Europe’s new Cloud and AI Development Act signals a decisive shift in the digital sovereignty debate—from broad policy ambition to an operational framework for resilience, autonomy and trusted cloud adoption.
At its core, the European Commission’s proposal reflects a clear judgment: Cloud and AI infrastructure are now strategic assets. They underpin not just economic competitiveness, but also public-sector continuity, national security and societal resilience. Against that backdrop, reducing excessive dependence on a small number of non‑EU providers is a legitimate and understandable policy objective.
However, the question is not whether Europe should pursue greater technological autonomy. The question is how to implement it in a way that is proportionate, effective and aligned with the realities of modern technology ecosystems. Protectionist policies are also not new; the balance between open and closed has played out for as long as countries have been trading. The question is not whether those trade-offs exist, but whether participants are prepared to absorb them.
Europe has a strong case for investing in its own digital capacity. Expanding domestic cloud infrastructure, strengthening AI capabilities, supporting open-source adoption and reducing lock-in dependencies are all constructive steps toward long-term resilience and competitiveness.
Sovereignty is a worthwhile goal, but not all strategies are equal
One of the most important contributions of the proposal is that it moves the debate beyond simplified assumptions about sovereignty.
Sovereignty cannot be reduced to where data is stored, nor can it be equated solely with cybersecurity compliance. Data location and security controls are critical, but they are only part of the picture. True operational autonomy also depends on who ultimately controls the service, how it is governed, whether it can be maintained under geopolitical stress, and how dependency risks are managed over time.
This broader framing reflects the realities of an increasingly complex threat environment. Governments are not only concerned about unauthorized access to data, but also about continuity of service, supply-chain resilience, and the potential for disruption arising from geopolitical events, sanctions or external coercion.
Recognizing these dimensions allows for a more sophisticated policy discussion—one focused not only on theoretical risks, but on the practical ability to operate critical systems reliably under adverse conditions.
Cooperation among allied economies will remain essential to addressing shared challenges—particularly as cyber threats become more sophisticated and globally coordinated. The master variable should be implementing policies that help enable domestic ecosystems to grow (investments in skills and infrastructure, for example) rather than constraining user choice. The distinction may feel subtle, but governments aren’t merely setting guardrails with some of these rules. They’re—either intentionally or incidentally—limiting the available technology in their jurisdictions.
An important subtext is that the effectiveness of security measures scales with the availability of innovative tools—so it’s critical governments don’t wall themselves off from leveraging the most advanced cybersecurity defenses, especially as global threats become infinitely more sophisticated.
Preparing for Frontier AI models, for instance–including all the necessary cyber defenses that governments, industry, and individual users will need to protect themselves from malicious actors—will require extensive cooperation and unprecedented collaboration between policymakers and companies with the highest capabilities.
It would be unfortunate if enterprises were faced with the choice of either complying with evolving sovereignty constraints or partnering with providers with the most-relevant solutions and best-fit technologies. The impact of these Frontier models won’t stop at national borders. Access to the best tech to manage risk will serve everyone better than going alone.
The AI race increasingly rewards scale—including access to talent, capital, data, compute, customers, and research ecosystems. Regulatory structures that unintentionally fragment those networks may slow innovation precisely when global competition is accelerating.
Especially for democratic allies, it’s critical that domestic regulatory regimes don’t prevent European organizations from benefitting from advances made by American technologists. But it’s not just the United States. It’s critical Europe can seamlessly access solutions being produced in Canada, Australia, Japan, and so forth. As adversarial nations increasingly work together to improve their cyber offenses, it’s even more critical that allied nations have the regulatory infrastructure for more cohesive defenses.
This isn’t to say there won’t be disagreements or localized preferences—but that these disagreements shouldn’t prevent us from jointly addressing fundamentally shared security interests. Countries can disagree on particulars, but on the fundamentals: security policy, digital infrastructure, and resilience, it’s vital we’re working together and sharing resources.
Government and industry must work together
Regardless of the specific policy debates within the digital sovereignty space, there’s a more important question of who should be invited to the debate in the first place. As technology and geopolitics increasingly collide, it is mission critical that policymakers and companies are grappling with these challenges together and working in good faith. Private industry, especially the technology sector, is now being pulled into geopolitical dynamics and domestic politics it did not create but must nonetheless navigate.
We saw this play out firsthand last week, when the Netherlands’ Minister of Digital Sovereignty took the step of prohibiting Kyndryl from acquiring secure managed cloud services provider Solvinity. We shared how our security protocols could help keep citizens’ data private and secure, and how we could bring modern security and resiliency strategies to the company’s operations. Despite these efforts, we were caught in a geopolitical dynamic over which we had no control; our technological case was strong, but the decision ultimately wasn’t about capability.
Global providers like Kyndryl, with thousands of security experts, have the unique advantage by having relationships with technology partners and regulators across many jurisdictions, along with the experience of working in mission-critical estates that cross borders. A technology partner can enforce sovereignty through sheer technical means, not just promises.
If a US-headquartered vendor can be legally ordered to hand over your data, and even if the vendor loses its appeal, if that data is encrypted with keys they don't hold, neither they, nor the government that requested it, can access it. The most durable form of data security isn't a corporate pledge or a regulatory provision—it's cryptography.
As the Commission’s package moves through the legislative process, the key task will be calibration. If Europe gets that balance right, the Cloud and AI Development Act could become a powerful foundation for both resilience and competitiveness—strengthening domestic capacity while maintaining openness, interoperability and cooperation with trusted partners.
Kyndryl supports that goal. Europe’s sovereignty agenda is real, legitimate and increasingly unavoidable. The opportunity now is to implement it in a way that strengthens Europe’s digital future while preserving openness, interoperability and trusted cooperation across allied ecosystems.
