EU sovereignty push gives tech buyers a new alphabet soup to swallow

Gartner has warned that the EU's plans to triple datacenter capacity in Europe over the next five to seven years will add complexity for public sector tech buyers.

The sweeping plans, which encompass sovereign cloud, AI, microprocessors, and open source, will have ramifications for EU tech supply chains and beyond if they get through the legislative process.

In the European Technological Sovereignty Package launched last week, the European Commission sought to strengthen its digital autonomy.

Commission President Ursula von der Leyen said: "We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable, and our services secure. This is about protecting our citizens, defending our interests, and making our own choices."

The backdrop to the EU's action is widespread concern about European providers only offering around 15 percent of cloud infrastructure in the region, with the dominant American providers subject to US jurisdiction.

The risks were spelled out when US sanctions on International Criminal Court (ICC) prosecutor Karim Khan led to his Microsoft services being suspended. Microsoft denied responsibility, saying it was the ICC's decision. The Dutch press later reported that the decision was made under duress after Microsoft pointed out that its obligations under the sanctions meant it would have to cut off service to the entire organization unless the ICC removed Khan's access.

European concerns over reliance on hyperscalers also stem from the US CLOUD Act of 2018, which allows American authorities to compel US-based tech companies to provide requested data, regardless of where that data is stored globally. In June 2025, Microsoft admitted under oath in a French court that it couldn't guarantee digital sovereignty if American authorities demanded access to data held on Microsoft servers on foreign soil.

The EU's plan – a set of laws and policies – "creates a transparent, non-discriminatory blueprint for digital autonomy that allows the EU to build resilient, sovereign tech infrastructures at home while providing a trusted, legally sound model for international partnerships and multilateral governance abroad."

However, public sector CIOs across Europe are likely to find the Technological Sovereignty Package a challenge to implement.

The EU proposes bringing the nebulous concept of "digital sovereignty" to life with an auditable, four-level control system. Union Assurance Levels (UALs), as the political and economic bloc calls it, will be based on where the user organization sits across cumulative measures of control, jurisdiction, data processing, supply chain, and security.

"The introduction of UALs will likely cause confusion for providers and buyers, as it adds to an already crowded landscape of existing cloud sovereignty criteria," according to Gartner.

UALs are set to become legally enforceable under the Cloud and AI Development Act (CADA), and for public sector tech leaders they will add to an alphabet soup of existing rules and recommendations.

These include the European Cybersecurity Certification Framework's Sovereignty Effectiveness Assurance Levels (SEAL), a non-binding framework for scoring and selection; the German Federal Office for Information Security's (BSI) Cloud Computing Autonomy (C3A) policy, also currently non-binding; and France's SecNumCloud, an ANSSI binding certification scheme for government procurement.

The new rules mean government CIOs should think about their cloud-based data workloads, digital infrastructure, and core applications not in terms of physical territories, but as defined by legal jurisdiction, Gartner recommends.

EU boost for open source

Another big chunk of the EU's escape plan is based on promoting open source software. The new Open Source Strategy aims to scale up open source alternatives in cloud, AI, internet technologies, cybersecurity, and semiconductors. The EU plans to invest in skills, support open source startups, and improve the long-term maintenance and security of Europe's open source digital infrastructure.

The strategy also introduces procurement guidelines and best practices to support greater use of open source alternatives to proprietary software in the public sector stack.

In a separate paper, Gartner says the EU's approach to open source IT services is a fundamental shift. No longer is open source only about cost and innovation. For the EU, it becomes "a mechanism to ensure transparency, auditability, and independence from external control, increasingly supported by EU-led efforts to fund and sustain critical open source components, including their long-term maintenance and security."

As a result, the market needs to respond. "Rather than being selectively adopted, open source components will increasingly underpin core platform layers, particularly in sovereign environments," Gartner said. "This requires a move toward industrialized open source capabilities, including governance, security, long-term support, and integration into enterprise-grade delivery models, in line with emerging EU initiatives to ensure their sustained funding and resilience."

The last lever the EU wants to pull to rid itself of US-dominated tech comes in the form of a revamped Chips Act, first created to strengthen Europe's research and innovation capacity in semiconductors. It is not to be confused with the US CHIPS and Science Act, which in 2022 allocated a $52.7 billion federal package to boost the American semiconductor industry and reduce reliance on East Asian vendors.

The Chips Act 2.0 includes measures to end Europe's reliance on the rest of the world for advanced chips – below 10 nanometers – by prioritizing facilities in the EU. It promises to cut red tape and simplify state aid applications for building chip factories, thereby accelerating development. The EU also plans to join up support between R&D and manufacturing.

Taken together, the Technological Sovereignty Package is the EU's first concrete attempt to implement outwardly focused regulations governing public sector technology procurement, Gartner said.

"By leveraging common definitions of digital sovereignty, future public sector procurement will shift from purely open competition toward a 'European preference' model for highly secure workloads.

"The legislation's focus on chips, datacenters, cloud, AI, and open source establishes a comprehensive 'stacks' view of digital sovereignty as formal EU policy. This shift will trigger a second wave of governments to heavily prioritize European digital sovereignty, following early leaders like France, Germany, and the Netherlands."

Before they are adopted and come into force, the proposals will have to be negotiated by the European Parliament and the Council of the European Union. In the process, they are bound to provoke the US tech industry, and likely the Trump administration.

However, the EU has mostly stood by plans for various legislation under the Digital Services Act and Digital Markets Act, meting out rulings and fines. Provided it does the same with the new sovereignty package, suppliers will have to respond to a complete reshaping of tech buying across Europe's public sector.

How this stimulates the supply market might change the calculus for all tech buyers throughout Europe and beyond. ®