Why Europe Is Drawing Its Own Digital Borders & What That Means for Your Business

For a decade, “data sovereignty” was the kind of phrase that lived in white papers and policy debates. In 2026, it has moved into procurement contracts, board agendas, and IT roadmaps across Europe.

As of the date of this post, on 3 June 2026, the European Commission is expected to release its Tech Sovereignty Package — the latest in a string of moves designed to reduce Europe’s reliance on foreign technology providers. It joins a regulatory environment that has quietly become one of the most consequential shifts in enterprise IT in years: the EU Data Act now in active application, NIS2 entering its first real enforcement cycle, GDPR fines climbing past €7.1 billion cumulatively, and a Cloud Sovereignty Framework that scores providers on eight separate criteria, including legal jurisdiction and operational control.

If you run IT, security, or operations for a business that touches Europe — whether you’re headquartered in Berlin, Boston, or anywhere in between — this is the year the conversation stops being theoretical.

What changes with the Tech Sovereignty Package?

For most of the cloud era, “where the data lives” was treated as a deployment detail. Pick a region close to your users, satisfy GDPR by checking a few boxes, and move on. Meanwhile, the architecture of the modern enterprise — SaaS apps, public cloud, managed services — quietly outsourced more and more of the decision-making to a small number of very large, very American providers. As of 2025, three US hyperscalers held roughly 70% of the European cloud infrastructure market. European providers held about 15%.

However, the scales have begun to tilt in Europe for a few reasons, and the regulatory floor has been raised.

The EU Data Act, which was enacted on 12 September 2025, challenges cloud providers operating in the EU to support customer switching and to actively block unlawful access requests from non-EU governments.

NIS2 has expanded the definition of “essential” and “important” entities across sectors from energy to digital infrastructure, with penalties of up to €10 million or 2% of global turnover and personal accountability for senior management. The Commission is now openly considering further curbs on US cloud providers handling sensitive government data.

The political climate has shifted. European institutions are no longer treating dependence on foreign tech as an inconvenience to be managed — they are treating it as a strategic vulnerability to be reduced. The European Commission launched a €180 million sovereign cloud procurement tender in October 2025. The EuroStack initiative — backed by industry, member states, and EU institutions — has put a number on the ambition: roughly €300 billion of investment by 2035 to build a sovereign European digital infrastructure spanning cloud, compute, AI, semiconductors, and networks.

Private capital is moving with this change, too. For example, Lidl’s parent company, Schwarz Gruppe, has invested €11 billion in STACKIT, its own European cloud provider. Gartner projects global sovereign cloud spending will hit $80 billion in 2026, with European spending growing 83% year over year. These are not insignificant figures, for Europe or for the world as a whole.

Why this matters beyond Europe

It would be a mistake to read this as “an EU problem.” Three things make it everyone’s problem.

First, the regulations are extraterritorial. The EU Data Act applies to any business offering cloud or data processing services in the EU, regardless of where the company is headquartered. GDPR has worked this way for years, but NIS2 sweeps in supply chain partners as well. If you serve European customers, you are inside the regulatory perimeter, whether you have an office in Europe or not.

Second, European procurement is starting to demand sovereignty as a feature rather than a marketing claim. The Cloud Sovereignty Framework scores providers across eight dimensions, including legal jurisdiction, operational control, and supply chain transparency, among others. Vendors who cannot meaningfully answer those questions are increasingly being filtered out before the conversation even starts. And so-called “sovereignty washing” — the practice of relabeling existing services with a sovereign sticker — is being called out by European cloud operators and regulators alike.

Third, the legal foundation underneath transatlantic data transfers remains visibly fragile. The EU-US Data Privacy Framework survived its first major challenge in September 2025, but a second case is pending at the Court of Justice, FISA Section 702 is scheduled to sunset on 20 April 2026, and privacy advocates have publicly committed to bringing what is widely expected to be a “Schrems III” challenge. Any architecture built on the assumption that adequacy decisions are permanent is building on sand.

The question every business should be asking

The sovereignty conversation is often framed as cloud vs. cloud: do you run on AWS or on a European hyperscaler? That framing is too narrow.

Sovereignty is not a vendor logo. It is a property of your architecture — who can compel access to your data, where your keys live, what happens if a provider is acquired, deprecated, or subjected to a foreign legal order.

That lens applies to every layer of your stack, including ones that are easy to overlook. Identity. Secure remote access. The network plane that connects your offices, your cloud workloads, your remote workforce, and your partners.

Many businesses have done thoughtful work on their data layer and almost no work on the access layer. They have spent two years tightening GDPR controls on their customer database, then route every employee connection through a SaaS VPN whose control plane lives in a US data center under US jurisdiction.

You cannot have a sovereign data strategy without a sovereign access strategy.

What we’ll cover next

In the next post in this series, we’ll dig into the specific risks of running European operations on US-dependent infrastructure — the CLOUD Act and how it cuts across GDPR, the NIS2 implications of opaque supply chains, and the concentration risk that the past two years of hyperscaler outages have made impossible to ignore.

In the third post, we’ll look at what a sovereignty-aligned architecture actually looks like in practice, and where a self-hosted VPN like Access Server fits into that picture — not as a checkbox, but as one of the few points in the stack where you can genuinely take back control without rebuilding everything from scratch.

For now, the takeaway is simple. The European market is no longer asking “are you compliant?” It is asking “are you in control?” Those are two very different questions, and 2026 is the year a lot of businesses are going to discover the difference.
