What is Digital Sovereignty, and why does it matter for Europe?

Key points:

• Digital sovereignty is the ability, in this case of a State, to control and manage its software, data, and network infrastructure independently, without relying on third parties, especially for critical aspects.
• Europe is incredibly reliant on this since it imports an estimated 80% of its digital technology and infrastructure, especially from the US.
• Digital sovereignty is fundamental for maintaining healthy institutions and reducing other countries' leverage on Europe.

There has been a lot of talk about the need for Europe's energy autonomy, especially since the Russian invasion of Ukraine, because Russia could (and still can) use Europe's long-standing reliance on Russian gas to leverage the EU. The risks associated with extreme dependence on third countries are well-known for critical sectors, such as energy, but we can also think about critical materials and technologies. For instance, many countries are anxious about their reliance on China regarding rare earths, of which China represents an estimated 80% of the global supply and which are critical for certain sectors, especially those related to battery manufacturing and renewal energy technologies.

But it is equally important to think about digital sovereignty, which can be defined as the capacity of a certain state to not rely on other countries to meet their demands of software (whether that be for communications, social media, or cloud computing, to name a few examples), network infrastructure, data control and ownership. In this article, I will focus on where Europe stands when it comes to digital sovereignty and the concerns this has raised.

Disclaimer: I will not cover all the sectors and examples here since that would go beyond this article's scope and require a report of dozens of pages. Nonetheless, I will keep expanding my coverage of some aspects, whether omitted or not here, in the future. I will also use here "tech sovereignty" and "digital sovereignty" interchangeably.

Europe's current dependency

First of all, how much does Europe rely on to meet its software and digital infrastructure demands? To put it simply, it is estimated that Europe imports an impressive 80% of its digital infrastructure and technology. Let's look at social media, for example. Facebook, Instagram and Threads (all owned by Meta), X (Musk-owned), YouTube (part of Google's ecosystem), LinkedIn (which belongs to Microsoft), Telegram (yes, Telegram basically is a hybrid between a messaging app and social network, which is based in Dubai) and TikTok (developed by the Chinese ByteDance) are all from outside Europe. As it can be noted, most of these companies are US-based, which is a recurrent trend when it comes to daily used software. More than that, when it comes to cloud computing services, Amazon Web Services dominates the market, alongside Microsoft Azure and Google Cloud.

Regarding Microsoft, its most apparent preeminence comes with PCs and their Office ecosystem (which includes Word, OneDrive, and Teams...), while Google (which belongs to Alphabet) dominates the web-browsing market through its searcher, Google, and its browser, Chrome; and also the smartphone market through Android. Android is actually based on Linux, but it comes with built-in Google software such as Google Play Services, which provides APIs and services to many Android apps, and which can pretty invasive towards the user. Then, of course, we have Apple, another American company that presents itself as the main alternative to Google regarding smartphones and Microsoft regarding PCs.

If this list of examples was not enough, Europe relies on the US to meet its connectivity demands, too. An obvious example is Europe's reliance on Starlink, a satellite system that operates as a telecommunications provider, including internet access. Turning towards AI, OpenAI, Perplexity AI, Anthropic, and Meta AI are still the most used solutions, and all are US-based, besides DeepSeek, which is Chinese-based. Nonetheless, it is true that Europe is putting a lot of effort into not falling behind the AI race - and I'd say it has been quite successful in that regard, notably thanks to Mistral AI - mainly because of AI's implications when it comes to modern warfare.

Now, this list is by no means exhaustive. Still, even an abridged explanation like this shows how much Europe relies on third countries (especially the US) for digital services and infrastructure. So, why does all of this actually matter?

I will consider two main aspects here: Europe's ability to have its own conversation about political matters and its capacity to deploy the necessary technologies when needed. Let's start from the first point.

Dependency as a political vulnerability

As mentioned above, the social media market is mainly ruled by US companies. How are these companies able to make a profit? Because they rely on targeted ads. In turn, these ads can only be targeted if a vast pool of data can be used to shape individual profiles to whom those ads can be served. Data brokers act as intermediates by collecting and selling data to advertisers in places like social media platforms. Therefore, the more information we give up through social media companies and the more time we spend engaging within them, the more profitable these companies become, because there will be more incentives to be advertised there.

Now, it's easy to think about social media companies as public spaces, as digital agoras where the citizens gather together to discuss political matters. But they are not. They are private spaces where those who own them can decide which content they want to promote. An obvious example of this has been Musk's huge influence on the last German elections, thanks to which the far-right party AfD saw a massive surge in votes. Moving to Eastern Europe, the last presidential Romanian elections were cancelled, not without controversy, due to alleged Russian interference, mainly through vast amounts of money directed to support Georgescu's campaign on TikTok. The opaqueness of these companies makes it even more difficult to trace where the money for a campaign comes from, making some laws that aim to control this de facto obsolete. This, again, always comes under the form of targeted ads and promoted content, which, as we said, depend on vast amounts of demographic data. Outside Europe, a more "classical" example of how targeted ads relying on large amounts of data decided the course of an election is the Cambridge Analytica - Facebook scandal, which played a decisive role in US' presidential elections of 2016.

Some regulatory efforts on Europe's side, like the AI Act, the Data Act, and the General Data Protection Regulation (GDPR), aim to soften the impact of invasive data collection practices. This measures are highly valuable, since they set a better standard for privacy and consent management, and do a great job in protecting user's rights across the continent. Still, they are not enough, because as long as there is a business model that renders technically and even legally possible to manipulate an election, it will just keep happening. And not because these companies are a part of a conspiracy or something of the sort, it is just because they serve their particular interests, and to flood the media with hate speech and misinformation is extremely lucrative. As simple as that. I will write another article to cover this topic specifically and discuss the best alternatives to this situation. In advance, the solution is not just to replicate the same business model but to pivot to open-source, recommendation-free and federated social media like Mastodon or Pixelfed.

Dependency as a strategic vulnerability

Moving to another sector, satellite connectivity is also crucial, especially when it comes to defence. Europe's reliance on Starlink has manifested a critical vulnerability, namely the dependence on foreign critical infrastructure and what can happen when the owners of such infrastructure have different goals and interests than European ones. In this case, this gives the US enormous leverage capacity against Europe since it can cut it off whenever it's needed to exert pressure. We have seen this recently in the conflict between Russia and Ukraine, when the US used Starlink as a bargaining chip to force Ukraine to accept a quite demanding minerals deal, which has been described as a form of economic colonialism.

Furthermore, another key infrastructure that is easily outsourced consists in data centers, of which a significant part is, again, in the US. As it might be noticed, digital services and infrastructure are two sides of the same coin: several services, such as social media or other daily-use software, allow massive data collection. This data is then processed abroad, and it serves to power those same services - by making them engaging - that are in charge of the collection. Data sovereignty, which can be considered as a subset of digital sovereignty, is of high importance here in order to mitigate the problems exposed in the previous section. This also requires that data is physically preserved and processed in Europe in compliance with the current regulations. This is concerning when it comes to personal privacy, but it must be noted that privacy is not an individual issue but a societal one.

We can also think about data storage from an institutional point of view. As an example, the fact that a university stores abroad its research-related data, which in sectors like engineering can be of strategic importance, constitutes a significant disadvantage since it leaves that information in a vulnerable position, ready for the taking if the company that host such data decides to grant a request from a rival actor, such a hostile government. Moreover, a similar claim can be made about our email providers. Google, by default, automatically scans the emails that users write and receive, among other things, under the premise of spam mitigation. And the same holds for some of the most popular messaging apps, such as WhatsApp, which collects a vast amount of metadata despite being end-to-end encrypted. It is evident then that putting communications and information in a vulnerable position can undermine Europe's efforts when it comes to innovation also in regard to political articulation, by making it easier to monitor and, eventually, to coerce.

A response from Europe

Recently, the Trump administration has sparked anxieties in Europe about its reliance on the US, and for instance last week the Dutch Parliament called for an ending of the dependence on US software. The private sector also acknowledges this, and it sees a significant economic opportunity in Europe's potential revival of its industry. In fact, last week, around 100 European organizations called to end reliance on the US and build the Euro-stack, a suite of digital infrastructures made and operated in Europe. On the side of satellite-based connectivity, the European Commission announced by the end of last year a major investment of 10 billion euros in satellite infrastructure to end its reliance on Starlink. A similar trend can be found regarding major growth and expected investment in data centers, partially driven by its importance for the AI industry.

Europe is still extremely dependent, and digital sovereignty is a goal, not a reality. Nonetheless, both policymakers and private sector representatives seem to be more aware of the risk this dependency entails and the potential benefits of major autonomy, both in political and economic terms. We will discuss further how this autonomy could and should look, particularly - but not only - when it comes to public digital spaces and tools, such as social media, and the fundamental role that privacy protection plays in it. As an anticipation, it is clear that further investments are needed, both from the public and the private sector. That being said, Europe does not necessarily need to spend that much more but definitely needs to spend better. To aim for more transparent, open-source solutions tends to increase the security of such products precisely because of the possibility for anybody to inspect and audit the code. In addition to this, they are not only safer but also cheaper since they are easier to replicate and scale. And some European governments are starting to acknowledge this as well. But beyond that, some business models for critical sectors, such as social media and data brokers, should not be replicated by Europe, at least if it still aims to stick to its values, especially the rule of law.