Europe keeps trying to regulate its way to technological sovereignty. It has the paperwork to prove it. What it still lacks is the technology.
On June 3, the European Commission presented its Technological Sovereignty Package as the next great step towards digital independence. Henna Virkkunen, the executive vice-president whose brief now includes “tech sovereignty”, framed it as the moment Europe would stop leaning on American cloud providers and Asian chipmakers. She told reporters in Brussels the aim was to ensure no provider of critical workloads held a “kill switch” over European systems. The proposed Cloud and AI Development Act would rank cloud providers by how “sovereign” they are, sorting them into four trust tiers, and steer sensitive public contracts towards the favoured tier. A revised Chips Act, badged Chips Act 2.0, would give Brussels more power to prioritise chip output in a crisis, including the power to override existing commercial agreements.
The package is pitched as a turning point. It is not. Europe has been trying to legislate sovereignty into existence for more than a decade. The results should give Brussels pause. You do not become innovative by writing rules, and you do not become independent by regulating the firms you still need.
The effort is already sprawling. Between 2014 and 2025, the European Union adopted more than 30 binding digital regulations and directives. The Data Governance Act lets the Commission decide which countries may receive protected European public-sector data, borrowing the adequacy logic the Court of Justice of the European Union (CJEU) built for privacy in the Schrems cases. The AI Act and the Cyber Resilience Act route products through a Conformité Européenne (CE) mark that certifies conformity with European standards.
The same impulse runs through the rest of the digital rulebook. The Data Act shields industrial data held in Europe from foreign governments seeking access. The Markets in Crypto-Assets Regulation (MiCA) limits how widely dollar stablecoins can be used for payments, in the name of protecting the euro. By December 24, 2026, under the revised eIDAS regulation, every member state must offer citizens a government-backed digital-identity wallet, a public alternative to the systems run by Apple and Google. Under the Foreign Subsidies Regulation, Brussels can block the takeover of a European firm by a buyer backed by a foreign state.
Each measure pulls another piece of the digital economy under European supervision. Together, they amount to a theory of sovereignty through jurisdiction: Control the rules, control the market, control the future.
The trouble is that control is not capacity. Europe has gained influence over how foreign technology behaves inside its borders. It has not built a frontier-scale cloud provider or a leading-edge semiconductor fab under European control. American providers still hold more than 70 per cent of Europe’s cloud market, while the EU produces less than 10 per cent of the world’s chips, on the Commission’s own figures. The same Commission puts the EU’s annual bill for mostly American proprietary IT products and services at €264 billion. Regulation shaped other people’s products. It did not build Europe’s.
The June package tries to close that gap by moving from software rules to industrial command. It would steer public contracts towards clouds Brussels deems sovereign and give the Commission emergency authority over chip supply. The instinct that built the digital rulebook is now being applied to hardware.
It will run into the same limit. Almost no top-tier provider of rentable AI compute is headquartered in the EU, according to the SemiAnalysis ClusterMAX 2.1 ranking published in April 2026. The single provider it rates platinum is CoreWeave, an American firm. The chip capacity needed to change that will remain constrained through at least 2027. A procurement preference cannot summon an industry that does not exist. Nor can crisis powers manufacture fabrication plants, engineers, supply chains, energy capacity or customers.
Europe’s problem is not that it lacks sovereignty language. It lacks scale. If the EU wants more innovation and less dependence, it needs a single market that works. The one it has does not.
The digital rulebook is now so layered that a single event can trigger several regimes at once. One security breach at a European company can require separate reports under the General Data Protection Regulation (GDPR), the Network and Information Security Directive 2 (NIS2), and the Cyber Resilience Act, each on its own deadline and to its own authority. Brussels knows this. Its proposed Digital Omnibus, published on November 19, 2025, exists because the Commission has begun to simplify the overlapping duties its own laws created.
That burden falls hardest on the firms Europe says it wants to grow. Large incumbents can absorb another compliance process, hire another specialist, and wait out another interpretive guidance document. A smaller firm trying to sell across 27 national markets faces the same maze without the same army of lawyers. The result is not strategic autonomy. It is regulated dependence.
The better project is less glamorous and more useful: Remove duplication, harmonise enforcement, clear legal overlaps and make it easier for a European company to scale across 27 states as readily as an American rival scales across 50. Europe does not need another sovereignty badge for cloud providers. It needs a market large enough, simple enough, and predictable enough to let its own firms grow.
Sovereignty, if it comes, will come from capacity. Capacity comes from scale, capital, talent and customers. Brussels cannot decree those into being. It can only stop making them harder to assemble.