Europe's Digital Reckoning — Why the Tech Sovereignty Package Is the Right Move, Even If It Is Imperfect
After three delays, the European Commission has published its most ambitious attempt yet to break Europe’s structural dependence on foreign technology. The package is ambitious, contested, and incomplete — and it is overdue.
Text by Martti Asikainen, 10.6.2026 | Photo by Adobe Stock Photos
In May 2025, the Chief Prosecutor Karim Khan of the International Criminal Court found himself unable to access his Microsoft email account. His bank accounts were frozen. Executive orders signed by the United States President Donald Trump had made it legally hazardous for American technology companies to continue serving him.
The outcome was unambiguous: a senior official of an independent international legal institution had been effectively disconnected from his digital working life by decisions made in Washington. The phrase “kill switch” entered the European policy vocabulary that week. It has not left.
On 3 June 2026, the European Commission published its European Technological Sovereignty Package — the most coherent attempt to date to translate that vulnerability into legislation. It is, by any measure, a significant policy moment. It is also imperfect. But the argument for it is stronger than its critics allow.
What the Package Does
The package consists of four elements: a revised Chips Act designed to strengthen European semiconductor capacity; a new Cloud and AI Development Act (CADA), which establishes a tiered sovereignty framework for cloud procurement; a non-binding open-source strategy; and a roadmap for AI and energy digitalisation.
CADA is the legislative centrepiece. It divides cloud services into four tiers according to the sensitivity of the data they handle. At the most sensitive tier — covering banks, healthcare systems, and public administration — providers must meet European supply-chain requirements.
The EU currently relies on non-EU countries for over 80% of key digital products, services, infrastructure, and intellectual property, and spends an annual €264 billion on buying US technology solutions. As Executive Vice-President Henna Virkkunen stated at the package’s launch: “Europe remains grounded in openness” — sovereignty, in the Commission’s framing, is not isolation but self-determination.
The package’s most consequential long-term element may be its least discussed: the open-source strategy. It treats open-source software and open digital standards not as an alternative to sovereignty, but as a form of it — one embedded in the architecture of the technology rather than guaranteed by a contract or a certification tier.
Made in Europe
I think we can all agree that open, interoperable, decentralised infrastructure does not have a kill switch. Europe already has genuine strengths here. Member states, between them, host over 500 for-profit open-source software companies, and the Commission’s proposal encourages more governments to procure from European providers.
The German research foundation DFG has also launched a funding initiative to preserve data sets held in foreign repositories that are crucial to European researchers — a practical, ground-level step that does not wait for legislative cycles to complete.
The largest unresolved question is money. According to the Commission, €120 billion is needed to boost the EU’s semiconductor ecosystem, whilst ramping up sovereign data centre capacity will require an additional €200 billion by 2036. “Europe is facing a critical investment gap,” Virkkunen said.
“We urgently need private capital to step up.” Europe’s deeper structural challenges — fragmented capital markets, high energy costs, and a skills deficit — will not be resolved through procurement preferences alone.
Sovereignty Requires Accountability
Europe’s prior contributions to global digital governance, GDPR and the AI Act, rested on the premise that sovereignty has something to do with the capacity of citizens and democratic institutions to shape the systems that affect their lives, not just with the nationality of the company running the server. The Tech Sovereignty Package shifts the emphasis towards economic competitiveness and security.
That is a choice, and it has consequences. A European cloud tier that processes citizens’ data in the shadow of a weakened AI Act and an eroded GDPR does not make citizens any more sovereign, it simply names a new actor who will mine their data. The Commission has defined sovereignty primarily in terms of infrastructure nationality. It has done less to define it in terms of democratic accountability. The window to align them is open.
None of the above constitutes a case for inaction. The structural dependency is documented. The kill-switch risk is real. The cost of doing nothing is not zero — it accumulates quietly, in contracts signed, in infrastructure locked in, in legal exposure that increases with each year of delay.
Even designating around 10% of all cloud contracts with strong European sovereignty standards is a significant change for the EU, noted Zach Meyers, director of research at the Centre on Regulation in Europe.
“I don’t think the EU is moving anywhere near the US or China, but they are certainly taking a step towards it,” he said. The European Technological Sovereignty Package is incomplete, contested, and in places internally contradictory. It is also, on balance, necessary.
The harder work begins now.
