European Tech Sovereignty and the Security Risks of Decoupling
By Martyna Chmura | 11 March 2026
Summary
European governments are accelerating “digital sovereignty” measures, including moves away from United States (US) platforms in public administration and increased support for open-source and domestic infrastructure.
Security planners warn that rapid decoupling could create short-term capability gaps because European militaries and critical services rely on US software, cloud, and data tools.
Selective diversification is likely to deepen over the next months, while full decoupling remains constrained by interoperability, procurement lock-in, and defence dependencies.
Context
At the European Union (EU) level, dependence on US technology and services is substantial. The European Parliament has cited reliance on non-EU providers for more than 80% of Europe’s digital infrastructure. In payments, Visa and Mastercard accounted for almost two-thirds of Eurozone card transactions in 2022, with 13 member states lacking a national alternative. These figures illustrate that reliance extends beyond software applications to financial infrastructure and data ecosystems.
Recent geopolitical developments have intensified the debate. Following US sanctions targeting International Criminal Court (ICC) Chief Prosecutor Karim Khan in 2025, reports indicated that his Microsoft email account was suspended. The episode reinforced concerns in European capitals about the extraterritorial reach of US law and the vulnerability of institutions dependent on foreign platforms.
On 31 January 2026, France ordered ministries to transition 2.5m civil servants away from Zoom and Microsoft Teams by 2027, moving to Visio, a French-built videoconferencing platform hosted on national infrastructure. The move was framed as necessary to guarantee security, confidentiality and resilience in state communication. Austria’s Armed Forces have migrated 16,000 workstations from Microsoft Office to LibreOffice, and Germany’s Schleswig-Holstein plans to move around 30,000 public-sector users from Windows and Microsoft Office to Linux and LibreOffice. Denmark’s data protection authority, Datatilsynet, issued serious criticism of 51 municipalities for their use of Google products in primary schools, highlighting governance and compliance risks. Switzerland has introduced an open-source law (EMBAG) requiring publicly funded software to be released as open source.
Implications
The shift toward digital sovereignty reflects a broader recalibration of geopolitical risk. European policymakers increasingly view digital infrastructure as comparable to energy or defence supply chains. Dependency on US cloud providers, collaboration tools, payment systems, and AI models is no longer assessed solely by efficiency and cost, but also by political leverage.
The ICC sanctions episode became a practical demonstration of this vulnerability. Even if service disruptions stem from legal compliance rather than deliberate coercion, the operational outcome remains the same: foreign jurisdiction can affect communications and continuity. Mario Draghi warned that interdependence can become “a source of leverage and control.” This logic underpins renewed calls in Brussels for structural solutions rather than piecemeal substitutions.
At the EU level, policymakers have called for a full “Eurostack” spanning chips, cloud, software, and AI. The European Commission has also advanced “cloud sovereignty” work, including a EUR 180m tender linked to a Cloud Sovereignty Framework intended to support public-sector adoption under EU-aligned governance rules. These measures indicate that digital sovereignty is evolving from national procurement decisions into coordinated industrial policy.
However, security institutions warn that sovereignty narratives can clash with defence realities. European military officials have argued that European forces depend on US software and networks for communications, intelligence, and data storage, and that rapid restrictions on US providers could undermine operational effectiveness. Recent procurement choices reflect this dependency. Germany’s armed forces have partnered with Google Cloud to deploy an air-gapped sovereign cloud operated in domestic data centres, with buildout described through to end-2027. The United Kingdom (UK) Ministry of Defence has also awarded Palantir a follow-on enterprise agreement of GBP 240.6m for data analytics supporting operational decision-making across classifications.
This creates a dual-track sovereignty approach. Civilian administrations are more willing to migrate away from US collaboration software when alternatives exist, while militaries and security agencies are prioritising continuity through “sovereign configurations” of US technology (such as air-gapped deployments and local operating controls) rather than full replacement. This approach may reduce some legal and operational risks, but it does not eliminate dependency on US vendors’ update cycles, licensing, and technical roadmaps.
Economically, the push may build European capacity in open-source, cloud governance, and multilingual AI. Spain’s AESIA has launched ALIA as a national open-model initiative, while Switzerland has launched Apertus as a fully open, multilingual model. Poland has also entered the field with Bielik AI, a locally developed open model trained primarily on Polish-language data to strengthen national AI capability and reduce reliance on foreign systems. Yet critics warn that a push toward technological “autarky” could increase costs and reduce scale advantages if pursued as a broad political project rather than targeted resilience planning.
Guillaume Perigois/Unsplash
Forecast
Short-term (Now - 3 months)
European governments are highly likely to expand procurement guidance favouring open-source and EU-hosted services for sensitive civilian functions.
Defence ministries are likely to prioritise “sovereign controls” for US systems (local hosting, air-gapped deployments, and contractual assurances) rather than rapid vendor exits.
Medium-term (3 - 12 months)
It is likely that the European Commission’s planned sovereignty initiatives focus on cloud governance, procurement rules, and funding for European suppliers, rather than mandatory bans on US providers.
It is a realistic possibility that some large public-sector migration programmes face delays due to interoperability or workforce constraints, slowing replication across agencies.
Long-term (>1 year)
It is likely that Europe continues to pursue selective decoupling in civilian administration, while defence dependence on US software ecosystems remains structurally significant.
It is highly likely that digital sovereignty becomes a standing element of EU crisis planning, alongside energy and defence resilience, shaping procurement and industrial policy across member states.
