The Surprising Part: Europe Doesn't Control Its Own Digital Infrastructure
For a bloc that has positioned itself as the world's leading regulator of technology, the European Union has a striking blind spot: it does not meaningfully control the infrastructure that runs its own digital economy. Government agencies, hospitals, universities, and major enterprises across EU member states process sensitive data on platforms headquartered in the United States and subject to US law.
That is the uncomfortable starting point for any honest conversation about EU digital sovereignty in 2025.
What 'Digital Sovereignty' Actually Means
Digital sovereignty—a term used loosely across policy documents, vendor marketing, and academic papers—refers, at its core, to a jurisdiction's ability to govern its own digital environment without being subject to the unilateral decisions of foreign governments or corporations. It encompasses at least three distinct concerns:
- **Data privacy and legal jurisdiction**: Who can access data, under what legal authority, and which courts have standing to compel disclosure? - **Economic competitiveness**: Are European companies and public bodies dependent on foreign vendors in ways that create lock-in, extract value, or suppress domestic industry? - **National security and resilience**: Could a foreign government, through legal or extralegal pressure on a technology company, disrupt or surveil critical European infrastructure?
These are related but not identical problems. Conflating them—as much EU policy discourse does—makes it harder to evaluate whether any given intervention actually addresses the underlying risk.
The Hyperscaler Problem
The three dominant global cloud providers—Amazon Web Services (AWS), Microsoft Azure, and Google Cloud—are all headquartered in the United States. Together they account for the majority of cloud infrastructure spending in Europe, including by public-sector customers.
This matters legally because of the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in 2018. The CLOUD Act allows US law enforcement to compel US-based companies to produce data stored abroad, subject to certain procedural constraints. EU data protection law, including the General Data Protection Regulation (GDPR), does not straightforwardly override this: a US company served with a valid CLOUD Act order faces a conflict-of-laws problem that has not been definitively resolved in practice.
Data localization—storing data in EU-based data centers—does not solve this problem if the operator of those data centers is a US-headquartered company subject to US jurisdiction.
GAIA-X: Ambition Meets Governance Complexity
GAIA-X, launched in 2020 with backing from the European Commission and major EU member states, was intended to create a federated, interoperable European cloud ecosystem with common standards for data sovereignty and portability. The ambition was significant. The execution has been slower and more contested.
Critics—including participants in the initiative itself—have noted that GAIA-X became a standards and labeling body rather than an operational cloud platform. Its governance structure grew complex, and the inclusion of non-European hyperscalers as members drew accusations that the initiative had been captured by the incumbents it was meant to challenge.
As of 2025, GAIA-X has not produced a credible alternative to AWS, Azure, or Google Cloud at enterprise scale. European cloud providers such as OVHcloud, Hetzner, and Deutsche Telekom's Open Telekom Cloud exist and serve real customers, but their combined market share remains a fraction of the US hyperscalers'.
What the Regulations Actually Cover
The EU has enacted or advanced several regulatory instruments relevant to digital sovereignty:
- **GDPR** (2018): Governs personal data processing and cross-border transfers. Significant, but does not address the CLOUD Act conflict or infrastructure dependency. - **Data Act** (2024): Aims to improve data portability and switching rights between cloud providers, reducing lock-in. A meaningful step, but primarily addresses commercial terms rather than security architecture. - **European Chips Act** (2023): Targets semiconductor supply chain resilience, with the goal of producing 20% of global chip output in Europe by 2030. Addresses a real vulnerability but is a long-horizon investment. - **NIS2 Directive**: Updates cybersecurity requirements for critical infrastructure operators. Strengthens baseline security posture but does not resolve jurisdictional dependency. - **Cyber Resilience Act**: Introduces security requirements for connected products. Again, addresses product security rather than infrastructure sovereignty.
None of these, individually or collectively, resolves the core dependency: European institutions running critical workloads on infrastructure they do not control and cannot fully audit.
The Full-Stack Problem
Sovereignty over data infrastructure is not just a question of where servers are located. A complete threat model requires considering the entire technology stack:
- **Hardware**: Processors, network equipment, and storage devices, most of which are designed in the US or manufactured in Taiwan and South Korea. - **Firmware and microcode**: Low-level software embedded in hardware, largely opaque and difficult to audit. - **Operating systems**: Linux is open-source and auditable in principle, but the dominant enterprise distributions are maintained by US companies. - **Hypervisors and container runtimes**: The virtualization layer that cloud providers use to isolate customer workloads. - **Application software**: The SaaS (Software as a Service) tools—productivity suites, collaboration platforms, ERP systems—that employees actually use.
Achieving meaningful sovereignty across this stack would require sustained investment over decades, not years, and would involve difficult tradeoffs between security, cost, and capability.
What Is Known and What Isn't
It is known that EU institutions and member-state governments continue to use US hyperscaler services for sensitive workloads. It is known that the legal conflict between GDPR and the CLOUD Act has not been resolved. It is known that European cloud alternatives exist but have not achieved scale parity.
What is less clear: the actual frequency and scope of CLOUD Act requests affecting EU-resident data; the degree to which EU-specific cloud regions operated by US hyperscalers provide meaningful legal insulation; and whether GAIA-X or successor initiatives will produce operational infrastructure rather than standards documents.
The honest answer is that EU digital sovereignty in 2025 is a work in progress, with significant political will, incomplete regulatory tools, and a technology gap that market forces alone are unlikely to close.