The European Commission is entrenching US hyperscaler dominance and calling it digital sovereignty.

When Washington sanctioned Beti Hohler, a Slovenian judge at the International Criminal Court, her credit cards, her Apple account, her Amazon account, and her PayPal vanished overnight. The sanctions were political. The infrastructure that made them instantaneous was American. That dependence is the problem the Commission’s new digital sovereignty package claims to solve. The package does not solve it. It codifies it.

It is true that the threat is real. The Trump administration has already used Elon Musk’s control of Starlink and X to tilt the war in Ukraine and to shape European public debate. The US government has ordered Anthropic to limit foreign access to its AI models on security grounds. Washington could, in the next trade dispute, throttle Europe’s access to advanced chips or turn the cloud infrastructure that runs European government IT into a surveillance and coercion tool. The Commission deserves credit for naming this vulnerability. The trouble, as any engineer who has ever read a procurement specification can tell you, is in what it built as a response.

The centrepiece is the Cloud and AI Development Act — Cada — which would rank cloud providers by “sovereignty assurance level,” a tiered system under which the most sensitive government operations would be reserved for providers meeting the highest sovereignty standards. At that top tier, US big tech would be barred from bidding. The problem is that the scope of the bar matters more than its existence. The highest tier applies only to a narrow sliver of public‑sector cloud spending. The rest of the government cloud market — the vast bulk of it — remains open to Amazon Web Services, Microsoft Azure, and Google Cloud, with a “sovereignty” label that functions as a marketing advantage for the incumbents rather than a competitive handicap.

That narrow scope is paired with a delegation of enforcement to individual EU governments, many of which have powerful incentives to implement the rules weakly. Ireland’s decade of General Data Protection Regulation underenforcement is not a cautionary tale. It is the precedent. Ireland’s status as the EU jurisdiction whose tax base is structurally tied to the European operations of Apple, Google, Meta, and Microsoft — the same low corporate-tax regime that attracted those subsidiaries — means the regulator does not need to be corrupt to underenforce. The incentive architecture does the work. The Commission spent years litigating Ireland’s failure to collect €13 billion in back taxes from Apple and won the judgment. Ireland’s enforcement culture did not change. Delegating sovereignty enforcement to the same incentive structure is not a design oversight. It is a documented failure mode being replicated by the institution that documented the failure.

The data‑centre acceleration zones expose a different deficiency. Cada requires every EU country to set up zones in which local authorities must approve data‑centre applications within twelve months, watering down environmental and planning reviews to hit the deadline. The Commission’s own impact assessment includes no criteria on company size or nationality. The zones will be open, on the same terms, to a French cloud startup and to Amazon Web Services. But Amazon’s planned capital expenditure of $200 billion in 2026 dwarfs that of any European startup. An acceleration zone without a nationality preference is a fast‑track permitting regime for the companies that already own the market. It is the data‑centre equivalent of a factory manager putting up a “locally owned” sign while leasing the same floor space to the same multinational that controls the supply chain. The Selkirk mill had a version of that sign after Gerdau acquired it in 1995. The sign stayed; the profits went to Porto Alegre.

The distinction that matters is the one between servers on European soil and infrastructure under European control. A data centre in Frankfurt owned by Amazon Web Services is not European infrastructure. It is American infrastructure physically located in Europe, subject to American corporate governance, American legal process, and — as Hohler’s ordeal and the recent scrutiny of Palantir’s NHS contract by British MPs both demonstrate — American political instruction. Ownership determines who sets the terms. The cloud lock‑in mechanism is not mysterious. It rests on three legs: data‑egress fees that make moving terabytes punishingly expensive, proprietary APIs that turn applications into hostages, and the network effects of a marketplace that make leaving feel like an amputation. The Commission’s ranking system leaves all three untouched. A government that moves its workloads into the highest assurance tier will still face the same egress fees if it ever wants to leave. The APIs will still be proprietary. The marketplace will still be owned by the same three American firms whose combined share of European cloud spending already exceeds two‑thirds. The sovereignty package does not break the lock‑in; it gives the lock‑in a government seal.

On AI, the Commission abandons even the pretense of an independent vision. Rather than establishing what careful, evidence‑based AI adoption would look like — where the technology is genuinely useful, what its limitations are, what harms it produces, and how to minimize them — the strategy simply adopts the Silicon Valley line that AI is an end in itself and must be deployed as quickly as possible. The plan to triple Europe’s data‑centre capacity in five to seven years, driven by the same acceleration zones, is justified by the imperative to “catch up” with the US. It is the same argument every hyperscaler uses on its earnings calls, repackaged as Commission policy. The contrast with Pope Leo’s recent encyclical — which argued that technological development without corresponding ethical progress yields “an increase in means without a growth in humanity” — is not a difference of tone. It is the difference between a sovereignty project and a procurement project.

The analytical frame is older than the technology. Harold Innis’s staples economy — the framework that described Canada’s political economy as shaped by the extraction of raw staples to metropolitan centres — maps onto Europe’s digital condition with uncomfortable precision. European citizens and governments generate the data. American companies collect, store, process, and monetise it through infrastructure they own, under terms they set, governed by laws written in Washington. The raw material is user data; the processing and monetisation happen in metropolitan jurisdictions; the periphery captures no rents. Europe is not a digital sovereign. It is a digital periphery, and the sovereignty package, as currently architected, does not reverse the direction of the flow.

Cory Doctorow’s four‑forces framework — the checklist of competition, regulation, interoperability, and labour power that historically constrained platform monopoly — offers a useful diagnostic. The sovereignty package addresses competition, partially, and regulation, nominally. It does essentially nothing on interoperability or labour. CADA mentions interoperability; what it does not contain is a binding mandate requiring US hyperscalers to expose data‑portable interfaces that would let European governments migrate providers without catastrophic switching costs. There is no programme to develop the European technical workforce genuine independence would demand. Genuine sovereignty would require interoperability mandates with enforcement teeth, a centralised enforcement authority insulated from the member‑state capture that has defined European digital regulation to date, and an AI policy beginning from European public‑interest objectives rather than Silicon Valley’s deployment imperative. The package delivers one and a half of these and calls it sovereignty.

The Canadian parallel is instructive, though not in a way that flatters Ottawa. Canada faces the same structural dependence: the CRTC has spent a decade attempting to regulate American streaming platforms under the Online Streaming Act with results that range from modest to embarrassing, and Parliament’s attempt to compel Meta to pay Canadian news publishers under the Online News Act resulted in Meta removing Canadian news from its platforms entirely — a sovereign act of defiance Ottawa had no infrastructure to counter. The dynamic is identical. A government discovers it wants sovereignty over digital infrastructure only after the infrastructure is already owned by someone else.

The public consultation on Cada is open. Hohler’s credit cards were cancelled in an afternoon. The sovereignty package took two years to draft and will take another three to implement. The gap between those two timelines is the gap between declaring sovereignty and possessing it. A European government that wants to understand what its digital infrastructure actually depends on need only ask what would happen if Washington decided, on any given Tuesday, to turn it off. The Commission’s own impact assessments contain the answer. The deadline is the only part of this process the hyperscalers respect. The Commission declined to build accordingly.