Sovereignty or Illusion?

A Term Without Substance

An open letter from 25 European cloud and digital companies reveals what European digital policy has been avoiding for years: The term “digital sovereignty” is consistently used without its prerequisites being met.

The Reality of the Market

The market reality leaves no doubt about this. US hyperscalers like AWS, Microsoft Azure, and Google Cloud control around 70 percent of the European market, while European providers collectively account for about 15 percent. This distribution is not simply the result of technological superiority but a reflection of political decisions—particularly in regulation and public procurement.

The Central Misconception

This is precisely where the letter’s criticism begins. It targets a practice that has become established in politics and administration: Offers from US providers are deemed “sovereign” as long as they operate data centers in Europe or meet certain certifications. This argument seems pragmatic at first glance but does not hold up under closer scrutiny.

Sovereignty is not achieved through location but through control. Companies like Microsoft, Amazon, or Google are subject to US law regardless of physical infrastructure. The CLOUD Act is just the most visible instrument; it is complemented by regulations like FISA or the Patriot Act, which also provide extensive access possibilities. The location of data storage does not change this legal situation.

The Consequence: Political Self-Deception

This shifts the meaning of a central political term. Sovereignty no longer describes actual power of disposal but becomes a label that can be established through certificates and location arguments. The consequence is systematic self-deception.

This self-deception has tangible consequences. Public institutions and companies shift critical systems to platforms whose legal control lies outside Europe, while European providers are politically emphasized but often overlooked in practice. Dependency grows—and is simultaneously obscured in language.

The Response from the Industry

The open letter presents a clearly formulated counter-position to this state. The five proposed principles do not aim at industrial policy wishful thinking but define minimum conditions under which digital sovereignty can be meaningfully conceived.

At its core, it is about re-linking sovereignty to actual control. Where this is not fully achievable, at least structural resilience should be created—through user-controlled encryption, true data portability, and technical reversibility that practically enables a change of provider.

At the same time, the companies demand a realignment of public procurement that systematically considers European providers, as well as clear rules for competition and interoperability. Open standards and open source are not understood as ideological positions but as necessary prerequisites for control and independence. This is complemented by the demand to direct public investments specifically towards building a European ecosystem instead of further financing existing dependencies.

Why It Becomes Critical Now: Cloud and AI

The strategic dimension of these demands becomes particularly clear in the context of artificial intelligence. Cloud infrastructure is no longer just an operating model; it forms the basis for data processing, model training, and scaling. Whoever controls this infrastructure determines the conditions under which future value creation occurs.

If Europe continues to primarily rely on external platforms in this area, it not only loses market share but also the ability to shape technological developments independently.

CADA as a Test

The planned Cloud and AI Development Act thus becomes a political test. It is the first legislative proposal to address cloud and AI together, and its strategic importance is correspondingly high. The decisive factor is not whether regulation takes place, but whether it actually reduces existing dependencies.

Europe has the technological prerequisites to build its own solutions. What has been lacking so far is the consistency in implementation. As long as public contracts continue to be awarded to dominant non-European providers, interoperability is not mandatorily enforced, and open source remains structurally secondary, little will change in the current dynamics.

The Real Decision

The starting position is clear, the risks are identified, the tools are on the table.

What is missing is the willingness to make this political reality.