Does Europe Really Have a Plan for Tech Sovereignty?

This post is part of a series on Hype Studies appearing on Tech Policy Press in 2026. More from the series is here.

The European Union has been entertaining the idea of sovereignty for almost two years now; years marked by intensified AI hype. “The tech industry moves fast; bureaucrats move slow”: a punchline that has lodged itself in the minds of public servants and politicians, as if speed determined the quality of their work. Meanwhile, the constant release of new models, astronomical investment announcements and, more recently, promises of trillion-dollar IPOs have reinforced the narrative of AI’s inevitability. The overhasty AI strategy pursued by US giants was misread in Brussels. As Hannah Ruschemeier has argued previously in this series, AI hype has increasingly permeated European policymaking by framing AI development as an urgent economic and geopolitical necessity, burying discussions like what type of technology should Europe develop, by whom and for what purposes.

The European Commission finally released its proposal to achieve tech sovereignty on June 3. Under the title “Strengthening Europe’s Tech Sovereignty,” on paper, the goal for the package is to secure the continent’s “ability to act independently in the digital world by developing and controlling key technologies, data, and infrastructure, while reducing reliance on non-EU providers.” In reality, the package tries—and fails—to kill three birds with the same stone: competitiveness, sustainability and sovereignty. While it may partially succeed in capturing some economic gains, it will do so at the cost of exacerbating Europe’s ecological footprint and further entrenching foreign control of its economy.

Contradictions populate the package. Its preference for open source, the vocation to share resources among member states and the idea to create a “European public sector Cloud Federation” point to the urgent need to decouple from Big Tech’s predatory ecosystems. Still, the proposal falls short of addressing the public sector’s dependence and ultimately favors its expansion.

As part of the package, the Cloud and AI Development Act (CADA) introduces a cloud computing sovereignty framework with four assurance levels. They can be read as degrees of sovereignty to be guaranteed by a cloud provider to be eligible for providing services to public bodies in the EU and its member states. Even the fourth assurance level, the strictest one, leaves space for cloud giants like Microsoft, Amazon and Google if they demonstrate that customer data, employees, infrastructure and control remain inside Europe. By ‘control’, the regulation means that the subsidiary operating in Europe is formally separated from the parent company and subsidiaries from other countries. The open window for Big Tech is the use of “control” instead of ownership. As long as a global corporation establishes subsidiaries that are fully controlled inside Europe, the fact that the subsidiary is at least partly owned by a foreign company does not prevent the European entity from being eligible provided that it complies with all the other location-related clauses. The cloud service provider must also guarantee the continuity of the service independently of any third-country request.

The Commission’s proposal does not prevent cloud providers from granting access to European data to foreign governments, either. Instead, Annex III on auditing criteria only requests evidence of “an up-to-date record of any request to access customer data, to disrupt service continuity or to degrade service quality from a third country or a legal entity established in a third country, containing at least the request and the response to the request.”

The “buy European” preference is thus interpreted as a matter of geography: buying AI and cloud services provided inside Europe regardless of the ultimate owner.

Microsoft was ready

In a blog post published April 30, 2025, Microsoft Vice-Chair and President Brad Smith detailed his company’s European digital commitments. They all fit like hand in glove with the European Commission’s proposed package published over a year later.

By 2027, the company committed to have data center operations in 16 European countries, expanding its capacity by 40% in two years and assuring compliance with data localization requirements. By the time of the blog post, Microsoft’s cloud services were already provided to Europe from corporate entities headquartered in Europe. The post announced that these entities would be overseen by a European board of directors with only European nationals.

Microsoft publishes its “Government Requests for Customer Data Report” annually, evidencing—in line with the CADA—that it keeps records of all the requests it receives. And to face potential requests to suspend a cloud service in Europe, Microsoft claimed to include legally binding commitments in every contract with the public sector in Europe to “promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court.”

As a contingency plan, Microsoft promised to use its European partners. It will provide legal rights to companies like SAP and Orange to access back-up copies of its services’ code to ensure that they keep running. In any case, Smith insisted that “there is a strong consensus in Washington supporting the sustained flow of digital services from the United States to Europe.” Nothing to be surprised about here. Assuring that US companies continue expanding their businesses in such a significant market while making public administrations structurally dependent on US technology is fully aligned with the US government’s goals.

Smith’s post also emphasized that Microsoft is committed to open source, anticipating the tech sovereignty package’s preference. Smith explained that most of the over 1,800 AI models hosted on Microsoft’s infrastructure are open-source, including those from the European firm Mistral and other models hosted on Hugging Face. The proliferation of AI models is beneficial for cloud giants, among others, because the use of models on their infrastructure—be them open systems or not—is charged with processing fees that their customers pay every time they use a model.

Entrenched public sector dependence

The strong alignment between Microsoft’s digital commitments for Europe and the proposal made by the European Commission a year later casts doubt on the full independence of the latter. There is space to be suspicious. Big Tech’s lobby succeeded in keeping confidential data centers’ consumption of electricity and water, thus concealing their environmental damage, in the Commission’s 2024 legislation.

Yet lobbying, just like AI hype, does not operate in a vacuum. Rather, it takes place within a landscape already shaped by technological dependence, procurement commitments and institutional path dependencies. Among EU member states’ procurement agreements, for a forthcoming project we have identified 3,609 contracts or memorandums of understanding signed by an EU member state with either Microsoft, Amazon or Google for a total value of €10.8 billion for the provision of AI or cloud technologies. Over two thirds of these are with Microsoft. In comparison, major Chinese tech firms only signed 144 such agreements. Procurement of AI and cloud has increased sharply since the pandemic, with the biggest growth in 2024 and 2025. At odds with claims to expand sovereignty, EU member states keep procuring frontier technologies from US giants. Far from addressing this dependence, the Commission’s proposal falls into Big Tech’s narrative.

An epistemic capture

In its 129 pages, the CADA uses the term sovereignty 72 times but only mentions the aim to reduce “reliance on” non-European cloud and AI services four times. The document plays with words to discursively advocate for sovereignty while accepting procurement from Big Tech’s European subsidiaries.

The overt promotion of AI can also be read throughout the document. The European Commission’s “AI first” principle, linked to the Digital Decade Policy Programme 2030, urges organizations to adopt AI, cloud services and big data so that at least 75% of EU enterprises use these technologies. The proposal’s broad promotion of AI for defense, self-driving vehicles and autonomous drones is particularly worrisome.

The CADA also mandates that every member state designates data center “acceleration zones” and embraces Big Tech’s techno-solutionist narrative by calling for innovations to make data centers more sustainable. Europe, the document goes, should at least triple its data center capacity by 2030.

Trusting that innovation will compensate for the ecological footprint of data centers and viewing AI as a key driver of economic growth are not neutral positions. They contribute to expanding Big Tech’s business on the continent while making the world increasingly dependent on American technologies. They are the perfect match to a tech sovereignty package that, as explained above, is compatible with increasing government procurement from Big Tech.

As people’s distrust of AI benefits grows and communities organize against data centers, Europe turns a blind eye and falls for the AI hype—a costly move for people and the planet that runs counter to the very motivation of the tech sovereignty package. If the European Commission truly wants Europe to “act independently in the digital world”, it should start by freeing itself from Big Tech’s epistemic capture.