Toward European Digital Sovereignty: the Implementation Test

Is the European Union moving toward a principle of sovereignty in the digital sphere? Several recent decisions point to the EU seeking to reduce dependencies on China and reaffirm its regulatory autonomy challenged by the current United States administration. Heavy lifting remains to be done: taboos surrounding European preference, divisions over cloud security, tests of resolve in a number of competition and platform liability-related cases. The instruments for an ambitious policy are yet to be crafted in order to consolidate a series of foundational political guidelines. Without any illusion on how much can be achieved in the short to medium term, Europe must bear the cost of its sovereignty today, to not accept an imposed fate tomorrow.

A New Shift is Taking Place…

A discreet but major shift is underway in the European approach to digital policy. Long a regulatory power predominantly indifferent to market outcomes, the Union is embarking on a strategic reorientation: digital technology is now recognized as a critical sector, at the heart of European competitiveness, economic security, and strategic autonomy. Recent European Council conclusions refer to the objective of a "sovereign digital transition"-a first for a term long considered politically "radioactive" in Brussels-and detail the next steps for its implementation. The doctrine is based on three vectors.

The recent conclusions of the European Council refer to the objective of a "sovereign digital transition" - a first for a term that has long been radioactive in Brussels - and detail the tactics for its implementation.

First, regulatory autonomy. The Council has reaffirmed the full implementation of the existing regulatory framework, whether in terms of healthy competition in areas naturally prone to concentration (DMA), societal regulation of social networks that permeate everyday life (DSA), privacy protection (GDPR), or that of cybersecurity (Cybersecurity Act).

What would have been a truism in ordinary circumstances has become a founding act of our ability to lay out our own rules in the face of pressure from the current U.S. administration, and tomorrow (perhaps) from China. Indeed, U.S. Secretary of Commerce Howard Lutnick was quick to remind Europeans of the need to "adjust" the DMA and DSA, a prerequisite for any possible reduction of tariffs on European steel. Beyond regulations, EU heads of state are also calling for additional efforts to protect infrastructure and reduce dependencies. Cloud services, networks, AI, and semiconductors, given the hybrid threats and supply risks they pose, are now treated as critical inputs for our economies. The forthcoming revision of the Chips Act (EU semiconductor regulation), scheduled for 2026, fits in with this approach. But the most notable shift in the traditionally extremely regulatory EU philosophy concerns its support for the development of European actors, combining European preference, competitiveness policies, regulatory simplification, and the strengthening of underlying infrastructure.

...Driven by Franco-German Momentum...

It is within this context that the Franco-German summit on European digital sovereignty was held on November 18. The meeting sent strong signals, particularly from the German side, long reluctant to embrace the idea of digital sovereignty. For the first time, Paris and Berlin displayed explicit political convergence on the need to protect European data from extraterritorial legislation. The French and German cybersecurity agencies then agreed to collaborate on cloud security standards, while SAP and Mistralannounced the development of joint offerings, particularly for both countries’ administrations -a concrete illustration of a European capacity-based approach.

While the final communiqué remained cautious on the notion of European preference, Chancellor Friedrich Merz publicly expressed his alignment with Emmanuel Macron on the subject. The two capitals also supported ambitious regulatory simplification, including the need for a "28th regime" for innovative companies, a targeted moratorium on certain high-risk obligations of the AI Act, and a revision of the GDPR-guidelines in line with the Commission's proposal for a digital omnibus, put on the table a few days earlier.

... the Result of an Increasingly Harsh/Ruthless International Context

This reorientation represents a concession made by Europeans, particularly the most liberal among them, faced with a changing international environment. The Busan summit in October was revealing in this regard: Donald Trump and Xi Jinping negotiated a trade truce focused on export controls directly involving European firms and interests without any European at the table. Indeed, the extension of US measures in September to groups owned by sanctioned entities has created unprecedented tensions over European semiconductor supplies, centering on the Dutch company Nexperia, owned itself by a sanctioned Chinese entity. China's response to the U.S. measures, consisting of a sudden extension of its export controls to all global value chains containing minerals from China-which in theory affects most global trade-has caused great concern among European players already struggling with the existing Chinese framework put in place at the beginning of the year.

Meanwhile, maintained high U.S. trade barriers continue to automatically redirect massive Chinese industrial surpluses to the European market. While Washington pursues a policy of technological imperialism, distributing access to breakthrough American innovations according to the concessions obtained, Europeans remain on the receiving end of the "G2" agenda. Access to cutting-edge U.S. resources is no longer a guarantee for allies but is traded in return for various concessions and investment commitments. Europeans are thus exposed to a double threat: Beijing's ambitions for techno-industrial supremacy, the risk of domestic industrial destruction, and U.S. predation backed by its digital and financial power.

Indeed, the second Trump administration has surprised observers with the aggressiveness of its stated intentions to establish undisputed and non-cooperative leadership in digital services and AI. Any form of regulation, regardless of its legitimacy and terms, is immediately perceived as an attack on American interests. This was evidenced by the Trump administration's public and explicit naming, on December 16, of several French and German champions-from SAP to Mistral, Capgemini, Siemens, and Spotify-explicitly exposed to trade retaliation measures, an unprecedented level of targeting in transatlantic relations.

The notion of "digital sovereignty," long understood in certain circles as a protectionist smokescreen or an outdated fad in an era of interdependence, has become a national security imperative. Faced with these two giants, only action at a continental scale seems to offer an effective response.

Maintained high U.S. trade barriers continue to automatically redirect massive Chinese industrial surpluses to the European market.

In light of this observation, the potential benefits of the thorny issue of cloud computing demand to be examined. Since 2019, Europeans have been required to produce cybersecurity standards for critical elements of their digital domain.

For the moment, they are hitting a snag over the cloud, in particular over the definition of the level of exposure to US extraterritoriality considered acceptable. Indeed, even when operated in Europe, a cloud based on American building blocks remains, by design, exposed to Washington's decisions. Even in a maximalist vision, where this standard would only be awarded to European operators, given the current state of American technological supremacy in this field, total hermeticism seems illusory in the short and medium term. Nevertheless, there is still no consensus among European states on the threshold and modalities of acceptable exposure.

This digital dependence gives the United States a very concrete ability to mobilize European digital infrastructure in the service of its geopolitical interests, as illustrated by the pressure exerted via US law on foreign powers (including international institutions such as the International Criminal Court, since if the ICC used US cloud services, it would potentially expose itself to surveillance or data seizure by U.S. authorities). All too often, the European debate overlooks the fact that, in theory, the U.S. president has the power to shut down our economies with the stroke of a pen, as we are entirely dependent on U.S. digital services.

From Intention to Execution: Credibility Is Yet to Be Established

While the conclusions of the European Council have displayed an unprecedented change of course, the realization of this ambition remains hampered by deep political divides between Member States. The diagnosis is now widely shared: the Union must strengthen its own digital ecosystem, protect its critical infrastructure, and reduce its dependencies. A healthy starting point, but consensus on the analysis is not enough to make a strategy, nor even a policy.

The coming months will, therefore, provide several tests of credibility. The ongoing investigations under the DSA and DMA-targeting U.S. actors, as well as Chinese ones-are immediate tests of European resolve. They include highly political cases, such as those involving X (owned by former Trump administration member Elon Musk), with the Commission taking a further step in early December by imposing a fine of €120 million on the social network for failing to comply with transparency obligations under the DSA, the first under this flagship regulation. U.S. Secretary of State Marco Rubio rushed to describe it as "an attack on all American technology platforms and the American people."

Recently, the Transport, Telecommunications and Energy Council of December 5, 2025 extended the conclusions of October by reiterating their core strategies-data and AI as drivers of competitiveness, protection of critical infrastructure, regulatory simplification-while acknowledging a worrying but hardly surprising observation: the EU is not on track to achieve its digital decade objectives by 2030. In other words, despite the EU's awareness and change of course initiated in October, the Council has still not defined the tools for an ambitious policy, contenting itself for the time being with a status quo based on repeated incantations of "sovereignty."

While the conclusions of the European Council have displayed an unprecedented change of course, the realization of this ambition remains hampered by deep political divides between Member States.

At the same time, a series of foundational texts is expected in the medium term. The revision of the Cybersecurity Act will need to specify the security requirements applicable to critical digital infrastructures, in particular the cloud, while the future regulation on the development of the cloud and AI (CAIDA) aims to strengthen European industrial capabilities.

Regarding the Digital Networks Act, it seeks to modernize the rules applicable to telecommunication networks in order to support investment in digital infrastructures. Other projects are also expected, including a quantum strategy, a potential second Chips Act aimed at strengthening European autonomy in semiconductors, and the European toolbox dedicated to the resilience of digital supply chains, designed to better anticipate disruptions and geopolitical pressures. All of these instruments are intended to translate doctrine into tangible capabilities. But for this to happen, a broad consensus must emerge among Europeans on the modalities to be followed, the efforts to be made, and the distribution of costs and benefits.

Experience, however, calls for caution. The file on cloud certification (EUCS) remains, as we have explained, emblematic of Europe's difficulties in reaching a decision. While some states, led by France, argued for strong "sovereignty" criteria, a group of more liberal countries-notably the Netherlands, Sweden, Finland, and Ireland-worked to water down the scope of these criteria, which de facto excluded U.S. hyperscalers. Beyond the traditional European faultline vis-à-vis openness, this divide between Member States also reflects a strategic choice difficult to resolve in the short term: prioritize European legal sovereignty or rely on the best cyber shields currently available, which are currently provided by American actors and considered essential by those most exposed to increasingly aggressive attacks from China and Russia.

In the absence of a compromise, the EUCS has become a focal point for the political differences between Member States on the issue of European dependence on U.S. suppliers and digital sovereignty. As a result, the project is at an impasse, leaving great uncertainty for cloud players. Trump's return has nevertheless initiated a slight shift. Traditionally liberal countries such as the Netherlands have reopened the door to a compromise permitting the possibility of imposing a minimum share of European cloud solutions in government systems, without however agreeing to a strictly European model, as demanded by France. The Commission is therefore working on a partial solution under which the EUCS would remain technically open, but would incorporate risk factors in public and critical uses.

This same hesitation can be found elsewhere in the digital agenda. The repeated postponing of the Digital Networks Act illustrates the resistance to preserving national powers, particularly with regard to spectrum allocation. While these arguments refer to legitimate sovereign considerations, their cumulative effect is hindering the emergence of a true continental digital power. Similarly, the "28th regime" project, designed to facilitate the scaling up of European innovative firms, with the digital sector as its main target, is also facing persistent resistance, at the risk of perpetuating the lag already highlighted in the Draghi and Letta reports.

Beyond the Milestone, Speed? Digital Europe and the 2026 Horizon

As 2025 draws to a close with a clear-eyed assessment-Europe having understood that it can no longer outsource its digital security to the United States or its industrial prosperity to Chinese supply chains-concrete action is still awaited.

Added to this is a legislative timetable (2026 for the proposal, 2028 for implementation) that is already lagging behind the pace of technological change, with AI models doubling in capacity every six months. In this context, digital sovereignty comes at a cost: doing without certain non-European solutions may initially be more expensive, less efficient, or more complex. But should it be abandoned on the grounds of high cost? That would be the servile choice, and recent examples in the semiconductor and critical minerals sectors remind us that this will unlikely be the happy choice in an increasingly ruthless globalized world. If Europe and its Member States are agreeing to invest billions in their defense to strengthen their autonomy from the United States, the impact of this effort cannot be maximized as long as digital spending remains unchanged. Adopting a similar approach to resilience in the digital sphere therefore becomes a matter of strategic consistency. In the current circumstances, it seems imperative to invest in sovereign infrastructure, not for the sake of protectionism, but in service of a core liberal principle: the freedom to choose independently.

It therefore seems imperative, in the current circumstances, to invest in sovereign infrastructure, not for protectionist reasons, but in the service of a fundamental principle of liberalism: the freedom to choose independently.

If Europe's twentieth century fate was shaped by its control of steel and hydrocarbons, later nuclear power, the twenty-first century will also be determined by its control over data and algorithms. Europe must bear the cost of its sovereignty today, to not accept a fate imposed upon it tomorrow. Our fate is not yet sealed, but we must be willing to reshuffle the deck ourselves.