The struggle for digital sovereignty (II)

On the path to digital sovereignty?

On Tuesday, Germany and France signalled a new unified front fighting for Europe’s technological independence at a jointly organised one-day Summit on European Digital Sovereignty. “We want to speak with one European voice and work together towards one goal: European digital sovereignty,” said German Chancellor Friedrich Merz at the meeting, also attended by his French counterpart Emmanuel Macron.[1] Merz’s remarks reportedly came just hours after an outage at an American cloud computing company had paralysed online services in Europe as well as the US. Referencing the increasing number of outages at major US cloud providers and the massive bottlenecks in the chip industry, Merz went on to note, “We are dependent on digital technologies from China and the US.” Macron shared this view, stating, “Europe does not want to be just a customer either of the big tech corporations or of the big tech solutions coming from the US or China.” Alongside Merz and Macron, the summit was attended by other European heads of state and government, EU commissioners, founders and CEOs of IT companies, researchers and representatives of civil society organisations.

‘A Schuman moment’

A key document released at the summit was a ‘Declaration for European Digital Sovereignty’, drawn up by the Austrian government. This position paper is considered the most comprehensive attempt to date in the EU to formulate a common understanding of digital sovereignty. It calls for steps to strengthen Europe’s position as a technology hub in the global market.[2] One of the highlights of the summit was the announcement that France and Germany would support an EU call for the largest US cloud computing providers, Amazon Web Services and Microsoft, to be subject to an antitrust review.[3] On the very same day, the European Commission launched market investigations into three US cloud computing giants under the terms of the Digital Markets Act (DMA).[4] Expectations for the summit were high in other respects as well: Axel Voss (CDU), a member of the European Parliament with expertise in digital policy, described it as “a Schuman moment”.[5] A post-war French Foreign Minister and two times Prime Minister Robert Schuman is considered the political architect of the European Union. In 1950, he drafted a plan for cross-border cooperation in the coal and steel industry and aimed, in a second step, to bring the countries of Western Europe closer together.

Dependent on the US

The summit took place just a few days after the publication of a new analysis by an influential German think-tank, the Institute for International and Security Affairs (SWP). It highlights the problem of Europe’s strong dependence on the US in the field of cyber security. The paper, entitled ‘Europe’s cybersecurity depends on the US’, argues that Europe relies on the United States in ways that go far beyond cloud services, “software-as-a-service offerings” and security updates. The author points out that American companies such as IBM and Microsoft dominate the market for cybersecurity applications like antivirus software and firewalls, while American corporations like Crowdstrike, IBM, Google (Mandiant) and Recorded Future dominate the markets for cyber threat intelligence (CTI).[6] The paper goes on to discuss the role of the US armed forces in generating CTI, from which European countries directly benefit. In fact, the US military has conducted CTI operations in the Baltic states and Southeast Europe in the past, providing valuable CTI to European countries. In addition, the US government funds a vulnerability database that simplifies the task of protecting the countless software products available today from vulnerabilities. Finally, Washington also supports the security of open source software (OSS).

Leverage

On the assumption that the Trump administration will relentlessly exploit any weakness in the EU, the SWP analysis goes on to say that the above-mentioned dependencies on the US could become a problem for Europe. The author sketches out three scenarios. First, the US could withdraw its financial support for cybersecurity projects. Second, the US government could change its political priorities and focus even more strongly on the power struggle with China. This would mean a shift away from Europe, which, according to the SWP, faces ongoing Russian cyber threats. Third, a fundamental deterioration of transatlantic relations could result in the US weaponising Europe’s dependencies to force concessions in other policy areas, not least foreign and defence policy. The SWP analysis concludes by proposing a number of measures to alleviate these EU dependencies. They include giving “preference to European CTI vendors” and getting EU policymakers to create a legal framework for cyber security activities. The author stresses the urgency of taking action to build capacity in the field of vulnerability databases.

Easier said than done

The realisation that the EU is dependent on the US is nothing new, nor are its efforts to achieve digital sovereignty. The EU has already launched several initiatives to expand its cyber capabilities. One prominent example is ‘Gaia-X’. The consortium was founded in 2019 with the aim of strengthening the EU’s digital sovereignty and global competitiveness by building a “decentralised cloud infrastructure” that promotes the interoperability and trustworthiness of digital ecosystem members in Europe.[7] The consortium did indeed bring together various companies, governments and research institutes from across Europe. However, doubts about its usefulness arose from the outset, as many partners preferred to rely on the established, primarily US-based cloud servers. Well-known companies have left the consortium, including French founding member Scaleway, Europe’s third-largest cloud provider, which withdrew in November 2021.[8] The next major player to leave the consortium was Nextcloud, a Stuttgart-based provider of communication and collaboration software, which announced its departure earlier this year. However, the project did receive a boost in July this year when the Cloud Infrastructure Service Providers in Europe (CISPE), an association of European cloud providers, committed to adapting around three thousand European services to the Gaia-X cloud requirements by November this year.[9]

More on this topic: The battle for digital sovereignty.

[1] Mathieu Pollet, Frida Preuß, Océane Herrero: Germany wakes up to US tech dominance. politico.eu 19.11.2025.

[2] Olga Scheer, Dietmar Neuerer: Europa rüstet sich im globalen Technologie-Wettstreit. handelsblatt.com. 18.11.2025

[3] Mathieu Pollet, Frida Preuß, Océane Herrero: Germany wakes up to US tech dominance. politico.eu 19.11.2025.

[4] Press Release: Commission launches market investigations on cloud computing services under the Digital Markets Act. European Commission. 18.11.2025

[5] Götz Hamann: Wenn plötzlich das Microsoft-Konto von unliebsamen Personen streikt. zeit.de. 18.11.2025

[6] Alexandra Paulus: Europas Cybersicherheit hängt an den USA. Stiftung Wissenschaft und Politik 05.11.2025.

[7] Mission & Vision. gaia-x.eu. See: Die europäische Cloud and Risse in Europas „digitaler Souveränität“.

[8] Michael Kroker: Nextcloud-Chef Frank Karlitschek: „Gaia-X ist tot“. wiwo.de 07.02.2025

[9] Stefan Krempl: The dead live longer: EU cloud providers back Gaia-X. heise.de 19.07.2025.