Diagnosis

The risk landscape

Three qualitatively different types of risk, three different defences

Published 2026-05-04 · Last reviewed 2026-05-04

The European Union enters 2026 with a paradoxical technological position: regulatorily sovereign, industrially dependent. The EU holds the global lead in lithography (ASML controls 100 % of the EUV-equipment market), in automotive and industrial chips (Infineon, NXP, STMicroelectronics), and in enterprise manufacturing software (SAP). At the same time:

  • Advanced logic: 90 % of the world's chip production at 2nm and 3nm comes from TSMC in Taiwan; the EU produces 0 %. ESMC in Dresden, the flagship of the Chips Act, will from late 2027 fabricate at 28/22 nm and 16/12 nm processes — three to four generations behind the leading edge.
  • HBM memory for AI accelerators: 100 % of world capacity is held by three manufacturers (SK hynix ~57 %, Samsung ~22 %, Micron ~21 %); 2026 capacity is sold out. The EU has no domestic producer.
  • Hyperscale cloud: three U.S. providers (AWS, Microsoft Azure, Google Cloud) hold approximately 70 % of the European IaaS/PaaS market valued at €75 billion. European providers hold 15 % on their own continent.
  • Frontier AI models: no European model reaches the performance of the best models from OpenAI, Anthropic, or Google. Mistral is the most significant European player, but its market position is an order of magnitude smaller.
  • Critical mineral inputs: China controls over 90 % of the world's processing of rare earths, and between 2023 and 2025 imposed export controls on gallium, germanium, graphite, and rare-earth magnets.

The European Court of Auditors' 2025 conclusion is unambiguous: the 2023 Chips Act target — doubling the EU share of world chip production from 10 % to 20 % by 2030 — will not be met. After the cancellation of Intel Magdeburg (July 2025), STMicro–GlobalFoundries in Crolles, and Intel Wrocław, the EU share remains stuck at 10 %.

This site is not in the business of generating panic or calling for isolationism. It works from the premise that the difference between dependency and partnership lies not in the geography of the supplier but in the architecture of the contractual and technical relationship. The U.S. is an indispensable technology partner for the EU; the risk lies in extraterritorial legal regimes (CLOUD Act, FISA 702) that can be activated at any moment, regardless of the European customer's wishes. China is a qualitatively different risk in this framework: it has been documented as an actor that uses technological infrastructure — from solar inverters to industrial chips — as an instrument of geoeconomic pressure.

The real question for the European CIO, procurement director, or legislator in 2026 is not "whom can we rely on?" but "what architecture of legal, contractual, and technical layers must we build to preserve the option of switching, in case any of these dependencies materialises in a crisis?" The answer is the concept that this site, following Forrester analyst Dario Maisto, calls Minimum Viable Sovereignty (MVS) — a pragmatic middle ground between costly autarky and strategically untenable total dependency.

Three qualitatively different risks

The global technology landscape of 2026 is defined by what the World Economic Forum's Global Risks Report 2026 calls "geoeconomic confrontation" — the use of economic instruments (export controls, tariffs, sanctions lists, investment restrictions, data sovereignty rules) as standard components of state power. This is no longer a marginal phenomenon of crisis years; it is the new operating normal that European IT leaders must build their planning on in 2026.

This shift has three qualitatively distinct layers, each requiring a different defensive architecture:

Layer 1: Adversarial geoeconomics (China)

With the case of Chinese solar inverters, exposed by Reuters in May 2025, this risk ceased to be theoretical. U.S. experts conducting security audits found undocumented communication modules, typically 4G/LTE radios, in equipment from multiple Chinese manufacturers. These modules are capable of bypassing operator firewalls and creating a covert communication channel back to China. The European Solar Manufacturing Council (ESMC), an industry association, estimates that over 200 GW of European solar capacity depends on Chinese inverters, the equivalent of more than 200 nuclear power stations. A joint report by SolarPower Europe and DNV from April 2025 concludes that the compromise of just 3 GW of connected capacity would suffice to destabilise the European electricity grid (for comparison: the 2025 outage in Spain and Portugal began with a loss of around 2 GW of generation capacity). In November 2024, Chinese-supplied inverters in the United States were remotely deactivated by the Chinese supplier Deye, which led to a commercial dispute with U.S. firm Sol-Ark. The same logic applies to industrial chips, connected vehicles, drone components, and smart-grid equipment.

Layer 2: Extraterritorial legal exposure (USA)

The relationship with U.S. technology providers is qualitatively different — the U.S. is a democratic ally and partner within NATO, the EU-US Trade and Technology Council, and the EU-US Data Privacy Framework. The risk here does not lie in any intent to harm the European customer; it lies in legal architecture. The CLOUD Act of 2018 permits U.S. authorities to compel data held by U.S. providers anywhere in the world. FISA Section 702 permits surveillance of non-U.S. persons' communications at U.S. electronic-communications providers. The EU-US Data Privacy Framework, approved in July 2023, partly addresses the problem for commercial transfers but faces repeated legal challenges at the Court of Justice of the European Union. For European enterprises this means continuous structural uncertainty: even when a U.S. provider acts in good faith, its legal framework can compel an action in conflict with the GDPR or with the customer's commercial interests.

Layer 3: Concentration risk without geopolitical intent

Not every supply-chain risk has a geopolitical origin. The CrowdStrike Falcon outage of July 2024 — which crippled an estimated 8.5 million Windows devices worldwide in a single day — demonstrated that concentration on a single security supplier is itself a systemic risk. The xz-utils library backdoor, exposed in April 2024, in which an attacker spent two years operating as a legitimate maintainer of an open-source project, demonstrated the same for the software supply chain.

Each risk requires a different defence

These three layers require different instruments. Adversarial risk (China) is addressed through a graduated approach by application sensitivity: in critical infrastructure (energy, telecoms, smart grid, defence) total exclusion of the supplier; in moderately sensitive systems isolation or air-gapping, where the Chinese component is technically cut off from the critical network and cannot affect it; in ordinary consumer and low-risk applications, where the economic benefit outweighs the security risk, the choice is left to the customer with standard monitoring tools in place. Extraterritorial risk (USA) is addressed through contractual and architectural isolation — data residency, encryption keys under European control, BYOK (Bring Your Own Key) and HYOK (Hold Your Own Key) models, sovereign cloud partnerships. Concentration risk is addressed through diversification and redundancy across suppliers and architectures.

The remaining chapters of this site develop these three responses into concrete diagnostics, alternatives, partnership structures, and operational steps.

Top 5 global risks per WEF Global Risks Report 2026 (short-term, 2-year)

| # | Risk category | Impact on technology supply chain |
|---|---------------|-----------------------------------|
| 1 | Geoeconomic confrontation | Weaponisation of export controls, tariffs, sanctions lists, state subsidies, and unfair trade practices |
| 2 | State-led armed conflict | Disruption of production centres (Taiwan) and logistics |
| 3 | Misinformation and disinformation | Erosion of trust in digital provenance and AI-generated content |
| 4 | Extreme weather events | Outages at water-intensive fabs (Taiwan, Arizona) |
| 5 | Adverse impacts of AI | Systemic risk from uncontrolled autonomous agents |

Sources cited

  1. European Court of Auditors, Special report 12/2025: The EU's strategy for microchips – Reasonable progress in its implementation but the Chips Act is very unlikely to be sufficient to reach the overly ambitious Digital Decade target, 2025-04-28.
  2. World Economic Forum, The Global Risks Report 2026, 2026-01-14.
  3. Reuters, Rogue communication devices found in Chinese solar power inverters, 2025-05-14.
  4. European Solar Manufacturing Council, Restrict Remote Access of PV Inverters from High-Risk Vendors, 2025-04-30.
  5. SolarPower Europe and DNV, Solutions for PV Cyber Risks to Grid Stability, 2025-04-29.
  6. U.S. Congress, H.R.4943 - Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Public Law 115-141 (Consolidated Appropriations Act, 2018, Division V), 2018-03-23.
  7. U.S. Congress, FISA Section 702, Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, Title VII Section 702, Public Law 110-261, 2008-07-10.
  8. Kovrr, The UK Cost of the CrowdStrike Incident, 2024-08.
  9. Andres Freund, backdoor in upstream xz/liblzma leading to ssh server compromise, oss-security mailing list, 2024-03-29.