The European Union’s push for “digital sovereignty” is often presented as an industrial ambition. It is also a contingency question: what would still function if access to critical, non-European digital services were restricted, delayed, or made conditional by a third country or a foreign-owned supplier.
A sudden loss of access to US-owned digital infrastructure would not be confined to consumer apps. It would touch payments, cloud hosting, software supply chains, identity services, data storage, collaboration tools, cybersecurity updates, and the connectivity layers that keep public administration and business running. The EU’s exposure stems from scale and concentration: a small number of firms provide services that are deeply integrated into day-to-day operations, while the legal jurisdiction governing those firms can sit outside Europe.
EU institutions increasingly frame sovereignty as reducing strategic dependencies rather than pursuing self-sufficiency. A recent definition used in European Parliament work links technological sovereignty to building capacity, resilience and security by reducing dependencies and avoiding reliance on single providers for critical technologies and infrastructure.
That distinction matters because the economics are different. Autarky in digital technology implies duplicating entire ecosystems: chips, operating systems, cloud platforms, app stores, identity rails, networks, and security tooling. De-risking instead concentrates on the highest-impact vulnerabilities and on creating credible alternatives that can be switched on when needed.
The short term: know the failure points
The first step is unglamorous: mapping. Many organisations do not hold a complete inventory of which services depend on which providers, where data physically sits, and which processes would halt if a single authentication, cloud, or payments component failed. This is as relevant for national administrations as it is for critical industries.
Regulatory policy has become part of that resilience agenda. The EU’s Anti-Coercion Instrument, in force since 27 December 2023, provides a framework for EU action when a third country applies economic pressure intended to influence EU policy choices. It is not a technology policy in itself, but it sits in the toolkit for deterring coercive measures that could target digital sectors.
Payments: the “always on” dependency
Payments illustrate the sovereignty problem in practical terms. Cashless payments are now central to the euro area’s transaction volume: in the second half of 2024, card payments accounted for 57 per cent of the total number of non-cash transactions in the euro area.
European policymakers and banks have focused on alternatives that reduce reliance on global card schemes and platform wallets. The European Central Bank continues technical work on a digital euro, and states that if lawmakers adopt the necessary regulation in 2026, a first issuance could follow during 2029. The Commission’s legislative proposal for a digital euro was tabled on 28 June 2023.
Alongside public-sector plans, the private banking sector has moved on a European wallet: the European Payments Initiative launched Wero in 2024, with expansion steps announced for 2026. These efforts are aimed at ensuring that, in a crisis, domestic payment capacity does not rely on a single external decision point.
Cloud and data: jurisdiction as a strategic risk
Digital sovereignty debates in Europe have also been shaped by surveillance disclosures and by US legislation with extra-territorial reach. The US CLOUD Act, enacted in 2018, has been a recurring concern because it can compel US-based service providers to produce data even when it is stored outside the United States, raising legal and governance questions for EU entities handling sensitive information.
This is one reason why “sovereign cloud” and multi-provider strategies are increasingly discussed in public procurement and in critical-sector guidance: the aim is not to ban non-European services, but to ensure that core state functions can operate on infrastructure governed by European law, with defined exit paths.
Networks and hardware: sovereignty is physical
The sovereignty agenda also depends on cables, spectrum, data centres and chips. On 21 January 2026, the European Commission proposed the Digital Networks Act, intended to modernise and harmonise EU connectivity rules, including changes affecting spectrum licensing and a longer-term push away from legacy copper networks.
Supply chain risk sits alongside connectivity. In January 2026, the Commission also advanced proposals associated with tightening controls on “high-risk” suppliers in critical infrastructure, with telecom networks a focal point.
Semiconductors remain a structural dependency. The European Chips Act entered into force in September 2023, designed to strengthen Europe’s semiconductor ecosystem. The European Court of Auditors has assessed the strategy and has questioned whether some of its headline ambitions are achievable under current conditions, highlighting the scale of the challenge.
A sovereignty agenda measured in options
The EU’s digital sovereignty project is therefore less a single programme than a set of decisions about where Europe needs its own capability, where it needs leverage, and where it needs redundancy. The practical test is whether governments and critical sectors can keep operating if external services become unavailable or politically constrained.
In that sense, sovereignty is not an absolute state. It is the ability to choose suppliers and jurisdictions for the most sensitive functions, and to switch when required without a system-wide shock.
