PROBABLYPWNED
Announcements | June 5, 2026 | 5 min read

EU Unveils Tech Sovereignty Package to Cut US, China Dependency

European Commission announces Chips Act 2.0 and Cloud and AI Development Act to reduce reliance on US cloud giants and Chinese telecom vendors. Four-tier trust framework for cloud services incoming.

ProbablyPwned Team

The European Commission unveiled a sweeping technology sovereignty package on June 3, aiming to reduce the bloc's dependence on American and Chinese technology suppliers across semiconductors, cloud computing, and artificial intelligence.

"We live in a world where geopolitics and technology are inseparable," said Henna Virkkunen, the Commission's executive vice president for tech sovereignty, security, and democracy. The message was blunt: Europe cannot continue outsourcing critical digital infrastructure to foreign powers.

The Numbers Behind the Push

The dependency statistics driving this initiative are stark. The EU currently relies on non-EU countries for over 80% of key digital products, services, infrastructure, and intellectual property. American cloud providers—Amazon, Microsoft, and Google—control more than 70% of the European cloud market. The bloc produces less than 10% of global semiconductors. Recent cloud platform breaches affecting multiple customers have only amplified concerns about concentrated dependencies.

And one-third of Europe's 5G cell sites still run on equipment from Chinese vendors Huawei and ZTE—a figure that hasn't budged since 2022 despite years of security warnings.

The package aims to change these equations through four interconnected initiatives.

Chips Act 2.0: Shifting from Supply to Demand

The original 2023 European Chips Act mobilized over €52 billion in public and private investment. The sequel shifts focus from building fabrication capacity to connecting European chipmakers with domestic customers.

Key provisions require national governments to complete approvals for new fabrication plants within 12 months—down from the multi-year timelines that have plagued European manufacturing projects. The TSMC Dresden facility, a cornerstone of Europe's chip ambitions, targets late 2027 for production.

With AI-related chips expected to comprise 70% of the semiconductor market by 2030, the Commission also announced consultations on "AI gigafactories" starting in July. The goal: ensure Europe doesn't repeat its current dependency patterns as AI hardware demand explodes.

Cloud and AI Development Act: Four Trust Tiers

The Cloud and AI Development Act introduces a tiered trust framework for cloud services used by European governments and critical infrastructure operators.

Four assurance levels—labeled 1 through 4—will classify cloud providers based on:

  • Ownership structure and control
  • Immunity from extraterritorial laws
  • Data processing and storage location
  • Supply chain transparency
  • Cybersecurity posture

The highest tier will effectively require European ownership and data residency, potentially excluding American hyperscalers from the most sensitive government workloads. Officials framed this as necessary insurance: "We want to be sure nobody has a kill switch," one Commission source told CNBC.

This matters for security teams. Organizations processing EU government data or operating in critical infrastructure sectors will need to map their cloud dependencies against these new tiers. Expect compliance assessments and potential vendor transitions in the coming years.

Chinese Equipment: From Guidelines to Mandates

The package includes binding rules that would force telecom operators to phase out Chinese vendors from critical infrastructure—a significant escalation from previous voluntary guidelines that operators largely ignored.

The European Investment Bank has already denied financing for operators using Chinese equipment. Recovery and Resilience Facility funds now include anti-Huawei conditions. The next EU budget framework will ensure European money doesn't fund high-risk vendor infrastructure.

The Commission's revision creates a legal pathway to identify "high-risk" suppliers and exclude them from critical sectors. What was a patchwork of national approaches becomes a unified EU framework with standardized risk assessments.

Open Source and Energy Components

Two additional initiatives round out the package. The Open Source Strategy will fund European alternatives to critical infrastructure software and support long-term maintenance of open-source projects the continent depends on.

A Strategic Roadmap for Digitalization and AI in Energy addresses security concerns around smart grid infrastructure. As nation-state actors increasingly target industrial control systems, hardening energy sector digital infrastructure has become a security priority alongside efficiency gains.

What This Means for Security Teams

For organizations operating in Europe, this package signals several practical changes:

  • Cloud vendor assessments will need to include sovereignty considerations. The four-tier framework may require migrating sensitive workloads to providers meeting higher assurance levels.
  • Supply chain documentation requirements will intensify. Organizations will need clearer visibility into where their technology components originate and which laws govern their vendors.
  • Semiconductor sourcing may shift as European fabs come online. The semiconductor sector remains a high-value target for both espionage and ransomware operators—diversifying supplier geography also diversifies risk.

The package requires approval from all 27 EU member states, meaning final implementation details remain fluid. But the direction is clear: Europe is betting that technological autonomy is worth the friction costs of building parallel capabilities and restricting foreign suppliers.

Whether European alternatives can match the scale and innovation of American cloud giants and Taiwanese chip foundries remains the open question. For now, security and compliance teams should start mapping their dependencies—the regulatory environment is about to get more complex.
