digital sovereignty – The European Commission unveiled a sweeping European Technological Sovereignty Package in Brussels on June 3, 2026—complete with a Chips Act, a Cloud and AI Development Act, and an Open Source Strategy. Yet a survey of IT leaders suggests the biggest gap may b
On June 3, 2026, in Brussels, the European Commission rolled out its European Technological Sovereignty Package—and the message landed with urgency.
European Commission President Ursula Von der Leyen warned the EU “cannot afford to depend on others for the technologies that keep our hospitals running. our energy grids stable and our services secure.” She tied the proposal to more than industrial ambition. saying it was “about protecting our citizens. defending our interests and making our own choices.”.
The numbers she placed behind that argument are hard to ignore: the EU relies on suppliers outside its borders for more than 80% of its key digital products. services. infrastructure. and intellectual property. And the package is framed as more than a procurement issue. It treats digital dependence as a matter of strategic security and self-determination.
The package signals a shift in policy tools as well as intent. It introduces a new Chips Act, a Cloud and AI Development Act, and a full Open Source Strategy. The point is not just to increase spending. but to change the way the problem is handled—steering it away from the margins of buying decisions and toward the heart of strategic choice.
But the Commission’s framing doesn’t stop at national borders, and that’s where the tension begins. A company that runs on infrastructure. models. and platforms it cannot readily leave can end up in the same bind as a continent dependent on foreign suppliers—just on a smaller scale. The question is blunt: if technological dependence can threaten strategic autonomy at continental scale. why are so many companies doing so little to protect their own?.
That gap shows up in how companies actually behave. In a recent survey conducted by enterprise software firm SUSE, IT leaders in 98% of organizations called digital sovereignty a priority. Yet only 52% reported taking any action on it.
Even when action happens, the pattern is described as reactive rather than principled. When companies do move, it is rarely the principle of maintaining sovereignty that sets them in motion. Instead. sovereignty work often starts when circumstances force it—either because the cost of ignoring it finally shows up from within. or because customers demand it and those demands spread through the market.
In the financial services sector. the source of pressure is illustrated through a particular kind of pain: firms became heavy investors in open source technologies after years of steadily increasing IT bills tied to vendor lock-in. where companies found themselves locked into relationships with vendors with no easy route out.
For other companies. the trigger comes from outside—sometimes regulatory pressure. but more often because important customers set their own sovereignty demands. and those requirements ripple across the marketplace. In either case, the timing tends to be unfavorable. Reacting under time pressure. the reporting argues. is usually the least effective approach and becomes expensive twice over: in organizational disruption and in money.
There is a different path described—one that treats sovereignty as something you can buy with preparation rather than with emergency firefighting. A company that moves early can choose its own timing. survey the full range of options. and pick what fits best. A company forced to move on someone else’s schedule has less leverage. less optionality. and higher costs to bear in making the shift.
The idea is captured in the warning embedded in the reasoning: freedom of this kind is never free, but it is far cheaper bought now than paid for under duress later.
The concept itself is also harder than slogans make it sound. Before building a strategy. a company has to understand what digital sovereignty means—and the source says that is not straightforward. The term comes laden with many meanings. and confusion is compounded by vendors. who often locate sovereignty in whatever they happen to sell.
For some, sovereignty is framed as control over data. For others, it centers on who runs infrastructure or the programs behind software. Yet the underlying definition given here is that sovereignty isn’t a feature a buyer can simply purchase. At its highest level. it rests with the user: the capacity to understand what a system is doing. govern it. and change course when circumstances demand.
A product that looks sovereign today may not be sovereign tomorrow. What endures is whether the organization can still make and revise its own choices.
That is why adaptability sits at the center of the approach described: the ability to change your mind. drop a vendor or product. or alter strategic direction with minimum friction. Open source is presented as one tool that can help—but not as a complete solution. An organization can run an entirely open-source stack and still be trapped if it lacks the skills to manage that stack or migrate it.
The source also rejects the idea that sovereignty requires only open source. It argues that companies can build a sovereign posture on proprietary foundations through hard-won contract terms. guaranteed exit rights. portability designed in from the start. and deliberate multi-sourcing—while acknowledging each carries real cost and fragility.
Then comes the new stress point. Artificial intelligence raises the stakes for enterprise sovereignty because the dependencies AI creates can run deeper than those created by other kinds of technology. The behavior of an AI model is not written in code that can be read and edited; it is trained into the model’s weights. Operating or licensing a model. the reporting says. confers far less authority over how it actually behaves than operating a traditional piece of software once did.
The difficulty grows as AI moves inward into how organizations analyze, weigh options, and decide. The source describes this as lock-in beyond contractual cost. with the potential to erode the capacity to judge whether exit is warranted at all. The faculty a company would use to assess its dependence is the same faculty the dependence can absorb.
And yet the adoption trend runs in the opposite direction for many organizations. Most are leaning into dependence rather than guarding against it. When additional budget becomes available. it tends to go toward implementing new AI capabilities instead of managing the dependencies the existing capabilities already create. The gap between recognizing risk and acting on it is described as not closing—and widening fastest where the stakes are highest.
The proposed response is practical, organized around action before pressure forces decisions. The first step is to map what cannot be easily left: identify which systems. models. and providers are so woven into operations that leaving would be slow. expensive. or impossible. because you cannot manage an exposure you have never identified.
The second is to make exit a design requirement. not an afterthought—securing exit planning before committing. building exit planning into contracts and architecture from the start. including guaranteed exit rights. data portability. and avoiding single points of dependence. The absence of an exit is framed as a cost, even when the system still works well.
The third is to invest in the capacity to judge, not only the tools to run. Sovereignty is described as resting with the user. which depends on people who can evaluate what a system does. weigh alternatives. and operate what they own. Outsourcing that judgment entirely creates dependence regardless of contracts.
The fourth is to treat AI dependence as different in kind. Because a model’s values aren’t readable from source code the way software once was, the choice of model becomes a governance decision that must be interrogated before deployment—when leverage still exists—rather than discovered afterward.
In the end. Europe’s Technological Sovereignty Package functions as a signal that technological dependence has become a question of self-determination. But the source also flags what it calls a mismatch: the resources committed come nowhere near the scale of the problem named. and for most companies. the binding rules will never apply at all. That shifts the responsibility inward.
The bulk of the work, the reporting concludes, falls to business leaders, not lawmakers—especially for companies that appear to recognize sovereignty as a priority long before they treat it as a practice.
European Technological Sovereignty Package Ursula von der Leyen Chips Act Cloud and AI Development Act Open Source Strategy digital sovereignty SUSE survey AI dependence vendor lock-in enterprise IT leaders exit rights data portability
So it’s basically “buy European”?
80% from outside sounds crazy but also who even knows what’s European anymore with chips. They say it’s for hospitals and energy grids like that’s gonna magically fix shortages.
This is what happens when companies stay “passive”?? Like they’re admitting they can’t force anyone to do anything. Also “open source strategy” sounds good but I feel like it’ll just become another paperwork thing and then we still depend on the same places.
Wait, so the EU is trying to make their own AI and cloud so they don’t rely on the US? But isn’t the whole internet already kinda built on US tech anyway? I’m confused how you do “digital sovereignty” when everything runs through AWS or whatever. Also the headline says companies stay passive, so who’s actually doing the work, politicians?