Europe's reliance on cloud services poses a political risk, in addition to being a technical issue.


      Europe’s reliance on external sources not only highlights its AI sovereignty concerns but also influences its data sovereignty and exposes it politically.

      In a prior article, we examined Europe’s significant dependence on outside providers for AI advancement, especially via GPU as a Service (GPUaaS) and in the semiconductor sector. Companies like Nvidia and AMD from the US supply the GPU chips that power European supercomputers and AI operations, while major cloud providers dominate access to cloud services.

      This dependency goes beyond technical and economic considerations; it also puts Europe’s data infrastructure at geopolitical risk. More critically, it makes Europe vulnerable to external political influences and increasing political instability.

      Structural Context

      The EU continues to be structurally reliant on external suppliers. Despite significant investments and policy efforts to boost European AI autonomy, US hyperscalers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) are projected to hold 70% of the European cloud market by early 2026.

      At the semiconductor level, Europe remains reliant on foreign players. The design of AI chips is mainly led by US companies like Nvidia and AMD, and production heavily depends on Asian foundries, primarily TSMC in Taiwan and Samsung in South Korea. European semiconductor manufacturing constitutes less than 10% of global production.

      To address this disparity, the EU has initiated several projects. The 2023 EU Chips Act and the Chips Joint Undertaking (Chips JU) aim to mobilise over €43 billion in public and private funding to raise Europe's share of the global semiconductor market to 20% by 2030. Additional efforts, such as the AI Continent Plan and Invest AI, seek to enhance European competitiveness and technological independence in AI.

      Politics in Technology

      Europe's pursuit of AI autonomy involves not only technological competitiveness but also retaining authority over data governance and digital infrastructures.

      Along with industrial investments, the EU has created a comprehensive regulatory framework concentrating on data protection and digital governance. This framework includes the European data strategy for establishing a single market for data, the General Data Protection Regulation (GDPR) under the Data Governance Act (DGA), and the Data Act, all aimed at enhancing trust, security, and control over European data exchanges.

      To enable transatlantic data transfers, the EU and the US established the EU-US Data Privacy Framework (DPF) in 2023. This framework allows US firms to self-certify compliance with European data protection standards, forming a legal mechanism for cross-border data transfers among the EU, the European Economic Area, the UK, Switzerland, and the US.

      However, these frameworks have a shared vulnerability: they rely on contractual and regulatory mechanisms that cannot supersede US statutory law. No matter where data is held, American cloud companies are subject to US legal and political authority, including export controls, sanctions, and executive orders that may override contractual agreements with European clients.

      The Legal Framework of Dependency

      In 2018, the US enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which established procedures for both US and foreign authorities to access data held by service providers during criminal investigations, regardless of the data's physical location.

      This act is a unilateral US tool that eliminates domestic law barriers for service providers complying with direct disclosure orders. Simultaneously, the Foreign Intelligence Surveillance Act (FISA) section 702 allows US intelligence to collect and process intelligence data regarding national security threats.

      This does not grant blanket access to data stored by cloud providers but affirms that US authorities can compel American firms to provide data access when requested under US law.

      Consequently, the CLOUD Act, FISA Section 702, and broader executive order powers create a legal structure allowing US jurisdiction to reach data and infrastructure hosted in Europe through US providers, irrespective of EU-US DPF or GDPR safeguards.

      This creates a fundamental tension between EU and US legal systems. Existing EU mechanisms, including Standard Contractual Clauses, depend on contractual safeguards and mutual agreements, but cannot counteract statutory obligations dictated by foreign law.

      The European Data Protection Board (EDPB) has emphasized that service providers governed by EU law cannot rely solely on CLOUD Act requests to justify data transfers to the US. However, American hyperscalers may face conflicting legal obligations: complying with the CLOUD Act and thereby violating GDPR Article 48, or rejecting the warrant and incurring penalties under US law.

      The Schrems II decision established a precedent: the Court of Justice of the European Union (CJEU) determined that US surveillance laws pose risks incompatible with EU fundamental rights, effectively invalidating the EU-US Privacy Shield due to concerns about US surveillance and inadequate protections for Europeans’ data.

      What Changed During Trump’s Second Term?

      The legal disparity between Europe and the United States has existed for some time. What changed during President Donald Trump’s second term was the strategic use of that disparity as a political tool.

      Pressure has come from various directions. Regarding regulation, the Trump administration swiftly acted to contest Europe’s digital governance framework
