EU Tech Sovereignty Package: Sovereignty as a prerequisite of openness in times of geopolitical shift

The package at a glance

Building on the 2023 version, the Chips Act 2.0 shifts focus from research to commercialisation. Despite the original Act’s intention to establish pilot lines and coordination structures within the EU, Europe remains almost entirely dependent on American and Asian suppliers for advanced chips below 5 nanometres, which is exactly the type needed for AI workloads. The new Act proposes the first EU open foundry for sub-3nm manufacturing, with pilot production planned for 2030-33. It also introduces “Demand Accelerators”, which will link chip producers to buyers through offtake agreements. This is crucial, as new factories will not stay solvent long enough to establish themselves without anchor customers.

CADA is related to the cloud and AI dimension of Europe’s tech sovereignty. Here, the key idea is that member states should assess which of their public-sector systems depend on foreign cloud, classify them by sovereignty level, and procure accordingly. The Regulation also aims to triple EU data centre capacity in the next 5-7 years, requiring around €200 billion in, mostly private, investment. In parallel, CADA introduces four cloud sovereignty tiers based on criteria linked to the control over the service and the supply chain, the processing of AI inference data, the location of the infrastructure and the level of cybersecurity.

Despite being the least discussed, the Strategy for an EU Open Digital Ecosystems is the most interesting part of the package. The EU currently funds open-source initiatives across sectors, such as the openEuroLLM project and the European Digital Identity Wallet, but without a coherent maintenance model. To fix this problem, the strategy proposes a new “Open-Source Maintenance Instrument” for sustained financial support, a “European Digital Public Infrastructure Foundation” to hold repository stewardship, and an open-source default for publicly funded R&D calls.

Finally, the Strategic Roadmap for Digitalisation and AI in Energy addresses what is arguably the Package’s biggest practical bottleneck: power. Data centre electricity demand in the EU is expected to more than triple by 2030, from roughly 10 GW to around 35 GW of installed capacity. The Roadmap sets out three pillars: integrating data centres into national grid planning through tripartite agreements between operators, public authorities, and energy parties; deploying AI across the energy system itself (for grid optimisation and demand-side flexibility); and establishing a rating scheme for data centre efficiency, covering energy efficiency, water efficiency, renewable energy use, and waste heat reuse.

Sovereignty and open source: where we think the thinking is right

The Commission’s strategy says explicitly that technological sovereignty “does not mean isolation, protectionism, or tech decoupling”. We fully agree with this premise, as sovereignty, in any serious sense, is the capacity to act freely. What matters, ultimately, is fair competition. In the digital realm, this means having the freedom to choose between providers, to switch without ruinous costs, and to keep sensitive workloads under domestic legal jurisdiction when that really matters, e.g. to protect trade secrets. Crucially, this does not automatically mean that foreign competition must be excluded from public tenders.

According to Anselm Küsters, expert for digitalisation at cep: “Sovereignty is a precondition for openness, not the opposite. If Europe cannot build and maintain at least some of its critical digital infrastructure itself, it loses the ability to negotiate with vendors but also with geopolitical rivals. Open-source ecosystems are central to this, because they give institutions and companies a way to build without capture. The Strategy for an EU Open Digital Ecosystems gets this right in principle. However, it is still unclear whether the envisioned funding model will hold across the full software lifecycle”.

The cloud debate is not finished

CADA’s sovereignty assessment framework can help public administrations in understanding their exposure. However, the problem is what might follow from this initial analysis. This can be seen from the debate over the EU Cloud Cybersecurity Certification Scheme (EUCS), which has stalled for years partly because member states and the Commission tried to embed contested political choices, such as data localisation and immunity from third-country law, inside a technical certification process. As cep has argued in previous work, the establishment of sovereignty requirements are legislative decisions that require proper parliamentary scrutiny, impact assessment, and a clear legal basis. Importing the flawed and merely unsuccessful cybersecurity related EUCS-approach wholesale into CADA would risk repeating the same mistake in a new vehicle. The current state of the AI-relevant cloud market does not justify sweeping procurement preferences: For instance, prices have fallen consistently over two decades, and most European firms today use multi-cloud strategies.

According to cep expert Philipp Eckhardt, economist in the Information Technologies department at cep: “The EUCS failed because the most contested choices were delegated to a technical body without the mandate or legitimacy to make them. CADA needs a clear legislative framework for any sovereignty requirements it introduces, one that distinguishes between truly sensitive systems of public sector entities and critical infrastructure operators, and the vast majority of cloud use cases where the priority should be competition, portability, and price”. He stresses that such a distinction is decisive for several reasons. First, establishing sovereignty requirements all over the place would only make public procurement more expensive and poses the risk of wasting taxpayers’ money. Second, it would add to a growing bureaucratic burden to bidding processes and, third, would risk creating further trade-offs between the very different procurement objectives. “Legitimate industrial policy should not override competition policy, particularly when European providers are themselves relying on foreign chips and software.”

Chips: the demand problem

The Commission acknowledges that the original Chips Act delivered well on research infrastructure but made “limited” progress on actual manufacturing autonomy. Given that European fabs face higher construction costs, slower permitting, and skill shortages relative to competitors in East Asia, a new Chips Act 2.0 must also address the issue of demand: Without large domestic customers for EU-designed and EU-manufactured chips, new production capacity will not be commercially viable in the short term. Matthias Kullas, semiconductor expert at cep, comments: “Given the current geopolitical situation, Europe needs to become more self-sufficient in chip production. The Chips Act II’s greater focus on demand for European chips could send the credible signal that investors need to commit to new factories. The challenge will be to address supply-side weaknesses in the medium term.”

Three recommendations for legislators

On Open Source: The “Maintenance Instrument” is the right idea, but the funding envelope, currently estimated by the Commission at €2 billion over seven years across public and private sources, is thin for a strategy that is supposed to replace €264 billion in annual proprietary IT spending. The Commission should tie funding explicitly to maintenance lifecycle obligations, not just project launches.

On CADA: Sovereignty risk assessments for public administrations can be a helpful exercise to deal with the current geo-political climate and increase European resilience. If companies and/or public administrations are required to comply with specific sovereignty criteria, such obligations should always be established by the legislature. Such requirements should not be delegated to implementing acts or certification systems. Furthermore, to strengthen Europe’s sovereignty in the digital field, the level of public procurement should only be used to a limited extent and be restricted to narrowly defined security-related areas.

On the Chips Act 2.0: The AI Gigafactories and Data Centre Acceleration Zones are only useful as anchor demand if procurement rules are written to back that up. Without binding preferences for EU-origin hardware where it exists and competes on quality, the investment case for new fabs in Europe remains fragile.

Conclusion

The Tech Sovereignty Package is, taken as a whole, the most coherent attempt the European Commission has made so far to address structural technology dependencies. That does not mean it is free of risk. Sovereignty pursued through procurement preferences and protectionist certification produces protected industries, not competitive ones. The EU had to experience this before in sectors from solar panels to steel. However, sovereignty is not an all-or-nothing choice between openness and self-sufficiency. When executed correctly, it involves developing dynamic capabilities, such as engineering talent, capital, and an industrial base, that enable Europe to compete on its own terms. A Europe that wins by excluding the competition has not solved its technology problems, it has merely postponed it. Europe’s ambition must be to be competitive on the basis of the quality of its technologies. This is, admittedly, a challenging goal – but the right one.