The European Commission has published its latest bid for “technological sovereignty” — and this one is more blunt than most. The proposal: ensure that no foreign government or company can use a “kill switch” to turn off or disrupt critical tech services across the EU. In plain terms, Europe is acknowledging what it has been papering over for years: it is dangerously dependent on American and Chinese technology, and it’s terrified of what that dependency means.

The numbers are stark. The EU relies on foreign providers for more than 80% of its digital products, services, infrastructure, and intellectual property. When China restricted semiconductor exports in late 2025, it nearly brought the European car industry to a standstill. The lesson landed. And the concern about the US is equally acute: the 2018 Cloud Act allows American federal authorities to access data held by US providers in other countries for national security reasons. That means any European company or government body using AWS, Azure, or Google Cloud is, in theory, one US government request away from having that data handed over.

Henna Virkkunen, the Commission’s vice-president for tech sovereignty, put it plainly: the Cloud Act “was not in line with our rules here.” She’s right. The EU has been operating on a comfortable fiction that data stored on American servers in Europe is subject to European law. It isn’t. The Cloud Act has always superseded that assumption, and Europe has been slow to confront it.

The proposed remedy is a risk-assessment framework for cloud services in sensitive areas — defence, criminal justice, border management. If a provider is deemed risky, member states can be required to switch. US cloud companies wanting to operate in those areas would need to prove they can’t be compelled to surrender European data to American authorities. That’s a high bar, and the Commission is honest that it would be “very difficult” for US companies to meet it in areas like defence.

What’s interesting is the framing. Virkkunen was careful to say the EU isn’t planning to “work in isolation and produce everything ourselves.” But it is planning to be much more selective about who it trusts with its most sensitive infrastructure. This is the kind of mercantilist hedging that the EU usually dresses in the language of regulation and rights. Here, the mask is off: it’s industrial policy, plain and simple.

The political timing is worth noting. This comes amid ongoing transatlantic tensions over tariffs, digital regulation, and Trump’s general approach to allied relationships. The EU has spent years trying to thread the needle between attracting American tech investment and maintaining strategic autonomy. This proposal suggests that needle is getting harder to thread, and Brussels is choosing the side of sovereignty — even if it means alienating the White House.

The practical obstacles are considerable. The proposals need to be agreed by member states and the European Parliament, a process that will be fought over by well-resourced American tech lobbyists. And even if the law passes, the EU is not going to rip out all American cloud providers from its sensitive infrastructure overnight — there simply isn’t the domestic capacity to replace them. This is a statement of direction, not a blueprint for execution.

But the intent is clear. Europe wants to own more of its own tech stack, particularly in AI, cloud, and semiconductors. It has woken up to the fact that dependency is a form of vulnerability, and that the allies you rely on today may not be the allies you can rely on tomorrow. Whether it can execute on that ambition is another question. Europe is good at announcing grand plans. It’s historically terrible at following through on industrial strategy against well-funded competition.