The European tech sovereignty package explained

The European Commission announced the European Technological Sovereignty Package, a plan to reduce the EU's reliance on foreign tech in semiconductors, AI, cloud, and open source. The package includes Chips Act 2.0, the Cloud and AI Development Act, an EU Open Source Strategy, and a digitalization roadmap for energy, aiming to address risks like kill switches and legal backdoors from US tech dependencies.

The European Commission has announced an ambitious plan to free itself from its almost complete reliance on foreign tech. In what it has called “a defining moment to assert its technological sovereignty,” the commission has presented a European Technological Sovereignty Package: a comprehensive proposal to new window https://ec.europa.eu/commission/presscorner/detail/en/ip 26 1187 strengthen Europe’s capacity in semiconductors, AI, cloud and open source. Its goal is unambiguous: to reduce Europe’s infrastructure dependency on foreign tech. Official communication from the Commission states that “the EU remains structurally reliant on non-EU providers for over 80% of its digital products new window https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52026DC0503 , services, infrastructure and intellectual property”. The plan is essentially a call to action for European businesses to examine their own US tech liabilities. This article provides an overview of each of the four components of the package: - Chips Act 2.0 - The Cloud and AI Development Act CADA - The EU Open Source Strategy - A strategic roadmap for digitalization and AI in energy Why Europe is prioritizing infrastructure independence now The bloc is now acknowledging what many tech experts have long warned: Europe needs to stop treating structural dependency as an acceptable price for convenience. As Commission President Ursula von der Leyen put it: “We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure. This is about protecting our citizens, defending our interests and making our own choices.” Infrastructure dependency leaves every nation within the EU open to the risks of: Kill switches. A foreign government can disable or disrupt the services your hospitals, energy grids, and public institutions depend on. EU tech chief Henna Virkkunen named it explicitly new window https://www.reuters.com/business/eu-targets-big-tech-dependence-with-made-in-europe-drive-2026-06-03/ : “We want to be sure that in the critical fields we are always able to control the services and control the data in Europe.” Legal backdoors. US law requires US-based cloud providers to hand over data to American authorities, even when it’s stored in Europe new window https://wire.com/en/blog/cloud-act-eu-data-sovereignty . European data on US infrastructure isn’t protected by European jurisdiction. GDPR compliance doesn’t change that. Locked-out procurement. Critical public contracts — healthcare, energy, defence are currently fulfilled by vendors who aren’t European-controlled new window https://www.reuters.com/business/retail-consumer/eu-cloud-rules-curb-amazon-google-access-strategic-tenders-draft-document-shows-2026-06-01/ . The commission’s proposed fix, requiring EU-made software and hardware for the most sensitive public tenders, is an acknowledgment that the current situation is untenable. Political leverage. When the companies running your infrastructure have close ties to a government hostile to your interests, dependency becomes a negotiating liability new window https://www.politico.eu/article/europe-tech-sovereignty-donald-trump-us-dependence/ . The ICC didn’t choose to leave Microsoft — it was effectively pushed. That’s a kill switch by other means, and it’s already happened. Read more: Report on the risks of US tech /business/blog/us-tech-risk-report-for-europe What the European Technological Sovereignty Package proposes The package has four components. For European businesses, two matter most: the Cloud and AI Development Act and the Open Source Strategy. Chips Act 2.0 Europe produces only around 10% of global semiconductors and remains heavily dependent on the US and East Asia for both mainstream and advanced chips. Chips Act 2.0 new window https://digital-strategy.ec.europa.eu/en/policies/chips-act-2 act sets out to strengthen Europe’s semiconductor industry and supply chain. For European businesses: Watch for semiconductor supply chain disclosures becoming more common. They would be required during a “declared crisis”, conditional for companies seeking EU funding, and encouraged for procurement. If your vendors can’t tell you where their chips come from, expect for it to be treated as a trust deficit. The Cloud and AI Development Act CADA More than 70% of Europe’s cloud market is controlled by three US providers while the EU’s own share fell from 29% in 2017 to 15% in 2022. CADA introduces four Union Assurance Levels that push cloud sovereignty beyond data residency toward harder questions of control, jurisdiction, ownership, software supply chain transparency, and third-country interference. Level 1: Data is processed and stored in infrastructure located in the EU. Level 2: Providers must demonstrate independence from third countries and transparency over their software supply chain. Level 3: Providers must be owned and controlled in the EU and meet additional criteria, while leaving room for recognized trusted third-country providers. Level 4: Providers must have full transparency and control over their software supply chain and no third-country interference. For European businesses: Data residency is not the same as sovereignty. Watch for vendors rebranding existing US-controlled infrastructure as “European” without meeting the ownership and control requirements the assurance levels actually demand. Level 3 requires EU ownership and control. A European-branded wrapper around AWS is not Level 3. The EU Open Source Strategy The EU currently spends €264 billion a year mostly on US proprietary IT products and services. The strategy’s answer is software that can be inspected, reused, adapted, and maintained in Europe — backed by an Open Source Maintenance Instrument to fund the security and upkeep of essential components, plus dependency mapping and mirroring capabilities to ensure continued access to the most critical infrastructure. It specifically targets cloud infrastructure, digital workplace applications, collaboration and productivity tools, instant messaging, and secure email, with a goal of 30 million active users of open-source alternatives by 2030. The “public money, public code” principle commits public administrations to default to open source where possible. For European businesses: Procurement criteria are shifting toward auditability, interoperability, and software you can inspect. If your current tools are closed, proprietary, and US-controlled, expect pressure — regulatory and competitive — to justify that choice. A strategic roadmap for digitalization and AI in energy A new Delegated Regulation will introduce EU-wide sustainability ratings for data centers, creating transparency on environmental performance and cutting off greenwashing. If the software running critical energy infrastructure sits outside European jurisdiction, energy sovereignty is as theoretical as data sovereignty. For European businesses: Watch for sustainability ratings becoming a procurement signal — and for domestic data center capacity unlocking a new generation of European providers that weren’t previously competitive on infrastructure alone. What the package will mean for Europe The European Commission’s package is important, but it’s not a revolution yet. The package is ambitious, but the mandates are limited. Much depends on how the proposals are developed, negotiated, implemented, audited, and enforced. If Europe wants technological sovereignty to mean something, it must move beyond diagnosis. Procurement rules, public funding, certification frameworks, and risk assessments must reward providers that reduce dependency rather than reinforce it. Digital independence is built through thousands of technology choices by governments, businesses, and individuals. At Proton, we’re helping to ease the digital transition toward sovereign, privacy-first European alternatives new window /learn/european-alternatives . Proton is already strongly aligned with the EU’s tech sovereignty package: All our apps are open source new window /community/open-source and use strong cryptography new window /business/trust proton-security , including end-to-end encryption and zero-access encryption. As a Swiss-based provider /blog/switzerland , customers benefit from strong privacy protections. To help more businesses switch to European tech, we have recently introduced Easy Switch for Business /business/blog/proton-mail-easy-switch-for-business , which allows teams to migrate their emails, calendars, and contacts from Google Workspace to Proton with minimal effort and zero downtime.