More than 13 years ago, when whistleblower Edward Snowden leaked thousands of classified documents revealing the US Government was running mass surveillance programmes, the heads of leading tech companies strongly denied any knowledge of the way their services were being used.
At the time, Javier Ruiz, Amnesty International’s UK lead for tech and digital policy, was working at the digital rights non-profit Open Rights Group. As the world came to grips with the massive breach of trust the Snowden leaks had created, the organisation was working closely with Google, Facebook and other tech companies on the fallout. “They themselves felt that they had been violated,” Ruiz explains.
So had the rest of the world, as revelations that the US had spied on world leaders, embassies and entire continents poured out of the files. Apologies and renewed commitments from the US to stop the extensive surveillance practices swiftly followed. As shocking as the revelations were, the US remained Europe’s strongest ally. The idea that US tech would be weaponised against Europe – in the same way legislators have come to fear how China could wield influence abroad via a company like Huawei – was still a decade away from reaching the mainstream agenda.
Now, as nationalist politics has taken over the political and economic direction of the US, historical allies have become warier of the extent to which US companies underpin the digital infrastructure – from data centres and software to digital public infrastructure – that their societies rely on. Developing a digital sovereignty strategy, once an idea talked about in the fringes of Brussels corridors by the more risk-prone legislators, has shot up the priority list.
Cultural resets in the pursuit of digital sovereignty
Despite the sense of urgency that is fuelling the current wave of interest in digital sovereignty, it is not the first time that countries have realised the importance of building domestic technological capabilities. In the early days of the internet, amid the buildout of fibre-optic cables, there were ongoing debates about decentralising internet infrastructure, which was mostly controlled by the US. The Africa ONE project, for example, had ambitions to build a fibre-optic cable network that would connect the whole continent (although that particular project never materialised due to financial and political obstacles).
In 2013, the Snowden leaks shifted the focus to the cloud, privacy and cybersecurity, as the feeling grew that these aspects of technology had been dangerously overlooked.
“The discussion around sovereignty moved from infrastructural sovereignty – who owns the cables – to, am I able to send my data directly to country X, without another country being able to intercept it?” Ruiz explains.
Interest in data localisation laws surged following the Snowden leaks, with many governments demanding that companies store certain types of data within their borders. India was an early adopter of these laws, addressing many of the worries around infrastructural sovereignty and data management under the Digital India programme, launched in 2015.
A few years later, in 2018, the US passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, enabling the government to request data from tech companies, even if stored overseas, to investigate serious crimes, once again reigniting the debate on digital sovereignty. There is no specific data on how many times the CLOUD Act has been invoked, but disclosures from Microsoft say requests for enterprise data are “comparatively rare”. Out of 173 requests for cross-border enterprise disclosures in the second half of 2024 (H2 2024), the company provided US law enforcement with five non-US customers’ data stored outside of the US, none of which were in the EU/European Free Trade Association area. Amazon Web Services’ (AWS) latest report, detailing requests for H1 2025, says no requests from US law enforcement resulted in the company handing over “enterprise or government data” stored outside the US.
Kassim Vera, a consultant at Public Digital, notes that the conversation around digital sovereignty has been stuck in an unhelpful binary, where it is either about “physical infrastructure (where are the data centres, who owns the cables) or it is about privacy and cybersecurity”. Both are important, but “they don’t give leaders a practical way to act”.
A more comprehensive way of understanding digital sovereignty, Vera notes, is as “the agency and capacity of any organisation to make intelligent informed choices to shape its digital future by design”, the definition embraced by Public Digital. This approach, he notes, centralises an organisation’s agency and capacity, the importance of making informed choices and of operating by design, rather than being shaped by market forces or inertia.
Reevaluating partnerships
In November 2025, the French and German governments convened the Summit on European Digital Sovereignty, where EU member states agreed that strengthening the bloc’s digital sovereignty was a “cornerstone of [its] economic resilience, social prosperity, competitiveness and security”. For years, the countries have been some of the strongest advocates for pursuing digital sovereignty initiatives, as the dependence on US services starts to feel like a liability.
However, attempts at building domestic solutions have historically floundered, as a complicated regulatory system and competing priorities clashed. A major Franco-German initiative to build a European cloud was described as a “crushing failure” and “colossal waste of time” by one of its founding members.
One area where this risk has been observed is in the buildout of digital public infrastructure (DPI). DPI systems – which can include digital ID systems, payment systems and data exchange protocols – have long been built via private-public partnerships. However, given the sensitive data that these systems often deal with, the involvement of foreign players has been a point of contention in some cases.
In the UK, the National Health Service’s contract with US data software company Palantir has come under scrutiny by staff, MPs and members of the public, who question why a company that has been tied to Immigration and Customs Enforcement operations in the US and the Israel-Gaza war should be involved in the handling of sensitive health data. In India, activists and lawyers have questioned why foreign companies that were involved in building the national ID system had access to the biometric data of Indian citizens.
“When it comes to foreign suppliers, the risk assessment changes. It goes beyond regulatory compliance to how domestic regulation interacts with international frameworks. Under whose legal jurisdictions does the infrastructure operate? And critically – if the relationship needs to change, can you move?” Vera notes.
In France, the government is replacing its use of US video conferencing platforms such as Zoom and Microsoft with domestic platform Visio, saying the switch would save Paris as much as €1m ($1.19m) annually for every 100,000 users. The Netherlands has made similar moves, announcing a blueprint last December to reduce the country’s dependency on foreign tech companies for critical government operations. The country is currently in the middle of tensions over US IT company Kyndryl’s proposed acquisition of Solvinity, the Dutch organisation that underpins the country’s digital ID system. The proposed takeover prompted a parliamentary roundtable and a 140,000-signature petition.
However, embracing sovereign solutions can also come with the risk of unnerving US companies. A few years ago, Brazil developed an instant payment platform called PIX, which has had a huge uptake in the country. The platform is now at the centre of an investigation by the US Trade Representative, launched last July, which is alleging unfair trade practices. Major US payment platforms Visa and Mastercard have long complained that PIX prevents their ability to grow their market share in the country.
However, the way countries develop digital systems will ultimately be shaped by their specific set of circumstances.
“The idea of building your own things, there are countries that can allow themselves to have their own data centres, and there are countries that cannot afford that or don’t have the conditions to have it,” Daniel Abadie, head of technology and partnerships at the Centre for DPI, says. “Every country chooses its own path.”
Strategic sectors
The arguments as to why fully decoupling from US tech is an unrealistic goal are well known. In terms of software alone, US companies control about three-quarters of the EU market. In Whitehall, a report found that all departments surveyed used one of two leading cloud providers – AWS and Microsoft. The buildout of data centres in Europe is complicated by the continent’s relatively high cost of energy compared to the US or Middle East and North Africa region, for example. Not to mention, despite the many attempts and incentives over the years, there are few to no European companies of a comparable size that could swiftly take over the management of the continent’s digital infrastructure. As the CEO of Berlin-based search engine Ecosia puts it: “If the US decided to pull US technology from Europe… then we would have to go back to phone books.”
However, a fractured environment, where the highest risk areas – government communications and companies in strategic sectors such as critical minerals and nuclear technology – shift towards domestic or in-house tech infrastructure, may already be under way.
“The direction of travel, I think, is a breaking down of digital sovereignty into specific granular risks, in specific granular contexts, and then seeing whether suppliers can offer sufficient mitigation on those specific risks in that specific context,” GlobalData principal analyst Gavin Sneddon notes.
Ruiz echoes this view.
“There is just no guarantee that you are not being surveilled. Now, most people are obviously not going to be, but if you are running anything like a business, for example, having to do with critical minerals, I don’t think you can. You really cannot do anything on an American server. That would be insane,” he notes.
Looking inward
While distrust has been building since the start of Donald Trump’s term, it nearly reached what would have been an unprecedented outcome this January, when the US President’s threats to invade Greenland – the autonomous territory belonging to Denmark – reached an all-time high, prompting several European countries to send troops (albeit in small numbers) to the territory. The worst-case scenario was abated following a conversation between Trump and Nato Secretary General Mark Rutte, during which a “framework of a future deal with respect to Greenland” was reached.
French President Emmanuel Macron has urged the EU to use the momentum from the “Greenland moment” to push long-stalled reforms to make the bloc more competitive. He says he is “certain” that, despite a lull in tensions, the US will “attack” the EU over digital regulation in the coming months.
“We are in an environment of much less trust. We seem to be moving away from the previous liberal, globalised world order, where everyone imported everything from everyone,” Alaa Owaineh, research director at GlobalData, notes.
Last year, the AP reported that Microsoft cancelled email access for the International Criminal Court’s (ICC) chief prosecutor, Karim Khan, following the US backlash to the ICC bringing multiple cases against Israeli leaders for alleged war crimes in Gaza. The incident prompted fears of a US “kill switch” of the digital services provided by US companies to European institutions.
Some could argue that the Snowden leaks, which happened during a more trusting era, were a much larger offence, yet, at that time, fears could still be assuaged. However, as Canadian Prime Minister Mark Carney said in his now-famous Davos speech, the “old world order is not coming back”.

