At the start of June, the EU Commission presented its European Technological Sovereignty Package. These measures are intended to strengthen Europe’s capacity in semiconductors, AI, cloud and open source.
In response to the changing geopolitical environment, the Commission has concluded that the EU “cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure”. We consider these proposals and the wider commercial implications of regionalising your IT infrastructure to respond to this tide of digital deglobalisation.
The Fable and Mythos export ban
The EU Commission’s concerns are not unreasonable. One example is the U.S. Government’s recent directive to suspend all access to Anthropic’s Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States. This was driven by national security concerns, particularly the risk of jailbreaking these models to, for example, develop cyber-attacks.
The risk of frontier AI models being used to undertake cyber-attacks is real and is driving a recent spike in CVEs. However, having access to these models also allows software developers and businesses to harden their systems against these attacks. Balancing these factors requires care and may not be easy, but this issue has simply been taken out of the hands of the Commission and Member States.
Outline of the proposals
The European Technological Sovereignty Package is made up of two legislative proposals and two strategic plans:
- Cloud and AI Development Act: This aims to triple data centre capacity in Europe over the next five to seven years, including streamlining conditions for deploying data centres across the EU. It will introduce a single EU-wide framework to assess cloud and AI sovereignty to help protect critical applications and sensitive data, and support the development and roll-out of advanced cloud and AI technologies. It includes measures such as the creation of four Union Assurance Levels (UALs) for cloud providers supplying cloud services to EU entities and public sector bodies.
- Chips Act 2.0: This is intended to speed up permitting, introduce a new excellence label for Europe’s semiconductor regions and support investment and strategic projects.
- Open Source Strategy: This will support greater use of open source in public administrations through procurement guidelines and practical best practice. There will also be investment in skills, supporting open source start-ups, and improving the long-term maintenance and security of Europe’s open-source digital infrastructure.
- Strategic Roadmap for Digitalisation and AI in the Energy Sector: This is to ensure that data centres are integrated into our energy system in a sustainable and transparent manner. This will also encourage the roll out of smart meters and help build sovereign and secure AI models for the energy sector.
The desire to build out the EU’s digital capabilities is laudable, but it seems optimistic to think this will deliver meaningful digital sovereignty or erase dependency on foreign technology. The “global technology stack” is wide and deep. It is made up of contributions from many different nations and regions, but is dominated by technology from the U.S. The suggestion that the EU, or indeed any nation or regional bloc, has the technical capability or political will to create its own fully independent technological ecosystem is questionable.
Wider regulatory developments
The announcement by the Commission sits alongside a range of other digital deglobalisation pressures both within the EU and outside.
One obvious example is the increasing pressure on international transfers of personal data under the GDPR. For example, the European Data Protection Supervisor (EDPS) issued a decision requiring the Commission to suspend data flows arising from its use of Microsoft 365 to affiliates of Microsoft located outside the EEA – which may have prevented continued use of that software. The EU Commission submitted a compliance report and entered into detailed discussions following which the EDPS announced that transfers were now compliant.
More recently, the Irish Data Protection Commission ordered an entertainment platform to stop remote access from China to its global data centres. The Irish Court subsequently removed the ban and remitted the issue back to the Commission, but this is notable because for many years EU data protection authorities have focused on international transfers to the U.S. and are now clearly looking further afield.
Finally, while many data transfers to the U.S. are currently made in reliance on the EU-U.S. Privacy Framework, that framework is being challenged in the CJEU (Latombe, Case C-703/25 P), which could result in a significant rupture in the digital arrangements between the EU and the U.S.
Similar changes are taking place outside of the EU. The U.S. has ratcheted up the use of technology sanctions and is starting to limit and curtail transfers of sensitive data overseas. Similarly, China maintains tight controls over its digital infrastructure and now has a sophisticated data protection framework with controls on international transfers and wider transfers of data.
Keep your friends close…
These proposals are a response to the current geopolitical storms, shifting allegiances and the relentless pace of technology. Whether the solution is for different regional blocs to retreat and disengage is questionable.
Quite apart from the economic efficiencies of globalisation and the significant challenges to the EU achieving full technical sovereignty – the less connected the world becomes, the greater the risk of miscommunication and misunderstanding. The net outcome is to reduce incentives to avoid outright conflict. As Michael Corleone put it: “keep your friends close, but your enemies closer”. The EU might be better off encouraging greater innovation so that, rather than draw back, EU companies embed themselves more deeply in the global technology stack.
In practice – Challenges in regionalising your IT infrastructure
One consequence of this tide of digital deglobalisation is pressure on businesses to regionalise their IT infrastructure. This is expensive and technically very challenging, and can also have significant operational implications. The regionalisation of access to data will often limit the ability of an organisation to operate in a coherent global manner and may mean significant workforce changes as employees move to follow the data.
Despite these challenges, this is an issue that global companies should think about carefully as the different regional blocs around the world place an increasing premium on technical sovereignty.

For further information, please contact:
Sonia Cissé, Partner, Linklaters
sonia.cisse@linklaters.com




