For decades, Europe let Silicon Valley run the machinery of its governments. American companies handled the email, the cloud storage, the video calls, the documents, the servers, and increasingly, the intelligence systems that process sensitive public data. This arrangement was sold as efficiency. As a matter of geopolitical reality, it was dependence.
That arrangement is now ending. Slowly. Unevenly. But it is ending.
Europe is in the middle of what I would call a techno-political pivot — a deliberate, policy-driven effort to pull critical digital infrastructure out of American hands and bring it under European legal and operational control. It is not primarily a technology story. It is a sovereignty story. And it is more serious than most American observers want to admit.
The Moment That Clarified Everything
Somewhere along the way, European policymakers stopped treating this as an abstract concern and started treating it as a concrete vulnerability. The clearest illustration is what happened to the International Criminal Court in The Hague.
Microsoft blocked the email account of the ICC prosecutor after the United States imposed sanctions. Let that settle in. A European international legal institution lost access to its own communications because an American software company complied with an American government order. No bombs. No tanks. No formal diplomatic incident. Just a cloud service doing what cloud services do when Washington makes demands — and an institution discovering, in real time, that its digital infrastructure was never really its own.
That incident did not start the European sovereignty push. But it made the argument visceral in a way that policy papers never do.
What Europe Is Actually Afraid Of
The underlying fear runs deeper than one compromised email account. The U.S. CLOUD Act is the legal mechanism that keeps European governments up at night. Under the CLOUD Act, American companies can be compelled to hand over data stored anywhere in the world — including in European data centers — to U.S. law enforcement and intelligence agencies. It does not matter that the data physically sits in Frankfurt or Paris. If the provider is American, the data is reachable.
This puts Europe in an impossible position. GDPR says European data must be protected. The CLOUD Act says American companies can be forced to hand it over. These two legal regimes are in direct collision, and for years Europe tried to paper over the conflict with adequacy agreements and diplomatic assurances. The Schrems II ruling in 2020 blew most of that up. European governments have been quietly drawing conclusions ever since.
The conclusion is uncomfortable but straightforward: if the platform is American, the legal exposure is American. It does not matter how many European flags you put on the website.
This Is Not Cosmetic
The most important thing to understand about what Europe is doing is that it is not slapping a European label on American software and calling it sovereign. The serious initiatives are full replacements.
In the German state of Schleswig-Holstein, somewhere between 30,000 and 60,000 state employees are being moved off Microsoft Office, Microsoft Exchange, Microsoft SharePoint, and eventually Microsoft Windows. LibreOffice is replacing Office. Open-Xchange and Thunderbird are replacing Exchange and Outlook. Nextcloud is replacing SharePoint and OneDrive. The long-term plan includes Linux desktops. The projected savings are over €15 million. More importantly, the dependency is projected to end.
In France, the government has reportedly ordered roughly 2.5 million civil servants to stop using American videoconferencing tools — Zoom, Teams, Webex — by 2027. The replacement is a French-built platform called Visio, built on LiveKit, Django, and React, incorporating French AI transcription. The Health Data Hub, which handles sensitive patient data for an entire country, has reportedly moved from Microsoft Azure to Scaleway, a French provider.
The European Parliament, as of early June 2026, switched its default search engine from Google to Qwant, a French privacy-focused alternative. This is a small thing. It is also a signal about where the institution thinks its obligations lie.
At the EU institutional level, a €180 million sovereign cloud framework contract was awarded to a consortium of European providers — OVHcloud, STACKIT, and others — to host EU institution workloads. The European Commission has a formal Open Source Strategy. France, Germany, Italy, and the Netherlands are pooling resources through a mechanism called Digital Commons EDIC to fund critical open-source alternatives in AI, cloud, and cybersecurity.
None of this is a wrapper over American software. It is a parallel stack being built, piece by piece, to replace it.
The Architecture: What “EuroStack” Actually Means
The conceptual framework for what Europe is building is sometimes called EuroStack. It is not a product. It is a vision for a layered, sovereign digital infrastructure that Europeans would control at every meaningful level.
At the bottom is connectivity — 5G networks and strategic communications infrastructure. Above that is cloud and compute, operated by European providers under EU law. Above that are shared data spaces, designed so European industries can exchange data without routing it through American platforms. Above that are AI and digital services. At the top, eventually, are semiconductors — the physical chips that make all of it run.
The procurement logic is deliberate: for sensitive public workloads, European providers get preference. For everything else, open standards and interoperability so Europe is not locked into any single vendor, domestic or foreign.
Gaia-X is the federated governance model layered over the cloud portion of this. A French hospital and a German manufacturer should be able to share data through a trusted framework with common standards, certified providers, and European legal grounding — not through AWS or Azure. Gaia-X has critics, and the criticism is partly fair. The framework has been slow, the governance has been messy, and U.S. hyperscalers have managed to insert themselves into parts of the project. But the underlying concept — federated, interoperable, European-governed cloud infrastructure — is not going away.
France’s SecNumCloud certification is the enforcement mechanism at the national level. To be certified SecNumCloud, a cloud provider cannot be owned by, or subject to legal demands from, a non-European government. U.S. hyperscalers cannot currently obtain this certification. For sensitive French government data, that means only genuinely European providers qualify.
The AI Layer: Where It Gets Existential
Replacing office software and email is meaningful but manageable. AI is the harder, higher-stakes layer of the same problem — and European policymakers know it.
The argument is simple. You cannot claim digital sovereignty if your AI systems are running on American foundation models, processed on American cloud infrastructure, trained on data that flows through American pipelines, and governed by American terms of service. The intelligence layer of modern digital operations is increasingly AI. If that layer is foreign, the sovereignty of everything underneath it is illusory.
This is why Europe is treating AI as the next front in the same sovereignty fight — and why the investment numbers are staggering relative to what was spent on office software replacement.
The compute side of the answer requires a scale of physical capital that most people do not appreciate when they hear about it in policy announcements. We are talking about purpose-built supercomputing facilities, industrial-scale data centers housing hundreds of thousands of next-generation AI chips, dedicated funding in the tens of billions of euros, and the land, power grid capacity, cooling infrastructure, and engineering workforce to run all of it. Europe is trying to build this from scratch in a timeframe measured in years, not decades, while American and Chinese AI infrastructure continues to expand. That is the actual weight of what compute sovereignty demands.
On the model side, Mistral AI is France’s answer to the American AI giants. Mistral has produced open-weight models, secured government framework contracts, partnered with SAP and Dassault Systèmes, and is pushing sovereign deployment options that allow European institutions to run its models on European infrastructure under European law. Aleph Alpha has been Germany’s equivalent for enterprise and government AI.
OpenEuroLLM is a consortium of roughly 20 European partners building transparent, multilingual models across all 24 EU languages, with access to over 10 million GPU hours on EuroHPC systems. This is a public-interest AI project, not a commercial one — which is exactly the point. Some things cannot wait for the market to deliver them.
The AI Act is the regulatory side of all of this, and it is being undersold by everyone who frames it only as a compliance burden. The AI Act creates documentation, transparency, risk-management, and human-oversight requirements for high-risk AI systems. It creates transparency and accountability obligations for general-purpose AI models. Access to the European market — 450 million people — now comes with strings attached. The strings are designed to look like European strings.
This is the Brussels Effect in action, and it is more aggressive than it looks. Europe cannot out-invest the United States in AI. But it can set rules for its own market that effectively force everyone who wants to operate there — OpenAI, Google, Meta — to meet European standards. And when companies meet European standards, those standards spread because it is easier to build one product than two.
More importantly, compliance with EU AI standards is not just a paperwork exercise. Transparency requirements constrain how models can be deployed. Documentation mandates expose what data was used and how. Human-oversight rules limit automated decision-making in ways that cut directly against the business models of American AI platforms. When an American company has to meet these requirements to access 450 million European consumers, it cannot run the same opaque pipeline in Europe that it runs everywhere else. That is a direct neutralization of the leverage that comes with controlling the model. The regulatory strategy is, at its core, a power strategy.
The Countries Doing It
France is the most aggressive. The scope of what France is attempting — millions of civil servants moved off American platforms, sensitive health data migrated to domestic cloud, a sovereign videoconferencing system built from scratch, serious investment in Mistral and French AI infrastructure — is without parallel in scale and ambition.
Germany is the most methodical. Schleswig-Holstein is the flagship because it is actually being executed, not just announced. The openDesk project combines Nextcloud, OpenProject, XWiki, and other open tools into a modular government collaboration environment. The “Deutschland-Stack” concept frames open source and national data storage as matters of industrial strategy.
The Austrian military moved from Microsoft Office to LibreOffice for exactly the reason you would expect: it did not want a foreign company controlling the software environment for sensitive defense documentation.
Denmark is following the German example. Italy has regions and cities running free office suites. Estonia is conducting feasibility studies on reducing U.S. tech dependency. The Netherlands is formally pushing for coordinated EU action on cloud sovereignty. The European Parliament made a point of switching its search engine.
None of this is uniform. None of it is complete. The notes I drew from contain an honest acknowledgment that even France — the most aggressive mover — still has its domestic intelligence agency running Palantir contracts. The gap between sovereignty ambition and operational dependency is real. But the direction is unmistakable.
The Problems Are Real
I am not writing a press release for European tech nationalism. The challenges are genuine and some of them are serious.
The usability gap is probably the biggest short-term obstacle. Government employees trained on Microsoft Office for twenty years do not switch to LibreOffice happily or without friction. Document compatibility — especially complex spreadsheets, macros, and legacy formatting — breaks during migration in ways that are expensive and time-consuming to fix. Change management at the scale of national governments is brutally difficult.
The cloud capability gap is the medium-term structural problem. OVHcloud, Scaleway, STACKIT, and Hetzner are real companies providing real services. They are not AWS. They do not have the global footprint, the breadth of AI-native services, the developer tooling, or the enterprise sales infrastructure. For standard government workloads, the gap is manageable. For cutting-edge AI infrastructure, the gap is significant and the European public investment needed to close it is enormous.
The fragmentation risk is the existential one for the European project specifically. Twelve different national sovereignty stacks that cannot interoperate are not sovereignty — they are twelve different silos, and they undermine the single market that makes Europe economically powerful in the first place. The whole point of EuroStack, Gaia-X, and federated cloud governance is to avoid this outcome. Whether the institutional coordination required to actually achieve it is possible across 27 member states with different governments, different procurement rules, and different risk tolerances is an open question.
The funding question is the hardest. One set of estimates in the research suggests that genuinely competitive European AI may require €34 to €114 billion annually. The announced European public investments, while significant, are a starting point rather than a complete answer. Without private capital following public investment at scale, the build-out stalls.
And sovereignty theater is a real risk. Hosting data in a European data center that is operationally controlled by an American company, running American software, under American cloud management planes, is not sovereignty. It is liability management with European branding. Some of what gets called “sovereign cloud” in Europe falls into this category, and it is worth saying so plainly.
The Unresolved Question
The fundamental question at the center of all of this is whether Europe can turn political will into operational capacity before the dependence deepens further.
AI is accelerating. Every month that European public-sector and industrial workloads run on American foundation models, American cloud infrastructure, and American AI pipelines, the switching costs grow. Technical lock-in compounds. The data that trains the next generation of models flows to the platforms that already have the most data. The gap between where Europe is and where it needs to be to have genuine alternatives does not shrink naturally. It widens.
The window for building a parallel stack is not indefinitely open. This is why the pace matters as much as the direction.
Europe has the regulatory tools, the political doctrine, the institutional frameworks, the industrial champions in early stages, and the public demand for change. What it has historically lacked is the coordination to execute at speed and the capital to do it at scale.
What is different now is that the geopolitical environment has made the cost of inaction visible in a way it was not five years ago. The ICC email incident is one data point. But the larger context is a Washington that has spent the past several years making explicit what was previously implicit: that technology access, trade relationships, and alliance commitments are not guaranteed, they are negotiable, and they can be weaponized. Tariff threats deployed against allies. Export controls used not just against adversaries but as leverage in bilateral negotiations. Platform access treated as a bargaining chip. An American president who openly frames relationships with European partners in transactional terms and has shown no reluctance to pressure them. When Washington operates this way, European dependency on American digital infrastructure stops being an abstract vulnerability and becomes a concrete political liability that every European government has to account for.
That is the force behind this pivot. It is not primarily about open source, or procurement rules, or even AI strategy. It is about the uncomfortable realization, arrived at slowly across multiple European governments, that you cannot be sovereign in the twenty-first century if the infrastructure of your state runs on someone else’s servers, under someone else’s law, at someone else’s discretion.
The European response is imperfect, incomplete, and in some places more symbolic than structural. But it is real. And it is accelerating.