True Data Sovereignty Requires Control, Not Dependence on the U.S.

February 2026, Daryl Flack, Partner

Published on: EE Times

Europe’s dependence on U.S. digital infrastructure is emerging as a security risk in a fractured geopolitical order.

We are no longer operating in a world where our decisions to use digital platforms was based in large part on the inherent trust we placed in our trading partners. Certainty has given way to uncertainty, driven by geopolitical fragmentation and the concentration of U.S. tech dominance that no longer sits as comfortably as it once did. The “rules-based order” that shaped the past eight decades is fraying.

When Miguel De Bruycker, director general of Belgium’s Center for Cybersecurity, said that Europe has effectively “lost the internet”, it made people uncomfortable for good reason. It was an unvarnished assessment of reality.

Europe hasn’t lost connectivity, skills, or ambition. What it has lost is control. And in today’s world, that is a dangerous place to be.

For decades, Europe has outsourced the foundations of its digital life, cloud platforms, software stacks, identity systems, data analytics, and AI infrastructure overwhelmingly to the U.S. This was framed as efficiency and globalization, softened by the language of partnership and shared values.

Like defense, Europe relied on the U.S. for too long. And just as defense has re-emerged as a hard security issue, data sovereignty is no longer a procurement question. It is a matter of national and regional security.

If Europe wants true data sovereignty, it cannot just regulate its way out of this problem. It must also build its way out. That means creating European hyperscaler-class infrastructure, not someday, not as a white paper, but as a deliberate, long-term industrial strategy starting now.

A new world order, whether we like it or not

We are living through a structural shift in geopolitics. The certainty that underpinned Western cooperation since World War II has fractured. The current U.S. administration has shown its willingness to act unilaterally when it suits domestic priorities.

The U.S. has begun pulling back from several international cooperation and collaboration frameworks, including elements of global cyber and technology governance. Long-standing assumptions about shared norms, coordinated cyberdefense, and predictable alignment are being quietly revised. Even where alliances remain intact, national interest now appear to take precedence over collective digital stewardship for some countries.

Technology sanctions are weaponized as policy tools, extraterritorial laws that reach deep into foreign geographies. This is not theoretical. It is happening now.

Last summer, Microsoft admitted in a French court that it couldn’t guarantee data on French citizens would not be transmitted to the U.S. government if it received an injunction that was legally justified.

Europe’s digital economy, government services, healthcare systems, energy grids, transport networks, and financial infrastructure are built largely on U.S.-owned platforms such as Microsoft Azure, AWS, and Google Cloud. These are not just vendors; they are structural dependencies.

And here’s the uncomfortable truth: Those companies do not ultimately answer to Europe. They answer to U.S. law.

Data sovereignty is not just about geography

Let’s clear up one of the most persistent myths in this debate. Data sovereignty is not just about where your data is stored.

Even if your data is sitting in Frankfurt, Dublin, Paris, or Milan, if the system that controls it, the software, the encryption keys, the identity layer, and the operational access, is owned elsewhere, then sovereignty may already be compromised. Sovereignty is about location, control, and access. Who can see the data? Who can compel access to it? Who can turn the tap off?

And, critically, who decides under what laws?

In many jurisdictions, governments can legally compel companies to provide access to data under their control, even if that data belongs to foreign citizens or governments. China’s legal framework, particularly the National Intelligence Law (2017), Cybersecurity Law (2017), and Data Security Law (2021), compels companies operating in China to provide data and assistance to the Chinese Communist Party (CCP) and intelligence agencies, requiring cooperation with state intelligence work and allowing government access to data for national security, effectively creating mandatory data sharing and potential backdoors for surveillance. 

The U.S. CLOUD Act is another example. This puts U.S. hyperscalers in an impossible position. They may want to respect European privacy laws and data protection principles, and many genuinely do, but if U.S. law changes, they must comply.

With the foresight that sovereignty cannot be built on assurances that ultimately depend on foreign legislation or enduring political goodwill, Amazon Web Services has launched its European Sovereign Cloud. One of the most direct and decisive responses by a major hyperscaler. AWS says the offering is fully EU-based, with infrastructure physically located within the European Union and operationally isolated from its other global regions.

According to the company, the service is supported by layered legal, operational, and technical safeguards designed to reduce exposure to non-EU jurisdictions and reinforce compliance with European data-protection requirements. However, it remains to be seen whether this and other measures, such as heightened data security requirements and large investments in German data centers from Microsoft and Google, respectively, will be enough to rebuild European confidence.

Europe’s values don’t match its infrastructure

This is where the contradiction becomes glaring. Europe has some of the strongest data protection and privacy frameworks in the world. GDPR is not perfect, but it is rooted in a clear principle: Citizens have rights over their data. Governments are constrained. Corporations are accountable.

Contrast that with the direction of travel elsewhere.

In China, the state ultimately owns and controls the data. Surveillance is systemic. Compliance is mandatory. The uncomfortable reality is that the U.S. regulatory landscape is beginning to echo some of these traits, not in ideology, but in mechanism. Expanding state powers. Broader national security justifications. Increasing pressure on technology providers to act as extensions of policy.

If Europe continues to run its most critical systems on infrastructure it does not control, it risks drifting into a position where its values are enforced by systems built for someone else’s rules.

Regulation alone will not save us

Europe’s instinct, understandably, has been to regulate. Digital Markets Act. Digital Services Act. NIS2. Cybersecurity and Resilience legislation. These are necessary steps, and they matter.

But regulation without capability is like a suit of armor made of paper. It gives an illusion of protection but crumbles the moment it’s tested.

You can demand transparency. You can impose fines. You can write exit clauses into contracts. But when push comes to shove, when geopolitical pressure mounts, when alliances strain, when laws change quickly, regulation will not give you control over infrastructure you do not own or ultimately control.

This is why De Bruycker’s warning is very poignant. Europe hasn’t lost the internet because it failed to regulate it. Europe lost control because it failed to build.

The hyperscaler problem

Let’s be blunt. There are no true European equivalents to Microsoft, Google, or Amazon in cloud infrastructure. Not at scale. Not in breadth. Not in influence.

Yes, there are strong regional providers. Yes, there are sovereign cloud initiatives. Yes, there are promising collaborations. But none yet constitute a hyperscaler-class alternative capable of underpinning Europe’s digital economy or critical national infrastructure end-to-end.

If Europe’s ambitions stop at “regulating the existing market”, it will remain dependent on that market. True sovereignty requires ownership and control of infrastructure, not just oversight.

This will be expensive. It will take years. It will require political courage, industrial coordination, and long-term commitment that goes well beyond election cycles.

But the alternative is accepting a new world order in which Europe’s digital spine is permanently outsourced, with access to data, systems, and services contingent on foreign goodwill.

Signs of movement, but not yet momentum

There is encouraging progression taking place. Austria, for example, has begun reducing its reliance on U.S. hyperscalers by investing in sovereign data center infrastructure and independent networks. Building it layer by layer, with acknowledgment that this will take time, a lot of effort, and expense.

Across Europe, critical national infrastructure operators are beginning to map their dependencies more seriously. Governments are paying closer attention to supply chain risk. Cyber resilience is no longer a technical footnote; it is a board-level concern.

In the U.K., powers under the National Security and Investment Act allow the government to intervene where foreign ownership or control poses a risk. The Cybersecurity and Resilience Bill opens the door to imposing additional requirements on critical suppliers.

These are steps in the right direction. Yet, they do not yet amount to a proactive strategy for reclaiming digital control at a continental scale.

Mapping the spaghetti bowl for European resilience

So, what does action actually look like? The first step is brutally complicated: mapping dependencies.

Most European nations, and most large organizations, only partially understand how deeply intertwined their systems are with global digital infrastructure, and how exposed those interconnections are to deliberate cyber disruption. Cloud services sit on top of software dependencies, which rely on hardware supply chains, which depend on ecosystems scattered across the world. Each layer introduces technical, legal, and geopolitical points of leverage that can be exploited in a crisis.

Unravelling this is like pulling apart an ocean’s worth of spaghetti. Daunting, slow, and messy, but unavoidable. Without this visibility, resilience becomes guesswork, and response decisions are made blindly, under pressure.

This process needs to include:

1. Mapping all critical systems, including communications, services, components, platforms, and their cyber and operational interdependencies.

2. Tiering by importance, distinguishing what truly matters to national and regional security from what can tolerate disruption or degradation.

3. Scenario planning for cyber-enabled pressure, including restricted, degraded, or withdrawn access.

4. Identifying viable alternatives, technical, operational, and commercial, that can be activated under stress rather than optimized only for a steady state.

5. Risk assessment beyond traditional cyberthreats, incorporating geopolitical exposure, jurisdictional risk, and legal compulsion alongside vulnerability and attack surface.

6. Building sovereign capability pipelines, spanning infrastructure, skills, standards, and governance required to operate and recover systems under sustained pressure.

   
   

For new organizations, this can be approached deliberately and designed in from the start. For legacy environments, it will be slow and painful. But doing nothing is no longer a choice.

Skills: the quiet crisis

Infrastructure is only half the story.

Europe has world-class academia. It produces exceptional engineers, cryptographers, systems architects, and researchers. And then, too often, it exports them.

Silicon Valley did not become dominant by accident. It built an ecosystem that celebrates risk, rewards entrepreneurship, and provides capital, mentorship, and scale. Europe, by contrast, has historically been cautious, fragmented, and regulation-heavy.

If Europe wants digital sovereignty, it must also reclaim its entrepreneurial ambition.

That means nurturing home-grown technology companies, supporting open-source ecosystems, and giving engineers reasons to build and stay in Europe rather than heading to the U.S. or Asia.

People who understand systems, who can operate, secure, rebuild, and recover them, are the real foundation of sovereignty.

Alliances still matter, but on new terms

Europe should not, and cannot, “own the internet”. Nor should it try to go alone. Cooperation with allies remains essential.

But alliances must be built on choice and resilience, not single-point dependence.

Working with the U.K., Canada, Australia, New Zealand, Japan, Singapore, and others to develop shared standards, interoperable infrastructure, and mutual recovery capabilities makes sense. What no longer makes sense is structuring Europe’s digital future around the assumption that one country’s laws will always align with Europe’s interests.

Greenland’s evolving relationship with Denmark and NATO is a reminder that even long-standing arrangements can shift under pressure. Digital infrastructure must be resilient to political change, not anchored to it.

Removing dependence, reclaiming control

Europe is at a crossroads. It can continue to optimize for short-term efficiency, convenience, and cost, and accept a future of permanent dependence.

Or it can make the hard, expensive, necessary decision to rebuild control over its digital foundations. Building European hyperscaler-class infrastructure will not be quick. It will not be cheap. It will not be easy.

But neither was building the European Union. Neither was rebuilding after the war. Neither was creating the regulatory frameworks that now protect citizens’ rights.

The genie is out of the bottle. The world has changed. And Europe must respond, decisively, collectively, and with its eyes wide open. Because sovereignty is not something you declare. It is something you build.