Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Where does Brussels stand on sovereignty? The short answer is: it is hard to tell. A slightly longer answer might be: between a rock and a hard place.
In any case, Europe must reconcile its ambitions, ways to achieve them and the marketplace and geopolitical realities at play.
The definition of sovereignty in Europe changes depending who you ask. European Commission Executive Vice-President Henna Virkkunen, who is responsible for tech sovereignty, security and democracy, has yet to voice her view on defining "sovereignty." The mission letter she received at the start of her mandate from President Ursula von der Leyen explains Europe's ambitions, stating, "We must exploit our strengths in order to maintain or attain leadership in strategic technologies, to establish essential assets for technological sovereignty and resilience, and to foster commercialisation of deep tech innovation."
During the previous Commission mandate, sovereignty came up in various ways, more prominently in the cybersecurity certification space, data localization, cloud and software public procurement, telecommunications and critical infrastructure supply chain, and at times with a confrontational posture toward third countries such as China and the U.S.
Virkkunen is known for her pragmatic, industry-friendly and geopolitically sensible approach. If this appears as a quiet-after-the-storm from the last mandate, it may not equate to a drastic change of direction from a policy standpoint. Indeed, we do see signs of robust posturing on sovereignty coming from some corners of industry, European Parliament, Commission services and member states alike.
Exhibit A: The Cybersecurity Act which lays the framework for certification — including for cloud services — is currently undergoing a revision, happening in part in the context of the simplification agenda. The Commission's public consultation asks about nontechnical factors — foreign ownership.
The certification process has been complex and politicized since its inception. The draft EU Cloud Certification Scheme, first discussed in 2020 has yet to be finalized five years on, amidst a mix of political, technical and trade considerations to untangle.
In the context of the CSA review, the Commission may look at how to leverage the review to override the challenges pertaining to the certification scheme, not fully excluding going more directly toward mandatory certification in public procurement which could then include sovereignty requirements.
Exhibit B: Sovereignty is also coming into play at a time when connectivity is key to the EU policy and competitiveness objectives. During a DigitalEurope event this week, Nokia CEO Justin Hotard asked how Europe can go from targeted areas of technology leadership to creating many more leaders in Europe in the artificial intelligence super-cycle. He offered three priority areas, which notably do not all reflect a common position across the European telecommunications industry:
- European companies need access to a market that delivers scale. There are sovereignty considerations to keep in mind, but a consolidation of industry players in some sectors like telecommunications may trigger an acceleration in investment and in technology advancement, such as agentic AI.
- European companies need a true digital single market.
- Europe needs to trust technology, and technology from trusted partners. Times of adversity often bring tremendous innovation. European governments need to replace untrusted technology with trusted solutions, extending the 5G toolbox to all connectivity technology and make it compulsory in all member states.
Exhibit C: The European Parliament is putting forward proposals designed to boost European technological sovereignty and digital infrastructure, led by the Europe of Sovereign Nations Group.
A draft report states the EU "depends on third countries for over 80% of its digital products, services, infrastructure and intellectual property." It sees the shift in the geopolitical landscape as "an opportunity for European products and services."
The draft report calls on the Commission to propose legislation addressing risks from high-risk vendors from third countries and to relocate the hosting of sensitive data to Europe among others. The draft report was adopted by the Industry, Research and Energy committee this week and will be debated in Plenary session soon.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.