Let me paint you a picture of European digital sovereignty in action…
It’s June 2020. Berlin and Paris are finally doing it (no, not “doing it” doing it) — they’re finally standing up to the American cloud giants that have colonised European government, enterprise, and critical infrastructure. Germany’s economic affairs minister Peter Altmaier and France’s Bruno Le Maire hold a joint press conference. They announce GAIA-X — the federated European cloud initiative that will free the continent from its humiliating dependency on American hyperscalers. This is the moment. Digital sovereignty, at last. The future is European. The data stays home.
The four most prominent presenters at the inaugural GAIA-X summit are Google, Microsoft, Amazon Web Services, and IBM.
I’ll give you a moment with that.
The EU summoned the companies it was trying to declare independence from and handed them the microphone at the launch event for its independence declaration. This is the geopolitical equivalent of the American colonies inviting the East India Company to chair the Boston Tea Party planning committee. It is, in one beautifully concentrated image, everything you need to know about how seriously the European Union takes its own sovereignty ambitions. They announced the revolution and then asked the occupying forces if they had any thoughts on the agenda.
That was six years ago. What do we have to show for it?
GAIA-X: A Post-Mortem for Something That Was Dead Before It Started
GAIA-X — named, presumably, after the primordial Greek goddess of the earth, because nothing says “we’re serious about cloud infrastructure” like classical mythology — set out to create a federated, trustworthy, GDPR-compliant European data infrastructure that would reduce the continent’s dependency on North American hyperscalers. The objective was not insane. The execution was catastrophic, in the specific way that only European institutional processes can be catastrophic: slowly, expensively, with tremendous amounts of documentation, and with the final result being the precise opposite of the stated goal.
Six years later, GAIA-X has over 350 members, a Belgian nonprofit legal structure, and enough working group output to fill a small library. What it does not have is any meaningful impact on the European cloud market. Europe’s collective share of the global cloud computing industry has fallen since GAIA-X launched. Let that land. The initiative specifically designed to grow European cloud capability presided over its decline. That is an achievement of genuinely impressive reverse competence.
Scaleway — one of the actual European cloud providers that joined in 2020, hoping that this time Brussels meant it — eventually couldn’t take the performance anymore and left. Their CEO called it “sovereignty-washing.” Which is, I think, the most precise piece of terminology to emerge from the European tech sector in the last decade. Sovereignty-washing. You bolt the word “sovereign” onto an AWS-dependent certification framework, release a press statement, hold a summit where Google gives a keynote, and call it digital independence. It’s the cloud equivalent of slapping “organic” on a factory farm.
The CEO of Nextcloud — another company that actually builds real European software — described GAIA-X as “basically a paper monster that will exist but will not have any impact in the market.” The German government, having committed to backing the initiative it had championed, quietly withdrew funding from five of sixteen previously selected projects. Members with “conflicting visions” — some wanted an EU hyperscaler, some wanted to restrict US players, some wanted formal standards that US players could comply with, and at least a few apparently showed up because the canapés were good — never reached agreement on what the point actually was.
So what killed GAIA-X? Short answer: GAIA-X. Specifically, the structural feature of EU policy initiatives that ensures they reliably fail to threaten the interests of the parties they were supposedly designed to constrain. You invite the hyperscalers into the standards-writing process because they have the engineers, the legal teams, and the Brussels lobbyists. The standards then get written to accommodate the hyperscalers. The hyperscalers certify themselves against the standards they helped write. The certificate says “GAIA-X compliant.” You have achieved sovereignty. Congratulations. Your data is still in Virginia.
As I wrote in my analysis of the ECOG proposal and Europe’s structural cyber gap, the EU’s cyber and digital policy ambitions consistently and systematically outrun the institutional capacity and political will to execute them. GAIA-X is not an anomaly. It is a template. Write a strategy document. Launch an initiative with a mythological name. Hold summits. Publish certification frameworks. Declare victory. Watch nothing change.
Your Frankfurt Server Is Legally in Virginia. Surprise.
But let’s be charitable for a moment. Let’s imagine GAIA-X had worked. Let’s imagine that, by some miracle of institutional coherence, the EU had produced a genuinely competitive, genuinely European, US-hyperscaler-free cloud infrastructure, and that European governments and enterprises had all migrated to it. Sovereignty achieved, right?
Wrong. Because while the EU was busy holding summits with AWS, the US Congress was busy passing the Clarifying Lawful Overseas Use of Data Act in 2018. The CLOUD Act. And the CLOUD Act says something very simple that the sovereignty crowd does not seem to have fully processed.
It doesn’t matter where the data is.
If the company holding your data is a US company — if it operates under US jurisdiction, if it has a legal presence in the United States — a US federal warrant or subpoena can reach that data regardless of where the physical server sits. The server can be in Frankfurt. It can be in Dublin. It can be in a bunker under the Alps with a Swiss flag painted on it. If the company running that server answers to US law, so does your data.
This applies to Amazon Web Services. It applies to Microsoft Azure. It applies to Google Cloud. All three run major European data centre operations. All three are US companies. All three are subject to CLOUD Act compulsion. All three can be served with a US Department of Justice order compelling them to produce data belonging to European citizens, European government agencies, and European enterprises — without that data ever physically crossing an ocean, and without the European data subject being notified that it happened.
The GDPR, as I’m sure you are aware, has something to say about this. GDPR says that personal data cannot be transferred outside the EU without adequate protections. The CLOUD Act says a US company operating in Frankfurt can be legally compelled to hand over that same data to a US government agency. These two legal frameworks are in direct, irresolvable, screaming-across-the-table contradiction. Neither has blinked. The European Data Protection Supervisor has issued formal opinions noting the conflict… and we all know opinions are like assholes in that everybody has one. Multiple academic papers have been written on the incompatibility. Dozens of consultancy firms have billed thousands of hours advising clients on “compliance strategies” that mostly amount to hoping nobody looks too closely.
What has changed? Let me check. Nothing. US-EU negotiations for a bilateral CLOUD Act executive agreement have stalled. The only agreements in place are with the UK and Australia. The EU doesn’t even have an agreement in negotiation that’s going anywhere. And the organisations that were supposed to be enforcing GDPR — the national data protection authorities — have not, in any material way, moved to address the structural impossibility of guaranteeing GDPR compliance for data held by a CLOUD Act-subject provider.
Why not? Because enforcing it would require telling several hundred million European citizens that they need to stop using AWS, Azure, and Google Cloud for anything sensitive. It would mean telling European governments that their Office 365 tenancies are not GDPR-compliant by design. It would mean telling every enterprise that built its digital infrastructure on US hyperscalers that it has an unresolvable legal problem baked into its architecture. It would mean doing something that costs something, and EU digital policy does not, as a general rule, do things that cost things.
Instead, we get Privacy Shield. Which the Court of Justice struck down in 2020. Before that, we had Safe Harbor. Which the Court of Justice struck down in 2015. We are currently on the EU-US Data Privacy Framework, blessed by the Commission in 2023. Max Schrems — an Austrian lawyer who has been suing over transatlantic data flows since before GDPR existed and whose surname has become a verb for what happens to these frameworks — has already challenged it. The clock is running.
The EU has attempted to solve the legal problem three times. The legal problem has won three times. The legal problem is going to win a fourth time because the underlying conflict — GDPR’s privacy guarantees versus the CLOUD Act’s reach — hasn’t changed and isn’t going to change until either the US repeals the CLOUD Act or the EU actually enforces GDPR in a way that produces real consequences for US cloud providers operating in European markets. Neither of those is happening.
So when the EU talks about digital sovereignty, understand what it’s actually saying: we would like to have sovereignty, we have written many documents about sovereignty, we have launched an initiative with a goddess’s name about sovereignty, and we remain completely dependent on infrastructure that is legally accessible to a foreign government at any time, subject to secret court orders, with no notification requirement and no meaningful enforcement of the legal framework that was supposed to prevent exactly this.
Terrific work, everyone.
The NSA Doesn’t Need a Warrant. It Never Did.
Now. Here’s where it gets genuinely unpleasant, because everything I’ve described so far is the legal problem. The problem where there’s at least a theoretical pathway to a solution involving procurement mandates and enforcement actions and the occasional Max Schrems lawsuit.
The technical problem is older, messier, and the EU has spent thirty years pretending it doesn’t exist.
Let me introduce you to Enercon.
Enercon is a German company founded in Aurich by an engineer named Aloys Wobben in 1984. By the early 1990s, they had developed something genuinely fucking impressive: the E-40, a gearless wind turbine with full-converter technology that was technically ahead of anything their American competitors were building. No gearbox — which meant lower maintenance, higher efficiency, and a fundamentally different approach to energy conversion that put them several years ahead of the market. This wasn’t incremental improvement. This was a meaningful technological lead. (No green-washing intended.)
By the early 1990s, Enercon had won a contract for eighty wind turbines in Texas. The American market was opening up. The technology was better. The business case was real.
Then the NSA allegedly got involved.
According to multiple whistleblower accounts — including, reportedly, a former NSA employee who admitted the organisation had intercepted Enercon’s data communications and monitored conference calls — the NSA passed intelligence gathered through the ECHELON signals intelligence network to Kenetech Windpower, a California-based competitor. What they passed wasn’t cash, or contacts, or a favour. It was Enercon’s own technical and commercial intelligence — their specifications, their plans, their business strategy, their conversations.
Now here is where I need to be precise, because the story is usually told wrong, and the accurate version is significantly worse.
People often say the NSA stole Enercon’s blueprints and Kenetech patented them. That’s not quite right — and the reality is more damning. Kenetech’s US patent on variable-speed wind turbine technology was filed in July 1993. The alleged NSA wiretapping came after. So this was not a case of intelligence-enabled patent theft. It was intelligence-enabled litigation. Kenetech already had a patent. What the alleged NSA intelligence gave them was the knowledge of exactly how Enercon’s technology worked, what their vulnerabilities were, and how to build a patent infringement case that would hold up at the International Trade Commission.
In March 1994, Kenetech’s Netherlands director Bob Jans and a colleague physically visited an operational Enercon turbine and documented what they saw — photographs, notes, technical observations. This visit was subsequently the subject of a German police investigation in Oldenburg when it came to light two years later. In January 1995, after Enercon had won their Texas contract, Kenetech filed an ITC patent suit. In August 1996, the administrative law judge ruled against Enercon. The ITC issued an exclusion order.
Enercon was banned from the entire United States market.
The ban lasted until 2010. Fourteen years. A German company with genuinely superior technology was legally excluded from the world’s most important wind energy market for fourteen years while a California competitor — which had the benefit of intelligence on exactly what Enercon’s technology did and how it worked — consolidated its market position.
The US intelligence apparatus didn’t steal anything to patent. It did something more sophisticated and arguably more destructive: it converted intercepted intelligence into litigation ammunition. The result was identical to theft. One European company’s technology advantage was neutralised. One American company benefited. Aloys Wobben didn’t get a phone call explaining what had happened. He got an ITC exclusion order.
Enercon was not running its data on American servers. There was no CLOUD Act to invoke, because it was 1993 and the CLOUD Act wouldn’t be written for another twenty-five years. They were a German company using German infrastructure communicating by telephone and electronic mail. None of that mattered. ECHELON was reading it anyway.
And Enercon was not alone. The European Parliament’s own investigation — the Temporary Committee on the ECHELON Interception System, which ran from 1998 to 2002 and produced a formal report with documented conclusions — found that ECHELON was being systematically used for economic espionage against European companies. The cases are on the record. Airbus, competing for a six-billion-dollar Saudi Arabian airline contract, allegedly lost to Boeing after NSA intelligence on the negotiation was passed to the American side. French defence company Thomson-CSF, competing for a 1.3-billion-dollar radar contract in Brazil, allegedly lost to Raytheon under similar circumstances. The press reporting from this period identified approximately thirty German businesses as targets of CIA and NSA electronic interception for commercial purposes.
The 2026 ODNI Threat Assessment makes unambiguously clear that nation-state economic espionage is not a Cold War relic. It is current, it is accelerating, and the targets have evolved from wind turbine specifications to semiconductor design files, AI model weights, pharmaceutical research, and cloud infrastructure dependencies. The methodology has been updated for the twenty-first century. The intent has not changed at all.
Throughout all of this, the official US government position was consistent and admirably straight-faced: “What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of — or give intelligence we collect to — US companies to enhance their international competitiveness or increase their bottom line.”
They said this. While ECHELON was operational. While the European Parliament was investigating it. While Enercon’s turbines were barred from American soil. While Airbus was losing contracts. While approximately thirty German businesses were being electronically monitored.
I am not suggesting that the United States is uniquely evil in this regard. Every major intelligence service on earth mixes strategic and economic intelligence collection in ratios they decline to publish. What I am suggesting is that the EU’s approach to digital sovereignty has been built on the explicit premise that its most important strategic partner would never, ever, under any circumstances, use intelligence collection to benefit its own commercial interests at Europe’s expense — a premise that the historical record finds, shall we say, unsupported.
The Pattern Nobody Wants to Name
Here is the thing that really gets me. The CLOUD Act isn’t secret. The ECHELON report was published by the European Parliament. The Enercon case was covered in the European press in 1996. The Safe Harbor framework was struck down publicly. Privacy Shield was struck down publicly. GAIA-X’s capture by the hyperscalers happened in broad daylight, on stage, in front of cameras, at the founding summit.
None of this was hidden. All of it was visible. And the EU’s response to each successive revelation that its digital sovereignty framework was a fiction has been to launch a new initiative with a new name and hold a new summit.
This is not incompetence. Incompetence would be forgivable — you’d fix it by hiring people who know what they’re doing. This is a structural political problem. Naming the United States as a threat to European digital sovereignty is politically impossible, because the United States is a NATO ally, a defence partner, an intelligence-sharing partner through Five Eyes adjacency, a trading partner, and the country that European capitals have relied on for security guarantees for eighty years. You cannot simultaneously tell Washington that you need its troops to deter Russia and that its cloud companies are an intelligence threat to your sovereign data.
So instead you write GDPR, which creates genuine compliance costs for everyone without actually addressing the CLOUD Act conflict. You launch GAIA-X, which creates a sovereignty theatre without actually threatening US hyperscaler dominance. You negotiate Privacy Shield frameworks that the Court of Justice keeps striking down because the underlying legal conflict — between European privacy rights and American surveillance law — hasn’t been resolved, just papered over.
As I covered in my analysis of the Gulf AI chip deals and the civilisational risk of offshoring the most powerful technology in history, the pattern of advanced economies creating strategic dependencies on partners with fundamentally different interests is a theme for our entire era. The EU’s cloud dependency on the US is not a unique failure — it is the same failure mode playing out across semiconductor supply chains, AI infrastructure, and satellite communications. The question is whether any institution is willing to incur the short-term costs of actually addressing the dependency, or whether the world just keeps passing notes in a burning building.
The EU is passing notes.
What Actual Sovereignty Would Look Like (and Why the EU Won’t Do It)
Let me be extremely concrete, because I’ve spent enough time mocking the problem and at some point the Fixer has to fix something.
Hard procurement mandates. Full stop. Every government agency, every critical infrastructure operator, every entity handling classified data, personal data at scale, or data subject to NIS2, must be legally prohibited from using cloud providers subject to CLOUD Act jurisdiction. This means no AWS, no Azure, no Google Cloud for those use cases. Not discouraged. Not asked nicely. Prohibited. The alternative providers exist: Hetzner, OVHcloud, Scaleway, Deutsche Telekom’s Open Telekom Cloud, T-Systems. They are real companies offering real services at competitive prices. The reason European public sector entities don’t use them is procurement inertia, existing vendor lock-in, and the absence of any legal obligation to change. A mandate creates the obligation. Everything else follows from that.
This will be politically uncomfortable because every major European government has multi-year contracts with US cloud providers for exactly the kind of sensitive government workloads this mandate would affect. Those contracts will need to be unwound. There will be transition costs. There will be capability gaps during migration. All of those costs are real and all of them are smaller than the cost of continuing to run sovereign government functions on infrastructure that is legally accessible to a foreign government.
Investment in European cloud providers as strategic infrastructure — not standards, actual money. The EU has run the Common Agricultural Policy for seventy years, subsidising European agriculture at enormous expense because food sovereignty is treated as a strategic necessity. Cloud infrastructure is more strategically critical than turnips, and I say that as someone who has opinions about turnips. The Nextcloud CEOs and the Scaleway founders of Europe are not asking for charity. They are asking for the kind of public investment backstop that would let them compete on price and capability with companies that benefit from the US Department of Defense’s cloud contracts and the implicit strategic backing of the world’s most powerful government. Fund them. Properly. Not with working group participation and GAIA-X certification stickers. With money.
Enforce the GDPR/CLOUD Act conflict into the open. The legal contradiction between GDPR and the CLOUD Act is not ambiguous. It is documented, analysed, and formally noted by the European Data Protection Supervisor. EU data protection authorities have the legal tools to require that US cloud providers either demonstrate they can contractually guarantee GDPR compliance despite CLOUD Act obligations — they cannot, because no US company can legally promise to defy a US court order — or cease processing personal data of EU citizens. This enforcement hasn’t happened at any meaningful scale because the political consequences of doing it are enormous. That is exactly why it needs to happen. Sovereignty without enforcement is decoration.
Update the threat model to include allied intelligence services. This is the one nobody wants to say in a policy document. The EU’s digital sovereignty framework needs to treat the United States’ intelligence apparatus as a potential threat to European commercial and strategic interests, because the European Parliament’s own investigation concluded that it has been exactly that. This is not anti-American. It is analytical. Countries conduct intelligence operations in their own interests, including economic interests, including against their allies. France does it. Germany does it. The UK does it. The US does it at a scale and technical sophistication that others cannot match. A sovereignty framework that doesn’t account for this isn’t a security framework — it’s a polite fiction.
As I’ve written in my research on why a Cyber 9/11 remains structurally inevitable, the fundamental vulnerability isn’t technical — it’s the political unwillingness to acknowledge who the actual threats are and design defences accordingly. Every major breach, every sovereignty failure, every intelligence-enabled competitive loss traces back to the same root cause: we built the threat model around the threats we were comfortable naming and left out the ones that were politically inconvenient. Enercon didn’t put the NSA in its threat model. The EU hasn’t put the US intelligence apparatus in its sovereignty framework. The outcomes speak for themselves.
And as I covered in my research on protecting critical infrastructure through satellite surveillance and AI, the infrastructure dependency problem is not unique to cloud — it runs through submarine cables, satellite communications, GPS systems, and every other layer of the digital stack where European strategic interest and American technical dominance are in tension. GAIA-X was never going to solve that. But it could have been a start, if anyone had been serious about it.
The Fixer’s Final Word
The European Union has been talking about digital sovereignty for the better part of a decade (light-years on the IT clock). The BEST they could do in multiple attempts is a paper monster that invited its own adversaries to write its governing documents, a legal framework that has been struck down three times and is being challenged a fourth, and a cloud market that has moved in exactly the wrong direction since anyone started paying attention.
For shits and giggles, let’s assume they get it right this time… hey, one can dream! Then we have the case that the US won’t give a flying fuck about respecting EU privacy laws, and the US intelligence services will hack the living daylights out of the European data, on European servers in Europe… even with European quantum-ready encryption.
The Enercon turbines didn’t come back to the United States until 2010. Fourteen years of a superior technology locked out of its most important market while a competitor consolidated behind intelligence-enabled legal protection. Aloys Wobben’s company survived, eventually. But fourteen years is a long time to wait for a market you should never have been excluded from.
The EU has been waiting for genuine digital sovereignty longer than Enercon waited for its US market access. The difference is that Enercon was fighting against a specific legal order with a specific expiry date. The EU is fighting against its own political unwillingness to say what needs to be said and do what needs to be done.
Infrastructure projects named after primordial goddesses do not create sovereignty. Hard procurement mandates create sovereignty. Real investment creates sovereignty. Enforcement creates sovereignty. Threat models honest enough to name your allies as potential adversaries — where the evidence demands it — create sovereignty. And most importantly: killing fucking bureaucracy creates sovereignty!
The EU has none of those things. It has GAIA-X, GDPR, and a very full calendar of working group meetings to further increase bureaucracy…
Meanwhile, your government’s sensitive data is sitting on an AWS Frankfurt server that is, legally and practically, one US Department of Justice subpoena away from being someone else’s problem.
You guys keep your hands above the blanket, you hear!?
