For years, China and Russia argued that the Internet was fundamentally American.Their case rested on a simple proposition: critical parts of the network depended on institutions, companies, and infrastructure ultimately subject to U.S. jurisdiction. If push came to shove, they argued, Washington could exercise control over the Internet in ways no other government could.

The United States spent decades proving them wrong. The most powerful example came in 2016 when the U.S. government completed the transition of stewardship over the Internet Assigned Numbers Authority (IANA) functions to the global multistakeholder community. Washington voluntarily gave up a privileged role in one of the Internet's most important coordination mechanisms. It was a remarkable act of restraint. At a moment when concerns about American dominance were growing, the United States chose trust over control.

The message was clear: the Internet was not an instrument of American power but a global resource governed through shared stewardship. That decision helped preserve confidence in the Internet as a platform for global collaboration and reinforced the idea that participation would not depend on nationality, political alignment, or geopolitical loyalty. Most importantly, it strengthened one of the Internet's least understood but most important characteristics: its security model.

The Internet became secure not because any one country controlled it, but because no country did. Cybersecurity has always been a collaborative enterprise. Vulnerabilities discovered in one part of the world are routinely shared with others. Researchers cooperate across borders. National computer emergency response teams exchange threat intelligence. Companies disclose weaknesses, coordinate patches, and work together to prevent attacks from spreading. Security researchers in Europe help protect systems in the United States while American researchers help secure networks in Asia. Knowledge moves quickly because threats move quickly.The principle is simple: the more people looking for vulnerabilities, the safer everyone becomes.

Consider the banking sector. Modern financial institutions rely on globally interconnected software, cloud services, authentication systems, and communications infrastructure. A vulnerability discovered in a European bank may affect institutions in North America, Asia, and Africa. If a researcher identifies a flaw in a widely deployed authentication system, sharing that information allows banks around the world to patch their systems before criminals can exploit it. This is how much of modern cybersecurity works. Security is not achieved because every institution independently discovers every vulnerability but because knowledge circulates.

The recent U.S. decision forcing Anthropic to suspend access to some of its most advanced AI models for foreign nationals introduces a new and potentially dangerous dynamic into this ecosystem. The immediate debate has focused on artificial intelligence and export controls but the broader significance lies elsewhere. For the first time, the United States has demonstrated its willingness to restrict access to a globally relevant digital capability based primarily on nationality. Whether the security concerns behind the decision are justified is almost beside the point. What matters is the precedent.

A kill switch now exists.

Not a kill switch for the Internet itself, but a kill switch for increasingly important components of the digital ecosystem. That matters because advanced AI systems are rapidly becoming security tools. They can help identify vulnerabilities, analyse malicious code, detect attack patterns, and accelerate defensive research. Restricting access to such capabilities does not merely affect the organisations being denied access but also the broader security environment within which everyone operates.

The consequences are unlikely to be immediate or dramatic; the danger is more subtle. Security depends on visibility. The more trusted actors examining systems, the more vulnerabilities are found before attackers discover them; the more researchers participating in security ecosystems, the greater the collective understanding of emerging threats; and, the more organisations contributing knowledge, the stronger the overall defensive posture becomes. When participation narrows, visibility narrows. The result is not necessarily insecurity but reduced collective awareness as fewer vulnerabilities are discovered, fewer weaknesses are identified and, fewer perspectives contribute to understanding threats that increasingly affect everyone.

This is particularly important because cyber threats themselves are fundamentally international. A ransomware group operating from one jurisdiction can target victims across dozens of others. A vulnerability discovered in California can affect hospitals in Germany and banks in France. The software supply chains underpinning modern economies are global by design. The response to such threats has historically been global as well. Yet, the introduction of geopolitical restrictions into this collaborative ecosystem risks changing that logic. Access to security capabilities may increasingly become a function of nationality rather than expertise, trust, or shared interest.

For Europe, this development should be impossible to ignore. Substantively, discussions about technological sovereignty often revolved around industrial policy, economic competitiveness, or strategic autonomy. Critics frequently dismissed sovereignty initiatives as protectionist exercises searching for a justification. Those arguments have become harder to sustain.

The Anthropic decision provides a concrete example of what strategic dependence looks like in practice. A government in Washington can make a political decision that immediately affects access to critical digital capabilities across Europe. The issue is not whether the United States remains a trusted ally but that dependence creates vulnerability regardless of who the partner happens to be.

The lesson many European policymakers will draw is straightforward: if access to critical technologies can be restricted overnight, alternatives become a matter of resilience rather than economics. That conclusion will likely accelerate Europe's existing efforts around cloud infrastructure, semiconductors, digital infrastructure, and artificial intelligence. Technological sovereignty will increasingly be framed not as a commercial objective but as a security imperative.

The geopolitical implications extend far beyond Europe. For more than two decades, China and Russia have argued that reliance on foreign technology creates unacceptable strategic risks. Their preferred solution has been greater state control over infrastructure, platforms, data, and networks. Western governments have long rejected that vision. They argued that security and resilience emerge through openness, interoperability, and distributed governance rather than state control. The strength of that argument rested not only on principle but also on practice. The United States could point to decades of restraint as evidence that global interdependence worked.

The Anthropic decision weakens that position, however, it also does not prove that Beijing or Moscow are right. Their models remain centred on state control, censorship, and fragmentation. It does strengthen, however, a key element of their argument: dependence on foreign technology can create strategic vulnerability.

Countries across the Global South are likely to notice. European policymakers certainly will. And China will undoubtedly point to the decision as evidence that critical digital technologies remain subject to American political authority.

This is where the real danger lies. The existence of a kill switch changes behaviour even if it is rarely used. Governments begin planning for the possibility that access could disappear. Companies seek alternatives. Alliances become less important than self-sufficiency. Trust gives way to contingency planning. The result is not a more secure world.

The Internet's greatest achievement was not simply connecting networks. It was creating a framework within which cooperation became more valuable than isolation. Security improved because knowledge crossed borders and risks were managed collectively because threats were shared collectively.
​
If countries increasingly conclude that access to critical digital capabilities can be withdrawn for geopolitical reasons, they will inevitably invest in separation rather than collaboration. That may produce greater sovereignty but it will almost certainly produce less security.

The EU’s long-awaited Tech Sovereignty Package is not just another EU digital strategy paper but an attempt to redefine Europe’s relationship with technology power, especially after years of relying heavily on US cloud providers, Asian semiconductor supply chains, and foreign software ecosystems. The paper essentially says: Europe can no longer afford to be mostly a regulator while others build the infrastructure.

The easiest way to understand the package is this:

• Europe believes it became too dependent on non-European technology.
• It fears those dependencies are now geopolitical risks, not just business risks.
• So the EU wants to build more of its own technology stack: chips, cloud, AI, software, data infrastructure, open source ecosystems, and standards.
• At the same time, it insists this is not “digital protectionism” or “decoupling.”

The package has four major pillars:

1. Chips Act 2.0
   Build more semiconductor capacity inside Europe.
2. Cloud and AI Development Act (CADA)
   Expand European cloud and AI infrastructure and reduce reliance on foreign hyperscalers.
3. EU Open Source Strategy
   Use open source software as a sovereignty tool and reduce vendor lock-in.
4. AI and Digitalisation in Energy
   Build greener and more energy-efficient digital infrastructure.

What makes this document important is that it openly frames technology as geopolitical power. The language is much sharper than earlier EU digital policy documents, using phrases like “strategic liabilities,” “foreign interference,” “trusted partners,” “jurisdictional reach,” and “supply chain weaponisation.”
So here is the “good, really good, bad, and ugly.”

The Good
1. Europe is finally addressing a real problem

The core diagnosis is mostly correct.

Europe missed much of the platform era and it became highly dependent on:

• US cloud providers;
• US software ecosystems;
• Asian semiconductor manufacturing;
• foreign AI infrastructure;

​The document openly admits that more than 80% of Europe’s digital products, services, infrastructure, and IP come from outside the EU.
That is not sustainable if:

• geopolitics worsen;
• export controls increase;
• sanctions spread;
• or infrastructure becomes politicised.

The EU is no longer treating technology merely as a market issue. It now sees it as strategic infrastructure, similar to energy or defense.

That shift is overdue.

2. The open source strategy is surprisingly strong

This is probably the most intellectually coherent part of the package.

The EU finally understands that open source is not just about software philosophy but about reducing dependency and increasing strategic flexibility.

Several ideas here are genuinely important:

• public money/public code;
• open source-first procurement;
• interoperability requirements;
• reducing vendor lock-in;
• support for open digital commons;
• funding maintenance of critical open source infrastructure;
• European stewardship foundations for strategic codebases.

The proposal for an “Open Source Maintenance Instrument” is especially important.

One of the biggest weaknesses in global open source ecosystems is that critical infrastructure is often maintained by underfunded volunteers. Europe is correctly identifying maintenance and stewardship as strategic issues.
The emphasis on interoperability is also significant. The package repeatedly stresses portability and the ability to switch providers.

That could genuinely improve competition.

3. The document understands ecosystems better than earlier EU policy

Past EU digital policy often focused too heavily on regulation. This paper is different as it talks constantly about:

• supply-side support;
• demand-side measures;
• public procurement;
• scaling;
• industrial ecosystems;
• financing;
• skills;
• infrastructure;
• and market creation.

That matters because you cannot regulate your way into technological leadership. The paper finally acknowledges that Europe needs:

• industrial capacity;
• compute;
• manufacturing;
• procurement power;
• and scale.

That is a major conceptual shift.

4. The document is trying to preserve openness
This is important and should not be ignored. The paper repeatedly says sovereignty does not mean isolation or decoupling.
​
That distinction matters because there is a meaningful difference between:

• building resilience,
  and
• building digital nationalism.

The EU is trying to position itself somewhere between:

• US market concentration,
  and
• China’s state-controlled digital model.

Whether it succeeds is another question, but the attempt matters.

The Really Good

1. The package quietly recognizes that cloud dependence is a political problem

This may be the most consequential part of the entire paper. The document openly states that dependence on foreign cloud providers creates risks related to:

• foreign jurisdiction;
• surveillance;
• public order;
• and extraterritorial reach.

That is really about US legal reach and the EU has been struggling with this issue since Snowden, Schrems, the Cloud Act debates and transatlantic data transfer disputes. This document, therefore, effectively says:
Europe cannot build strategic AI capability while most compute infrastructure remains externally controlled.

2. The focus on procurement could actually change markets

The procurement parts may sound boring, but they are potentially transformative. The document correctly identifies that procurement rules often favor incumbent proprietary vendors.
If Europe genuinely shifts public procurement toward:

• open standards;
• interoperability;
• reusable public code;
• and open source-first systems

then this could:

• create viable European software ecosystems;
• reduce lock-in;
• and create space for smaller firms.

This is one of the few areas where Europe can realistically move markets at scale.

3. The package understands that AI sovereignty is impossible without compute sovereignty

This is another strong point. The paper links chips, cloud, AI infrastructure, data centers, and energy systems
as one interconnected stack. That is strategically correct. Too many AI policy discussions treat models as the center of power. This document understands that: compute, infrastructure, energy and cloud control matter just as much.

The Bad

1. “European technology stack” language is risky
The phrase “full European technology stack” appears several times. That sounds coherent politically, but technologically it is much harder.
Modern digital systems are deeply global:

• semiconductors;
• open source libraries;
• cloud architecture;
• AI models;
• Standards;
• developer ecosystems; and,
• cybersecurity tooling,
  all depend on international interconnection.

The risk is that sovereignty language slowly shifts from resilience, to localization expectations, to implicit protectionism.

That is where things can become problematic for the open internet.

2. There is tension between openness and sovereignty

The paper says:

• Europe wants openness,
• interoperability,
• and global cooperation.

But it also proposes:

• sovereignty classifications,
• trusted provider structures,
• European control requirements,
• and “exclusive EU oversight” for strategic systems.

Those goals may eventually collide.
The central question becomes:


How much foreign participation is acceptable before something is no longer considered “sovereign”?
The document never fully answers that.

3. The economic assumptions may be too optimistic

The paper assumes Europe can simultaneously:

• reduce dependencies;
• build domestic alternatives;
• stay globally competitive;
• and avoid fragmentation.

That is difficult.

Digital ecosystems benefit enormously from:

• scale;
• network effects;
• capital concentration;
• and developer gravity.

Europe has talent and research capacity, but historically it has struggled to scale digital champions. The package acknowledges the investment gap, but it may still underestimate how hard it is to compete with:

• US hyperscalers;
• Chinese state-backed ecosystems;
• and global AI capital concentration.

4. There is a lot of industrial policy optimism

The document assumes coordination will work smoothly across:

• Member States;
• Regulators;
• public procurement;
• infrastructure;
• standards;
• and industrial policy.

History suggests Europe often struggles with execution.

The danger is that this becomes:

• many strategies;
• many governance frameworks;
• many funding instruments;
  but not enough operational delivery.

The Ugly

1. Sovereignty could become a justification for fragmentation

This is the biggest risk for the open Internet.

The document insists it supports openness. But parts of the framework could gradually normalize:

• regional technology blocs;
• sovereignty-based infrastructure requirements;
• local control mandates;
• trusted vendor lists;
• and differentiated market access.

If replicated globally, this could accelerate:

• fragmentation of digital infrastructure;
• fragmentation of cloud ecosystems;
• and fragmentation of technical governance.

In practice, the Internet works best when:

• systems interoperate globally;
• standards remain open;
• and cross-border infrastructure remains trusted.

A sovereignty-first logic can slowly weaken those assumptions.

2. “Trusted” language can become political very quickly

The document constantly refers to “trusted” partnerships and providers.
But trusted by whom? Based on what criteria? Political alignment? Jurisdiction? Ownership?
Supply chain? Security certification?

Once governments start classifying technology ecosystems politically, markets can become increasingly geopolitical.

That may be unavoidable to some extent. But it also changes the character of the Internet from globally interconnected infrastructure,to competing geopolitical technology spheres.

3. The package could unintentionally strengthen bureaucracy over innovation

There is a tension throughout the document:

• simplification rhetoric on one side;
• heavy governance architecture on the other.

The EU often excels at frameworks, standards, and governance processes.

It is less successful at creating:

• fast-moving innovation ecosystems;
• venture scale;
• or global digital champions.

If implementation becomes overly compliance-heavy, Europe may create:

• more reporting;
• more certification;
• more sovereignty assessments;
  without generating enough actual innovation capacity.

 
Could this impact the open Internet?
Yes — potentially in both positive and negative ways.

Positive impact

The package could strengthen important open Internet principles by:

• promoting interoperability;
• reducing vendor lock-in;
• supporting open standards;
• investing in open source;
• and decentralizing digital power.

Those are healthy counterweights to extreme concentration in a few global firms.
The open source parts especially could reinforce:

• transparency;
• portability;
• decentralization;
• and user choice.

That is broadly aligned with the spirit of the open Internet.

Negative impact

But the sovereignty framing could also contribute to Internet fragmentation.

If “digital sovereignty” evolves into infrastructure localization, sovereignty certification, jurisdiction-based access controls, or political trust blocs, then interoperability across regions could weaken over time.

The Internet would still technically exist as one network, but operationally it could become more segmented and geopolitical.

In many ways, this package reflects a larger global shift: the Internet is increasingly being treated not just as communications infrastructure, but as strategic state infrastructure.

That changes everything.

Final assessment

This is probably one of the EU’s most strategically important digital policy documents in years.

At its best, it is:

• realistic about geopolitical dependency;
• smart about open source;
• serious about industrial capacity;
• and more economically grounded than earlier EU digital policy.

At its worst, it risks:

• turning sovereignty into techno-nationalism,
• contributing to fragmentation,
• overestimating Europe’s execution capacity,
• and replacing dependency with bureaucratic complexity.

The most important unresolved question is this:
Can Europe build technological resilience and strategic capacity without undermining the openness and interoperability that made the Internet valuable in the first place?

​That tension sits at the center of the entire package.
 

[Note: This essay builds on recent remarks reflecting on fifteen years of work by the Freedom Online Coalition (FOC) to advance a free and open internet.]

Fifteen years into the modern era of Internet governance debates, it is tempting to reach for the language of continuity and to frame the present as a natural extension of a once widely shared vision of a free and open Internet. But that framing no longer holds. The environment in which the Internet freedom agenda emerged has shifted so fundamentally that continuity risks obscuring more than it clarifies. What began as a project grounded in optimism about connectivity, participation, and the expansion of rights, now unfolds in a landscape defined by contestation.

The early Internet was widely understood as a liberation technology. It promised to flatten hierarchies, lower barriers to expression, and connect individuals across borders in ways that would strengthen democratic life. That belief was not naïve and it was grounded in real affordances. The architecture of the network enabled openness while the governance ecosystem, though imperfect, leaned toward interoperability and shared norms. The political moment of the post-Cold War and pre-platform consolidation, allowed for a degree of alignment between technological possibility and normative aspiration.

Today, that alignment has fractured. The Internet is no longer primarily imagined as a shared civic space. It is increasingly treated as an arena of strategic competition, one in which states seek control, firms consolidate power, and technological systems are deployed to advance geopolitical and economic interests. In this context, openness is no longer the default condition but a position that must be argued for, defended, and continually renegotiated.

This shift matters not only at the level of discourse but also at the level of design and governance. When the Internet is framed through the lenses of sovereignty, security, and resilience, the incentives change. Interoperability becomes negotiable, cross-border data flows become conditional and, technical standards become sites of geopolitical influence. What emerges is not a single, coordinated transformation, but a cumulative drift toward fragmentation -- what is often described as the “splInternet,” but which is more accurately understood as a governance project.

The implications are profound. Interoperability is not merely a technical feature; it is a civic condition. It enables communication across jurisdictions, facilitates the circulation of information, and sustains transnational forms of association. As fragmentation deepens, through data localization mandates, sovereign routing ambitions, platform restrictions, and competing standards, the capacity to exercise rights across borders diminishes. The architecture of the network begins to mirror the divisions of the geopolitical landscape.

In this sense, the defense of the open Internet cannot be reduced to a defense of norms alone. It requires attention to infrastructure, to protocol and to the material and institutional conditions that make openness possible. Once borders are hardcoded into the network, they are difficult to undo; and, once interoperability is eroded, the political consequences follow.

At the same time, the terrain of digital governance is expanding beyond the Internet as it was once conceived. Artificial intelligence, platform ecosystems, and digital public infrastructure are becoming foundational layers of contemporary governance. These systems shape access to services, mediate participation in public life, and increasingly structure the exercise of rights. They are not neutral tools; they embed assumptions about authority, accountability, and legitimacy.

Here, the risk is not simply the persistence of existing forms of power, but their transformation. The critique of surveillance capitalism has been well established. But its potential replacement, forms of centralized, state-driven digital control, does not resolve the underlying problem. It simply redistributes it. Without safeguards, the shift from private to public control can result in surveillance statism: systems that are more centralised, less contestable, and equally opaque.

The challenge, then, is to ensure that emerging digital systems are rights-respecting by design. This requires moving beyond ex postaccountability toward ex ante governance. Transparency, privacy, due process, and non-discrimination must be embedded in the architecture of these systems, not as optional features, but as structural constraints. The question is not whether digital infrastructure will shape social and political life but whether it will do so in ways that expand or constrain human agency.

Equally important is the question of legitimacy. The Internet freedom agenda, if it is to remain effective, cannot be perceived as the project of a narrow geopolitical bloc. In a context of increasing polarization, legitimacy is not a secondary concern; it is a strategic imperative. A coalition that does not reflect the priorities and perspectives of the Global Majority will struggle to sustain influence. More importantly, it will struggle to articulate an agenda that resonates across different contexts.

This requires a shift in both representation and substance. Representation must be broadened, not only in terms of participation, but in terms of leadership and agenda-setting. Substance must expand to address issues that extend beyond traditional concerns with censorship and access. Infrastructure gaps, affordability, language inclusion, platform dependency, and data extraction are not peripheral issues; they are central to how digital power is experienced in much of the world. An agenda that does not engage with these realities will remain normatively compelling but politically limited.

Rebuilding the Multistakeholder Model
It is within this broader context that the multistakeholder model must be reconsidered, not as an idealized framework, but as a practical mechanism for governing complexity. The model has long been associated with inclusivity, consensus, and shared stewardship. But these associations, while not entirely misplaced, risk obscuring its more fundamental function.

The multistakeholder model is not a model of harmony. It is a model of structured contestation.

The Internet is governed through a distribution of authority that does not map neatly onto traditional institutional boundaries. Governments legislate and regulate; companies design, deploy, and operate infrastructure; technical communities develop protocols and standards; and, civil society advocates, scrutinizes, and holds actors accountable. These forms of power are distinct, and they are not easily subsumed under a single hierarchy.

Any governance model that privileges one form of authority to the exclusion of others produces distortion. A state-centric model may offer clarity and enforceability, but risks narrowing the space for openness and innovation. A market-driven model may enable scale and efficiency, but often lacks mechanisms for accountability. A purely technical model may optimise for performance, but does not inherently address questions of legitimacy or rights.

The multistakeholder model, at its core, acknowledges this plurality. It does not eliminate power asymmetries, nor does it resolve conflicting interests. What it does, at least in principle, is bring these differences into a shared process by creating a space in which competing claims can be articulated, challenged, and negotiated.

This is its defining feature: not consensus, but negotiation.

Negotiation, in this context, should not be understood as a temporary phase leading to agreement. It is a permanent condition. The interests at stake, sovereignty, profit, technical integrity, rights, are not fully reconcilable. They evolve over time and they intersect in complex ways. The role of the model is not to produce perfect alignment, but to prevent unilateral determination.

In a fragmented geopolitical environment, this function becomes even more critical. As state-led models, promising control, coherence, and strategic autonomy gain traction, the multistakeholder approach can appear slow, diffused, and uncertain. These are not trivial criticisms. They reflect real limitations and a misunderstanding of what is at stake. The alternative to structured negotiation is not efficiency but concentration of power. If the Internet is to remain open, it must remain contestable. Contestability requires mechanisms through which decisions can be influenced, challenged, and revised. It requires the presence of multiple actors with the capacity to intervene. It requires, in other words, a governance model that institutionalises disagreement.

The first challenge is credibility. There is a growing perception that multistakeholder processes are performative in the sense that they provide the appearance of inclusion without altering outcomes. When participation is broad but influence is narrow, the model loses legitimacy. This is not merely a reputational issue as it affects the willingness of actors to engage. If processes are seen as predetermined, participation becomes symbolic.

The second challenge is geopolitical. In a context of rising techno-nationalism, the appeal of state-centric approaches is understandable. They offer clear lines of authority, faster decision-making, and alignment with national priorities. For many governments, particularly those navigating complex security and development pressures, these features are attractive. If the multistakeholder model cannot demonstrate comparable effectiveness, without sacrificing its core principles, it risks marginalisation.

The third challenge is participation. Access to multistakeholder forums remains uneven. Financial constraints, geographic concentration, language barriers, and technical complexity all limit who can engage. This is particularly acute for actors from the Global South, whose perspectives are often underrepresented despite being directly affected by the outcomes. An open process that is structurally inaccessible reproduces the very inequalities it seeks to mitigate. Strengthening the model, therefore, requires more than rhetorical commitment. It requires institutional reform.

First, participation must be made meaningful. This entails moving beyond consultation toward co-decision. Clearer rules of engagement are needed to ensure that contributions from different stakeholders have a tangible impact on outcomes. Mechanisms for accountability, both procedural and substantive, should be strengthened. Frameworks such as the São Paulo Multistakeholder Guidelines point in this direction, emphasizing transparency, inclusivity, and shared responsibility. But principles alone are insufficient; they must be operationalized. Meaningful participation requires capacity. Civil society organizations, particularly in resource-constrained contexts, need sustained support to engage effectively. This includes not only funding, but access to information, training, and networks. Without such support, the model risks privileging those who already have the means to participate.

Second, governance must be decentralized. The concentration of digital governance processes in a small number of global hubs creates structural imbalances. It shapes agendas, influences participation, and reinforces existing power dynamics. Building stronger regional and local ecosystems is essential, not as a substitute for global coordination, but as a complement. Regional institutions can provide context-specific insights, facilitate broader engagement, and serve as conduits between local realities and global norms. In this context, decentralization enhances resilience. A more distributed governance architecture is less vulnerable to capture and better able to adapt to diverse conditions. It allows for experimentation, learning, and the development of contextually appropriate solutions.

Third, the gap between technical design and policy must be bridged. Increasingly, decisions that shape rights are made at the level of code through protocols, standards, and system architectures. Yet the communities that design these systems and those that regulate them often operate in parallel, with limited interaction. This disconnect creates blind spots. Technical decisions may overlook social and political implications, while policy interventions may lack technical feasibility. Bridging this gap requires new forms of expertise and collaboration. Policymakers need a deeper understanding of technical systems while engineers need greater awareness of normative frameworks. Interdisciplinary spaces, where these perspectives can intersect, should be expanded. This is not a peripheral concern; it is central to the future of digital governance.

Ultimately, strengthening the multistakeholder model is not about preserving an institutional arrangement for its own sake. It is about maintaining a mode of governance that can accommodate complexity without collapsing into domination and ensuring that the broader digital ecosystem remains a space where power is subject to constraint.

The open Internet, at this stage, is no longer an inherited condition. It is an ongoing achievement. It depends on choices which are highly technical, political, and institutional as well as on the willingness to accept friction, to engage in negotiation, and to resist the allure of simplified solutions.

There is no return to the early optimism of the Internet age. The conditions that made that optimism possible have changed. But this does not imply inevitability because fragmentation is not preordained and control is not the only outcome. What remains possible is a system in which power is distributed, contested, and accountable. The multistakeholder model, for all its imperfections, remains uniquely suited to this task. Not because it resolves conflict, but because it organises it; and, not because it guarantees openness, but because it keeps openness within reach.

In the end, the choice is not between idealized openness and absolute control but between different ways of structuring power. A system where power is negotiated will always be more demanding. It requires patience, resources, and institutional commitment. But it also offers something that more centralized models do not: the possibility of revision, the space for dissent, and the capacity to adapt. If the Internet is to remain global, interoperable, and rights-respecting, it must remain contestable. And contestability, in a fragmented world, is not a byproduct of governance. It is its purpose.

Digital sovereignty has become one of the defining policy debates of the European decade. It sits at the intersection of geopolitics, industrial policy, cybersecurity, and constitutional values. Yet despite its prominence, the term remains contested. For some, sovereignty means control over infrastructure and data — preferably within national or European borders. For others, it means the ability to act independently in a world of technological interdependence. The distinction is not semantic. It shapes how Europe regulates platforms, designs cloud policy, and positions itself between the United States and China.

Cloud computing lies at the heart of this debate. The global market is heavily concentrated in the hands of a few hyperscalers and their dominance is not merely commercial; it is infrastructural. They provide the backbone for public administrations, hospitals, financial institutions, universities, and increasingly for artificial intelligence systems. Their vertically integrated ecosystems — compute, storage, identity, AI tooling, proprietary databases — generate immense efficiencies. They also create structural dependencies. Once deeply embedded in one environment, switching becomes technically complex and economically costly. Vendor lock-in remains a central feature of the cloud economy.

The European Union’s response to this concentration has taken multiple forms. Through legislative initiatives such as the Data Governance Act and the Data Act, and through cybersecurity certification schemes, the European Commission has attempted to strengthen data portability, clarify governance rules, and reduce asymmetries of power. At the same time, the ambition of “technological sovereignty” has inspired industrial initiatives such as GAIA-X — an attempt to create a federated, European-aligned cloud ecosystem grounded in shared standards and values.

Yet GAIA-X illustrates both the necessity and the difficulty of sovereignty projects rooted in infrastructure-building alone. Launched with considerable political symbolism, it promised a European alternative to hyperscaler dominance. Over time, however, it struggled with governance complexity, diverging member interests, unclear market incentives, and the paradox of including the very non-European providers it initially sought to counterbalance. The initiative did not fail for lack of ambition; it faltered because constructing parallel infrastructure in a highly capital-intensive and globally integrated market proved extraordinarily difficult. Sovereignty by replication — building European “equivalents” to American or Chinese platforms — encountered structural limits.

At the same time, pure market concentration remains deeply problematic. Network effects, economies of scale, and the gravitational pull of proprietary ecosystems risk entrenching a small number of providers as systemic gatekeepers. This concentration raises competition concerns, but also constitutional ones. When digital infrastructure becomes indispensable for public administration, the dependency of democratic institutions on a handful of foreign-headquartered corporations acquires geopolitical significance. The debate is therefore not reducible to antitrust policy; it concerns the architecture of democratic self-government in a digital age.

Between enclosure and resignation lies a third path: interoperability.

Interoperability reframes sovereignty not as isolation or duplication, but as capacity within interdependence. It emphasizes the ability to move, to connect, to federate, and to exit. In practical terms, interoperability means shared protocols, open standards, portability requirements, and interconnection mechanisms that lower switching costs and prevent structural lock-in. It transforms sovereignty from a static notion of territorial control into a dynamic ability to reconfigure dependencies.

There are strong historical precedents for this logic. Consider the standardized shipping container. Before containerization, global trade was slow, fragmented, and vulnerable to theft and delay. The breakthrough was not a new empire or a supranational port authority, but a shared technical specification. Once container dimensions were standardized through international agreement, any compliant ship, crane, truck, or railway could interoperate with any other. Trade volumes expanded dramatically. Yet no state surrendered customs authority, maritime jurisdiction, or regulatory power. Sovereignty did not shrink; it became more operational because infrastructure could connect across borders without political merger.

Or take something as seemingly mundane as measurement. Before the spread of the metric system, Europe was a patchwork of local units — feet, ells, stones, and cubits that varied by region. Industrial scaling across borders was nearly impossible. The adoption of the metric system did not abolish national governments. It did not dissolve borders. It created a shared language of quantification. Engineering, science, and trade flourished precisely because sovereign states agreed on interoperable standards while retaining full political independence. Measurement became infrastructure for autonomy, not its negation.

The same pattern appears in identity systems. After the First World War, chaotic and inconsistent travel documentation hampered cross-border mobility. Through League of Nations negotiations, passport formats and visa practices were standardized. States retained complete discretion over who could enter their territory. But interoperable documents allowed those sovereign decisions to be recognized and processed by others. Borders did not disappear; they became administratively manageable at scale.

Even scientific knowledge offers a parallel. Before the eighteenth century, plants and animals were described differently across languages and empires. The Linnaean system of binomial nomenclature created a universal taxonomy. A species identified in Sweden could be discussed in Spain or Brazil under the same classification. No global government enforced this order. Yet by standardizing naming conventions, sovereign states and scientific institutions could coordinate research and exchange findings across continents. Shared standards amplified intellectual capacity without centralising political authority.

One could extend the analogy further. The Gregorian calendar gradually replaced a patchwork of incompatible dating systems across Europe and beyond. States adopted a common temporal framework for civil purposes while maintaining religious and political autonomy. Commerce, diplomacy, and navigation benefited from synchronized timekeeping. Again, sovereignty persisted — but it functioned within a shared temporal infrastructure.

Across these examples — shipping containers, measurement systems, passports, taxonomies, calendars,— a consistent lesson emerges. Interoperability does not dissolve sovereignty. It enables it to operate within networks. Shared standards reduce friction, lower coordination costs, and create exit options without requiring political unification.

The same principle applies to digital infrastructure. When cloud systems are sealed silos, sovereignty becomes fragile: dependency hardens, mobility declines, and strategic options narrow. But when systems are designed to interoperate — through shared protocols, portability standards, and governed interconnection — sovereign actors retain the ability to choose, to shift, and to coordinate. Just as containerization did not create a world state, and the metric system did not abolish national law, interoperable cloud architectures need not erase jurisdictional authority.

Historically, the most resilient political orders were not those that isolated themselves from networks, but those that shaped the standards under which networks operated. Interoperability has repeatedly functioned as a quiet but decisive instrument of sovereign capacity. In the digital age, it may once again prove to be the difference between dependency and democratic control.

The internet itself offers a more recent example. Its foundational protocols — TCP/IP, SMTP, HTTP — were designed as interoperable standards rather than proprietary enclosures. No single actor “owned” email or the web. This openness allowed innovation, competition, and global scaling while enabling states to regulate services built atop the network. The democratic potential of the internet was not guaranteed, but its interoperable architecture prevented early monopolisation at the protocol layer.

Cloud computing evolved differently. Hyperscalers built vertically integrated environments optimized for performance and security, but not for portability. The economic logic is understandable: differentiation and integration drive competitive advantage. Yet this architecture complicates sovereign choice. When data gravity, proprietary AI services, and bespoke integrations accumulate within one provider, exit becomes economically irrational even if legally permissible.

Recent technical developments suggest a subtle adjustment. When a provider such as Amazon Web Services introduces managed multicloud connectivity — beginning with interconnection to Google Cloud — it does not eliminate concentration. Nor does it dissolve lock-in. But it reduces friction in cross-cloud architectures. It makes distributing workloads across providers somewhat more feasible. Interoperability becomes part of the product offering rather than an adversarial afterthought.

This shift is modest but politically significant. It reflects pressure from enterprise customers, regulators, and public-sector procurement policies that increasingly demand resilience and optionality. In Europe, sovereignty debates have amplified this demand. Public institutions now ask not only where data resides, but how easily it can be moved. Exit options become a measure of autonomy.

The value of interoperability becomes clearer when contrasted with enclosure-based sovereignty models. Building national or regional “fortress clouds” may promise control, but it risks fragmentation, reduced economies of scale, and diminished innovation capacity. It can also entrench domestic monopolies. Democratic sovereignty requires more than jurisdictional boundaries; it requires pluralism, contestability, and resilience. Systems that cannot interoperate are brittle. They trap users as effectively as foreign platforms do.

At the same time, interoperability is not a panacea. Without governance, it can entrench dominant actors by allowing them to define standards. Without competition enforcement, portability rights may exist only on paper. Without cybersecurity coordination, interconnection can increase attack surfaces. Democratic interoperability therefore demands institutional scaffolding: certification schemes, enforceable data portability rights, competition oversight, and transparent standards-setting processes.

Here the European Union holds structural leverage. As a large regulatory market, it can condition access on interoperability requirements. It can mandate technical documentation, standardized APIs, and data export formats. It can align procurement rules with portability criteria. In doing so, it shifts the sovereignty debate from ownership to rules of engagement.

The critical question is not whether Europe should build its own hyperscalers — a goal that has thus far proven elusive — but whether it can shape the interoperability environment in which all providers operate. 
A democratic theory of digital sovereignty therefore rests on three pillars. First, concentration must be constrained through competition policy and transparency. Second, attempts at infrastructural replication must be assessed realistically, avoiding symbolic projects that lack economic viability — a lesson underscored by the struggles of GAIA-X. Third, and most importantly, interoperability must be treated as a constitutional principle of digital governance.

Historically, states became stronger not by isolating themselves from networks, but by shaping them. Railways, telegraphs, postal systems, financial clearinghouses — each required common standards to function across borders. Sovereignty survived because it was embedded in interoperable architectures governed by shared rules. The same logic applies to the cloud.

Digital sovereignty in a democratic context should not be defined by the thickness of digital walls, but by the credibility of exit options, the enforceability of standards, and the resilience of interconnected systems. Interoperability provides the technical foundation for these qualities. It lowers dependency without demanding isolation. It enables cooperation without surrendering regulation. It turns interdependence into governable structure.

Cloud markets remain concentrated, and hyperscalers retain immense structural power. European industrial initiatives have struggled to counterbalance that reality directly. Yet the path forward may not lie in constructing parallel fortresses, but in mandating bridges.Interoperability is not a concession to globalization; it is the mechanism through which democratic societies can shape it.

In recent years, “data governance” has moved from a technical policy niche to the center of global political debate. Governments, corporations, civil society groups, and international organizations are now locked in conversations about how data should be collected, processed, shared, and regulated. Yet this debate is no longer just about data management. It is fundamentally about artificial intelligence. As advanced AI systems—particularly generative models—depend on vast datasets to function, questions about data access, control, and cross-border flows have become proxies for deeper struggles over AI governance, economic competitiveness, and geopolitical influence. Countries in the Global South have become increasingly vocal in these discussions, aware that the rules being shaped today will determine whether they are merely sources of raw data or active participants in the AI economy.

Data governance itself is not new; privacy laws, cybersecurity frameworks, and digital trade rules have existed for decades. What is new is its elevation to a strategic priority at the highest levels of government. Over the past year, a UN working group on data governance has been deliberating on principles for global cooperation, reflecting how central the issue has become to multilateral diplomacy and to ongoing processes around digital cooperation and AI governance. The shift signals a recognition that data governance is no longer a narrow regulatory concern—it is now a critical pillar of economic policy, development strategy, and global power in the age of AI.

From Data Governance to AI GovernanceHistorically, data governance referred to frameworks ensuring data quality, privacy, security, and ethical use. It was often associated with compliance regimes such as the European Union’s General Data Protection Regulation (GDPR) or sectoral data-sharing standards. These frameworks focused on protecting personal information, enabling trusted data exchanges, and clarifying institutional responsibilities. Today, however, the stakes are higher. AI systems are trained on vast quantities of data, and their performance, bias, safety, and economic value are deeply tied to who controls that data and under what conditions it can be accessed. Data is no longer simply something to be protected or managed—it is the foundational resource of AI-driven economies.

In this context, governing data increasingly means governing AI. The availability and diversity of training data determine who can build competitive AI systems and whose languages, cultures, and realities are represented in them. The regulation of cross-border data flows shapes where AI infrastructure can operate and which firms can scale globally. Intellectual property rules influence who captures value from AI-generated outputs, while competition law affects whether data advantages entrench dominant platforms. As a result, debates about data governance are no longer confined to privacy regulators; they now sit at the intersection of industrial policy, trade negotiations, national security strategies, and development agendas. Control over data translates into influence over innovation capacity and geopolitical leverage in the AI era.

The surge of attention reflects three converging trends. First, the commercial explosion of generative AI has demonstrated both the transformative potential and the concentration risks of large-scale models. Second, mounting concerns about algorithmic bias, misinformation, labor displacement, and systemic risk have exposed the societal consequences of poorly governed data ecosystems. Third, intensifying geopolitical rivalry—particularly among the United States, China, and the European Union—has elevated AI and data policy into instruments of strategic competition. In this environment, data governance can no longer be treated as a technical compliance exercise. It has become a strategic imperative: a core element of economic resilience, democratic accountability, and global power. Governments now recognize that decisions about data access, standards, and flows will shape not only innovation trajectories but also the distribution of benefits and risks in the AI age.

Why the Global South Has So Much at Stake
For countries in the Global South, AI governance is not an abstract regulatory issue. It is a question of development, sovereignty, and inclusion. Many of these nations are rich in data—through large, youthful populations and rapidly digitizing economies—but poor in computational infrastructure and capital. If global AI governance rules are set without their meaningful participation, they risk becoming mere suppliers of raw data to foreign technology giants, replicating extractive patterns reminiscent of colonial resource economies.

First, there is the economic dimension. AI is projected to contribute trillions of dollars to the global economy. If value creation is concentrated in a handful of countries that control data infrastructure, cloud computing, and foundational models, the development gap between North and South may widen. Countries in Africa, Latin America, South Asia, and Southeast Asia therefore seek frameworks that ensure fair access to data, infrastructure investment, and opportunities to build local AI ecosystems.

Second, there is the cultural and linguistic dimension. AI systems trained predominantly on Western datasets often perform poorly in underrepresented languages and contexts. This creates digital exclusion. Ensuring diverse, representative datasets is not merely a technical matter but a matter of cultural preservation and democratic participation. Countries in the Global South want governance structures that prevent their societies from being misrepresented—or entirely absent—in the AI systems that increasingly mediate information and services.

Third, there is the issue of regulatory sovereignty. Many developing countries fear being forced to adopt standards designed elsewhere—whether American market-driven models, European rights-based approaches, or Chinese state-centric frameworks. They seek a voice in shaping norms that balance innovation, equity, and human rights in ways aligned with their own social and economic priorities.

Complexity and Misunderstanding
Despite its urgency, data governance remains deeply complex and frequently misunderstood. One of the most persistent misconceptions is the tendency to equate data governance with data localisation—the requirement that data be stored or processed within national borders. While localisation is often presented as a straightforward assertion of sovereignty, it is at best a narrow policy instrument and at worst a distraction from the deeper structural challenges of governing data and AI in an interconnected world.

Data governance is inherently multi-layered. It spans privacy protection, cybersecurity, competition policy, intellectual property, algorithmic accountability, cross-border data transfers, and trade obligations. AI governance introduces further dimensions: model transparency, safety testing, risk classification, auditing, liability for harm, and systemic risk management. These domains intersect in complicated and sometimes contradictory ways. For example, stringent privacy protections may restrict the availability of data for AI training; open data initiatives may clash with intellectual property regimes; competition policy may be needed to prevent data advantages from entrenching dominant firms. Reducing this complexity to a territorial question of “where data sits” fundamentally misdiagnoses the problem.

Data localisation is often framed as a tool for enhancing sovereignty, national security, or economic development. In reality, it tends to promote closed systems rather than collaborative ecosystems. By privileging territorial control over interoperability, localisation fragments the global digital environment into silos. It runs counter to the spirit of openness, shared standards, and cross-border innovation that has historically driven the growth of the internet and the digital economy. AI development, in particular, depends on diverse, high-quality datasets and distributed research collaboration. Artificially confining data within national borders risks narrowing datasets, reducing model performance, and isolating domestic researchers and firms from global networks.

Moreover, localisation frequently offers only a short-term political signal rather than a durable solution. Storing data domestically does not automatically ensure meaningful control over it. Foreign technology companies can still access, analyze, and monetize locally stored data through contractual arrangements, cloud partnerships, or subsidiary structures. Without strong competition policy, regulatory capacity, and technical infrastructure, localisation alone does little to rebalance power in digital markets.

In the long run, the economic costs can be significant. Localisation requirements can raise compliance and infrastructure costs for startups and small firms, limiting their ability to scale internationally. They can deter foreign investment, complicate cross-border service provision, and invite retaliatory trade measures. For developing economies seeking to integrate into global digital value chains, such fragmentation can reduce competitiveness and innovation potential. Citizens may ultimately bear the cost through higher prices, reduced access to digital services, and slower technological progress.

Equating data governance with localisation also obscures the broader structural challenge: how to ensure that countries retain meaningful agency over data generated within their borders while remaining connected to the global digital economy. True sovereignty in the AI era is not about isolation; it is about capacity—regulatory, technical, and institutional. Effective governance requires nuanced and forward-looking solutions: interoperable regulatory standards that enable trusted data flows; data trusts and cooperative governance models that embed accountability; strong competition enforcement to prevent data monopolies; and equitable data-sharing frameworks that support development and innovation.

Data localisation may appear decisive, but it ultimately entrenches fragmentation and inefficiency. A sustainable approach to data and AI governance must move beyond territorial reflexes toward cooperative, interoperable systems that balance openness with accountability. 

Trade at the Center of the Debate
Today’s debate over data and AI governance cannot be separated from the turbulent global trade landscape. Trade is no longer a neutral backdrop to digital policy; it is the arena in which many of these battles are being fought. Rising tariffs, export controls, sanctions, and digital trade disputes have reshaped the environment in which rules on data flows and AI are negotiated. From semiconductor export restrictions imposed by the United States on China, to retaliatory tariffs in broader technology disputes, to disagreements at the World Trade Organization over e-commerce rules, digital governance has become entangled with economic statecraft.

Modern trade agreements increasingly include binding provisions on digital trade: guarantees for cross-border data flows, limits on data localisation requirements, protections for source code, and constraints on customs duties on electronic transmissions. These rules are not abstract—they shape the regulatory autonomy of states. For example, debates within the WTO’s Joint Statement Initiative on E-commerce have centered on whether countries can require local data storage or restrict transfers for public policy purposes. Meanwhile, disputes over digital services taxes—such as those introduced by several European countries and contested by the United States with threats of retaliatory tariffs—demonstrate how digital economy governance quickly escalates into broader trade conflict. Even outside strictly digital sectors, the imposition of tariffs on technology products and the use of export controls on advanced chips underscore how AI supply chains are deeply embedded in trade geopolitics.

For countries in the Global South, this environment creates acute strategic dilemmas. On one hand, committing to open data flows and strong digital trade disciplines may attract investment and integration into global value chains. On the other, locking in such commitments through trade agreements may reduce policy space precisely when governments are trying to build domestic AI industries, develop digital infrastructure, or address data-driven harms. The tension between openness and sovereignty is no longer theoretical—it is unfolding in real time, under conditions of trade fragmentation and geopolitical rivalry.

Developed economies often promote the principle of the “free flow of data with trust,” arguing that seamless data transfers are essential for innovation and economic growth. Yet recent trade conflicts reveal how asymmetrical the system can be. In practice, large multinational technology firms headquartered in a few advanced economies dominate cloud infrastructure, AI model development, and platform ecosystems. Open data flows without complementary competition policy or industrial support measures can enable value extraction from developing markets, with data collected locally but monetized abroad. When trade rules entrench these patterns, they risk constraining digital industrialization strategies in emerging economies.

At the same time, retreating into protectionism carries its own risks. Sweeping localisation mandates or digital trade restrictions can increase costs, discourage cross-border collaboration, and invite retaliatory tariffs or exclusion from trade agreements. The broader trend toward tariff escalation and supply chain “de-risking” shows how quickly fragmentation can spread, harming smaller economies that depend on global integration.

The challenge, therefore, is not to abandon trade frameworks but to rethink them. Digital trade disciplines must better reflect development realities, incorporating safeguards for legitimate public policy objectives, flexibility for emerging regulatory models, and commitments to capacity-building and technology transfer. In a world where tariffs, export controls, and digital trade rules are increasingly intertwined, AI governance is inseparable from trade governance. The question is no longer whether trade will shape the future of data and AI—but whose interests those trade rules will ultimately serve.

Toward a Balanced and Inclusive Approach
Addressing the complexities of AI governance requires a multi-layered strategy.

First, global governance forums must become more inclusive. Institutions such as the United Nations, the G20, and regional bodies should ensure meaningful participation from developing countries, not merely as rule-takers but as co-authors of norms. This includes technical and financial assistance to strengthen regulatory capacity and negotiating power.

Second, governance frameworks should move beyond binary debates about openness versus restriction. A principles-based approach—centered on transparency, accountability, fairness, and interoperability—can allow diverse regulatory models to coexist while maintaining global cooperation. Mechanisms for regulatory equivalence, rather than uniformity, may enable cross-border data flows without sacrificing domestic priorities.
Third, trade policy must be aligned with development goals. Countries should negotiate digital trade provisions that preserve policy space for public-interest regulation, including competition oversight and AI risk management. Provisions supporting digital infrastructure investment and local innovation ecosystems are essential to prevent further concentration of AI capabilities.

Finally, capacity-building is critical. Without domestic expertise in AI, cybersecurity, and digital law, even the most carefully negotiated governance frameworks will fail. International cooperation should therefore prioritize knowledge-sharing, open research collaborations, and equitable access to computing resources.

Conclusion
The sudden prominence of data governance reflects a deeper transformation: the realization that data is the lifeblood of AI, and AI is reshaping economies and societies. For countries in the Global South, the stakes are particularly high. The rules crafted today will determine whether they become passive data providers or active architects of the digital future.

Data governance is complex because it sits at the intersection of technology, law, economics, and geopolitics. It is often misunderstood when reduced to simplistic debates about localisation. And it is inseparable from trade, where the distribution of value and power is negotiated in binding agreements.

The path forward lies not in isolation or in uncritical openness, but in inclusive, development-oriented governance that balances innovation with equity. As AI continues to evolve, the global conversation about data governance must evolve with it—ensuring that the future of intelligence is shaped not by a few, but by many.

European capitals are right to be blunt: the idea that Europe can simply “delete” U.S. technology from its digital ecosystem is neither realistic nor desirable. As reported in Politico, policymakers increasingly acknowledge that European economies, public administrations and security infrastructures are deeply entangled with American cloud services, software stacks, semiconductors and platforms. These dependencies are not accidental, nor are they the product of European naïveté alone; they are the outcome of decades of innovation cycles, scale effects, and geopolitical alignment within the transatlantic space.

Yet realism should not be mistaken for resignation. Europe is neither numb to these dependencies nor condemned to permanent passivity. The real failure so far has not been dependency itself, but the absence of a coherent strategy for understanding, governing and gradually reshaping it. If Europe is serious about security—whether in relation to Russia, unstable neighbours, or internal resilience—it must move beyond slogans and defensive reflexes and begin doing the harder work of strategic clarity.

Step One: Understanding What Dependency Really Means
The first task is intellectual, not technological. Europe still lacks a granular, shared understanding of what its digital dependencies actually are. “Dependence on U.S. tech” is often treated as a monolith, when in reality it spans very different layers: cloud infrastructure, operating systems, development tools, cybersecurity services, AI models, data governance frameworks, and even tacit dependencies such as skills pipelines and venture capital norms.

Some dependencies are shallow and substitutable; others are deep, systemic and reinforced by network effects. Some are commercially inconvenient but strategically tolerable; others have direct implications for national security, intelligence autonomy and crisis response. Treating all of them as equally problematic leads either to paralysis or to performative policy.

From a security perspective, this distinction matters enormously. In a crisis scenario—say, heightened tensions with Russia or instability in the Eastern Mediterranean—Europe’s reliance on foreign-controlled digital infrastructure could become a strategic vulnerability. This is not only about espionage or data access. It is about continuity of service, legal jurisdiction, update control, and the ability to adapt systems rapidly under stress. Security today is not just about tanks and borders; it is about whether digital systems can be trusted to function predictably in moments of geopolitical friction.

Mapping these dependencies—where they exist, how deeply embedded they are, and how feasible it is to override them—should be treated as a core security exercise, not a technocratic afterthought. This mapping should also be shared across member states, because asymmetric dependencies create internal EU fragilities. A union is only as resilient as its weakest digital link.

Step Two: From Defensive Posture to Strategic Direction
The second step is decisional. Europe has spent the past decade reacting—regulating platforms, blocking mergers, erecting defensive legal frameworks—without articulating a clear sense of where it actually wants to go. The term “digital sovereignty” has become a catch-all that signals concern without conveying intent. Sovereignty over what, exactly? For whom? And to what end?

Increasingly, digital sovereignty is being associated with open source, and this is a welcome development. Open source reduces lock-in, increases transparency, and allows for collective scrutiny—important virtues in a security-conscious environment. However, open source is not a panacea. Code that is open but poorly governed, underfunded or fragmented can be just as fragile as proprietary alternatives. Moreover, open source alone does not solve questions of scale, liability, or long-term maintenance.

A more mature strategy would treat open source as one pillar among several. Europe should also actively promote open standards and protocols, insisting on interoperability as a default condition in both public procurement and regulation. Interoperability is not just a competition tool; it is a security mechanism. Systems that can be swapped, recombined and reconfigured are harder to coerce and easier to defend.
Decentralised architectures deserve particular attention. In a geopolitical environment marked by hybrid threats, centralisation is a liability. Decentralised systems—whether in data storage, identity management or communications—reduce single points of failure and make large-scale disruption more difficult. For countries with “tricky neighbours,” such as Greece or the Baltic states, this kind of architectural resilience is not theoretical; it is existential.

Security Beyond Russia: The Full Spectrum
While Russia understandably dominates European security thinking, a broader lens is needed. Europe’s digital vulnerabilities intersect with migration pressures, energy dependencies, supply-chain disruptions, and internal political polarisation. In the Eastern Mediterranean, for example, digital infrastructure has become entangled with energy exploration, maritime surveillance and military posturing. In such contexts, dependence on external digital systems can constrain diplomatic and military flexibility.

Cybersecurity itself is no longer a niche domain. Ransomware attacks on hospitals, interference with electoral infrastructure, and manipulation of information spaces all sit at the intersection of digital dependency and societal security. Europe’s response cannot rely solely on regulation and incident response; it must include structural choices about how systems are built and governed.

Creating the Right Incentives—and the Right Governance
None of this will happen without investment, and investment will not flow into an environment perceived as hostile, unpredictable or ideologically confused. Europe needs a framework that is predictable, proportionate, rights-based and consistent—not just across policy areas, but across time. Constant regulatory churn may feel active, but it discourages long-term commitment.

In addition to funding and regulation, Europe should experiment with new incentives: security-weighted public procurement, long-term public-private partnerships for critical digital infrastructure, and “resilience premiums” that reward architectures designed for interoperability and decentralisation. These tools would signal that Europe values not just innovation, but durable and secure innovation.

Finally, governance matters. Europe’s current digital governance is fragmented across institutions, policy silos and national competencies. A credible strategy would require a standing governance structure that brings together security agencies, digital regulators, industrial policy actors and foreign policy expertise. This body should not micro-manage technology, but it should set priorities, coordinate dependency assessments, and stress-test Europe’s digital ecosystem against plausible geopolitical scenarios.

Crucially, governance must also include mechanisms for learning and adaptation. Digital security is not static. A system that is resilient today may be brittle tomorrow. Europe’s strength should lie in its ability to adjust collectively, rather than to cling to fixed models.

Conclusion
European capitals are correct: cutting off U.S. technology is neither realistic nor necessary. But accepting dependency without strategy is equally untenable. In a world of renewed geopolitical tension and hybrid threats, Europe’s digital choices are security choices. The path forward is not technological autarky, but strategic intentionality—grounded in a clear understanding of dependencies, a coherent vision of where Europe wants to go, and governance structures capable of turning that vision into reality.

Across Europe, concern about the online environment is intensifying. Digital platforms are increasingly associated with the spread of disinformation, political polarisation, and social harms—particularly for children. In a context marked by geopolitical uncertainty, eroding trust in institutions, and fragmented public debate, it is understandable that governments feel compelled to respond. The issue is no longer whether some form of regulation is needed, but how such measures are conceived, justified, and put into practice.

In recent years, attention has often centred on the power of large technology companies, whose scale and influence over public discourse are unprecedented. While these concerns are well founded, there is a parallel risk that regulation becomes a vehicle for broader state intervention in the digital public sphere. Under the language of democracy, security, or national autonomy, efforts to address genuine problems online may slide into attempts to exert greater control over speech and information flows. The challenge, therefore, lies in developing regulatory frameworks that meaningfully address online harms without undermining the open and pluralistic character of democratic debate.

Spain’s Prime Minister Pedro Sánchez has become one of the most prominent advocates of a hard-line approach. His proposals—including ending anonymity on social media, holding platform executives criminally liable for illegal or “hateful” content, criminalising certain forms of algorithmic amplification, and adopting a “zero-tolerance” enforcement posture—are framed as necessary responses to a digital environment he has described as a “failed state.” The stated objective is to protect democracy and society, particularly the most vulnerable.

These concerns should not be dismissed. Children do face real harms online: exposure to abuse, predatory behaviour, harassment, self-harm content, and manipulative design practices that exploit their attention. Marginalised communities are disproportionately targeted by online hate and coordinated harassment. Platforms have often been slow, inconsistent, or opaque in responding. Governments are right to demand higher standards of care, transparency, and responsibility.

At the same time, regulation that focuses primarily on punitive control risks overshooting its target.
When policies emphasise criminal liability, prosecutorial investigations, and broad content restrictions, their effects rarely stop with powerful tech executives. They cascade down to millions of ordinary users—people discussing immigration, foreign policy, public health, religion, or identity. These are precisely the topics that become most sensitive during periods of political uncertainty and social change. In such contexts, the line between combating harm and constraining legitimate democratic disagreement can become dangerously thin.

Ending anonymity, for example, may reduce some forms of abuse, but it also removes a vital layer of protection for whistleblowers, political dissidents, journalists, survivors of violence, LGBTQ+ youth, and members of ethnic or religious minorities. For many, anonymity is not about evading responsibility; it is about participating at all. Any policy that treats anonymity primarily as a problem risks silencing voices that democracy most needs to hear.

Similarly, holding executives personally criminally liable for content decisions may create powerful incentives—but not necessarily the right ones. Faced with the risk of prosecution, platforms are likely to default to over-removal, automated filtering, and risk-averse moderation. 

This risk is not merely theoretical; Europe has seen it before. This is not an argument against regulation, but a reminder that it must be designed carefully. When Germany introduced the Network Enforcement Act (NetzDG), which imposed significant fines for failing to remove illegal content within short timeframes, platforms responded by erring on the side of caution. Numerous lawful posts—including satire, political commentary, and journalistic content—were removed or blocked because platforms prioritised legal risk reduction over contextual judgment. Similar dynamics emerged following the introduction of Article 17 of the EU Copyright Directive, where automated upload filters led to the removal or blocking of lawful material such as memes, parodies, and educational content. These risks were sufficiently significant that the Court of Justice of the European Union intervened to clarify and limit the scope of such filtering obligations, emphasising that any implementation must respect fundamental rights, including freedom of expression and information.

These examples illustrate how heightened liability and unclear standards can incentivise over-removal, automated filtering, and risk-averse moderation. While such approaches may reduce visible controversy, they also suppress lawful speech and disproportionately affect minority voices and political dissent. The resulting chilling effect is difficult to quantify, but its impact on democratic participation and public debate is real and enduring.

Europe’s historical experience makes this tension particularly salient. Countries like Spain know intimately what it means to live under systems where speech is tightly controlled in the name of order, unity, or national interest. That legacy has shaped Europe’s strong commitment to fundamental rights, proportionality, and the understanding that democracy depends not only on security, but on pluralism and open debate. Yet this concern is not only historical. Over the coming years, several European countries—including Hungary, France, Germany, Italy, Spain, Poland, and Greece—will hold elections that may significantly reshape their political landscapes, as voters weigh competing visions of governance, identity, and democratic norms. Regulatory powers designed today under centrist or liberal administrations may look very different if exercised by future governments with a more exclusionary or authoritarian approach to dissent. Measures introduced in the name of protecting democracy can, under changed political circumstances, become tools for narrowing it. This reality underscores the need to design digital regulation with long-term resilience in mind—grounded in rights, safeguards, and institutional restraint, rather than trust in the intentions of any one government.

This is why the current framing of “digital sovereignty” deserves careful scrutiny. Once understood primarily as a strategy for technological resilience and strategic autonomy, it is increasingly politicised as a justification for assertive state intervention in online discourse. At times, digital sovereignty is presented as inherently at odds with open, transnational communication—despite the fact that democracy itself has always relied on cross-border flows of ideas, information, and innovation.

This tension between state control and open communication is most visible in the debate over child safety, where 'digital sovereignty' is frequently invoked as a shield for restrictive policies. But, children deserve more than symbolic protection. They need safer digital environments, but they also need to be empowered—to learn, explore, create, and participate. This requires age-appropriate design, meaningful transparency, digital literacy, robust reporting mechanisms, and enforceable duties of care. It does not require turning the internet into a heavily policed space where speech is filtered primarily through fear of punishment.

Crucially, children also grow into citizens. Protecting them should not come at the cost of hollowing out the democratic culture they will inherit. An online environment stripped of contestation, anonymity, and diversity of expression may be calmer—but it will also be poorer, less resilient, and less capable of absorbing social conflict without repression.

The same applies to marginalised communities. Regulation that prioritises order over rights often ends up reinforcing existing power imbalances. Groups that already face discrimination offline are frequently the first to feel the effects of broad speech controls online. A rights-based approach must therefore be central, not incidental, to digital governance.

None of this implies that Europe should be passive or naïve. Platforms must be held to account—but accountability should be precise, transparent, and proportionate. It should focus on systems and incentives rather than individual speech acts; on due process rather than zero-tolerance rhetoric; on empowerment rather than control.

This is not the moment for Europe to “show its teeth” by asserting authority over digital discourse in ways that blur the line between regulation and repression. It is the moment to show confidence: confidence that democratic societies can address harm without sacrificing fundamental freedoms, that children can be protected without being over-shielded, and that innovation and rights can coexist.

The challenge of the digital age is not simply taming Big Tech. It is learning how to govern a pluralistic, networked public sphere without turning fear into a substitute for judgment. Europe’s strength has always been its commitment to balance. That commitment is needed now more than ever.

Europe is undergoing a visible shift in mood. What was once an abstract debate about “strategic autonomy” has turned into a series of concrete political decisions, particularly in the technology sector. Concerns about Europe’s dependence on U.S.-based platforms such as Google, Meta, X, and Microsoft have long been present, but they are now translating into action. France plans to ban public officials from using American videoconferencing tools, replacing them with Visio, a service hosted on infrastructure provided by a French company. German lawmakers are debating alternatives to U.S. data analytics software, while members of the European Parliament are urging a broader move away from American software and hardware. Even in traditionally pro-Atlantic countries such as the Netherlands, political pressure is growing to shield sensitive digital infrastructure from foreign control.

These developments reflect a growing recognition that digital technologies are no longer neutral utilities but strategic assets. As EU tech commissioner Henna Virkkunen recently noted, Europe has realised that dependence on “one country or one company” for critical technologies creates structural vulnerabilities. The impulse to reduce exposure—to de-risk and, where necessary, decouple from foreign technologies—is therefore understandable and, in some cases, justified.

Yet Europe is repeating a familiar error. Rather than undertaking the difficult work of clarifying what digital sovereignty truly entails for its strategic goals, it is relying on piecemeal, defensive fixes. Platforms are replaced, procurement rules tightened, and data flows restricted—all without a coherent framework connecting these moves to a broader vision of power, resilience, and global influence. The outcome is a patchwork that may appear assertive on the surface but is strategically hollow.

This weakness is compounded by a second, more subtle error: the assumption that digital sovereignty should primarily be about “building a stronger European tech ecosystem.” While this mantra is politically appealing, it is also myopic. Framed in isolation, it risks turning digital sovereignty into a project of technological self-containment—one that prioritises European origin over interoperability, and autonomy over collaboration.

Digital sovereignty should not mean building technology only for Europe. That approach risks siloing the continent, alienating partners, and reducing Europe’s relevance in shaping global digital systems. Europe may be bruised by recent developments in transatlantic relations, particularly the growing unpredictability of its longest-standing and most trusted partner. But disappointment is not a strategy. Retreating into a purely inward-facing digital ecosystem would be a strategic overcorrection.

History offers a clear warning. In the 1970s and 1980s, Europe repeatedly attempted to achieve technological sovereignty by nurturing national or regional champions in computing and telecommunications. These initiatives were driven by legitimate concerns: dependence on U.S. firms, fear of strategic vulnerability, and a desire to retain industrial value within Europe. Yet many of these projects ultimately failed—not because Europe lacked engineering talent or political ambition, but because autonomy was pursued at the expense of interoperability, openness, and alignment with global standards.

One of the clearest examples is Europe’s fragmented approach to computing in the 1970s. France’s Plan Calcul, launched in 1966, sought to create a sovereign national computer industry capable of competing with IBM. Substantial public investment went into companies such as Bull, with the explicit aim of insulating France from U.S. technological dominance. While technically sophisticated, these systems were largely incompatible with the rapidly emerging global software and hardware ecosystems dominated by U.S. firms. As computing shifted toward standardised architectures and software portability, European systems struggled to adapt. IBM’s open, scalable ecosystem—combined with its ability to set de facto global standards—ultimately prevailed. Europe did not secure sovereignty; it entrenched dependence.

A similar pattern emerged in telecommunications switching systems. Throughout the 1970s and 1980s, European countries developed proprietary digital switching technologies—such as France’s E10, Germany’s EWSD, and the UK’s System X—often with heavy state backing and limited concern for cross-border compatibility. These systems worked well domestically, but their lack of interoperability hindered integration and export. While Europe eventually succeeded with GSM—a rare case where coordination, openness, and standard-setting aligned—the earlier fragmentation delayed progress and weakened Europe’s position just as global telecommunications markets were taking shape.

The videotex experience offers another cautionary tale. France’s Minitel is often remembered as a technological success, and in many ways it was: widely adopted, user-friendly, and years ahead of its time. But Minitel was also a closed, nationally specific system, built around proprietary standards and tightly controlled by the state. When the open, interoperable architecture of the Internet emerged, Minitel could not adapt. Its success at home became a liability abroad. France lost the opportunity to shape the global digital information ecosystem because it had optimised for domestic control rather than international scalability.

Perhaps the most consequential example is Europe’s early approach to networking standards. In the 1980s, European governments and institutions strongly backed the OSI (Open Systems Interconnection) model, viewing it as a sovereign, standards-based alternative to the U.S.-developed TCP/IP protocol suite. OSI was theoretically elegant and institutionally endorsed, but it was slow to implement and disconnected from real-world deployment. TCP/IP, by contrast, spread through academic and commercial collaboration, evolving through use rather than central planning. By the time Europe acknowledged TCP/IP’s dominance, the global Internet’s architecture—and governance—had already been shaped elsewhere. Europe became a rule-taker in a system it might once have led.

The common thread across these cases is not failure, but misalignment. European policymakers equated sovereignty with control, and control with closed systems. In doing so, they underestimated the strategic power of openness, interoperability, and early standard-setting. Meanwhile, more collaborative ecosystems—particularly in the United States—allowed markets, developers, and users to coalesce around shared technologies that scaled globally. Those systems became the infrastructure of the digital age, embedding the political, economic, and governance assumptions of their creators.

The lesson for today is stark. Digital sovereignty built around exclusion, substitution, or inward-facing industrial policy may deliver short-term reassurance, but it risks long-term irrelevance. In a networked world, influence flows to those who design the systems others rely on. Europe’s historical experience shows that sovereignty without interoperability leads not to independence, but to dependency—only delayed and often more costly.

The lesson is not that Europe should avoid building capacity, but that capacity without openness leads to marginalisation. In a deeply interconnected digital world, sovereignty cannot be achieved through isolation. It must be built through the ability to choose dependencies, shape standards, and collaborate from a position of strength.

This is where Europe’s current approach falls short. By focusing narrowly on replacing foreign tools with European ones, policymakers risk conflating sovereignty with substitution. Replacing Microsoft Teams with a European videoconferencing platform may address immediate political or legal concerns, but it does little to answer the larger question: how does Europe intend to design digital systems that are resilient, interoperable, and influential beyond its borders?

The security implications of this gap are significant. Digital infrastructure underpins critical state functions, from public administration and energy networks to defence logistics and intelligence cooperation. If each member state defines “trusted” or “sovereign” technology differently, Europe risks fragmenting its own digital foundations. Interoperability suffers, cross-border services weaken, and coordinated responses to cyber incidents or hybrid threats become harder to execute.

Cloud infrastructure illustrates this danger clearly. A proliferation of national or “sovereign” cloud initiatives, absent a common European and international framework, may reduce dependence on specific foreign providers but at the cost of scale, efficiency, and resilience. In crisis scenarios, fragmented systems could slow information sharing and complicate collective defence. Sovereignty that undermines coordination ultimately weakens security.

The same logic applies to artificial intelligence. Regulation can set guardrails, but it cannot substitute for strategic leadership. If Europe focuses primarily on constraining AI within its borders while failing to shape global AI architectures, standards, and governance models, it risks becoming a regulatory island. Influence flows not from restriction alone, but from offering systems that others can adopt, trust, and integrate.

This is where Europe must rethink its approach. Digital sovereignty should be about de-risking critical dependencies while actively building an ecosystem that is open by design, interoperable by default, and attractive to partners. Europe does not need a technology stack that works only for Europeans. It needs one that allows Europe to be self-sufficient where it matters, while leading in collaboration where it counts.
​
The answer to the current strain in transatlantic relations is not alienation. Nor is it technological autarky. If Europe still believes in cooperation and in shaping global norms rather than retreating from them, then its digital strategy must reflect that belief. That means investing in shared infrastructure, open standards, and governance models that enable cooperation with like-minded countries—and even structured engagement with those that are not.

Until Europe confronts this challenge directly, it will continue to manage digital sovereignty through defensive, piecemeal decisions. It will swap platforms without setting strategy, build walls where bridges are needed, and mistake insulation for influence. Teams may be out, but unless Europe moves beyond substitution and isolation, digital sovereignty will remain more slogan than strategy.