By Alice Stradi, Senior Manager – Policy, EMEA
This week, the European Commission is expected to unveil its Tech Sovereignty Package, a broad set of initiatives aimed at strengthening Europe’s position in critical technologies. The package will include measures on cloud and AI infrastructure, open-source software, digital infrastructure deployment, and semiconductors.
The ambition behind it is understandable. Europe is operating in a very different environment than it was five years ago. Geopolitical tensions have exposed vulnerabilities in global supply chains. Cyberattacks have become more frequent and more sophisticated. Competition in strategic technologies is intensifying. Against that backdrop, it is entirely reasonable for policymakers to ask how Europe can become more resilient, more competitive, and less exposed to critical dependencies.
The question is no longer whether Europe should pursue technological sovereignty, because it should. The more important question is what kind of sovereignty Europe wants to build.
Sovereignty Should Strengthen Europe’s Digital Ecosystem
Too often, sovereignty debates become discussions about ownership structures, company headquarters, or where a particular technology was developed.
But that misses the bigger picture.
Europe’s digital ecosystem is far more interconnected than these debates sometimes suggest. Many companies that could be affected by restrictive sovereignty requirements employ thousands of people in Europe, invest in European infrastructure and research, host data locally, and operate under European law. Some European-headquartered companies could find it harder to compete under ownership-based approaches due to international investors or globally integrated business models.
Europe needs stronger digital capabilities, more investment, greater scale, and more innovation. Those goals cannot be served by measures that reduce competition or limit access to technologies that businesses and public authorities use every day.
There is also a broader question about what users actually value when they choose technology. Earlier this year, a YouGov survey commissioned by BSA across France, Germany, Italy, Poland, and Spain found that quality, price, and security were the most important considerations when selecting technology services. The location of a company’s headquarters ranked far lower. The survey also found that Europeans strongly support the ability to choose providers that comply with EU rules, regardless of where they are headquartered. As policymakers consider how best to strengthen Europe’s technological capacity, those findings are a useful reminder that trust is earned through performance, security, and reliability.
Security Cannot Be Localized
One of the strongest arguments for sovereignty is security. It is also one of the areas where simplistic solutions can produce unintended consequences.
Cybersecurity is global by nature. Threats move across borders in real time. Attackers do not operate according to jurisdictional boundaries, and neither do the security teams that defend against them.
Modern cybersecurity relies on global threat intelligence, internationally distributed expertise, and round-the-clock monitoring. Major providers operate “follow-the-sun” security models that enable threats to be continuously identified and addressed as they emerge worldwide.
This matters because some of the ideas emerging in sovereignty discussions place heavy emphasis on localization and geographic control. While these approaches may appear to increase security, they can sometimes reduce access to the expertise, visibility, and operational capabilities that modern cyber defense requires.
The same principle applies to AI and cloud services. These technologies depend on globally distributed infrastructure, research collaboration, and continuous innovation cycles. Europe benefits from being connected to those ecosystems.
Security should be measured by the safeguards that are in place: strong governance, encryption, accountability, transparency, risk management, and compliance with robust regulatory frameworks. Europe already has many of these tools through legislation such as NIS2, the Cyber Resilience Act, the AI Act, and GDPR.
The focus should remain on managing risks effectively, rather than assuming that geography alone can eliminate them.
Real Resilience Comes From Choice
At BSA, we have consistently argued that resilience comes from diversification. The most resilient systems are rarely the most isolated. They are the systems with multiple suppliers, interoperable technologies, strong standards, and the flexibility to adapt when circumstances change.
That is why interoperability, portability, and global standards matter so much. They give organizations choice, reduce lock-in, and create competitive markets where innovation can thrive.
The same principle should guide public procurement. Public authorities should be able to select technologies based on security, performance, reliability, and value. Procurement frameworks that reward these outcomes help deliver better services while maintaining healthy competition.
Europe’s influence in the digital world has never depended on closing itself off. Its greatest strength has been its ability to shape rules, standards, and frameworks that others choose to follow. That influence can continue to grow as Europe invests in infrastructure, skills, AI adoption, cybersecurity expertise, research, and innovation.
The Commission’s sovereignty package offers an opportunity to advance these goals. The challenge will be ensuring that efforts to strengthen resilience reinforce Europe’s competitiveness, security, and capacity to innovate.
BSA will continue to engage with policymakers and monitor the development of the tech sovereignty agenda in the months ahead. For a deeper look at our approach to digital sovereignty, including the role of interoperability, trusted partnerships, global standards, and risk-based governance, we invite readers to explore our recent paper, Keeping the Door Open: The EU’s Path to Digital Sovereignty.