Ideas for a Better World newsletter

The S-Word: What Nations Actually Mean When They Talk About Tech Sovereignty

Digital sovereignty isn't a buzzword; it's a survival strategy. There is a legal mechanism by which the United States government can, today, shut down significant portions of European public infrastructure. No shots fired. No declaration of war. Just a clause in a terms of service agreement. That is what sovereignty actually means in 2026, and Europe, which hands >65% of its cloud market to American companies, is only just beginning to reckon with it.

The S-Word: What Nations Actually Mean When They Talk About Tech Sovereignty

There is a word you cannot avoid in 2026 if you follow technology, geopolitics or business strategy. That word is sovereignty.

Political leaders say it. CEOs say it. Procurement teams now write it into RFPs.

Most people, if pressed, will give you a definition. It tends to involve where data is stored or where a company is incorporated. That is only the beginning of the story.

This edition peels back the layers on one of the most consequential and least understood debates of the moment: what nations actually mean when they invoke digital sovereignty, what the European Union is concretely doing about it, where the UK stands in uncomfortable contrast, and why the gap between the rhetoric and the reality matters enormously to any organisation making technology decisions right now.


Layer One

The Dependency Is Real, and It Is Stark

Before getting to politics, it is worth anchoring in facts.

This is not merely a commercial observation. It means that the infrastructure on which European hospitals, governments, financial systems, defence supply chains, and public services increasingly run is owned, operated, and legally controlled by companies incorporated in the United States. And those companies are subject to US law, including legislation that gives US authorities the right to demand access to data held anywhere in the world.

US export controls, cloud service terms of use, and sanctions frameworks explicitly reserve the right to terminate access to critical technologies in alignment with US foreign policy objectives. Analysis has shown how Washington could activate a form of kill switch, revoking European access to cloud infrastructure or AI models through executive action, with no recourse for affected governments.

"If the UK got into an argument today with President Trump, over Greenland, Israel, or trade, then he could swiftly close down the UK's government, by closing down US-owned IT and cloud systems."

Open Rights Group, Parliamentary Briefing, January 2026


Layer Two

What the EU Is Actually Doing

On 18 November 2025, the French and German governments convened a Summit on European Digital Sovereignty in Berlin. It identified several areas for action — including AI, data, and public infrastructure — and launched a joint task force to report in 2026. The declaration that followed called for a "shared ambition to strengthen Europe's digital sovereignty in an open manner as a cornerstone of economic resilience, social prosperity, competitiveness and security."

Fine words. But the EU is also doing something more concrete, and it is worth understanding what the actual legislative machinery looks like.

The flagship is the Cloud and AI Development Act (CADA). This proposed legislation aims to bolster Europe's capacity to develop, deploy and scale cloud and AI technologies, in direct response to concern that Europe is overly dependent on US network technologies. The key question at its heart is how to define "European" in the first place. The Commission has been considering the concept of "European effective control" as its test for eligibility, which would shape which cloud providers can bid for public contracts across the bloc.

There is also the Digital Networks Act (DNA), which addresses fragmented telecommunications infrastructure. The EU currently has 27 distinct regulatory silos for telecoms, creating what analysts call a "fragmentation penalty" that prevents European providers from achieving the scale necessary to compete with US companies, which average 107 million customers, or Chinese ones, which average 467 million. The DNA seeks to merge multiple regulatory instruments into a single unified rulebook and introduces a "single passport" authorisation, allowing telecoms companies to operate across all member states without going through 27 separate notification procedures.


Layer Three

The Three Fronts of the Battle

When you strip away the policy language, there are three distinct strands to Europe's tech sovereignty push: the creation of European alternatives to US-dominated social media; support for domestic manufacturing of semiconductor chips; and the creation of sovereign cloud infrastructure.

Each has a different maturity level and a different set of obstacles.

Semiconductors

Europe is furthest along here, thanks to the EU Chips Act and TSMC's new facility in Dresden. But it remains a long road from ambition to competitive parity with Taiwan and South Korea.

Cloud

The history here is sobering. Gaia-X, launched in 2020 as Europe's answer to AWS and Azure, did not aim to create a competing hyperscaler. It sought to create standards and frameworks to enable European alternatives to interoperate. The project attracted significant scepticism and delivered modest results.

AI

The picture is complex. France has Mistral, which has received direct state investment and enjoys a high political profile. But a handful of national champions does not constitute a continent-wide answer to the compute and model capabilities of OpenAI, Google DeepMind, or Anthropic.

There is also a hidden structural constraint that is not technical but energetic: AI and digital infrastructure demand massive, continuous power, and Europe's grid is not yet built for it, while industrial energy prices in Europe remain significantly higher than in competing markets, threatening to undermine the economics of any sovereign infrastructure push.


Layer Four

Show Me the Money

None of this happens through legislation alone. The harder question is whether governments are willing to back their rhetoric with capital at the scale the problem demands. The answer, increasingly, is yes — though with significant variation between the EU as a bloc, France as the most assertive national actor, and the UK operating on a different and more contested trajectory.

Start with the cost of inaction. A report by CIGREF, the IT Club of France's Largest Enterprises, estimates that Europe's digital dependence costs approximately €265 billion per year, reflecting a structural transfer of wealth primarily to US companies. That number puts the investment case in sharp relief. The question is not whether Europe can afford to act, but whether it can afford not to.

At the EU level

Capital is being deployed through several parallel instruments. Horizon Europe invested €6.4 billion in AI over 2021 to 2024. The 2025 work programme added a further €1.6 billion, of which around €700 million is directed specifically at AI in science, with further support planned for 2026 and 2027. The Digital Europe Programme has allocated an additional €1.3 billion for critical technologies including AI, cybersecurity, and digital skills. On semiconductors, Chips Act 2.0 has drawn public-private commitments approaching €80 billion, targeting a 20% global semiconductor market share.

The AI infrastructure push is becoming more concrete. Thirteen AI Factories have been selected across 17 member states, integrating AI-optimised supercomputers with data resources and programming facilities. Nine new AI-optimised supercomputers are being procured and deployed across the EU in 2025 and 2026, which will more than triple the bloc's current high-performance computing capacity for AI. The newest initiative, announced at Mobile World Congress in Barcelona in March 2026, is EURO-3C: a €75 million project to develop Europe's first large-scale federated Telco-Edge-Cloud infrastructure, backed by the Commission through Horizon Europe.

The EU is also using its own procurement as a policy lever. The Commission issued a €180 million tender for sovereign cloud infrastructure to equip its own institutions, explicitly stating it "establishes a benchmark for how sovereignty is applied in practice to cloud services" and for the first time demanding robust, quantifiable metrics for technological sovereignty based on its new Cloud Sovereignty Framework.

France

France is operating at a different level of intensity from most European peers and deserves separate

treatment. At the AI Action Summit in Paris in February 2025, President Macron announced €109 billion in AI investment, encompassing both public and private contributions including €50 billion from the UAE for data centre campuses and €20 billion from Brookfield for AI infrastructure. The public component is smaller, but the signal was deliberate: France was positioning itself as Europe's AI capital.

The domestic industrial bet centres on Mistral AI. Mistral raised €1.7 billion at an €11.7 billion valuation in its September 2025 Series C, with Dutch semiconductor giant ASML as lead investor at approximately 11%. Total funding since 2023 has reached approximately €2.8 billion. The ASML investment is particularly significant: it explicitly bridges the semiconductor and AI value chains within a single European ownership structure.

On compute, France signed an agreement with Fluidstack to develop one of the world's largest low-carbon supercomputers, with a €10 billion investment, 500,000 GPUs planned by 2026, and one gigawatt of capacity by 2028, powered by France's nuclear energy grid. France generates roughly 70% of its electricity from nuclear, providing a structural cost and carbon advantage for AI workloads that most other European countries cannot replicate.

Macron has framed the entire programme as a deliberate "third way": not going alone and not relying on US or Chinese platforms, but building strategic alliances among European and non-European nations to create mutual interdependence rather than isolation. Whether that is achievable at scale is the open question. But France is (arguably) the only European country with a functioning model to test it against.

Germany

Germany is less visible on headline numbers, but it co-launched a joint task force with France that is developing common sovereignty indicators for cloud, AI, and cybersecurity, with measures to be codified through sectoral regulation, state aid, and the European Competitiveness Fund. And it is Germany where the most concrete on-the-ground action is visible: the state of Schleswig-Holstein is replacing Microsoft Office, Exchange, and Windows across its public sector with open-source alternatives including LibreOffice and Linux. It is unglamorous. It is also real.


Layer Five

The UK's Uncomfortable Position

The United Kingdom presents a fascinating contrast to the EU, and not an entirely flattering one.

Post-Brexit, the UK's approach to tech was bound up with the "Global Britain" narrative, which translated in practice into an enthusiasm for US technology partnerships. Long-term deals with US tech giants became a big part of that story, with Microsoft and Google announcing billion-dollar investments in data centres and AI hubs in the UK. More recently, the UK signed a £400 million MoD contract with Google and a £1.5 billion defence AI partnership with Palantir.

It has not gone unnoticed that these are precisely the kind of critical infrastructure dependencies that sovereignty advocates warn against.

The UK does not have a formal digital sovereignty strategy. The government's AI Minister has defined sovereignty in AI as "the ability for a state to have strategic leverage when it comes to this technology, such that it can ensure ongoing access to critical inputs, and ongoing assurance that its wider economic and national security objectives can be met." But critics argue that no coherent strategy follows from that definition.

On spending, the UK has committed serious capital, but the nature of the bet is different. The 2025 Spending Review announced record public R&D investment of £86 billion across the period 2026 to 2030, with £38.6 billion allocated to UKRI. Within that, AI is the single largest priority: UKRI committed £1.6 billion directly targeted at the AI sector over four years. This sits alongside £500 million for the new Sovereign AI Unit, £750 million for supercomputing capacity, and a defence R&D budget exceeding £2 billion in 2026 to 2027.

The AI for Science Strategy allocates £137 million to accelerate AI-driven breakthroughs in five priority areas: engineering biology, fusion energy, materials science, medical research, and quantum technologies. New data repositories will be co-located with sovereign compute facilities at Bristol and Edinburgh.

These are real numbers. But the comparison with Europe reveals something important about the difference in approach. The EU is investing in shared infrastructure: common compute, interoperable standards, shared data spaces, AI Factories that pool resources across member states. The UK is predominantly funding research excellence and betting that commercialisation follows. That is a legitimate model — the UK has a strong track record of producing world-class research. But it is a different theory of how sovereignty gets built, and it leaves the translation from lab to strategic infrastructure largely to market forces and to foreign capital.

The government has launched a Sovereign AI Unit, but the AI Opportunities Action Plan and Compute Roadmap do not explicitly call for its capabilities to be provided by UK companies. That distinction matters more than it might seem. Sovereignty over research inputs is not the same as sovereignty over operational infrastructure. Building a data centre is not the same as controlling what runs in it.


Layer Six

The "Sovereignty-Washing" Problem

Here is where it gets subtle, and where the debate gets genuinely difficult.

Many of the largest US hyperscalers have responded to sovereignty concerns by offering "sovereign cloud" products: data residency in-country, dedicated infrastructure, local keys, local personnel. Microsoft, AWS, and Google have all launched versions of this. On the surface, it sounds like exactly what governments asked for.

The core issue is not where the servers are. It is who controls them, and under whose legal jurisdiction that control ultimately falls.

The European Centre for International Political Economy has estimated that broad sovereignty requirements in cloud security, such as mandatory domestic hosting or preferential procurement, could cost the EU up to 3.9% of annual GDP, compared to just 0.2% for a more focused, risk-based approach. That is not a trivial number. It is the cost of getting this wrong in either direction.


Sovereignty, in the tech context, is not a binary condition. It is a spectrum of control, and the debate is really about where on that spectrum you need to sit for different categories of data, infrastructure, and service.

The sensible answer, which is slowly emerging through the noise, is that not all dependencies are equal. The protocols running your financial clearing systems are a different risk category from the software powering your marketing emails. Sensitive defence intelligence processed in a US hyperscaler is a categorically different risk from your HR onboarding forms.

What pays for governments, in strategic terms, is to be precise about where they actually need to maintain digital sovereignty to reduce national vulnerability. That varies from country to country: for Estonia, control over its defence stack while Russian aircraft skirt its airspace is the priority; for Kenya, the current preoccupation is control over valuable health data.

For Europe, right now, the live question is whether a continent that built global influence on regulatory power alone can translate that into genuine industrial capacity. The money is now moving. The political will is present at a level it was not three years ago. But money and will are not the same as execution. Chips Act, Gaia-X, and a dozen other European industrial programmes have demonstrated that announcing a strategy and delivering one are separated by a considerable distance.

For the UK, the question is more pointed. There is no agreement on what digital sovereignty looks like or what its key outcomes should be, with policy choices depending on whether the main priority is growth, resilience, security, or something else. Until that question is resolved, the UK will continue to have a Sovereign AI Unit on the one hand and a £1.5 billion Palantir contract on the other, and no obvious framework for reconciling them.

Sovereignty, properly understood, is not about building walls. It is about knowing which doors you can afford to leave unlocked, and which ones you cannot. Most organisations have not done that analysis yet. Most governments have not either.

Editor, Ideas for a Better World