Series
Blogs
EU – The European Commission’s tech sovereignty proposal and the move to digital deglobalisation
EU – The European Commission’s tech sovereignty proposal and the move to digital deglobalisation
22 June 2026
Series
Blogs
22 June 2026
Author: Peter Church
At the start of June, the EU Commission presented its European Technological Sovereignty Package. These measures are intended to strengthen Europe's capacity in semiconductors, AI, cloud and open source.
In response to the changing geopolitical environment, the Commission has concluded that the EU “cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure”. We consider these proposals and the wider commercial implications of regionalising your IT infrastructure to respond to this tide of digital deglobalisation.
The EU Commission’s concerns are not unreasonable. One recent example is the U.S. Government’s recent directive to suspend all access to Anthropic’s Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States. This was driven by national security concerns, particularly the risk of jailbreaking these models to, for example, develop cyber security attacks (more details here).
The risk of frontier AI models being used to undertake cyber-attacks is real (e.g. here) and is driving a recent spike in CVEs. However, having access to these models also allows software developers and businesses to harden their systems against these attacks. Balancing these factors requires care and may not be easy, but this issue has simply been taken out of the hands of the Commission and Member States.
The European Technological Sovereignty Package is made up of two legislative proposals, and two strategic plans:
The desire to build out the EU’s digital capabilities is laudable, but it seems optimistic to think this will deliver meaningful digital sovereignty or erase dependency on foreign technology. The “global technology stack” is wide and deep. It is made up of contributions from many different nations and regions, but is dominated by technology from the U.S. The suggestion that the EU or indeed any nation or regional block has the technical capability, or political will, to create their own fully independent technological ecosystem is questionable.
The announcement by the Commission sits alongside a range of other digital deglobalisation pressures both within the EU and outside.
One obvious example is the increasing pressure on international transfers of personal data under the GDPR. For example, the European Data Protection Supervisor (EDPS) issued a decision requiring the Commission to suspend data flows arising from its use of Microsoft 365 to affiliates of Microsoft located outside the EEA – which may have prevented continued use of that software. The EU Commission submitted a compliance report and entered into detailed discussions following which the EDPS announced that transfers were now compliant.
More recently, the Irish Data Protection Commission ordered an entertainment platform to stop remote access from China to its global data centres. The Irish Court subsequently removed the ban and remitted the issue back to the Commission, but this is notable because for many years EU data protection authorities have focused on international transfers to the U.S. and are now clearly looking further afield.
Finally, while many data transfers to the U.S. are currently made in reliance on the EU-U.S. Privacy Framework that is being challenged in the CJEU (Latombe, Case C-703/25 P) and could result in a significant rupture in the digital arrangements between the EU-U.S.
Similar changes are taking place outside of the EU. The U.S. has ratcheted up the use of technology sanctions and is starting to limit and curtail transfers of sensitive data overseas (here). Similarly, China also maintains tight controls over its digital infrastructure and now has a sophisticated data protection framework with controls on international transfers and wider transfers of data (here).
These proposals are a response to the current geo-political storms, shifting allegiances and the relentless pace of technology. Whether the solution is for different regional blocks to retreat and disengage is questionable.
Quite apart from the economic efficiencies of globalisation and the significant challenges to the EU achieving full technical sovereignty – the less connected the world becomes, the greater the risk of miscommunication and misunderstanding. The net outcome is to reduce incentives to avoid outright conflict. As Michael Corleone put it: “keep your friends close, but your enemies closer”. The EU might be better off encouraging greater innovation so that, rather than draw back, EU companies embed themselves more deeply in the global technology stack.
One consequence of this tide of digital deglobalisation is pressure on businesses to regionalise their IT infrastructure. This is expensive and technically very challenging, and can also have significant operational implications. The regionalisation of access to data will often limit the ability of an organisation to operate in a coherent global manner and may mean significant workforce changes as employees move to follow the data.
Despite these challenges, this is an issue that global companies should think about carefully as the different regional blocks around the world place an increasing premium on technical sovereignty.