Europeâs Tech Sovereignty Package: the right diagnosis, an honest question about the cure
On 3 June 2026, the European Commission put forward the European Technological Sovereignty Package, a coordinated set of measures meant to strengthen Europeâs capacity in semiconductors, artificial intelligence, cloud and open source. The Commission calls it a âmajor shiftâ in how the EU approaches technology, and for once the framing is not pure communications gloss. After years of regulating digital markets it does not own, Brussels is now trying to build the thing it has spent a decade governing.
Whether it can is a different question. This post sets out what is actually in the package, and then asks the question every serious analyst asked within hours of the launch: is the money, and the political will behind it, anywhere near the size of the problem?
The diagnosis, stated plainly
The package opens with a number that does most of the rhetorical work. Drawing on the Draghi report, the Commission concedes that the EU remains structurally reliant on non-EU providers for over 80% of its digital products, services, infrastructure and intellectual property. It is rare to see an EU document begin from a position of such candour about dependence.
The supporting figures are worse than the headline. Europe produces around 10% of the worldâs semiconductors. European cloud providers hold roughly 15% of their own market, down from 29% in 2017, leaving about 70% in the hands of three US hyperscalers. The EU captures just 5% of global venture capital, against 52% in the United States and 40% in China. And the bloc spends an estimated âŹ264 billion a year, mostly on US proprietary IT products and services.
The Commissionâs definition of technological sovereignty is the ability to develop, control and scale the critical technologies, infrastructure, services and data that underpin Europeâs economy and society, while diversifying supply chains and reducing strategic dependencies. Crucially, it insists this is not protectionism or decoupling: sovereignty âgrounded in openness, partnership and fair competition.â Hold that phrase. It is both the packageâs strength and the seam along which it may come apart.
What is actually in the box
The package bundles four instruments, two legislative proposals that must clear Parliament and Council, and two strategy documents.
Chips Act 2.0. Building on the 2023 Chips Act, this adds demand-side measures the first version lacked: a demand forum, public innovation procurement, and a new excellence label for âSemiconductor Regions of Excellence.â Its flagship is an EU-based open foundry for advanced manufacturing at 3 nanometres and below, the first EU plant to combine leading-edge nodes with chiplet integration and 3D packaging, with pilot production envisaged for 2030â2033. Estimated additional investment need: âŹ120 billion.
Cloud and AI Development Act (CADA). The centrepiece. It aims to triple EU data centre capacity in five to seven years and, more consequentially, introduces a Union cloud and AI sovereignty framework with four assurance levels. Public bodies pick a level via risk assessment; providers are certified by Member States after an audit. At Level 2, providers must show independence from third countries and transparency over their software supply chain. At Level 3, they must be owned and controlled from the EU and meet additional criteria, including personnel citizenship.
EU Open Source Strategy. For the first time, open source sits at the centre of EU digital policy rather than at its margins. Four objectives: leverage open source for sovereignty; build a vibrant ecosystem; open up public administration (âpublic money, public codeâ); and reinforce standards and international outreach. Concrete commitments include an Open Source Maintenance Instrument, a European Digital Public Infrastructure Foundation, a target of 30 million active users of open source collaboration tools by 2030, and a âŹ2 billion envelope over seven years.
Strategic Roadmap for Digitalisation and AI in Energy. Seven flagship actions to integrate data centres into the energy system sustainably, accelerate smart-meter rollout, and build sovereign AI models for the grid, trained on European data, developed by European firms.
The connecting logic is what the Commission calls an âecosystem approachâ: supply-side capacity, demand-side pull, and horizontal enablers (finance, skills, an agile rulebook) acting together across the whole stack, from chips to cloud to applications. On paper, it is the most coherent industrial-strategy architecture the EU has produced for digital. The coherence is real. The follow-through is the open question.
Where the experts are pointing
The official documents tell you what Brussels intends. The reaction in the first 48 hours tells you where the contested ground is. Three fault lines stand out.
The CLOUD Act doesnât disappear because you named four levels
The sharpest critique of CADA is structural and predates the launch. As the practitioner Julien Simon has put it, a US hyperscaler can build a data centre in Frankfurt, staff it with German citizens, hold the encryption keys with a French company, wrap it all in an EU-incorporated joint venture, and the parent in Seattle or Redmond still falls under US jurisdiction through the CLOUD Actâs extraterritorial reach. No assurance level rewrites US law.
To his credit, Simon is honest about the threat model: to date there have been no major disclosures to US authorities under the CLOUD Act for European customers, so whether this is a manageable risk or an unacceptable structural exposure depends on what you are protecting. For defence, classified systems and critical infrastructure, most Member States have already concluded it is the latter. For everything else, the calculus is genuinely contested, which is precisely why the framework is voluntary and risk-based rather than prohibitive.
And note what the trade press spotted immediately: CADA is drafted so that US hyperscalers face no explicit barrier, because EU tenders cannot discriminate on the basis of a providerâs location. Sovereignty levels relabel exposure and make it legible. They do not, by themselves, remove it.
The open source money is an order of magnitude short
Here the most useful voice is OpenForum Europe, which has campaigned toward this moment for over two decades and is therefore not a hostile witness. Their verdict is celebratory about the principle and pointed about the arithmetic.
The âfirstâ they credit is real: the Commission now concedes, in writing, that proprietary software hinders sovereignty, rather than treating dependence as a mere market inefficiency. And the evidence base is sound, an earlier OFE/Fraunhofer study found that every euro of public investment in open source returns four to five euros to the European economy.
But the âŹ2 billion envelope, spread over seven years across accelerators, the Open Internet Stack, stewardship and skills, leaves very little for the one thing 1,600 respondents to the Commissionâs own call for evidence named as the central market failure: maintenance. OFEâs point is hard to argue with: âŹ2 billion is a rounding error against the proposed âŹ409 billion European Competitiveness Fund, and against the âŹ264 billion the document itself says leaves Europe every year. If the dependency is structural, a âŹ2 billion answer is a gesture, not a remedy. The other gaps they flag, open source hardware barely featuring beyond RISC-V, and a skills plan that trains users rather than maintainers and contributors, are the kind of detail that decides whether implementation matches ambition.
The enabler the whole thing rests on is the one left hanging
Read the finance section closely and you find the packageâs most revealing hedge. The Commission acknowledges Europeâs chronic shortage of late-stage risk capital, the very gap that pushes high-growth deep-tech companies to relocate or be acquired as they scale. Its proposed answer is a new âstrategic tech equity mechanism,â an equity co-investment anchor to crowd in private capital.
But look at the verbs. The Commission will âconsult.â It flags the âfeasibilityâ of such a mechanism. Its findings âmight be accompanied by a legal proposal.â For a package whose entire theory of change depends on mobilising private equity at scale, the financing instrument is the least committed element in the document. That is not an accident of drafting; it reflects the limits of what Member States have agreed to so far.
The tension worth naming
Every independent analyst, the industry lobby DIGITALEUROPE, the open source advocates at OFE, sovereign-cloud practitioners, market forecasters at Forrester, converges on the same doubt from different directions. The instruments are real and, in places, genuinely well designed. They are also under-resourced and under-committed relative to the dependency they are meant to close.
The recurring question, the one the package cannot answer by itself, is the demand-side one: will Member States actually spend their procurement euros on European alternatives, or keep cutting bilateral deals with hyperscalers while championing sovereignty in Brussels? An âecosystem approachâ lives or dies on demand. The supply-side measures can be perfect and still fail if public buyers default, as they have for fifteen years, to the incumbent with the slickest tender response and the lowest line-item price.
So I land roughly where the open source community lands: this is the most serious attempt the EU has made, and the diagnosis is finally honest. The Commission has stopped pretending Europe can regulate its way to sovereignty and started trying to build. That deserves recognition rather than reflexive cynicism.
But ambition and specificity are not the same thing, and rhetoric is not capital. âWe have the talent, the research excellence, the industrial base and the Single Market,â von der Leyenâs refrain, is true. It has been true for a decade, during which the dependency deepened. The strengths were never the problem. The willingness to fund them at the scale of the gap, and the discipline to buy European when the procurement decision actually lands on a desk, always were.
The package is a credible plan. Whether it becomes more than a plan will be decided not in this Communication but in twenty-seven national budgets and ten thousand procurement procedures over the next seven years. That is where I will be watching, and where, on past form, Europe has most often dropped the ball.
The legislative proposals, Chips Act 2.0 and CADA, now go to the European Parliament and the Council. A call for AI Gigafactories is expected in July. Member States are invited to translate the package into national action through the December 2026 revision of their National Digital Decade Strategic Roadmaps. The four CADA sovereignty levels, and the Level 3 personnel-citizenship criterion in particular, are the most politically sensitive element and likely to shift during negotiation, so treat them as the proposal as published, not as settled law.
#AIGigafactories #CADA #ChipsAct20 #CLOUDAct #CloudAndAIDevelopmentAct #cloudComputing #digitalSovereignty #DraghiReport #EU #EUOpenSourceStrategy #EuropeanCommission #EuropeanCompetitivenessFund #hyperscalers #openSource #OpenForumEurope #semiconductors #technologicalSovereignty
Bernhard Biedermann
Falk Steiner
David Meyer
Jos Poortvliet
Antonio Vieira Santos
Dag
Jan Penfrat
CCIA Europe
Jan Blockx