 European capitals are right to be blunt: the idea that Europe can simply “delete” U.S. technology from its digital ecosystem is neither realistic nor desirable. As reported in Politico, policymakers increasingly acknowledge that European economies, public administrations and security infrastructures are deeply entangled with American cloud services, software stacks, semiconductors and platforms. These dependencies are not accidental, nor are they the product of European naïveté alone; they are the outcome of decades of innovation cycles, scale effects, and geopolitical alignment within the transatlantic space.
Yet realism should not be mistaken for resignation. Europe is neither numb to these dependencies nor condemned to permanent passivity. The real failure so far has not been dependency itself, but the absence of a coherent strategy for understanding, governing and gradually reshaping it. If Europe is serious about security—whether in relation to Russia, unstable neighbours, or internal resilience—it must move beyond slogans and defensive reflexes and begin doing the harder work of strategic clarity. Step One: Understanding What Dependency Really Means The first task is intellectual, not technological. Europe still lacks a granular, shared understanding of what its digital dependencies actually are. “Dependence on U.S. tech” is often treated as a monolith, when in reality it spans very different layers: cloud infrastructure, operating systems, development tools, cybersecurity services, AI models, data governance frameworks, and even tacit dependencies such as skills pipelines and venture capital norms. Some dependencies are shallow and substitutable; others are deep, systemic and reinforced by network effects. Some are commercially inconvenient but strategically tolerable; others have direct implications for national security, intelligence autonomy and crisis response. Treating all of them as equally problematic leads either to paralysis or to performative policy. From a security perspective, this distinction matters enormously. In a crisis scenario—say, heightened tensions with Russia or instability in the Eastern Mediterranean—Europe’s reliance on foreign-controlled digital infrastructure could become a strategic vulnerability. This is not only about espionage or data access. It is about continuity of service, legal jurisdiction, update control, and the ability to adapt systems rapidly under stress. Security today is not just about tanks and borders; it is about whether digital systems can be trusted to function predictably in moments of geopolitical friction. Mapping these dependencies—where they exist, how deeply embedded they are, and how feasible it is to override them—should be treated as a core security exercise, not a technocratic afterthought. This mapping should also be shared across member states, because asymmetric dependencies create internal EU fragilities. A union is only as resilient as its weakest digital link. Step Two: From Defensive Posture to Strategic Direction The second step is decisional. Europe has spent the past decade reacting—regulating platforms, blocking mergers, erecting defensive legal frameworks—without articulating a clear sense of where it actually wants to go. The term “digital sovereignty” has become a catch-all that signals concern without conveying intent. Sovereignty over what, exactly? For whom? And to what end? Increasingly, digital sovereignty is being associated with open source, and this is a welcome development. Open source reduces lock-in, increases transparency, and allows for collective scrutiny—important virtues in a security-conscious environment. However, open source is not a panacea. Code that is open but poorly governed, underfunded or fragmented can be just as fragile as proprietary alternatives. Moreover, open source alone does not solve questions of scale, liability, or long-term maintenance. A more mature strategy would treat open source as one pillar among several. Europe should also actively promote open standards and protocols, insisting on interoperability as a default condition in both public procurement and regulation. Interoperability is not just a competition tool; it is a security mechanism. Systems that can be swapped, recombined and reconfigured are harder to coerce and easier to defend. Decentralised architectures deserve particular attention. In a geopolitical environment marked by hybrid threats, centralisation is a liability. Decentralised systems—whether in data storage, identity management or communications—reduce single points of failure and make large-scale disruption more difficult. For countries with “tricky neighbours,” such as Greece or the Baltic states, this kind of architectural resilience is not theoretical; it is existential. Security Beyond Russia: The Full Spectrum While Russia understandably dominates European security thinking, a broader lens is needed. Europe’s digital vulnerabilities intersect with migration pressures, energy dependencies, supply-chain disruptions, and internal political polarisation. In the Eastern Mediterranean, for example, digital infrastructure has become entangled with energy exploration, maritime surveillance and military posturing. In such contexts, dependence on external digital systems can constrain diplomatic and military flexibility. Cybersecurity itself is no longer a niche domain. Ransomware attacks on hospitals, interference with electoral infrastructure, and manipulation of information spaces all sit at the intersection of digital dependency and societal security. Europe’s response cannot rely solely on regulation and incident response; it must include structural choices about how systems are built and governed. Creating the Right Incentives—and the Right Governance None of this will happen without investment, and investment will not flow into an environment perceived as hostile, unpredictable or ideologically confused. Europe needs a framework that is predictable, proportionate, rights-based and consistent—not just across policy areas, but across time. Constant regulatory churn may feel active, but it discourages long-term commitment. In addition to funding and regulation, Europe should experiment with new incentives: security-weighted public procurement, long-term public-private partnerships for critical digital infrastructure, and “resilience premiums” that reward architectures designed for interoperability and decentralisation. These tools would signal that Europe values not just innovation, but durable and secure innovation. Finally, governance matters. Europe’s current digital governance is fragmented across institutions, policy silos and national competencies. A credible strategy would require a standing governance structure that brings together security agencies, digital regulators, industrial policy actors and foreign policy expertise. This body should not micro-manage technology, but it should set priorities, coordinate dependency assessments, and stress-test Europe’s digital ecosystem against plausible geopolitical scenarios. Crucially, governance must also include mechanisms for learning and adaptation. Digital security is not static. A system that is resilient today may be brittle tomorrow. Europe’s strength should lie in its ability to adjust collectively, rather than to cling to fixed models. Conclusion European capitals are correct: cutting off U.S. technology is neither realistic nor necessary. But accepting dependency without strategy is equally untenable. In a world of renewed geopolitical tension and hybrid threats, Europe’s digital choices are security choices. The path forward is not technological autarky, but strategic intentionality—grounded in a clear understanding of dependencies, a coherent vision of where Europe wants to go, and governance structures capable of turning that vision into reality.  Across Europe, concern about the online environment is intensifying. Digital platforms are increasingly associated with the spread of disinformation, political polarisation, and social harms—particularly for children. In a context marked by geopolitical uncertainty, eroding trust in institutions, and fragmented public debate, it is understandable that governments feel compelled to respond. The issue is no longer whether some form of regulation is needed, but how such measures are conceived, justified, and put into practice.
In recent years, attention has often centred on the power of large technology companies, whose scale and influence over public discourse are unprecedented. While these concerns are well founded, there is a parallel risk that regulation becomes a vehicle for broader state intervention in the digital public sphere. Under the language of democracy, security, or national autonomy, efforts to address genuine problems online may slide into attempts to exert greater control over speech and information flows. The challenge, therefore, lies in developing regulatory frameworks that meaningfully address online harms without undermining the open and pluralistic character of democratic debate. Spain’s Prime Minister Pedro Sánchez has become one of the most prominent advocates of a hard-line approach. His proposals—including ending anonymity on social media, holding platform executives criminally liable for illegal or “hateful” content, criminalising certain forms of algorithmic amplification, and adopting a “zero-tolerance” enforcement posture—are framed as necessary responses to a digital environment he has described as a “failed state.” The stated objective is to protect democracy and society, particularly the most vulnerable. These concerns should not be dismissed. Children do face real harms online: exposure to abuse, predatory behaviour, harassment, self-harm content, and manipulative design practices that exploit their attention. Marginalised communities are disproportionately targeted by online hate and coordinated harassment. Platforms have often been slow, inconsistent, or opaque in responding. Governments are right to demand higher standards of care, transparency, and responsibility. At the same time, regulation that focuses primarily on punitive control risks overshooting its target. When policies emphasise criminal liability, prosecutorial investigations, and broad content restrictions, their effects rarely stop with powerful tech executives. They cascade down to millions of ordinary users—people discussing immigration, foreign policy, public health, religion, or identity. These are precisely the topics that become most sensitive during periods of political uncertainty and social change. In such contexts, the line between combating harm and constraining legitimate democratic disagreement can become dangerously thin. Ending anonymity, for example, may reduce some forms of abuse, but it also removes a vital layer of protection for whistleblowers, political dissidents, journalists, survivors of violence, LGBTQ+ youth, and members of ethnic or religious minorities. For many, anonymity is not about evading responsibility; it is about participating at all. Any policy that treats anonymity primarily as a problem risks silencing voices that democracy most needs to hear. Similarly, holding executives personally criminally liable for content decisions may create powerful incentives—but not necessarily the right ones. Faced with the risk of prosecution, platforms are likely to default to over-removal, automated filtering, and risk-averse moderation. This risk is not merely theoretical; Europe has seen it before. This is not an argument against regulation, but a reminder that it must be designed carefully. When Germany introduced the Network Enforcement Act (NetzDG), which imposed significant fines for failing to remove illegal content within short timeframes, platforms responded by erring on the side of caution. Numerous lawful posts—including satire, political commentary, and journalistic content—were removed or blocked because platforms prioritised legal risk reduction over contextual judgment. Similar dynamics emerged following the introduction of Article 17 of the EU Copyright Directive, where automated upload filters led to the removal or blocking of lawful material such as memes, parodies, and educational content. These risks were sufficiently significant that the Court of Justice of the European Union intervened to clarify and limit the scope of such filtering obligations, emphasising that any implementation must respect fundamental rights, including freedom of expression and information. These examples illustrate how heightened liability and unclear standards can incentivise over-removal, automated filtering, and risk-averse moderation. While such approaches may reduce visible controversy, they also suppress lawful speech and disproportionately affect minority voices and political dissent. The resulting chilling effect is difficult to quantify, but its impact on democratic participation and public debate is real and enduring. Europe’s historical experience makes this tension particularly salient. Countries like Spain know intimately what it means to live under systems where speech is tightly controlled in the name of order, unity, or national interest. That legacy has shaped Europe’s strong commitment to fundamental rights, proportionality, and the understanding that democracy depends not only on security, but on pluralism and open debate. Yet this concern is not only historical. Over the coming years, several European countries—including Hungary, France, Germany, Italy, Spain, Poland, and Greece—will hold elections that may significantly reshape their political landscapes, as voters weigh competing visions of governance, identity, and democratic norms. Regulatory powers designed today under centrist or liberal administrations may look very different if exercised by future governments with a more exclusionary or authoritarian approach to dissent. Measures introduced in the name of protecting democracy can, under changed political circumstances, become tools for narrowing it. This reality underscores the need to design digital regulation with long-term resilience in mind—grounded in rights, safeguards, and institutional restraint, rather than trust in the intentions of any one government. This is why the current framing of “digital sovereignty” deserves careful scrutiny. Once understood primarily as a strategy for technological resilience and strategic autonomy, it is increasingly politicised as a justification for assertive state intervention in online discourse. At times, digital sovereignty is presented as inherently at odds with open, transnational communication—despite the fact that democracy itself has always relied on cross-border flows of ideas, information, and innovation. This tension between state control and open communication is most visible in the debate over child safety, where 'digital sovereignty' is frequently invoked as a shield for restrictive policies. But, children deserve more than symbolic protection. They need safer digital environments, but they also need to be empowered—to learn, explore, create, and participate. This requires age-appropriate design, meaningful transparency, digital literacy, robust reporting mechanisms, and enforceable duties of care. It does not require turning the internet into a heavily policed space where speech is filtered primarily through fear of punishment. Crucially, children also grow into citizens. Protecting them should not come at the cost of hollowing out the democratic culture they will inherit. An online environment stripped of contestation, anonymity, and diversity of expression may be calmer—but it will also be poorer, less resilient, and less capable of absorbing social conflict without repression. The same applies to marginalised communities. Regulation that prioritises order over rights often ends up reinforcing existing power imbalances. Groups that already face discrimination offline are frequently the first to feel the effects of broad speech controls online. A rights-based approach must therefore be central, not incidental, to digital governance. None of this implies that Europe should be passive or naïve. Platforms must be held to account—but accountability should be precise, transparent, and proportionate. It should focus on systems and incentives rather than individual speech acts; on due process rather than zero-tolerance rhetoric; on empowerment rather than control. This is not the moment for Europe to “show its teeth” by asserting authority over digital discourse in ways that blur the line between regulation and repression. It is the moment to show confidence: confidence that democratic societies can address harm without sacrificing fundamental freedoms, that children can be protected without being over-shielded, and that innovation and rights can coexist. The challenge of the digital age is not simply taming Big Tech. It is learning how to govern a pluralistic, networked public sphere without turning fear into a substitute for judgment. Europe’s strength has always been its commitment to balance. That commitment is needed now more than ever.  Europe is undergoing a visible shift in mood. What was once an abstract debate about “strategic autonomy” has turned into a series of concrete political decisions, particularly in the technology sector. Concerns about Europe’s dependence on U.S.-based platforms such as Google, Meta, X, and Microsoft have long been present, but they are now translating into action. France plans to ban public officials from using American videoconferencing tools, replacing them with Visio, a service hosted on infrastructure provided by a French company. German lawmakers are debating alternatives to U.S. data analytics software, while members of the European Parliament are urging a broader move away from American software and hardware. Even in traditionally pro-Atlantic countries such as the Netherlands, political pressure is growing to shield sensitive digital infrastructure from foreign control. These developments reflect a growing recognition that digital technologies are no longer neutral utilities but strategic assets. As EU tech commissioner Henna Virkkunen recently noted, Europe has realised that dependence on “one country or one company” for critical technologies creates structural vulnerabilities. The impulse to reduce exposure—to de-risk and, where necessary, decouple from foreign technologies—is therefore understandable and, in some cases, justified. Yet Europe is repeating a familiar error. Rather than undertaking the difficult work of clarifying what digital sovereignty truly entails for its strategic goals, it is relying on piecemeal, defensive fixes. Platforms are replaced, procurement rules tightened, and data flows restricted—all without a coherent framework connecting these moves to a broader vision of power, resilience, and global influence. The outcome is a patchwork that may appear assertive on the surface but is strategically hollow. This weakness is compounded by a second, more subtle error: the assumption that digital sovereignty should primarily be about “building a stronger European tech ecosystem.” While this mantra is politically appealing, it is also myopic. Framed in isolation, it risks turning digital sovereignty into a project of technological self-containment—one that prioritises European origin over interoperability, and autonomy over collaboration. Digital sovereignty should not mean building technology only for Europe. That approach risks siloing the continent, alienating partners, and reducing Europe’s relevance in shaping global digital systems. Europe may be bruised by recent developments in transatlantic relations, particularly the growing unpredictability of its longest-standing and most trusted partner. But disappointment is not a strategy. Retreating into a purely inward-facing digital ecosystem would be a strategic overcorrection. History offers a clear warning. In the 1970s and 1980s, Europe repeatedly attempted to achieve technological sovereignty by nurturing national or regional champions in computing and telecommunications. These initiatives were driven by legitimate concerns: dependence on U.S. firms, fear of strategic vulnerability, and a desire to retain industrial value within Europe. Yet many of these projects ultimately failed—not because Europe lacked engineering talent or political ambition, but because autonomy was pursued at the expense of interoperability, openness, and alignment with global standards. One of the clearest examples is Europe’s fragmented approach to computing in the 1970s. France’s Plan Calcul, launched in 1966, sought to create a sovereign national computer industry capable of competing with IBM. Substantial public investment went into companies such as Bull, with the explicit aim of insulating France from U.S. technological dominance. While technically sophisticated, these systems were largely incompatible with the rapidly emerging global software and hardware ecosystems dominated by U.S. firms. As computing shifted toward standardised architectures and software portability, European systems struggled to adapt. IBM’s open, scalable ecosystem—combined with its ability to set de facto global standards—ultimately prevailed. Europe did not secure sovereignty; it entrenched dependence. A similar pattern emerged in telecommunications switching systems. Throughout the 1970s and 1980s, European countries developed proprietary digital switching technologies—such as France’s E10, Germany’s EWSD, and the UK’s System X—often with heavy state backing and limited concern for cross-border compatibility. These systems worked well domestically, but their lack of interoperability hindered integration and export. While Europe eventually succeeded with GSM—a rare case where coordination, openness, and standard-setting aligned—the earlier fragmentation delayed progress and weakened Europe’s position just as global telecommunications markets were taking shape. The videotex experience offers another cautionary tale. France’s Minitel is often remembered as a technological success, and in many ways it was: widely adopted, user-friendly, and years ahead of its time. But Minitel was also a closed, nationally specific system, built around proprietary standards and tightly controlled by the state. When the open, interoperable architecture of the Internet emerged, Minitel could not adapt. Its success at home became a liability abroad. France lost the opportunity to shape the global digital information ecosystem because it had optimised for domestic control rather than international scalability. Perhaps the most consequential example is Europe’s early approach to networking standards. In the 1980s, European governments and institutions strongly backed the OSI (Open Systems Interconnection) model, viewing it as a sovereign, standards-based alternative to the U.S.-developed TCP/IP protocol suite. OSI was theoretically elegant and institutionally endorsed, but it was slow to implement and disconnected from real-world deployment. TCP/IP, by contrast, spread through academic and commercial collaboration, evolving through use rather than central planning. By the time Europe acknowledged TCP/IP’s dominance, the global Internet’s architecture—and governance—had already been shaped elsewhere. Europe became a rule-taker in a system it might once have led. The common thread across these cases is not failure, but misalignment. European policymakers equated sovereignty with control, and control with closed systems. In doing so, they underestimated the strategic power of openness, interoperability, and early standard-setting. Meanwhile, more collaborative ecosystems—particularly in the United States—allowed markets, developers, and users to coalesce around shared technologies that scaled globally. Those systems became the infrastructure of the digital age, embedding the political, economic, and governance assumptions of their creators. The lesson for today is stark. Digital sovereignty built around exclusion, substitution, or inward-facing industrial policy may deliver short-term reassurance, but it risks long-term irrelevance. In a networked world, influence flows to those who design the systems others rely on. Europe’s historical experience shows that sovereignty without interoperability leads not to independence, but to dependency—only delayed and often more costly. The lesson is not that Europe should avoid building capacity, but that capacity without openness leads to marginalisation. In a deeply interconnected digital world, sovereignty cannot be achieved through isolation. It must be built through the ability to choose dependencies, shape standards, and collaborate from a position of strength. This is where Europe’s current approach falls short. By focusing narrowly on replacing foreign tools with European ones, policymakers risk conflating sovereignty with substitution. Replacing Microsoft Teams with a European videoconferencing platform may address immediate political or legal concerns, but it does little to answer the larger question: how does Europe intend to design digital systems that are resilient, interoperable, and influential beyond its borders? The security implications of this gap are significant. Digital infrastructure underpins critical state functions, from public administration and energy networks to defence logistics and intelligence cooperation. If each member state defines “trusted” or “sovereign” technology differently, Europe risks fragmenting its own digital foundations. Interoperability suffers, cross-border services weaken, and coordinated responses to cyber incidents or hybrid threats become harder to execute. Cloud infrastructure illustrates this danger clearly. A proliferation of national or “sovereign” cloud initiatives, absent a common European and international framework, may reduce dependence on specific foreign providers but at the cost of scale, efficiency, and resilience. In crisis scenarios, fragmented systems could slow information sharing and complicate collective defence. Sovereignty that undermines coordination ultimately weakens security. The same logic applies to artificial intelligence. Regulation can set guardrails, but it cannot substitute for strategic leadership. If Europe focuses primarily on constraining AI within its borders while failing to shape global AI architectures, standards, and governance models, it risks becoming a regulatory island. Influence flows not from restriction alone, but from offering systems that others can adopt, trust, and integrate. This is where Europe must rethink its approach. Digital sovereignty should be about de-risking critical dependencies while actively building an ecosystem that is open by design, interoperable by default, and attractive to partners. Europe does not need a technology stack that works only for Europeans. It needs one that allows Europe to be self-sufficient where it matters, while leading in collaboration where it counts. The answer to the current strain in transatlantic relations is not alienation. Nor is it technological autarky. If Europe still believes in cooperation and in shaping global norms rather than retreating from them, then its digital strategy must reflect that belief. That means investing in shared infrastructure, open standards, and governance models that enable cooperation with like-minded countries—and even structured engagement with those that are not. Until Europe confronts this challenge directly, it will continue to manage digital sovereignty through defensive, piecemeal decisions. It will swap platforms without setting strategy, build walls where bridges are needed, and mistake insulation for influence. Teams may be out, but unless Europe moves beyond substitution and isolation, digital sovereignty will remain more slogan than strategy.  The Digital Networks Act (DNA) represents a significant evolution in EU telecommunications policy, moving from a framework of Directives to a directly applicable Regulation. While this shift is intended to harmonize the internal market and strengthen oversight, several aspects of the Act raise concerns – this blog post will only focus on the DNA’s potential effects on net neutrality, interconnection, CDNs, consumer protection and dispute resolution.
1. Net Neutrality and Specialized Services The DNA incorporates and updates elements of the Open Internet Regulation (OIR), the EU’s foundational net neutrality framework.
2. Interconnection and the Sustainability Clause The DNA maintains the principle of commercial negotiation for interconnection but introduces language that may create leverage for large network operators.
3. Content Delivery Networks (CDNs) and Content Providers CDNs and CAPs are increasingly treated as part of the extended connectivity ecosystem, bringing them closer to the regulatory perimeter.
4. Voluntary Dispute Resolution The DNA introduces a voluntary conciliation process for resolving disputes over technical and commercial arrangements.
5. Potential Implications for Consumer Rights The DNA introduces several provisions that may have indirect effects on end-users:
The Digital Networks Act significantly reshapes the EU’s internet regulatory framework by moving from Directives to a directly applicable Regulation. While it aims to support technological innovation, harmonize standards, and improve connectivity, several provisions introduce risks:
Careful implementation, strong regulatory guidance, and ongoing monitoring will be essential to ensure that the DNA’s intended benefits do not inadvertently undermine competition, innovation, or consumer interests.  The European Commission is right to insist that critical infrastructure must be secure, resilient, and protected from undue foreign influence. In an era defined by geopolitical rivalry, cyber operations below the threshold of war, and the weaponisation of economic dependencies, it would be negligent not to scrutinise who builds and maintains the systems that keep European societies running.
The Commission’s Cybersecurity Act proposal to exclude “high-risk” foreign suppliers from critical sectors reflects a long-overdue recognition that cybersecurity is not merely a technical problem but a structural and political one. Infrastructure embeds power. Supply chains encode dependency. And digital systems, once deployed, shape the limits of sovereignty far more than abstract declarations ever could. Yet while the premise is sound, the policy as currently articulated leaves too many fundamental questions unanswered. If Europe is serious about securing its infrastructure, it must confront not only who should be excluded, but how, at what cost, and with what consequences for Europe’s place in a deeply interconnected digital world. The Problem of Embedded Dependency One of the most striking gaps in the Commission’s proposal is its limited engagement with legacy infrastructure. European networks — particularly in telecommunications — are not greenfield projects. They are the product of decades of procurement decisions, commercial incentives, and regulatory fragmentation. Equipment from vendors now deemed “high risk” is already embedded deep within core and access networks across multiple member states. Once hardware is embedded, dependency becomes structural. It is not easily reversed without redesigning systems, retraining staff, renegotiating maintenance contracts, and accepting periods of operational risk. This is not an abstract concern: operators have repeatedly warned that forced and accelerated replacement carries significant financial and technical costs, potentially affecting service quality and investment capacity. The Commission’s proposal gestures toward phased implementation, but it does not yet grapple with the political economy of de-risking. Who pays for the transition? Will the EU provide financial support, or will the burden fall disproportionately on operators — and ultimately consumers — in certain member states? Without a credible funding strategy, the policy risks entrenching inequalities between markets rather than strengthening collective resilience. Who Decides What “High Risk” Means? Equally unresolved is the question of classification. The proposed framework would allow the Commission, or a group of member states, to initiate a risk assessment that could lead to supplier exclusion. But the criteria remain deliberately broad: national security concerns, foreign interference, market concentration, and geopolitical context. This ambiguity is politically convenient, but strategically dangerous. Risk is not static. Nor is it confined to adversaries of the moment. If supplier risk is fundamentally tied to state power and political leverage — as the Commission implicitly acknowledges — then today’s trusted partner could become tomorrow’s vulnerability. The uncomfortable but necessary question is this: would Europe ever apply this logic consistently beyond its current focus on China? For decades, the United States has been treated as categorically “low risk,” even as European data, cloud infrastructure, and software ecosystems have become deeply dependent on American companies and subject to U.S. law. Recent geopolitical tensions — including explicit threats tied to territory, trade, or security commitments — illustrate that alliance does not eliminate asymmetry. A credible risk-based framework must therefore be principled rather than selective. If exclusions are perceived as politically motivated rather than analytically grounded, Europe will struggle to defend them legally, diplomatically, and normatively. Security Without Strategic Isolation? There is also a deeper tension at the heart of the proposal: the trade-off between security and openness. Europe’s digital economy does not exist in isolation. Innovation, resilience, and cybersecurity itself depend on global cooperation, shared standards, and cross-border supply chains. A policy that increasingly equates foreign origin with unacceptable risk risks drifting into strategic isolation — or at least strategic fragmentation. Excluding suppliers may reduce certain categories of risk, but it can also reduce competition, slow deployment, and lock Europe into a narrower technological trajectory. In sectors where Europe lacks strong domestic alternatives, exclusion without parallel investment becomes a defensive gesture rather than a strategic one. If digital sovereignty is the goal, it cannot be achieved through restriction alone. It requires sustained investment in European capabilities, research ecosystems, and market scale — none of which can be conjured through regulatory exclusion. The Legal and Normative Dimension There is also a normative dimension that Europe cannot afford to ignore. The EU has long positioned itself as a defender of rule-based governance, proportionality, and non-discrimination in digital policy. Supplier exclusion regimes that lack transparency or objective criteria invite legal challenge — not only from affected companies, but from trading partners and international institutions. If Europe wishes to set a global precedent for responsible infrastructure security, it must show that its decisions are evidence-based, proportionate, and legally robust. Otherwise, it risks legitimising similar measures elsewhere that are far less restrained — including by authoritarian states eager to justify protectionism or technological nationalism under the banner of “security.” A Necessary Policy — Incomplete as Strategy The Commission is right to act. Doing nothing is no longer an option. The idea that Europe can indefinitely rely on globally distributed, politically neutral supply chains is an illusion that the past decade has thoroughly dismantled. But securing critical infrastructure is not merely a question of exclusion. It is a question of managing dependency, financing transition, defining risk honestly, and preserving cooperation where it remains essential. Without addressing these dimensions, the policy risks becoming symbolically powerful but strategically thin. Europe does not need less openness; it needs structured, conditional openness grounded in realism rather than nostalgia. If this initiative is to succeed, it must evolve from a defensive posture into a coherent strategy — one that acknowledges power, cost, and consequence as inseparable from security. In the first part of this series, I looked at the DNA’s overall structure and direction, and flagged some of the broader concerns it raises. After spending more time with the text, however, additional issues start to emerge.
In this second instalment, I want to focus on two such issues: interconnection and the risk that the DNA could end up pulling Content Delivery Networks (CDNs) into telecom-style regulation. Once you start examining these questions, a third one inevitably follows: what all of this could mean for Internet Exchange Points (IXPs) — an area where Europe is, somewhat paradoxically, a global success story. These are not technical footnotes. They go to the heart of how the Internet functions, how the digital single market operates, and whether the EU’s regulatory choices genuinely support competitiveness, innovation, and growth. 1. Interconnection: the Internet’s Quiet Foundation Interconnection rarely features in political debates, yet it is one of the main reasons the Internet works at all. At its most basic level, interconnection is how independently operated networks exchange traffic with one another. It is what turns thousands of autonomous networks into a single, global Internet. Historically, interconnection has been governed by commercial agreements, not by regulators. Networks peer or purchase transit based on efficiency, performance, and cost. This decentralised, market-led model has allowed the Internet to scale, remain resilient, and support innovation without central coordination. For Europe, interconnection is fundamental. It enables cross-border digital services, lowers costs, supports competition between networks, and allows new entrants to reach users without needing permission from incumbents. In practical terms, it is one of the core enablers of the digital single market. 2. How the DNA Risks Re-regulating Interconnection While the DNA preserves commercial interconnection in formal terms, it materially lowers the threshold for regulatory involvement, creating a pathway — rather than a mandate — for the re-regulation of interconnection over time. The DNA does not explicitly announce a shift toward regulating interconnection. But regulatory change rarely comes that way. Instead, the proposal expands the role of national regulatory authorities in ensuring “end-to-end connectivity,” promoting “ecosystem cooperation,” and resolving disputes between actors involved in connectivity and traffic exchange. This language should ring a bell. It closely resembles arguments that large telecom operators have made for years to justify regulatory intervention in interconnection — including claims that upstream actors should be compelled to contribute financially to network costs. The risk is that interconnection gradually moves from being a commercial arrangement to a regulated relationship. Once regulators are empowered to intervene beyond narrowly defined cases of market failure, incentives shift:
From a competitiveness standpoint, this can be problematic. The Draghi report on European competitiveness makes clear that Europe already struggles with fragmentation, regulatory friction, and barriers to scale. Re-regulating interconnection would add friction where none is needed and undermines one of the Internet’s most successful governance models. 3. What This Means for Internet Exchange Points (IXPs) Any serious discussion of interconnection must also consider Internet Exchange Points. IXPs are one of the Internet’s quiet success stories, and Europe hosts two of the largest and most important in the world: DE-CIX in Frankfurt and AMS-IX in the Netherlands. IXPs are neutral infrastructures that allow networks to exchange traffic efficiently, locally, and at low cost. They reduce latency, improve resilience, and enhance competition. They are also a major reason why Europe has been such an attractive place for CDNs, cloud providers, and global networks to deploy infrastructure. Europe’s leadership in IXPs did not happen by accident. It is the product of decades of regulatory restraint and legal certainty. IXPs thrive because peering at their facilities is voluntary, decentralised, and commercially negotiated. Changing the interconnection regime — even indirectly — puts this model at risk. If interconnection becomes subject to routine regulatory intervention:
One of the striking omissions in the draft DNA is the lack of recognition of IXPs as strategic digital infrastructure. At a time when the EU speaks about resilience, sovereignty, and competitiveness, failing to protect the conditions that made DE-CIX and AMS-IX global hubs is a serious blind spot. 4. CDNs: Not Named, but Very Much in the Crosshairs A second issue that becomes apparent on closer reading of the DNA is the position of Content Delivery Networks. Formally, the proposal insists that it does not regulate content or cloud services. CDNs are not explicitly named as regulated entities. But regulatory scope is often shaped less by what is named and more by definitions, authorisation regimes, and dispute mechanisms. The DNA repeatedly emphasises the convergence of telecom networks, cloud, and edge computing into a broader “digital networks” ecosystem. It also reshapes the general authorisation framework and strengthens dispute resolution mechanisms between “undertakings” involved in connectivity and interconnection. This creates a real risk that CDNs — particularly those with infrastructure deployed inside Member States — could be treated as falling within telecom-style regulation. Not because the DNA clearly mandates it, but because it provides regulators with the conceptual and legal tools to argue that it should. 5. Why This Matters for Europe’s Digital Future Pulling interconnection and CDNs into telecom-style regulation would have predictable consequences:
This sits uneasily with Europe’s ambition to attract talent, lead in AI and cloud, and strengthen its strategic autonomy. An open, well-functioning Internet is not a side issue; it is a prerequisite for innovation, economic growth, and security. 6. What Needs to Change If the DNA is to support Europe’s digital ambitions rather than undermine them, several adjustments are essential:
Closing Note This piece is part of an ongoing series examining the draft Digital Networks Act as it moves through the EU legislative process. Given the scope and complexity of the proposal, no single article can capture all of its implications. Subsequent instalments will look more closely at the role of national regulators, the risk of market fragmentation, and whether the DNA genuinely aligns with Europe’s competitiveness and security objectives. The DNA is ambitious. But ambition alone is not enough. Interconnection, CDNs, and IXPs are not peripheral concerns — they are central to how the Internet works and to whether Europe can compete in the next phase of the digital economy. Getting these issues wrong would not just be a regulatory mistake; it would be a strategic one. Executive Summary
The leaked draft of the proposed Digital Networks Act (DNA) marks a significant shift in EU electronic communications policy. While it formally preserves core principles like net neutrality, competition, and consumer protection, it weakens their practical enforceability. By reframing interconnection, traffic management, and ecosystem relations as primarily commercial matters, the draft reduces the role of public law safeguards and regulatory oversight. The most profound change is on the way the DNA treats interconnection. Technically, the Internet’s scalability, neutrality, and resilience rely on an interconnection model based on settlement-free peering and competitively priced transit, where capacity expansions respond to predictable traffic growth rather than bilateral negotiations. Congestion is treated as a network failure to be remedied through timely upgrades of ports, backhaul, and routing—not as an economic imbalance. This model ensures that quality of service is determined by network design rather than commercial affiliation, preserves the end-to-end principle, and allows new services to reach users without prior negotiation. BEREC has repeatedly found that EU interconnection markets function effectively, with traffic asymmetries reflecting normal demand patterns, and that there is no evidence of systemic congestion or market failure warranting traffic-based contributions or regulatory restructuring. The draft DNA departs from this evidence-based framework by treating interconnection congestion as a commercial dispute resolved mainly through bilateral negotiation or alternative dispute resolution. This enables operators to delay or condition capacity upgrades to strengthen bargaining positions, effectively monetising quality of service. While nominally maintaining access-level net neutrality, the approach permits de facto discrimination at the interconnection layer—functionally equivalent to paid prioritisation but outside the safeguards of the EU’s Open Internet Regulation. Politically, the DNA shifts from a rights-based, competition-oriented governance model toward an infrastructure-centric regime that favors incumbent telco operators and codifies their narrative on traffic imbalance and investment incentives. This risks fragmenting the Digital Single Market, raising barriers for smaller and European service providers, weakening regulatory oversight, and contradicting BEREC’s warnings that monetising interconnection undermines openness, competition, and long-term sustainability. In summary, the draft DNA departs from empirical evidence and regulatory guidance, aligns with incumbent lobbying telco positions, and underestimates the tangible risks to the open Internet, competition, innovation, and consumer welfare. If adopted without substantial revision, it could distort the European Internet ecosystem, accelerate market concentration, weaken practical net neutrality, and threaten the Digital Single Market. 1. Open Internet and Net Neutrality: Formal Continuity, Substantive Regression 1.1 The DNA’s approach The DNA formally integrates the Open Internet Regulation (EU) 2015/2120 into a broader regulatory framework, explicitly stating that it does not alter the “fundamental principles” of equal and non-discriminatory treatment of traffic. However, the draft simultaneously:
1.2 Comparison with BEREC conclusions BEREC has consistently concluded that:
The DNA diverges sharply from these findings by implicitly treating traffic asymmetry and interconnection disputes as systemic problems requiring regulatory reframing. 1.3 Policy risk By relocating critical neutrality issues to the interconnection layer and framing them as commercial disputes, the DNA creates a credible pathway for paid prioritisation and de facto discrimination without formally breaching access-level neutrality rules. This undermines the effectiveness of net neutrality while preserving its appearance. 2. “Fair Share” and Network Contributions: De Facto Adoption Without Accountability 2.1 Embedded assumptions Although the DNA avoids explicit references to “fair share” or mandatory network contributions from content and application providers (CAPs), it embeds the underlying logic by:
2.2 BEREC’s position BEREC has repeatedly found that:
The DNA disregards these conclusions without presenting new empirical evidence. 2.3 Policy risk The result is a stealth policy shift that enables outcomes previously rejected by EU institutions, without the transparency, safeguards, or democratic scrutiny that an explicit “fair share” proposal would require. 3. Interconnection and Access: From Open Architecture to Negotiated Bottlenecks 3.1 Structural change The DNA reframes interconnection as:
This marks a departure from the long-standing European approach that treated interconnection as a foundational element of end-to-end connectivity and market openness. 3.2 BEREC comparison BEREC has emphasised that:
3.3. Policy Risk The draft DNA risks dismantling the invisible regulatory scaffolding that keeps interconnection competitive, replacing it with negotiated bottlenecks that entrench power, fragment the Single Market, and are extremely difficult to unwind. 4. Alternative Dispute Resolution (ADR): Privatising Regulatory Outcomes 4.1 The role of ADR in the DNA The draft DNA strongly promotes ADR for both consumer disputes and interconnection conflicts between undertakings. While ADR can be useful for individual disputes, its expanded role raises concerns when applied to systemic market issues. 4.2 Structural imbalance ADR mechanisms:
4.3 Policy Risk By substituting regulatory oversight with negotiated outcomes, the DNA weakens the ability of NRAs and BEREC to address structural competition and neutrality issues, effectively privatising regulatory enforcement. 5. Competition and Market Structure: Incumbent Bias and Consolidation 5.1 Implicit policy choices The DNA repeatedly prioritises:
Competition is treated as instrumental rather than as a core policy objective. 5.2 Impact on smaller operators and innovators Smaller ISPs, alternative networks, and new market entrants:
This outcome is inconsistent with EU competition policy and digital innovation goals. 5.3 Policy Risk The policy risk is that the DNA hardcodes an incumbent-centric market structure by subordinating competition to scale and “investment certainty,” accelerating consolidation, weakening smaller operators and innovators, and ultimately undermining the EU’s own competition and digital innovation objectives. 6. Consumer Protection: Indirect Harm, Limited Remedies 6.1 The missing consumer perspective While the DNA includes extensive transparency obligations, it fails to address:
6.2 BEREC alignment BEREC has consistently stressed that consumer harm in connectivity markets is often indirect and systemic, requiring proactive regulatory safeguards rather than reliance on transparency and switching alone. 6.3 Policy Risk The policy risk is that the DNA normalises a shift from citizen-centred network governance to infrastructure-centred bargaining, redefining connectivity as a private commercial outcome rather than a public interest service—thereby eroding the EU’s ability to detect, attribute, and correct systemic consumer harm before it becomes structurally embedded. 7. Institutional Balance and Regulatory Capture Concerns 7.1 Shift in governance The DNA:
7.2 Alignment with incumbent lobbying The narrative structure and policy assumptions of the DNA closely mirror positions advanced by large telecom operators and industry associations, particularly regarding traffic imbalance, investment incentives, and ecosystem “fairness.” This raises legitimate concerns about regulatory capture and the marginalisation of evidence-based regulatory conclusions. 7.3 Policy Risk The policy risk is that the DNA recalibrates EU digital governance away from independent, evidence-based regulation toward a negotiation-driven regime shaped by incumbent preferences, creating a perception—and eventual reality—of regulatory capture that weakens institutional credibility, exposes the EU to legal challenge, and undermines trust in the Union’s capacity to govern critical digital infrastructure in the public interest. 8. Conclusions and Policy Imperatives 8.1 Strategic assessment The draft Digital Networks Act cannot credibly be framed as a technical simplification or neutral regulatory adjustment. It constitutes a strategic redirection of EU digital policy, moving away from a rights-based, competition-driven model and towards an infrastructure-centric regime in which access, interconnection, and market outcomes are increasingly shaped by private negotiation rather than public rule-setting. This shift has implications that extend well beyond the telecommunications sector. By prioritising scale, bargaining power, and incumbent sustainability over contestability and openness, the DNA risks weakening the structural conditions that have historically enabled European digital innovation, cross-border growth, and service diversity. In effect, it trades a dynamic, entry-friendly ecosystem for a more static model optimised around large, vertically integrated actors. 8.2 Competitiveness, growth, and the open Internet Europe’s digital competitiveness has never depended on global platform dominance or network scale alone, but on open connectivity, low barriers to entry, and predictable regulatory safeguards that allow new services, applications, and business models to emerge. The DNA’s reorientation threatens these foundations in three ways:
Rather than strengthening Europe’s digital position, the DNA risks locking in low-growth equilibrium dynamics, where rents are redistributed within the connectivity layer while innovation and value creation migrate elsewhere. 8.3 Policy imperatives To safeguard long-term competitiveness, growth, and the integrity of the open Internet, the following corrections are essential:
8.4 Closing warning Absent these corrections, the DNA risks reshaping Europe’s Internet from an open, innovation-enabling infrastructure into a managed network of negotiated access, with adverse consequences for competition, growth, and digital sovereignty. Once embedded, such a shift would be structurally difficult to reverse, diminishing the EU’s capacity to sustain a healthy digital ecosystem and weakening its ability to compete in an increasingly innovation-driven global economy. Disclaimer: This post is part of an ongoing series analysing the draft Digital Networks Act (DNA). Given the size and complexity of the proposal, each instalment focuses on a specific set of issues that deserve closer scrutiny as the legislative process unfolds.  In the midst of Iran’s brutal internet blackout — imposed as nationwide protests surged and authorities cut off connectivity to suppress dissent — a curious actor emerged as both lifeline and lightning rod: Starlink. According to The New York Times, satellite broadband from Elon Musk’s SpaceX appears to have been made freely available for users inside Iran, allowing some citizens to circumvent Tehran’s near‑total communications shutdown.
On its face, this sounds like unequivocal good news. In societies where digital censorship and blackouts have become tools of repression, any mechanism that pierces the information blockade and reconnects people with the world is welcome. Starlink has already proven its utility in Ukraine, Venezuela, and other contested environments. Forced offline by state fiat, Iranians scrambling for access turned to reactors in orbit — a striking demonstration of technology’s promise to uphold freedoms when governments snuff them out. Yet beneath the apparent triumph lies a deeper unease. The geopolitics of connectivity are changing, and fast — often without public debate, legal frameworks, or democratic oversight. For decades, global connectivity infrastructure — from undersea cables to satellite spectrum — was coordinated through intergovernmental bodies like the International Telecommunication Union (ITU), a United Nations specialized agency responsible for managing spectrum, orbital slots, and setting standards to ensure cross-border digital services respect international law and sovereign rights. Increasingly, that model is giving way to a new paradigm in which private technology companies wield de facto control over how people connect to the internet, where they access information, and even how states can exert power. Starlink’s role in Iran illustrates this shift starkly. A private U.S. company, operating a constellation of satellites beyond the jurisdiction of any single state, has bypassed Iranian law and state control to deliver connectivity inside Iranian territory. That’s an extraordinary power — one that previously belonged only to governments. The idea that a Silicon Valley firm can effectively override a sovereign government’s efforts to control the internet inside its borders — and become a counterpart to nation-state diplomacy and crisis response — raises urgent questions about governance, accountability, and the future of international law. The benefits for Iranian citizens are tangible. Families separated by borders can reconnect. Journalists can share information with the world. Protesters can document state abuses and organize when local networks fail. In these circumstances, Starlink appears to act as a digital lifeline, preserving the very freedoms that authoritarian regimes seek to suppress. But access is far from universal. Terminals are expensive, availability is limited, and authorities can still attempt jamming and electronic countermeasures. For many, the technology remains out of reach, deepening inequalities in who can exercise digital freedoms. The more profound concern lies in the precedent this sets. While Starlink is celebrated in authoritarian contexts, there is little to prevent a private company from acting in ways that undermine democratic processes elsewhere. Imagine a fictional scenario: a satellite company called SkyNetix, based in a powerful country, deploys broadband in a small democracy undergoing a heated election. In coordination with political factions sympathetic to an authoritarian neighbor, the company deliberately throttles access to news outlets and social media platforms supporting the democratically favored party while ensuring uninterrupted connectivity for channels aligned with the authoritarian-backed faction. In this scenario, a private firm, acting across borders and without oversight, becomes a tool for manipulating democratic processes — a stark demonstration of the geopolitical and ethical dangers of privatized global connectivity. This possibility is not purely speculative. Every major satellite constellation, every global content delivery network, every cloud-based infrastructure provider now holds the power to shape information flows across borders. That is influence traditionally reserved for states, now wielded by corporations whose priorities are determined by internal boards and shareholders rather than democratic institutions. The United Nations and the ITU must rise to the occasion. The old model of international coordination — effective when states were the principal actors in communications infrastructure — is overdue for modernization. The explosive growth of private satellite constellations, cross-border digital platforms, and multinational data flows calls for updated global norms and enforcement mechanisms that clarify when and how private connectivity services can operate across borders, protect human rights, respect state sovereignty, and ensure democratic accountability. Without these, intergovernmental organizations risk losing credibility as governance defaults to corporate interests. This is not simply a matter of law or treaty; it is a question of who shapes the future of global communication. Connectivity has always been political. From undersea cables cut in wartime to regimes controlling internet backbones, access to information is power. What is new is the scale and reach of private actors: a single constellation of satellites can now determine who sees the news, who can organize protests, and in extreme scenarios, who wins or loses political contests. The Iran case demonstrates one side of this reality: a private actor using its power to empower individuals in the face of authoritarian repression. Yet the fictional SkyNetix scenario reminds us that the same infrastructure could be used to erode democratic institutions, manipulate public perception, or favor external authoritarian interests over sovereign will. The dual nature of these technologies — liberating for some, destabilizing for others — underscores the urgent need for global oversight. The role of the ITU is critical. As the body responsible for coordinating the technical and legal frameworks for spectrum use and orbital slots, the ITU is uniquely positioned to establish rules for satellite deployment and operations that respect sovereignty and human rights. But technical coordination alone is insufficient. The United Nations more broadly must strengthen norms for digital infrastructure, ensuring that cross-border networks cannot be weaponized against democracies, manipulated to suppress citizens, or leveraged in geopolitical power plays. Without such frameworks, private companies will continue to define the rules by which connectivity — and by extension freedom, security, and democracy — operates worldwide. Connectivity is no longer just a utility; it is a geopolitical instrument. Starlink’s intervention in Iran highlights the immense potential for technology to empower citizens under repression, but it also exposes how private companies now command powers once reserved for states, shaping information flows, influencing political outcomes, and redefining sovereignty. The people of Iran deserve access to information. But the rest of the world must also ask: who holds the keys to that access, whose interests do they serve, and what rules govern this extraordinary power? Without urgent international oversight and the enforcement of global norms through bodies like the ITU and the broader UN system, we risk leaving the future of digital connectivity in the hands of corporate boardrooms, not democratic institutions — a shift with profound implications for the future of sovereignty, democracy, and the very fabric of the global order.  When I look back at 2025, the word that keeps coming back to me is not speed, or innovation, or AI. It’s fragility. Not the fragility of technology itself — the systems mostly work — but the fragility of the political, institutional, and normative arrangements that once gave digital transformation a sense of direction. The guardrails that made the internet feel like a shared global project are still there on paper, but in practice they’re thinner, weaker, and far more conditional than they used to be. For roughly three decades, the global internet rested on a loose but surprisingly resilient settlement: openness over control, interoperability over fragmentation, cooperation over dominance, and at least a nominal commitment to human rights. That settlement was never perfect, but it held. In 2025, it’s clear that it’s no longer holding in the same way. What’s emerging instead isn’t a new order. It’s a patchwork. A fragmented digital landscape shaped by geopolitical rivalry, transactional diplomacy, corporate concentration, and a growing willingness by states to trade long-term openness for short-term advantage. The story of 2025 isn’t that the internet is “breaking.” It’s that the world that sustained it is. The Quiet Retreat from Internet Freedom For much of the internet’s history, the United States acted — sometimes awkwardly, often inconsistently — as the system’s anchor. It defended the multistakeholder model in global forums, resisted efforts to formalise state control at the UN, and framed internet freedom as both a democratic value and a strategic interest. By 2025, that posture has changed in ways that are hard to ignore. Internet freedom has largely disappeared as an organising principle of US foreign policy. It hasn’t been rejected outright — it’s just no longer driving decisions. Instead, the focus has shifted to industrial competitiveness, export controls, national security, and technology rivalry with China. You can see this shift clearly in multilateral negotiations. The US still shows up, but often selectively: pushing back against language that might constrain American firms and its own ideology, while showing much less appetite for sustained coalition-building around openness, global public goods, or institutional reform. Multistakeholder language remains, but the political energy behind it is thinner. Funding priorities tell the same story. Global internet freedom initiatives that once sat near the center of US digital diplomacy now feel peripheral, while bilateral and minilateral tech deals absorb most of the attention. This isn’t abdication by accident — it’s reprioritisation. The consequence is structural. When there’s no consistent advocate for openness, multilateral institutions drift. Sovereignty-first logic fills the vacuum. Consensus still happens, but more often through ambiguity than shared purpose. Power doesn’t disappear when leadership retreats — it simply moves elsewhere. The End of Distance This retreat is compounded by another shift that felt impossible to miss in 2025: the deep integration of Big Tech into the political orbit of Washington. This is no longer about lobbying at the margins. US big tech and AI firms help frame national security debates while US chipmakers shape export control policy. The distance between corporate power and state power has collapsed. That collapse is felt far beyond the US. From Europe’s perspective, regulatory disputes with American platforms increasingly feel geopolitical rather than legal. Enforcement of competition rules, data protection, or platform accountability is often met with warnings about innovation, security, or strategic alignment. For many outside the US, it’s no longer clear where American public interest ends and corporate interest begins. The result is a growing sense that global digital governance is asymmetric: rules apply downward, leverage applies upward. That perception matters. It weakens trust, fuels regulatory assertiveness, and accelerates fragmentation — even among allies. Europe’s Digital Sovereignty Paradox In 2025, Europe re-engaged in the pursuit of digital sovereignty—but it is still unable to figure out how to bridge the gap between policy and power. The re-emergence of this urgency is largely a reaction to the “Trump factor” as the prospect of a more transactional and unpredictable U.S. administration has reignited fears of technological blackmail. This has sparked intense infighting among member states regarding their dependence on foreign tech; while some push for a radical decoupling to build a homegrown "EU Stack," others argue that Europe lacks the industrial scale to survive without American hyperscalers. Despite being a regulatory superpower through the AI Act and the DMA, Europe’s sovereignty agenda remains more rhetorical than operational. Ambitions for resilience are constantly undermined by a lack of investment in infrastructure and compute, leaving projects like the Chips Act struggling to gain traction against established global ecosystems. Sovereignty is currently functioning as a defensive reflex—a way to regulate against external influence—rather than a proactive strategy to lead in innovation. In a world that rewards speed and scale, Europe remains trapped in a cycle of regulating a future it has yet to build. China’s Strategic Clarity China, by contrast, ends 2025 with a level of coherence that’s hard to ignore. Its digital strategy spans infrastructure, platforms, standards, AI, data governance, and international engagement — and it’s embedded in long-term industrial planning and foreign policy. This isn’t abstract. You see it in Digital Silk Road projects providing cloud services, smart city technologies, and surveillance infrastructure across Africa, the Middle East, and Asia. You see it in China’s growing influence in standards bodies, particularly around 5G and emerging technologies. You see it in coordinated positions in multilateral negotiations that consistently emphasise data sovereignty and state authority. What’s different this time is that China isn’t just participating — it’s offering a full alternative. Countries are no longer choosing between connectivity and isolation. They’re choosing between digital ecosystems, each with different governance assumptions and political trade-offs. AI as the Defining Issue of 2025 If one technology crystallised all these tensions in 2025, it was artificial intelligence. Like the early internet, AI exposes and deepens inequalities — but not just in connectivity. The divides are now about data, skills, energy, and access to compute. And unlike the internet, AI is capital-intensive and centralised. Frontier model development is concentrated in a handful of firms, overwhelmingly in the US and China. Access to GPUs, cloud infrastructure, and large-scale datasets determines who can innovate and who can’t. Export controls and pricing structures shape participation in very real ways. Universities, startups, and public institutions in many developing countries aren’t excluded by censorship — they’re excluded by cost. The digital divide has returned, measured in compute hours and megawatts. Chips, NVIDIA, and the New Dependency No company captures the political economy of AI better than NVIDIA. By 2025, control over advanced AI chips has become a gatekeeping function — not just for innovation, but for economic development and national capability. Governments now negotiate directly with chipmakers and hyperscalers to secure access to compute. Export controls shape alignment as much as security. For many countries in the Global South, the problem isn’t talent or ambition — it’s access. This isn’t just a market issue. It’s a governance problem. We’re relying on private actors to supply what has effectively become critical infrastructure. Infrastructure, Standards, and Quiet Power Beyond chips, power in 2025 flew also through less visible channels: subsea cables, cloud regions, satellite constellations, internet exchange points, and technical standards. Standards-setting, in particular, has become one of the most decisive battlegrounds and will continue to be for the forthcoming future. AI safety benchmarks, digital identity systems, and smart city protocols embed governance assumptions long before any law is passed. China, India, and a growing group of middle powers invest heavily here. Western engagement often feels fragmented and reactive. Infrastructure is no longer neutral. It’s strategic. The Global South Isn’t Waiting Anymore One of the most underestimated shifts of 2025 is the agency of the Global South. Rather than waiting for leadership from Washington or Brussels, many countries are building their own digital pathways. India’s digital public infrastructure — Aadhaar, UPI, data-sharing frameworks — is being adapted elsewhere. The African Union is pushing for continental coherence on data policy. South–South cooperation on skills and AI capacity is growing. The posture has changed. Engagement with China, Western firms, and multilateral institutions is pragmatic and selective, driven by development needs rather than ideology. Transactional Politics, Everywhere All of this sits within a broader transformation in international relations. In 2025, digital cooperation is openly transactional. Market access is exchanged for regulatory concessions. Infrastructure financing comes with political strings. AI partnerships are framed as security arrangements. Trust erodes, long-term cooperation weakens, and fragmentation becomes the default rather than the exception. Human Rights: Still There, But Thinner Perhaps the most worrying shift of all is what’s happening to human rights. For decades, human rights provided the normative backbone of internet governance: privacy, freedom of expression, due process. In 2025, those principles are still referenced — but their practical force is fading. National security, child protection, and misinformation are routinely used to justify surveillance, content restrictions, and AI-driven decision-making, often without meaningful safeguards. This isn’t limited to authoritarian systems. Democracies increasingly deploy similar tools, narrowing the gap in practice even if intentions differ. AI accelerates the problem. Algorithmic systems shape access to welfare, credit, jobs, migration, and justice — but accountability becomes diffuse, harm probabilistic, and redress elusive. Human rights institutions themselves are under strain, underfunded, and politicised. The risk is that rights become decorative language rather than real constraints on power. Multilateralism Turns Inward One of the clearest through-lines of 2025, for me, was how visibly multilateral digital governance became more state-centric. WSIS+20, the UN cybercrime convention negotiations, and the Global Digital Compact all pointed in the same direction. None of these processes collapsed. In fact, on paper, they can be read as successes: consensus was preserved, institutions were reaffirmed, and cooperation was repeatedly invoked. But taken together, they also revealed something deeper — a quiet but consequential rebalancing of power away from the multistakeholder model and back toward governments as the primary, and increasingly exclusive, decision-makers. WSIS+20 captured this tension perfectly. The Internet Governance Forum was given permanent status, which mattered enormously for continuity and institutional memory. Data governance was acknowledged as central. And yet, the price of consensus was ambiguity. The outcomes stabilised what already exists rather than opening new space for shared problem-solving. In parallel, the UN cybercrime convention exposed the risks of this shift far more starkly. Despite widespread concern from civil society, technical experts, and parts of the private sector, the process remained overwhelmingly state-driven, with weak safeguards and broad definitions that many fear will be abused in practice. Meanwhile, the Global Digital Compact echoed familiar language about inclusion and cooperation, but ultimately reinforced a vision of digital governance anchored firmly in intergovernmental negotiation, with non-state actors consulted rather than meaningfully empowered. Governments increasingly see digital issues — from data and AI to cybercrime and content — as extensions of sovereignty and security, not shared global challenges requiring distributed governance. This will continue in 2026. Fragility as the Defining Condition If there’s one takeaway from 2025, it’s this: the fragility of the international order and the fragility of the internet are inseparable. As trust between states erodes, so does the willingness to maintain a shared digital commons. As institutions weaken, power concentrates with those who control infrastructure, capital, and leverage. The future of the internet won’t be decided by technology alone. It will depend on whether we can rediscover a minimum commitment to cooperation over control, rights over expediency, and legitimacy over dominance.  The halls of the United Nations are currently echoing with the self-congratulatory hum of a crisis averted. With the adoption of the WSIS+20 outcome document, diplomats are exhaling in collective relief. In the final hours of negotiation, the specter of a recorded vote—a move that would have shattered the fragile, twenty-year-old consensus on how the world governs the internet—was narrowly dodged. The "multistakeholder model" has been saved. The "people-centered" vision has been reaffirmed. The champagne, one assumes, is being chilled.
But beneath the veneer of diplomatic triumph lies a more unsettling reality. What occurred in New York was not a resolution of the profound ideological rifts that define our digital age; it was a masterclass in the art of the "gilded cage." We have preserved the structure of global cooperation while trapping within it the same unresolved grievances, power asymmetries, and structural failures that have haunted the World Summit on the Information Society (WSIS) since its inception in 2005. WSIS+20 has achieved consensus without closure. And in the fast-moving world of artificial intelligence and splintering networks, a consensus built on avoidance is a dangerous foundation. The Illusion of Permanence The headline victory of WSIS+20 is the decision to grant the Internet Governance Forum (IGF) permanent status. For nearly two decades, the IGF lived on death row, its mandate subject to the whims of five- or ten-year renewal cycles. By embedding the IGF structurally within the UN system, Paragraph 99 of the outcome document effectively declares that the "experiment" of multistakeholder dialogue—where civil society, tech giants, and governments sit at the same table—is now a permanent feature of the international order. On the surface, this is a triumph for the open internet. It insulates the forum from the cyclical hostage-taking of high-stakes political bargaining. But permanence changes the chemistry of power. By removing the threat of expiration, we have also removed the urgency for reform. Furthermore, the document contains a Trojan horse: Paragraph 101, which calls for the IGF to facilitate a dedicated "dialogue among Governments." While framed as a benign request for peer-to-peer exchange, it touches the third rail of internet governance. If we are not careful, we are witnessing the birth of a two-tier system: a "talk shop" for the masses and a "decision room" for the sovereigns. If the IGF becomes a place where governments deliberate in private while the rest of the world waits in the hallway to be "consulted," we will have preserved the name of the forum while hollowed out its soul. The Ghost of Enhanced Cooperation For those who hoped WSIS+20 would finally bury the cryptic phrase "enhanced cooperation," the outcome document serves as a cold awakening. The persistence of “enhanced cooperation” in the outcome document confirms what some of us suspected going into WSIS+20: the majority of governments form the Global South are not prepared to let this issue fade quietly into procedural ambiguity. The fact that this debate remains unresolved twenty years after the Tunis Agenda is not merely a case of institutional inertia. It is a symptom of a deeper, unaddressed trauma in the Global South. For the G77 and China, enhanced cooperation isn’t just about technical protocols; it is a proxy for their lack of a seat at the table where the real rules of the digital economy are written. What diplomats rarely say aloud is that the current system is perceived by much of the world as a Western-centric hegemony wrapped in the language of "openness." By failing to transcend this debate, WSIS+20 has ensured that the next decade will be defined by the same tug-of-war between those who want an internet without borders and those who want an internet defined by borders. We haven't solved the problem; we’ve simply scheduled it for 2035. The Centralization of the "Agile" UN Then there is the matter of the United Nations Group on the Information Society (UNGIS). The outcome document envisions an "enhanced role" for this body, aiming to synchronize the sprawling digital mandates of the UN—from the Global Digital Compact to the Pact for the Future. In the abstract, coordination is a virtue. The digital landscape is currently a chaotic mess of overlapping forums. However, there is a fine line between coordination and consolidation. The G77’s subtle warnings about this shift should be read as a "red alert." When the UN speaks of being "agile" and "effective," it is often a code for streamlining decision-making processes. The danger is that in the name of efficiency, we move toward a quiet centralization. If digital governance becomes an inter-agency steering mechanism accountable upward to the UN Secretariat rather than outward to the global community, the "multistakeholder ethos" becomes a mere checkbox in a bureaucratic manual. We risk trading the messy, vibrant participation of the public for the sterile efficiency of a committee. The $100 Billion Silence Perhaps the most damning indictment of the WSIS+20 process is its treatment of financing. Paragraphs 62 through 67 are a graveyard of familiar promises: blended finance, public-private partnerships, and the creation of yet another "assessment mechanism." It is the same script we read in 2005. The digital divide is no longer a gap; it is a canyon. While the Global North debates the ethics of generative AI, large swaths of the Global South are still struggling with the basic electricity required to charge a smartphone. The refusal to engage with "common but differentiated responsibilities"—the principle that those who have benefited most from the digital revolution should bear the greatest burden for its global expansion—is a failure of moral imagination. The inability to be creative about financing is not a technical hurdle; it is a political choice. It signals to the developing world that their inclusion is a secondary priority to the preservation of existing financial hierarchies. This is where the consensus is at its thinnest. You cannot build a "people-centered" information society on a foundation of systemic underfunding. The Road to 2035: Honesty Over Harmony The WSIS+20 outcome document is a masterpiece of diplomatic balancing. It says all the right things about human rights, internet fragmentation, and the "digital public good." But balance is often just a sophisticated way of avoiding the hard truths. The enthusiastic reception of this document in Western capitals risks overlooking a critical signal: the Global South does not feel heard. They have signed the document, yes, but they have not bought into the vision. They have accepted the consensus because the alternative—a total breakdown of the system—was too risky. But a "forced" consensus is an unstable one. As we look toward the 2035 review, the task is no longer to draft better sentences. The task is to rebuild the trust that has been eroded by twenty years of unfulfilled promises. This means:
WSIS+20 kept the lights on. It kept the actors on the stage. But the play is still the same, and the audience is growing restless. If the next decade is spent celebrating this "consensus" rather than addressing the grievances it conceals, then 2035 will not be a celebration—it will be a funeral for the global internet. The diplomats have done their job; it’s time for the entire internet community to do theirs. |