The European Commission proposed a sweeping set of laws and strategies this week aimed at reducing the European Union's reliance on foreign technology, amid concerns that its long-standing tech dependencies are becoming a security vulnerability.

Spanning semiconductors, cloud computing, artificial intelligence and open-source software, the proposals amount to what the Commission's tech lead Henna Virkkunen called “a major shift in how Europe approaches technological sovereignty.”

The package bundles two draft laws — a Chips Act 2.0 and a Cloud and AI Development Act (CADA) — alongside an Open Source Strategy and a roadmap for digitalizing the energy system, intended together to “help widen choice in core technologies for EU businesses, citizens and public administrations.”

“We live in a world where geopolitics and technology are inseparable. Those who champion technological innovation will shape the future — and we must ensure that Europe plays a leading role in this,” said Virkkunen.

“It is time for Europe to be in control of its data, of its supply chains, and of its future in a clean and sustainable way. We are strengthening Europe’s digital autonomy and resilience while keeping our economy open to partners around the world.”

According to the Commission, the EU relies on foreign countries for more than 80% of its key digital products, services, infrastructure and intellectual property. The move to loosen the grip of American and Chinese suppliers comes amid worsening relations with the Trump administration and fears dependence could be weaponised — over tariffs, threats over Greenland, and the administration’s support for far-right parties.

Open-source security

The Commission says it will scale up European open-source alternatives in priority areas that explicitly include cybersecurity, and fund the long-term maintenance and security of Europe's critical open-source infrastructure — the kind of under-resourced components behind incidents such as the XZ Utils backdoor.

The strategy builds on what the Commission says are the more than 3 million European open-source contributors, and would push public administrations toward open-source tools through procurement guidance and an open internet stack.

Open-source vendor SUSE said the approach validated its argument that inspectable, openly maintained software is better placed to meet sovereignty goals than proprietary stacks, while warning that implementation would be the real test.

U.S. firms dominate Europe's cybersecurity market, with European buyers relying heavily on American suppliers. Alexandra Paulus at the German Institute for International and Security Affairs argued that nurturing European alternatives depends precisely on promoting open source — making the strategy's open-source security funding a potential, if unproven, foothold for European vendors.

Chip sovereignty

When it comes to semiconductors, “Europe still relies heavily on third countries for advanced production and chip design,” the Commission said — although equating production and design arguably misstates the EU's predicament.

Dependence on Taiwan's TSMC for advanced fabrication is essentially universal, applying to the United States as much as to the European Union. Notably, the strategy does not mention the greatest European strength in the semiconductor supply chain, the near-monopoly of Dutch lithography maker ASML, whose machines are essential to TSMC producing the most advanced chips anywhere in the world.

Chip design is the clearer weakness. U.S. companies — Nvidia, AMD, Qualcomm, Apple and Broadcom — give the American industry an enormous footprint in advanced logic design, and Britain's Arm dominates processor IP licensing globally.

The Chips Act 2.0 introduces concrete tools for the manufacturing gap. It would require national governments to complete planning, environmental and regulatory approvals for new fabrication plants within 12 months, and extend state aid for “first-of-a-kind” facilities not present anywhere in the EU. 

The original 2023 Chips Act mobilized more than €52 billion ($60.3 billion) in public and private investment but fell short of its flagship target of 20% of global semiconductor production by 2030, as global capacity grew faster than Europe's share of it.

The fruits of recent investments are yet to be seen. Intel had planned to build a manufacturing plant in Magdeburg, Germany — intended to be one of the most advanced in the world — before pulling the plug on the decision in February.

Another venture involving TSMC in Dresden aims to enter production by late 2027, although this will produce 28nm and 16nm chips — mature chips used in automotive and industrial electronics, but not the advanced AI chips at the center of the package's ambitions.

On design, the Commission is relying on demand-pull — using orders from EU-funded data centres and AI gigafactories to draw chip designers to Europe over time. The Commission said it expects AI-related components to make up more than 70% of the semiconductor market by 2030.

Erik Rein, president of the European Semiconductor Industry Association, said: “Europe cannot regulate its way into semiconductor leadership.”

The Commission also said it expected to launch a call for AI gigafactories in July and would open a consultation with member states and the European Investment Bank Group to build what it called “a European equity capacity at scale” to finance its ambitions.

Cloud and AI sovereignty

The most contested element of the package is CADA's cloud sovereignty test, with lower tiers providing legal assurances while the upper tiers effectively demand graded protections against foreign jurisdictional reach and supply-chain compromise.

The act defines four assurance levels for public bodies to apply based on risk: Level 1 requires data to be processed and stored in the EU; Level 2 requires demonstrated independence from non-EU countries; Level 3 requires EU ownership and control, including personnel criteria; and Level 4 requires full supply-chain control with no third-country interference.

Industry reaction has been sharply split. CCIA Europe, which represents large U.S. technology firms, called CADA discriminatory and “a dangerous recipe for progressive market shutdown,” arguing that its Level 3 and Level 4 tiers were closed-market requirements no international provider could meet.

European cloud providers welcomed the direction but warned of loopholes. Trade body CISPE called it “a step forward for Europe's strategic autonomy” but said it failed to require public buyers even to check whether a European alternative existed before contracting foreign providers.

Ahead of the launch, CISPE had urged the Commission not to legitimize “sovereignty-washing,” in which EU presence or compliance with cybersecurity standards is treated as genuine European control.

The Centre for European Policy Network cautioned that sovereignty pursued through procurement preferences “produces protected industries, not competitive ones,” and urged lawmakers to confine strict requirements to genuinely sensitive systems.

The proposals have landed amid a broader debate about whether sovereignty delivers security. In a prize-winning essay, analyst Josh Gold argued that European cyber resilience depends on design rather than control.

Gold’s standard was that the bloc should keep sovereignty “thin and targeted while building thick autonomy” — favouring transparency, portability and recoverability over EU ownership and location requirements.

He cited the troubled Gaia-X cloud initiative — described by a participant in a Politico report as “a crushing failure, a colossal waste of time, and just as many years gained for the hyperscalers; in other words, an industrial disaster” — as a warning against duplicating infrastructure at scale.

By that standard, the package is strongest where it funds resilience — semiconductor crisis preparedness, open-source maintenance and interoperability — and most exposed where it leans on EU ownership and location, leaving its security payoff to depend on how member states apply the tiers.

All of the proposals will need to be passed by the European Parliament and European Council, where the sovereignty criteria, procurement obligations and funding are subject to political negotiation.