Europe’s external dependency exposes more than its AI sovereignty. It also affects its data sovereignty and creates political exposure.
In a previous article, we discussed how Europe is heavily dependent on external providers for AI development, particularly through GPUaaS and the semiconductor industry.
US companies such as Nvidia and AMD provide the GPU chips powering European supercomputers and AI factories, while hyperscalers dominate access to cloud infrastructure.
Beyond the technical and economic implications, this dependency exposes Europe’s data infrastructure to geopolitical risk. More importantly, it exposes Europe to foreign political power, and increasingly, to political volatility.
Structural reality
The EU remains structurally dependent on external providers. Despite major investments and policy initiatives aimed at strengthening European AI sovereignty, US hyperscalers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) control 70% of the European cloud market by early 2026.
At the semiconductor level, Europe also remains dependent on external actors. AI chip design is dominated by US companies such as Nvidia and AMD, while manufacturing relies heavily on Asian foundries, primarily TSMC in Taiwan and Samsung in South Korea. European domestic semiconductor production still accounts for less than 10% of global output.
To reduce this gap, the EU has launched several initiatives. The 2023 EU Chips Act and the Chips Joint Undertaking (Chips JU) aim to mobilize more than €43 billion in public and private investments to reach 20% of the global semiconductor market share by 2030.
Additional initiatives, such as the AI Continent Plan and Invest AI, seek to strengthen Europe’s competitiveness and technological sovereignty in AI infrastructure and deployment.
Technical is political
Europe’s push for AI sovereignty is not only about technological competitiveness, but also about maintaining control over data governance and digital infrastructure.
Alongside industrial investments, the EU has developed a broad regulatory framework focused on data protection and digital governance.
This includes the European strategy for data, to create a single market for European data, the General Data Protection Regulation (GDPR) under the Data Governance Act (DGA) and the Data Act, all aimed at strengthening trust, security, and control over European data flows.
To facilitate transatlantic data transfers, the EU and the US introduced the EU-US Data Privacy Framework (DPF) in 2023. The framework enables US companies to self-certify compliance with European data protection standards, creating a legal mechanism for cross-border data transfers between the EU, the European Economic Area, the UK, Switzerland, and the United States.
However, these frameworks share a common vulnerability: they are built on contractual and regulatory mechanisms that cannot override statutory US law.
Regardless of where data is stored, American cloud companies remain subject to US legal and political authority, including export controls, sanctions regimes, and executive mandates that can override contractual agreements with European customers.
The legal architecture of dependency
In 2018, the US introduced the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), establishing procedures for both the US and foreign authorities to request access to data held by service providers in the context of criminal investigations, regardless of where the data is physically stored.
It is a unilateral US instrument, removing domestic law restrictions for service providers to comply with direct disclosure orders.
At the same time, the Foreign Intelligence Surveillance Act (FISA) section 702 enables the US intelligence Community to collect and process foreign intelligence data related to national security threats.
This does not grant automatic or unrestricted access to data stored by cloud providers. However, it means that US authorities can legally compel American companies to provide access to data if requested under US law.
As a result, the CLOUD Act, FISA Section 702, and broader executive order authorities create a legal framework through which U.S. jurisdiction can reach data and infrastructure hosted in Europe through American providers, regardless of EU-US DPF or the GDPR protections.
This creates a structural tension between the EU and US legal systems. Existing EU mechanisms, including the Standard Contractual Clauses, rely on contractual safeguards and mutual agreements, but they cannot argue against statutory obligations imposed under foreign law.
The European Data Protection Board (EDPB) has stated that service providers subject to EU law cannot rely solely on CLOUD Act requests as a legal basis for transferring data to the US.
However, US hyperscalers may still face conflicting legal obligations: complying with the CLOUD Act and breaching GDPR Article 48, or refusing the warrant and facing penalties under US law.
The Schrems II ruling established a precedent: the Court of Justice of the European Union (CJEU) found that US surveillance law creates risks incompatible with EU fundamental rights, effectively invalidating the EU–US Privacy Shield framework over concerns regarding US surveillance powers and insufficient protections for European citizens’ data.
What changed under Trump’s second term?
The legal asymmetry between Europe and the United States is not new. What changed under President Donald Trump’s second term was the deliberate use of that asymmetry as political leverage.
The pressure has operated on multiple fronts. On regulation, the Trump administration moved quickly to challenge Europe’s digital governance framework. In February 2025, a White House memo signalled that the US companies would use tariffs, taxes, and trade policy to protect American technological dominance, framing European regulation as a barrier rather than a legitimate policy choice and threatening possible retaliations against the EU’s Digital Services Act (DSA).
Vice President JD Vance and Secretary of State Marco Rubio both publicly criticised the DSA and the Digital Markets Act (DMA), categorizing EU enforcement actions against Google, Apple, Meta, and X as attacks on American companies and American democratic values.
The administration also pursued visa restrictions against European Tech regulators and researchers involved in major tech platforms monitoring, and promoted lobbying from diplomats and Big Tech companies against attempts to regulate US tech companies handling foreigners’ data.
On trade, the US imposed 15% tariffs on EU steel and aluminium exports in 2025, with explicit signals that digital regulatory concessions could form ṕart of a tariff deal.
This marks a structural shift: Europe’s dependence on U.S.-controlled digital infrastructure was no longer just a technical vulnerability; it had become a bargaining chip in a broader geopolitical negotiation.
The pressure appears to be producing results. The EU’s proposed Digital Omnibus Regulation package, as initially proposed, reflects a European regulatory posture increasingly shaped by the need to manage U.S. political friction, a tension that was far less acute before 2025.
Whether this represents pragmatic adaptation or the beginning of regulatory retreat remains an open question.
How American cloud providers are caught in the middle
Regulations are not the only way for Europe to try to keep protection over its data. While American cloud providers remain bound to US regulations, which deepens the perception of data risk for Europe, they are also commercial actors with European operations and European clients.
Caught between US legal obligations and the commercial importance of the European market, hyperscalers have introduced sovereign cloud products across Europe, subject to local regulations.
Microsoft Azure EU Data Boundary restricts data flows outside the EU/EEA and staff access to data. The AWS European Sovereign Cloud is operated by a German legal entity under a new EU-regulated parent company, Amazon Web Services EMEA SARL. G
oogle Sovereign Cloud operates in partnership with European companies, offering local independent operations. All three store data locally and comply with GDPR and ISO/IEC 27018.
These commitments address operational concerns, where the data is stored, but cannot resolve the legal exposure or who controls the entity storing it. As U.S.-incorporated companies, all three remain subject to the CLOUD Act regardless of local structure.
This legal gap runs parallel to a political one. Big Tech lobbying within the European Parliament increased significantly in 2025, with companies including Meta and Google spending approximately €151 million €151 million pushing for extended data processing allowances and softer platform regulation.
Whether through legal exposure via cloud infrastructure or deregulatory pressure through the Digital Omnibus proposal, the effect is the same: sustained external influence over how Europe governs its own data.
Europe’s institutional responses and its limits
Europe has invested in alternatives. Last April, the Commission awarded four contracts up to €180 million over 6 years to four European companies to strengthen data sovereignty, although one of the awarded contracts relies on a joint venture between Thales and Google Cloud, illustrating how even locally contracted solutions remain partially dependent on U.S. infrastructure.
Launched in 2020, Gaia-X aimed to build a federated data and cloud infrastructure that guarantees compliance with European values and regulations. In practice, it has struggled to translate ambition into coherent infrastructure.
While Gaia-X is not a cloud provider, it provides the technical framework for the European cloud ecosystem.
Diverging expectations among members produced strategic dilution, and the inclusion of U.S. hyperscalers as private members created an internal contradiction that the initiative has never fully resolved.
Europe’s main independent cloud providers, OVHcloud, Hetzner, and Scaleway, represent genuine alternatives but face real limitations in scale, managed services depth, and competitiveness against U.S. incumbents.
Beyond the multiple regulations being implemented, the biggest institutional threat is the Digital Omnibus proposal, which risks rolling back key protections under GDPR and the DMA.
Many EU officials are aware of the lobbying dynamics driving it and are pushing back through updated antitrust tools, targeted public investment, and structural reform proposals.
Whether that resistance holds is one of the defining questions for European data sovereignty in the next two years.
Where genuine leverage exists
Europe is not powerless, but its leverage is regulatory and market-access based, not infrastructural.
The Data Governance Act and Data Act look to stimulate markets and companies to use European data for commercial purposes.
The reinforcement of such regulations applied to designate European cloud providers and invest in them as the “gatekeepers” under the DMA, which is now occupied by 5 out of 7 by US hyperscalers.
Strategic use of market conditions to increase the adoption of companies is another leverage point. For instance, creating mandatory requirements for sensitive data in defense, health care, and public administration, to use European-certified providers would create both demand and an investment signal for domestic alternatives without requiring full decoupling from U.S. infrastructure overnight.
The Brussels Effect remains Europe’s most underutilised strategic asset. The consistent EU’s efforts for regulations such as the DMA have made multiple countries successfully adopt it as part of their own legislation for digital rules.
While the DSA enforcement has already produced multimillion-euro fines against U.S. platforms, such as Meta and Apple, when it was found in breach, highlighting Europe’s regulatory power to set the terms of market access
Access is a starting point, not a destination
The real risk isn’t that Europe lacks technology. It’s that it doesn’t control the systems it depends on.
Europe is investing in its own infrastructure and has viable cloud alternatives, but closing the gap with U.S. hyperscalers requires sustained capital, coordinated policy, and time that the current political climate is compressing.
Whether the physical and economic constraints have been discussed, one thing is clear for Europe: real sovereignty is not about full independence, but about converting managed dependency into strategic leverage before the political window narrows further.
The Trump presidency did not create this vulnerability, but it has made the cost of ignoring it impossible to defer.
U.S.-EU tech cooperation remains mutually beneficial, and the goal is not decoupling but building resilience by leveraging it.
By treating the current dependency as a temporary foundation rather than a permanent condition, diversifying providers, investing in competitive European companies, and deploying its regulatory leverage deliberately, Europe can build a credible path toward data and infrastructure sovereignty.
The question is not if Europe has an opportunity, but whether it will use it.
