The European Commission unveiled its long-awaited European Technological Sovereignty Package last week, a bundle of draft laws and strategies aimed at aggressively cutting the continent’s overwhelming reliance on American and Chinese tech giants.
Driven by deep-seated fears that foreign dependencies could be weaponized during geopolitical crises, the blueprint marks a dramatic, protective shift in how Europe intends to secure its digital future.
The master plan: Four pillars of independence
The new policy blitz tackles Europe’s digital vulnerabilities across four distinct areas, blending strict regulatory frameworks with state-backed development roadmaps.
- The Chips Act 2.0: Moving beyond the supply-side manufacturing goals of the original 2023 Chips Act, this upgrade shifts its weight to the demand side. It fast-tracks manufacturing permits to a one-year maximum, boosts funding for strategic supply-chain projects, and prioritizes building an advanced semiconductor foundry within the bloc to feed European AI infrastructure.
- The Cloud and AI Development Act (CADA): The undisputed centerpiece of the package, CADA aims to triple European data center capacity over the next five to seven years. It establishes a tiered system to assess cloud sovereignty, requiring public entities to rate digital tools according to their vulnerability to foreign interference.
- The Open Source Strategy: Elevating community-maintained software from a niche procurement option to critical national infrastructure, this strategy pledges to fund the long-term maintenance of European open-source alternatives in cybersecurity, AI, and cloud routing.
- The Energy Digitalisation Roadmap: A strategic plan to integrate power-hungry data centers directly alongside clean energy grids, aiming to smarten Europe’s electricity infrastructure while keeping massive computing centers from crashing the power grid.
The ‘kill switch’ dilemma
The primary motivator behind the sudden regulatory muscle-flexing is absolute control over critical infrastructure. According to The Parliament report, citing the Centre on Regulation in Europe, foreign-owned platforms currently host over 80% of Europe’s essential digital services. Furthermore, the outlet notes that the EU spends €264 billion annually on foreign IT products, a reality that policy experts describe as severe vendor lock-in.
The Commission’s leadership didn’t mince words regarding the security implications of this landscape.
“We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure,” stated Commission President Ursula von der Leyen. “This is about protecting our citizens, defending our interests and making our own choices.”
Executive Vice-President Henna Virkkunen took the rhetoric a step further during a press briefing, explicitly stating, “We want to be sure nobody has a kill switch.”
Virkkunen conceded to reporters that it would be extraordinarily difficult for American tech giants to meet the highest tiers of the new CADA sovereignty framework. This friction stems directly from conflict with the US Cloud Act, which permits American law enforcement to demand user data from domestic companies regardless of where those servers sit geographically. “We live in a world where geopolitics and technology are inseparable,” Virkkunen noted during a subsequent committee hearing. “Today’s package marks a major shift in how Europe approaches technological sovereignty.”
Pushback from all sides
Despite the Commission’s efforts to frame the package as standard digital hygiene rather than a direct assault on Washington, the proposals have drawn fierce bipartisan fire from politicians and industry lobbyists alike.
On the one hand, European lawmakers argue that the Commission lost its nerve and watered down the rules under intense transatlantic pressure.
Kim van Sparrentak, a Greens lawmaker in the European Parliament, remarked, “This long-delayed package finally recognizes the scale of Europe’s digital dependency, but ultimately falls short. I am skeptical that this will be sufficient to ensure long-term independence from the U.S.” She added, per Politico. “We’re not there yet.”
Other European politicians feel the text leaves too many backdoors open.
“The proposal remains too permissive,” argued Christophe Grudler, a French centrist member of the Parliament, pointing out that foreign entities could still service highly sensitive economic sectors.
Analysts note that under the current draft, only about 10% of cloud contracts would be bound to strict European-only sovereignty standards, leaving the remaining 90% accessible to global vendors.
Meanwhile, American tech groups are already calling the framework a thinly veiled exercise in protectionism.
Guido Lobrano, director general for Europe at the Information Technology Industry Council, which represents tech giants like Amazon, Meta, Google, and Microsoft, slammed the geographic criteria, stating, “The proposal’s focus on geographic and nationality-based criteria is not conducive to effective sovereignty outcomes,” according to Politico.
Amazon spokesperson Harry Staight echoed those criticisms, stating, “European organizations deserve access to the best technology available from trusted providers, chosen on the basis of security, performance, verifiable controls and value.”
Reality check: The financial and legislative hurdles
Even if the EU finds the collective political will to alienate its allies, the package faces a looming wall of reality regarding its execution. Foremost among those hurdles is a staggering investment gap. According to internal Commission estimates, the EU needs €120 billion to shore up its semiconductor ecosystem and an additional €200 billion by 2036 to scale up sovereign data centers, The Parliament reported. “We urgently need private capital to step up,” Virkkunen warned.
The text also lacks explicit clarity on enforcement, handing over the administrative burden of implementing the “Made in Europe” procurement rules entirely to individual member states. Policy analysts worry this move will result in a fragmented patchwork of compliance, where free-trade-oriented Nordic capitals and Germany enforce the rules loosely, while protectionist-leaning capitals like Paris enforce them rigidly.
However, before any of these initiatives become law, the draft texts must survive intense, multi-month negotiations between the European Parliament and the Council of the European Union. Current project timelines suggest the acts won’t be adopted until at least 2027. For many policymakers, that timeline is dangerously slow.
Related reading: Europe wants more tech independence, and DeepMind alumni startups show why the region’s AI ambitions are gaining force.