On 22 January 2026, the European Parliament voted 471 to 68 for a resolution calling on Europe to break free from US tech dependency. EPP, Social Democrats, Liberals, Greens — all in favour. Polish MEP Michał Kobosko put it bluntly: “If we do not act now, we risk becoming a digital colony.” The rhetoric is political, but the underlying concern is structural: 70 % market share by three providers under a single jurisdiction is, by any definition, a concentration risk.

Months later, the numbers that prompted that vote are unchanged. Over 80 % of digital products, services, and infrastructure used in the EU come from providers outside Europe. Amazon, Microsoft, and Google control around 70 % of the European cloud market. European providers account for roughly 15 %. Installed European data centre capacity stands at 16 gigawatts of IT load — compared with 48 in the US and 38 in China. European organisations spend an estimated €265 billion annually on non-European digital products and services. Not all of this is substitutable — but the figure illustrates the scale of the economic dependency.

Given that software licence terms include compliance with US export controls — terms that have been enforced against entire countries — these figures describe a measurable concentration risk.

The Parliament vote capped a year of unusually concrete political developments. A Chancellor naming the dependency as a security failure. A Franco-German summit mobilising billions. Actual software being built, deployed, and federated across borders. Digital sovereignty has been on the agenda since the Snowden revelations — but 2025 produced more concrete outcomes than the twelve years before it combined.

The question is whether the momentum will last.

The Munich Speech

In February 2025, Friedrich Merz delivered his opening speech at the Munich Security Conference. Amid the expected passages on NATO and defence, one sentence stood out: “Nobody forced us into the excessive dependency on the United States in which we recently found ourselves. This lack of autonomy was self-inflicted.”

That is blunt language for a diplomatic stage. The conclusion was more remarkable still: “Competition policy is security policy, and security policy is competition policy. That is precisely why we want to be drivers of progress in future technologies.”

Merz did something his predecessor did not do in 16 years: publicly classify Europe’s technological dependency as a security policy failure. Whether that reflects conviction or the pressure of circumstances, the signal is significant. At the same time: no concrete legislation or funding programme was announced at the MSC. A speech at a security conference is a position statement, not a policy blueprint. Whether the government will actually redirect public IT procurement must be measured against concrete action.

The Berlin Summit

Nine months later, on 18 November 2025, came the summit on European digital sovereignty in Berlin. Germany and France had issued the invitation; all 27 EU member states sent representatives. Over 900 attendees from politics, industry, and research.

Macron framed the issue in characteristically pointed terms, calling Europe a “vassal” of US and Chinese tech. “We don’t want to be the client of the big entrepreneurs or the big solutions being provided from the US or from China. We clearly want to design our own solutions.” The rhetoric is political, but the operational concern is real: when your infrastructure depends entirely on providers under foreign jurisdictions, your strategic options are constrained by their decisions, not yours. Merz put it more soberly: “Digital sovereignty means the ability to shape technology across the entire value chain in line with European interests and needs.”

What sets this summit apart from earlier declarations of intent are the concrete outcomes. 12 billion euros in private sector investment commitments. The founding of ESTIA, an industry alliance for sovereign cloud services backed by Airbus, Dassault Systèmes, Deutsche Telekom, Orange, and OVHcloud. The joint development of openDesk and LaSuite, the open-source workplace platforms for government. And a Digital Commons-EDIC with the Netherlands and Italy.

Whether 12 billion euros can compete with the market power of Amazon, Microsoft, and Google is debatable. Moreover, investment pledges are not investments, and the participating governments continue to award major IT contracts to US providers in parallel. Still, as a political signal, it is more than anything that came before.

The Parliament Vote

The January 2026 report on technological sovereignty is the most ambitious digital policy document the European Parliament has produced. Its 471-to-68 margin reflects a consensus that crosses every major party line — and its demands go far beyond the usual calls for “more coordination.”

The headline: an “Open Source first” approach in public procurement — software developed with public money should be released under free licences. “Public Money, Public Code”, as the FSFE has demanded for years, is now Parliament’s official position. Beyond that: a Eurostack — an end-to-end European infrastructure from semiconductors to cloud. A Sovereign Tech Fund of 10 billion euros. Full EU jurisdiction over cloud infrastructure. And a Cloud and AI Development Act to triple the EU’s computing capacity within seven years.

The ambition is real. But the European Parliament’s reports are non-binding. Implementation rests with the Commission and the member states — and there, sovereignty ambitions routinely collide with budget realities and existing contracts. Every EU member state that voted for this resolution will, the following Monday, continue renewing Microsoft licences.

What Is Actually Being Built

While Brussels votes and Berlin hosts conferences, Germany, France, and the Netherlands are actually building open-source alternatives for the government workplace.

openDesk, developed by the Centre for Digital Sovereignty (ZenDiS), integrates Nextcloud, Open-Xchange, Collabora, Jitsi, and Element into a unified working environment. Version 1.0 has been running since October 2024. LaSuite, its French counterpart, is developed by the Interministerial Directorate for Digital Affairs (DINUM) and uses custom forks with a consistent UI. The Netherlands is combining components from both platforms under the name MijnBureau.

The crucial point: the three platforms can federate with each other. A German civil servant can collaborate with a French colleague on a document without the data passing through a US cloud service. That sounds like a technical detail, but it is precisely what digital sovereignty looks like in practice.

Why Scepticism Is Warranted

So much for the good news. Now the caveats.

First: Gaia-X. The Franco-German flagship project for sovereign cloud infrastructure was launched in 2019 with great energy and has since produced working groups, consortia, and position papers — but little that a system administrator could install. Gaia-X has become a byword for European announcement culture, and every new initiative must be measured against that benchmark.

Second: the talent drain. Europe’s developer and founder talent gravitates toward ecosystems with higher capital availability and faster procurement cycles. The talent gap is not a communications problem — it’s a competitiveness problem rooted in funding structures and regulatory overhead.

Third: the regulatory burden. AI Act, Data Act, GDPR bureaucracy — each regulation has its merits in isolation. In aggregate, they create an environment where compliance absorbs more resources than product development. The fact that the Berlin summit itself called for a 12-month postponement of the AI Act’s high-risk provisions is a quiet admission of this contradiction.

And fourth: time. Analysts estimate a decade or more for a meaningful overhaul of European digital infrastructure. During those ten years, dependency will not shrink — it will grow, driven by cloud migration, AI services, and the inertia of existing systems.

What Follows

The political and institutional groundwork laid in 2025–2026 is more concrete than anything that came before.

But for organisations making procurement decisions, the question remains practical: the “Open Source first” resolution has no binding force as long as individual governments continue to renew existing vendor agreements by default. The 12 billion in investment pledges are meaningless if they flow into showcase projects rather than infrastructure. And ESTIA must deliver where Gaia-X failed.

The next two years will determine whether the institutional momentum translates into procurement mandates — or whether it follows the pattern of earlier initiatives (Gaia-X, early eIDAS timelines) where ambition exceeded execution.

For organisations that are not willing to wait for politics to catch up, the policy developments above create concrete action triggers:

  • The Data Act is applicable now (September 2025), and switching fees disappear in January 2027. If you have been postponing a cloud migration because of egress costs, the regulatory window is opening. Start your cloud audit now.
  • The EUDIW deadline is 2026. If your services authenticate EU citizens, begin your integration assessment. Evaluate your identity stack.
  • The “Open Source first” resolution gives institutional cover for procurement decisions that favour open-source. If you have been waiting for political backing, you now have it at EU Parliament level. Use it in your next tender.
  • The AI Act high-risk provisions take effect through August 2027. If you deploy AI in HR, healthcare, or law enforcement, start your conformity assessment. Assess your AI sovereignty position.

None of these depend on whether ESTIA delivers or whether Gaia-X’s successors materialise. They are actions you can take today, within existing frameworks, regardless of what happens in Brussels.

Sources

Topic overview: Digital Sovereignty in Europe