The Economics of Digital Sovereignty and the Infrastructure Dependency Trap
Digital sovereignty is not about the location of servers; it’s about who controls many different aspects of them.
Digital sovereignty isn’t just data residency. It’s about ownership, economic power, AI infrastructure, and who controls the future.
Most conversations about digital sovereignty tend to get stuck in the same place. Data residency requirements. GDPR compliance. Cloud certification schemes. Or, in the most human terms, where exactly is the physical server?
While these are real concerns for some, all the nations around the world – except China and the USA – are being digitally colonised. Most people address these topics, but in most cases they are just some of the symptoms. As I have spent years telling governments and institutions, the problem is never the problem itself. It’s a symptom of a system. The system here is far larger, more consequential and more difficult to reverse than most policymakers currently realise.
Digital sovereignty – real sovereignty – is an economic, geopolitical and structural question about which countries will produce things and which will only consume them. If the diagnosis is wrong, the responses will only address the surface, while the underlying dynamics will continue to worsen.
Let me explain what I mean with some examples. But please note that this is not an exhaustive list of topics that are impacted and there are many more considerations that go deeper and are more complex than also this picture draws it:
Index
The Legal Necessity – And the legal fiction of “EU-hosted” data
Let’s start with the most obvious aspect: the regulatory layer. Most debates begin and, unfortunately, often end here.
The European Union has developed an impressive regulatory framework, including the GDPR, the NIS2 Directive, which came into force in October 2024 and imposes fines of up to 2% of a company’s global revenue, and the DORA Directive, which has enforced strict cloud resilience requirements for over 22,000 financial entities since January 2025. Other key pieces of legislation include the EU Data Act and the AI Act, which will come into full force in August 2026. These are serious instruments. The idea behind them – that Europe needs enforceable data rules – is correct and could actually become a real asset for Europe in the current geopolitical and economic climate.
However, the problem is a fundamental legal asymmetry that cannot be resolved by data residency requirements alone.
The US CLOUD Act, passed in 2018, means that American law enforcement can compel any US-owned company to produce data stored anywhere in the world, including on servers physically located in Frankfurt or Amsterdam. The location of the server in Germany is legally irrelevant if the company that owns it is incorporated in the United States. Dear ‘Sovereign Washing’ hyperscalers, you are not exempt from this, no matter how much marketing you do. Let’s take it a step further: FISA Section 702 enables US intelligence agencies to collect and process data on non-US citizens outside the United States. This was renewed in April 2024 with an expanded scope. Add to this Executive Order 12333, which governs intelligence collection outside US territory, and National Security Letters – whereby the FBI can demand data without prior court approval and often accompany this with permanent gag orders that legally prevent the provider from notifying you – and you have a surveillance architecture that is structurally incompatible with European data protection law.
The critical word in all of this is ownership, not location. If your provider is American, your data is never fully beyond the reach of US law, despite what marketing material about ‘EU sovereign zones’ might claim. As one legal analysis of this issue put it, ‘Data location is not the same thing as data sovereignty, and vendor nationality can matter as much as server geography’.
In 2025, AWS launched its ‘AWS European Sovereign Cloud’ in Brandenburg, backed by a self reported €7.8 billion investment. While this validates the demand, it also highlights the trend of ‘sovereign-washing’ and using it for branding purposes and how difficult and politcally loaded this topic has become. However, as my TechCrunch colleagues pointed out at the time of launch, the data is ultimately under the control of a US tech giant. Localised infrastructure, non-local ownership. The legal exposure does not disappear, and the potential for economic extraction remains.
This is not a problem that can be solved through clever contract drafting. It is structural. Until European and global policymakers acknowledge this, every ‘sovereignty’ certification scheme they develop will be fundamentally flawed.
Economic Extraction – The double-payment trap is how countries co-fund their own extraction
Now, let’s move from the legal layer to the economic one, because this is where the damage is least understood and underaddressed by the public.
The standard narrative is that hyperscalers invest in European data centres, providing Europe with infrastructure and benefiting everyone. The headline numbers are substantial. Microsoft, Amazon and Google were estimated to have spent over $250 billion on data centre capital expenditure in 2025 alone. Individual country announcements – such as Microsoft’s $3.2 billion expansion in Sweden and its $3 billion commitment to Denmark, or Amazon’s investments across multiple European markets – generate positive press and political goodwill. Such impressive numbers always make an impact, and people want to be associated with them.
However, the announcement cycle does not capture the actual cost structure imposed on the economies receiving these investments, nor the fact that most of the dollars invested directly go back to US vendors such as AMD, Intel and NVIDIA. Furthermore, there is limited job creation, as even the most massive data centres produce almost no jobs – it’s just the numbers that sound impressive.
So lets take a step back and look at the full picture – Data centre power demand in Europe is projected to rise from 96 TWh in 2024 to 236 TWh by 2035, increasing their share of total European electricity demand from roughly 3% to nearly 6%. Grid congestion costs in Europe already amounted to €4.3 billion in 2024, according to the EU Agency for the Cooperation of Energy Regulators – but as always this figure excludes indirect costs such as the economic consequences of project delays. Securing a grid connection for a new data centre in major European hubs currently takes between seven and ten years because of queue length alone. Europe’s electricity prices for energy-intensive industries already average roughly double those in the US, according to the IEA – a gap that will only widen as large AI workloads concentrate where energy is cheapest – outpricing the other industries and therefore rising prices.
This mechanism is important because when a hyperscaler builds a large data centre in your country, someone has to build the grid infrastructure required to serve it, including transmission lines, substations and capacity upgrades. This could be the state, the utility company or, ultimately, the ratepayer. While the data centre is a private asset that generates returns for its American owners, the grid is a public cost that is shared by everyone in the country.
Then consider what happens next. The hyperscaler runs these European data centres and sells services back to European companies, governments, hospitals, schools and developers at significant markups. The European sovereign cloud market is estimated to be worth $26.8 billion in 2024, and is projected to grow to between $191 billion and $321 billion by the early 2030s. These revenues flow to American balance sheets, subsidised by European consumers, businesses, and taxpayers. For US companies, this is direct cash flow, which is reinvested (and leveraged) into more computing power, data centres, talent and acquisitions – most of which are in the United States, of course, with only a few marginal jobs elsewhere. European customers pay for the privilege of funding infrastructure that strengthens their competitors.
This is not a conspiracy (despite some people literally treating it as such). However, it is a perfectly rational business model – something we know from a different time and context, but that would be a longer discussion. It means that, as a country, you are effectively paying twice: once as a co-funder of the infrastructure through public grid costs, grid upgrades and energy pricing pressure; and a second time as a customer, paying for the services that infrastructure provides. The value extracted from the transaction does not circulate in your economy. It is extracted and concentrated elsewhere.
Political Risks – When the switch gets turned off
Without a concrete demonstration of the stakes, the economic argument might still feel abstract. The argument about political dependency is not abstract at all.
When Russia invaded Ukraine in 2022, Western technology companies began withdrawing from the Russian market in coordination with sanctions. Oracle left ‘abruptly, along with prepaid licences’, which triggered litigation between distributors and end customers. Microsoft suspended all new sales in March 2022 and, by March 2024, had cut off access to over 50 cloud products, including Teams, Power BI and Dynamics, for Russian organisations. Amazon stopped accepting new AWS sign-ups from Russia and Belarus. The entire Western cloud stack, which Russian corporate and government clients had integrated deeply into their operations, ceased to function. At the time of the withdrawal, Microsoft was used by up to 90% of corporate and state clients in Russia.
In this case, the Russian government initiated a war, prompting a geopolitical response in the form of sanctions. The debate is about what this event demonstrates to other countries.
It shows that if your critical infrastructure, government systems, industrial operations and economic data depend on foreign technology – controlled by companies in a single jurisdiction with their own strategic interests – then your operational continuity depends on the continued goodwill of that jurisdiction. The switch can be flipped. It can be flipped.
This is not a hypothetical risk for allied democracies under normal conditions. But conditions are not always normal. Trade tensions can escalate. Administrations change. Strategic interests diverge. Countries that have observed the Russian case yet still assume that their dependency is harmless because they are currently aligned with Washington are placing a bet on geopolitical stability that is not supported by history.
The security dimension exacerbates this issue. When companies withdraw support and updates – as Oracle did immediately by cutting off security patches for Russian users – the systems left behind do not simply cease to function. They become exposed. Unpatched infrastructure is vulnerable infrastructure. Countries that have outsourced their operational continuity to foreign vendors are also outsourcing part of their security posture by extension.
However, there are many other ways in which this is impacting sovereign nations.
One of many more examples – The Innovation Extraction
And everyone knows I am big into startups – the economic and political arguments above are primarily about institutions like. governments, large companies, critical infrastructure operators. But there is a fourth dimension that gets far less attention and determines where the future is built: the startup ecosystem.
AWS, Microsoft, and Google have built aggressive credit programmes targeting startups from day one. AWS Activate offers up to $100,000 in credits (up to $1 million for select accelerator cohorts); Microsoft for Startups offers up to $150,000 in Azure credits; Google for Startups offers up to $350,000 for AI-focused startups. These are not small sums for an early-stage company watching its runway. They are genuinely valuable, and the hyperscalers know exactly what they are buying with them.
What they are buying is architectural dependency at the moment of maximum formability – like a drug dealer that focuses on the people with the biggest personal pain.
A startup that builds its entire product stack on AWS proprietary services-i.e., proprietary offerings such as Bedrock, Lambda, and DynamoDB-is not merely using cloud infrastructure. It is making architectural choices that become progressively more expensive to reverse as the company scales. Exit costs are therefore far from zero: egress fees are high, proprietary API dependencies necessitate rewrites, and the engineering team’s skills and muscle memory are calibrated to a single provider’s toolset. By the time the credits run out, the migration cost is often prohibitive compared with simply continuing to pay.
The competitive distortion this creates is not subtle. A European startup building on European sovereign cloud infrastructure starts with a cost base that American hyperscalers can undercut with subsidised credits for years. The structural result is that the most promising European startups get locked into American infrastructure at their most critical growth phase, before they are large enough to credibly evaluate alternatives. European alternatives like OVHcloud or Scaleway also offer such startup programs – but without the heavy marketing machinery its hard to compete.
Even the famous Draghi report on European competitiveness put the structural point plainly: “Given the dominance of US providers, the EU must find a middle way between promoting its domestic cloud industry and ensuring access to the technologies it needs.” Local EU cloud providers currently hold roughly 15% of the European cloud market; hyperscalers hold around 70%. The gap was not inevitable. It was built, incrementally, through precisely these dynamics – credits, lock-in mechanics, ecosystem gravity – compounding over a decade. We literally invited it and celebrated it.
What sovereignty actually requires
So after all the “complaining” – what does genuine digital sovereignty look like, given all of this?
Not a wall. Attempting to cut European companies off from American cloud services would destroy enormous amounts of value and is neither realistic nor desirable in any way. We are a global economy and this will not change as the complexity increases and there are certain things we cant change. The goal is not autarky – what actually most people argue in the sovereignty disccussion. It is the ability to make choices – to have viable alternatives, to maintain leverage, and to prevent the kind of critical dependency that eliminates your freedom of action when the stakes are highest.
That means several things operating simultaneously:
- Regulatory clarity on ownership, not just location. The EU Cloud Certification Scheme (EUCS) remains unresolved. Until it draws a clear line on the ownership question-not only where data are stored, but who legally controls access to them-it risks producing a compliance theatre that benefits no one. FISA 702 is up for reauthorization; European institutions should therefore be on record regarding its structural incompatibility with any workable transatlantic data governance framework. At least now, the Sovereignty Effectiveness Assurance Levels (SEAL) were launched in April 2026 to provide greater clarity on the definition of sovereignty. However, the initiative mixes multiple concepts-legal control, sovereignty, and autarky-that are not yet coherently distinguished, making this a step in the right direction but not fully aligned with practical realities.
- Genuine investment in European alternatives, not just compliance infrastructure. France’s €1.8 billion recovery plan allocation for cloud sovereignty and Germany’s €3 billion digital strategy commitment are meaningful. But the €50 billion per year in fresh CapEx that would be required to meaningfully duplicate European cloud capacity currently rented from the three hyperscalers – flagged in the Draghi report – shows the scale of what’s actually needed. Investment in European AI infrastructure (the EU AI Continent Action Plan targets tripling EU data centre capacity in five to seven years) has to be matched with procurement policy that gives European providers a realistic chance to compete for the contracts that fund their growth.
- Honest economics in data centre policy. Countries should stop evaluating hyperscaler data centre investments purely as wins or storylines. The public infrastructure costs – grid upgrades, energy pricing pressure, congestion costs – should be part of the ledger especially as also sovereign projects could be then outpriced or displaced. The question isn’t whether the data centre brings jobs (research is increasingly sceptical that it creates meaningful local tech employment); the question is whether the total economic exchange is favourable, or whether the country is effectively subsidising infrastructure that extracts value.
- Interoperability and portability as non-negotiable standards. The EU Data Act’s cloud switching provisions (phased to 2027) are a step in the right direction, but enforcement will determine whether they matter. High egress fees and proprietary API lock-in are not technical inevitabilities – they are deliberate design choices. Treating them as such in regulation changes the dynamic.
- Sovereign AI infrastructure as a strategic priority, not a nice-to-have. The economic and geopolitical arguments converge on a single point: as AI becomes the infrastructure layer of the economy – touching healthcare, education, finance, legal work, public services – the question of who controls that infrastructure is not a technology policy question. It is a question of economic sovereignty in the same category as energy or financial independence. The countries that recognise this earliest will be the ones that still have options in ten years.
The actual question
I want to finish where I started: with how the whole discussion is framed.
Whenever digital sovereignty is discussed in a parliamentary committee, on a board, at a political event or in a ministerial briefing, the conversation is framed as a regulatory compliance challenge or a data protection question (“Can someone access our data?”). These issues are real, but they are a consequence of something larger and much more worrying: the implications of becoming a customer rather than a producer of the infrastructure that will drive the next industrial revolution.
So we should ask the real question : where does value get created, and where does it accumulate, and what power does it concentrate?
Europe is home to hundreds of millions of users, some of the world’s most important enterprises and leading research institutions, as well as a generation of entrepreneurs developing world-class products. All this activity generates data, economic value and structural leverage. The question is whether this value remains within the system, circulating and compounding to fund the next generation of developers, or whether it is extracted through the infrastructure layer and reinvested elsewhere. While I am not in favour of nationalistic tendencies, closed-loop economies or protectionism, digital infrastructure is becoming an important part of society, and we should treat it in the same way as we treat our water or roads.
At the moment, we are mostly happy to give up our sovereignty and celebrate when we hand over critical infrastructure to others to exploit us. This is not because Europeans are less capable. It’s because the systems – the legal frameworks, investment flows, procurement habits and startup credit programmes – are structured in a way that makes extraction the path of least resistance.
As I like to say, the problem is never the problem, because people mostly see the symptom of a problem as the problem itself. And yes, most discussions nowadays are about a symptom of the system. The system here has a clear shape: Europe pays to use infrastructure it doesn’t control, co-funds that infrastructure through public costs it doesn’t fully account for, trains the next generation of builders to use tools that restrict them, and then watches economic leverage accumulate elsewhere.
Changing this requires first seeing it clearly. That is what this piece is for – and I hope many more people realize what is happening.
Comments are closed.