localization of cloud services operations and data within the EU.

EU member states divided over whether to adopt such cybersecurity requirements, which could have the effect of disqualifying large foreign cloud service providers from sensitive government data processing contracts. In addition, some European companies, especially in the financial sector, argued that the foreign providers offered greater cybersecurity as well as a superior technical product.¹¹⁰ The Office of the US Trade Representative formally questioned whether the potential EUCS restrictions were consistent with the EU’s obligations under the World Trade Organization’s Government Procurement Agreement (GPA).¹¹¹

In 2024, the Belgian EU presidency put forward a compromise proposal that discarded the foreign ownership restrictions in favor of data labeling and localization requirements.¹¹² French authorities and technology companies expressed dismay at the prospect of EU-level cybersecurity certification rules weaker than France’s own.¹¹³ ENISA has yet to issue the final implementing measure, and this debate could well reemerge in the context of the anticipated CADA.

Looking ahead: Transatlantic tension will persist

The European debate over digital sovereignty—now firmly linked to the wider debate over technological sovereignty—is likely to be a continuing point of tension in the US-EU relationship. For many years, this has been a rhetorical exercise with few real consequences for non-EU firms, especially US companies. But the shift in geopolitics and the increasing drive to support EU industries to build a more competitive economy have led many European policymakers to conclude that now is the time to act. Moreover, the geopolitics are not just about Russia’s aggression or China’s export domination. They are also about the shifts and inconsistencies in US policy that have made many in Europe believe that it must now begin to fend for itself, in terms of both defense and the economy.

As a result, the debate over digital sovereignty has moved from a discussion of whether there should be limits on non-EU companies to a discussion of how many restrictions there will be, and of what type and in what sectors of the economy. That discussion is likely to be pursued through several key legislative initiatives planned for late 2025 and 2026. CADA is already expected to identify requirements—including sovereign requirements—for cloud services.

The geopolitics are not just about Russia’s aggression or China’s export domination. They are also about the shifts and inconsistencies in US policy that have made many in Europe believe that it must now begin to fend for itself.

Perhaps most relevant, the public procurement directives are already under internal review, with a proposal for revision expected from the commission in 2026.¹¹⁴ Because much of the debate is about who can sell which products and services to whom (including to governments), procurement policy will be a key instrument in imposing sovereign requirements. EU and member-state procurement rules currently privilege price as the key selection criteria but, in the Net Zero Industry Act and other new measures, other considerations have been introduced into the procurement calculation.

As the EU pursues these initiatives, it will face a dilemma: To what degree does sovereignty require autarky? Or does the EU require partnerships, despite the risk of dependencies, because of the current lack of key capabilities? Some in Europe have argued that the right way forward is to develop end-to-end EU capabilities in the form of a Eurostack.¹¹⁵ From fiber-optic networks and computing hardware to software development and cybersecurity capabilities, all would be provided by EU companies.¹¹⁶ Others have pointed to the difficulties with this, asking whether the lack of EU-owned capabilities in cloud, AI, search, and other key functions would doom such an effort to be inferior and thus push Europe farther behind in the race to innovate essential digital technologies for the future. They also fear that European companies will not be able to compete internationally if they are cushioned by sovereign requirements.¹¹⁷ Some see no contradiction between sovereignty and being open to non-EU firms; indeed, they see access to the most innovative global companies as essential, especially given Europe’s competitiveness challenge.¹¹⁸ For others, the key element is timing. The EU tech sector currently lags in innovation but, with proper support and time, it should be fully capable of growing world-leading firms and technologies.¹¹⁹ Indeed, the EU’s International Digital Strategy emphasizes the importance of partners in boosting EU competitiveness and innovation, and the EU’s ambitions in global governance for data can hardly be accomplished without cooperative partners.¹²⁰

But in all these versions of digital sovereignty, as well as in the larger arena of tech sovereignty, there is a central question: who owns the companies involved, and does it matter if they are not EU firms as long as they abide by EU laws and regulations? The recent negotiations over an EU-wide cloud certification system stalled on exactly this point (see the above discussion of EUCS). The Toolbox for 5G Cybersecurity put forward the concept of a “high-risk supplier” to warn against non-EU companies that were insufficiently independent of their home governments. While this was aimed at Chinese companies—especially Huawei—concerns have more recently focused on the United States and its companies.

The EU’s concerns are not only about the dominant position of US platforms in the European digital market, but also the potential actions of the US government—especially the Trump administration. The administration’s inconsistency on Ukraine, highlighted by its threats in July 2025 to cease sending weapons and other military supplies to Ukraine (reversed shortly after), alarmed many in Europe.¹²¹ Reports that the Trump administration threatened to block Ukraine’s access to the vital communications network Starlink during negotiations over critical minerals also raised European concerns.¹²² While these instances were primarily about defense, not the digital arena, they have created a heightened sense of insecurity in Europe. Coupled with the experience of the trade negotiations, they put into question the reliability of the United States as a partner in any undertaking.

In this environment, the EU will need to make choices about how best to ensure it has sufficient sovereignty over its digital market. Will the answer be found in more restrictions on non-EU companies, or with a more open arrangement that also boosts European economic growth and competitiveness?

Seven recommendations for Brussels and Washington

Given the economic stakes involved for both parties, the EU should engage the United States as it moves forward, and should keep the following guidelines in mind.

Competitiveness is key to innovation and economic success.

Throughout the coming debates over sovereign requirements, the EU must balance the need for security and for its own industrial and digital capabilities with the efficiencies and productivity required for a globally competitive economy. Settling for a more expensive and less capable product or service because it is European owned is not the way to grow the economy. There are times when it is necessary, but these instances should be rare and well considered, not routine.¹²³

Heated rhetoric on either side does not help the economy.

As the EU moves forward with legislation, both Washington and Brussels should seek to lower the temperature. While some US executive orders and statements from top officials have seemed to decry any EU regulation that impedes US companies, the reality is that Europe has the right to regulate as it sees fit in its own market, as does the United States. At the same time, European threats of broad sovereign restrictions do not encourage needed investment. It should not be forgotten that the US-EU trade and investment relationship is the largest such partnership in the world, worth around $1.5 trillion in goods and services trade in 2024, and with mutual investment worth several times that.¹²⁴ As both parties establish regulatory or investment requirements intended to boost domestic capabilities and add resilience to their economies, there will inevitably be tensions and misunderstandings. Creating barriers to trade and investment is sometimes necessary in limited circumstances, but careful consultations can ameliorate their impact.

Agreed legal frameworks in key areas can ease the need for sovereign protections.

A proposal that the trusted circle of cybersecurity providers be based on NATO membership might be appropriate.

As the discussion of data policy demonstrates, the transatlantic economy is not just about products and services, but also the data generated by them. Sharing those data—and being able to use them to generate revenues—is key to success in the digital economy. Of course, those transferring and using data must comply with local laws, including the GDPR. But the US and EU regulatory regimes collide at times, offering inconsistent or even conflicting requirements. Negotiated arrangements, such as the US-EU Data Privacy Framework, can overcome those differences and provide a stable context for business. A US–EU agreement on law enforcement access to data likewise could provide the protections and access both parties need. Similarly, an agreement that facilitates transfers of non-personal data might be useful in response to the Data Act and Data Union Strategy. Now is the time to make sure the United States and EU are developing compatible regimes.

Ringfencing can be a valuable strategy, as can trusted vendors.

Not all suppliers and customers are equal. Arrangements among allies and partners can lessen risks while preserving as much of the open, prosperous economy as possible, even in sensitive sectors. It makes no sense for Europeans to focus more on the transfer of data to the United States than to Russia or China. Using criteria such as those in the EU Toolbox for 5G Cybersecurity to identify foreign companies that can partner in key sectors will provide clarity and ease transactions. Similarly, a proposal floated in the EUCS negotiations that the trusted circle of cybersecurity providers be based on NATO membership might be appropriate. The Group of Seven (G7) could also offer a starting point for developing a set of compatible, interacting regulatory regimes in the digital economy, as it has done to some degree through its discussion of data free flow with trust and the AI principles and code of conduct.¹²⁵

Certain sectors of the economy are more sensitive than others.

Digital sovereignty requirements should not be imposed on broad swaths of the economy. There are two main reasons for such requirements: national security and creating an indigenous capability in those areas where national economic resiliency is required. Policymakers should carefully identify the areas of the economy where these two reasons apply. Cybersecurity for essential government operations and protecting critical infrastructure are good examples. Management of more prosaic, but still sensitive government data—including where they are stored and who has access—might not need such stringent requirements. Because digital elements—data, cloud, software, and increasingly AI—exist across the economy, it might be more helpful to think about specific functions and make a risk-based assessment of the consequences of failure. Sovereign requirements should be limited to those areas in which a failure or breach will have consequences across society and the economy.

The type of sovereign requirement can vary with the economic sector and even particular conditions.

Among European policymakers, the sovereign requirements currently under discussion can be divided into two types: those that require a supplier to adhere to specific rules and those that involve restrictions relating to the ownership of the company supplying a particular service or product. The first might involve data localization or restricting access to data or use of a particular technology, such as AI. The second, which has been applied in the French SecNumCloud, is far more restrictive and affects the ability of any US-based company to provide the service in question. In some cases, an ownership restriction might exclude companies with the best capabilities from providing the service, and could even expose those using the service to more risk. Thus, ownership restrictions are unlikely to be worthwhile except in rare cases. In the United States, these exist in areas of defense contracting, in which companies dealing with US classified material must set up a US company with US governance and employees. But most government digital contracts, both in the United States and in Europe, are not defense related and would not require such far-reaching ownership rules.

Instead, for those functions in which a breach or disruption would cause significant harm, creating a category of trusted vendors might be appropriate. This could apply to sensitive government functions, as well as to critical infrastructure provided by private-sector enterprises. A system based on trusted vendors could balance the desire to boost local providers while also securing access to top-quality services from non-EU companies. The EU might consider whether there are lessons to be learned from the US government’s FedRAMP system, which certifies companies (including non-US companies) to provide cloud services to different government customers. Companies need to meet criteria that become more restrictive and complex through the three levels of certification (low, moderate, and high).¹²⁶ While FedRAMP applies across most of the US government, individual agencies have the ability to impose their own requirements, allowing national security and intelligence agencies to impose further restrictions on those involved in classified functions. Despite these exceptions, FedRAMP’s graduated approach—matching certification level to sensitivity of the data—is much more tailored than some European proposals in matching certification requirements to the risk level of the cloud service required.¹²⁷

Sovereign requirements should be implemented in a consistent manner, including at the member-state level.

One of the persistent challenges of EU policy is ensuring that implementation is the same throughout the union. Both the Draghi and Letta reports cited differences in member-state requirements for businesses (or implementation of those requirements) as a key factor slowing EU competitiveness. The US trade representative has cited as trade barriers numerous instances of different requirements among EU member states, meaning that companies must follow multiple sets of rules even within the single market.¹²⁸ The European Commission recognized this problem when it decided that, under the DSA, very large online platforms (VLOPs) should be regulated at the EU level, not by member-state authorities. As the EU develops sovereign requirements in the digital sphere, it should be alert to efforts by member states to toughen criteria in ways that add unwarranted restrictions.

While the EU certainly has the right to decide on its own digital sovereignty requirements, those measures will undoubtedly affect access of non-EU companies to the market as well as the capabilities that are accessible to the EU and its member states. There will be costs for the EU, especially as it tries to build a more competitive economy. For that reason, any restrictions should be focused on those circumstances in which risks are high and security is necessary. This exercise should not be about denying access to non-EU companies, but instead about building a secure digital environment and resilient European capabilities. The EU should engage with its partners—not only the United States, but also Japan, South Korea, the UK, and others—to ensure that the fewest possible frictions arise. This will be a test for the transatlantic relationship, but one that can lead to greater cooperation rather than continued angst.

About the authors

Fellow

Frances Burwell

Distinguished Fellow

Europe Center

Central Europe Digital Policy

Fellow

Kenneth Propp

Nonresident Senior Fellow

Europe Center

European Union Digital Policy

Acknowledgements

The authors would like to thank James Batchik, Emma Nix, and Jack Muldoon for their tireless support on the report’s editing, research, and data visualization.

Explore the program

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

Image: German Chancellor Friedrich Merz and French President Emmanuel Macron attend a press conference on the day of a Summit on European Digital Sovereignty in Berlin, Germany, November 18, 2025. REUTERS/Nadja Wohlleben.