A Communication on the long-awaited EC Tech Sovereignty Package was leaked this week. A sprawling set of initiatives including the Cloud and AI Development Act (CADA), Chips Act 2.0, an Open Source Strategy, and an energy-sector roadmap. It is the most ambitious digital-industrial policy package Brussels ever produced. How does it fare? Europe, notoriously, endlessly admires its problems. Does this initiative move us forward?
We will be more definitive after the official launch next week, but for now some initial reactions from (some of) us in the Initiative.
The Good News: Brussels Finally Speaks OUR Sovereignty Language
The framing and tone are welcome, and align closely with EuroStack’s effort over the months. The Communication start with the recognition Europe is “structurally reliant on non-EU providers for over 80% of its digital products, services, infrastructure and intellectual property”, but directly echoes our focus on “growth” and capturing economic value along the stack as the main motivation – not just defensive “security” and “resilience”. It explicitly mentions “an accelerated shift in the EU’s posture from a reactive focus on resilience and risk mitigation to an assertive and proactive strategy”, based around building a “European technology stack” that “strengthens the EU’s capacity throughout the value chain”. AMEN. This is EuroStack’s pitch.
For cloud, the Communication explicitly names the risk of “sovereignty-washing” — the term EuroStack has been hammering for over a year — and proposes that CADA will “put an end to sovereignty-washing” by defining four tiers of cloud sovereignty services. We know hyperscalers’ “sovereign cloud” offerings amount to little more than data localisation theatre. The proposal to codify sovereignty levels – covering control over the service, control over the supply chain, data processing, infrastructure location, and cybersecurity – is a direct conceptual win for the sovereignty movement and EuroStack.
The Open Source Strategy is another bright spot. With its “public money, public code” principle, its open-source-first mandate for public cloud and AI procurement under CADA, and its goal of 30 million active users for European collaboration tools by 2030, it appears the Commission is finally treating open source as strategic infrastructure rather than a footnote. Europe’s 3 million open source contributors – and companies like Nextcloud, SUSE, Odoo, Mistral AI, and Arduino – now have a policy framework that explicitly recognises their strategic value.
Still Too Much “Supply Push,” Not Enough “Demand Pull”
The Communication still leans heavily toward the supply side. The package is full of yet more plans to build things: an advanced foundry for sub-3nm chips, more AI Gigafactories, expanded data centre capacity (a target to triple within 5–7 years), and new R&I funding programmes. These are necessary especially where capital requirements are large. But these are all supply-side subsidies, which is the usual Commission notion of “doing”. Building capacity is meaningless if European customers – starting with Europe’s own public sector – do not use that capacity.
In fairness the Communication does recognise the need to more proactively stimulate demand: “Demand Accelerators” in the Chips Act 2.0 with offtake agreements, public innovation procurement, and the sovereignty “risk assessments” under CADA. We would argue these remain too tentative and cautious. As feared, the kind of explicit, binding “Buy European” procurement mandate that EuroStack campaigned for is not there. A miss.
Eurostack’s position on this is unapologetic: sovereign European governments should commit at least 30% of their digital procurement budgets to European suppliers. Because without reference customers and scale, European products will never grow. Every other major technology power – the US, China, India – uses public procurement as a strategic lever. Europe still treats it as a neutral marketplace exercise, which in practice means entrenched incumbents win every time.
The Communication gestures toward this logic. It talks about “fostering the EU value added of public spending” and instructs Member States to conduct sovereignty risk assessments. But it stops short of mandating procurement preferences. And we know why: this is the escamotage to work around relentless hyperscalers threats that to explicitly adopt a European preference would amount to “Illegal discrimination”. We also know the origins of this nonsense: European rules include “no geographic discrimination” obligations because they were originally conceived to support the Single Market and avoid France buying only French, Germany German, etc. It is ironic these same rules are being weaponised by hyperscalers against Europe: “you would be flaunting your own rules if you adopted a European preference, see you in Luxembourg”. What is needed here is the courage to tell them to knock it off. Limited local preferences are legal as an industrial policy tool and we will defend them in every court of the land. Because without explicit demand signals, the supply-side investments risk becoming another generation of subsidised prototypes that never reach commercial scale. What the Communication is saying instead is “we will achieve a similar aim with less controversial means, adopting “objective” criteria hyperscalers cannot meet but also cannot challenge. Mmmh we will see about that.
More on CADA: Right Direction, Execution Risk
CADA is a major piece of the package, and it does appear to address a number of our concerns albeit indirectly with the four-tier sovereignty classification and the obligation for governments to assess which workloads require which sovereignty level. The open-source-first principle in public procurement, and the “grand challenge” to develop a complete European AI and cloud stack are also all measures the EuroStack community has advocated.
What about execution? The Commission estimates that expanding data centre capacity will require around €200 billion (mostly private money) by 2036, and the cloud R&I initiative needs about €2 billion over seven years at EU level. These are large numbers, but the real issue is whether the policy architecture will actually redirect spending away from AWS, Azure, and Google Cloud, or whether it will merely add a sovereignty compliance layer on top of continued American dominance.
Sovereignty cannot be “contracted away.” This remains foundational. As long as American companies remain subject to the CLOUD Act, no amount of data localisation, local partnerships, or corporate restructuring (like AWS creating EU-based subsidiaries) addresses the fundamental jurisdictional conflict. CADA’s four-level framework acknowledges this — but the devil is in how strictly Member States apply it, and whether the Commission issues guidelines with real teeth or merely advisory recommendations.
On the Chips Act 2.0: Ambition Meets Reality
The Chips Act 2.0’s proposal for a Union-based open foundry manufacturing at 3nm and below, with pilot production by 2030–2033, is on paper a bold bet. The estimated €120 billion in combined public and private investment through 2035 – including €30 billion for the advanced foundry alone – signals that the Commission understands the scale of the challenge.
We welcome the demand-side additions (the Accelerators, offtake agreements, and public innovation procurement), which were largely absent from the original Chips Act. However, without a major effort to ensure European customers actually buy European-designed and manufactured chips – rather than defaulting to TSMC or Samsung – any foundry risks becoming a prestige project rather than a commercial ecosystem. The inclusion of photonics and the emphasis on accelerating pilot line industrialisation are positive signals. But our fundamental test is always the same: does the policy create commercial customers, or just research capacity?
On the Open Source Strategy: Finally Strategic, But Underfunded?
The Open Source Strategy is where the Commission de facto channels EuroStack thinking. The “public money, public code” principle, the recognition that the EU spends €264 billion annually – mostly on US proprietary IT – and the commitment to building European alternatives across the stack (from RISC-V semiconductors to operating systems to AI models) are all things we campaigned for. We consistently championed open source as a strategic lever, noting that the open source community in Europe is enormous and incredibly capable. The Strategy’s plan to scale up the Open Internet Stack as a one-stop catalogue for European sovereign solutions, and its goal of using the EU Digital Identity ecosystem to broaden demand, would resonate with the EuroStack community.
The concern is again: demand by active procurement. The Communication estimates that €1 billion will need to be mobilised (public and private combined) over seven years for the full spectrum of open source measures. For context, the EU currently spends €264 billion per year on mostly American IT. A seven-year commitment of €1 billion – even if fully realised – is a rounding error compared to the scale of the dependency it aims to address. The EuroStack camp argues that open source deserves multiple orders of magnitude more, especially for maintenance of critical dependencies, security attestation, and scaling commercially viable European alternatives.
The proposed “Open Source Maintenance Instrument” and the strategic contingency programme for mirroring source code are welcome, but nearly half of all code commits in Europe come from small firms with fewer than 50 employees, which face structural barriers to scaling. Without significantly more dedicated funding and a genuine procurement preference that levels the playing field against entrenched proprietary vendors, these firms will continue to struggle.
The Bigger Picture: Industrial Policy vs. Regulatory Reflex
The deepest tension in the Communication is that Europe’s instinct is still to regulate first and build second. The package talks about “simplification” and “cutting red tape” – welcome moves – but the core architecture remains legislative. CADA is a regulation. The Chips Act 2.0 is a regulation. Even the Open Source Strategy operates through procurement rules, assessment frameworks, and compliance mechanisms.
The founding premise of EuroStack is that Europe needs an industrial strategy, not a regulatory one. The private sector must lead, governments must create demand through procurement, and capital must flow to European companies rather than evaporating into subsidy programmes that produce research prototypes. The Communication acknowledges this implicitly (it references the InvestAI programme, the Scale-up Europe Fund, and the European Competitiveness Fund), but the balance still tilts toward institutional architecture rather than market-making.
This said, the private sector needs to rise and do its thing NOW – not continue to hide behind the permanent default that “someone else (the Commission, the institutions) should be doing X”. Let’s see if this Communication spurs some adulting in the room, by our enterprise, private business and funders.
Overall: A Necessary Step, Not Yet the Destination
The Tech Sovereignty Package is a comprehensive attempt by the Commission to address Europe’s digital dependencies. It adopts a lot of EuroStack’s language, recognises the sovereignty-washing problem, puts open source at the centre, and for the first time combines demand-side and supply-side measures in a coherent framework.
It is promising but incomplete. The supply-side ambition is there. The demand-side muscle is not – at least not yet. Until Europe’s public sector stops spending the vast majority of its digital budget on American providers, and until “Buy European” becomes more than a slogan, the risk remains that this package will not do as much as it could and will join the long list of well-intentioned European strategies that never translated into commercial-scale European alternatives.
The next battle – in the European Parliament and the Council – will determine whether CADA’s sovereignty levels have real consequences, whether the Chips Act’s Demand Accelerators create genuine market pull, and whether the Open Source Strategy gets the funding it deserves. We will continue to push. And to kick the private sector to come out to play.
What’s your take — does this package go far enough to reverse Europe’s digital dependency? Let’s hear from those building European alternatives, procuring technology for public administrations, or investing in the European tech stack.
#EuroStack #TechSovereignty #CADA #ChipsAct #OpenSource #DigitalSovereignty #EuropeanTech #BuyEuropean #CloudSovereignty #EUPolicy
