EU's technological sovereignty package sets new direction for the digital economy
Published on 29th June 2026
Four proposals targeting reliance on non-European digital providers carry wide implications for technology businesses
At a glance
The EU relies on non-European providers for more than 80% of its digital products, services and infrastructure; the package is a direct response to that dependency.
Four initiatives span semiconductors, cloud computing, artificial intelligence and open-source software, with adoption unlikely before the end of 2027.
Businesses in technology, energy and public procurement face material changes to supply chain governance and digital compliance requirements.
The European Commission moved on 3 June to address the EU's growing technological dependency on non-European providers, publishing a package of measures centring on Europe's capacity in semiconductors, artificial intelligence (AI), cloud computing and open-source software. The European Technological Sovereignty Package marks what the Commission describes as a decisive change in the EU's approach to technology, focusing on reducing dependencies by building up its own capacity and strengthening control over its critical technologies and digital infrastructure.
The EU is currently structurally reliant on non-EU providers for more than 80% of its digital products, services, infrastructure and intellectual property. With geopolitical pressures growing and supply chains under strain, the EU is looking to relieve technological dependencies in critical sectors to maintain economic strength, security and long-term competitiveness.
The package comprises four initiatives: the Chips Act 2.0, the Cloud and AI Development Act (CADA), the Open Source Strategy and the Digitalisation and AI in Energy Roadmap. Together, they are expected to overhaul the commercial technology landscape in the years ahead, particularly around procurement, competition and market access.
The package now proceeds through the legislative process for consideration by the European Parliament and Council. With extensive negotiations expected, adoption before the end of 2027 is unlikely.
Chips Act 2.0
Semiconductors are the third most traded product in the world after oil and vehicles. The market was valued at around €595 billion in 2025 and is expected to exceed €1 trillion by 2030, with AI-related components accounting for over 70% of the global semiconductor market. The European Chips Act generated around €80 billion of public and private investment commitments into Europe's semiconductor ecosystem, yet the EU produces only around 10% of global semiconductors. It remains heavily dependent on the US and East Asia for mature and advanced nodes including AI chips, which are becoming increasingly important for core European industrial ecosystems.
The Chips Act 2.0 addresses these vulnerabilities on both the supply and demand sides of the value chain. It aims to improve the framework conditions for investment and competitiveness, boost demand for European chips, strengthen capacity building across the value chain and improve resilience of the semiconductor value chain.
On the supply side, the Chips Act proposes an EU-based open foundry for advanced semiconductor manufacturing to produce AI chips and other semiconductors with a node size of 3 nanometres (nm) and below. This would be the first EU semiconductor plant combining leading-edge node chip manufacturing with chiplet integration and 3D packaging, with pilot production envisaged by 2030-2033.
On the demand side, demand for European semiconductors is projected to double by 2040 across consumer electronics, the automotive sector, energy and data centres. Demand is expected to grow throughout all node ranges but particularly sub-16nm nodes, owing to AI and advanced logic technologies. The legislation aims to support demand for high-performance AI chips by leveraging AI infrastructure including AI factories, AI gigafactories and cloud-related measures under the CADA.
Through demand accelerators, the Chips Act will promote EU-designed and EU-made chips through an industry demand forum and encourage public innovation procurement as a route to purchasing EU semiconductor technologies.
The Chips Act also contains provisions ensuring that semiconductor technology facilities and strategic projects qualify for accelerated environmental approval under the EU's fast-track permitting rules. The Commission is also developing an EU blueprint for semiconductor crisis management by the second quarter of 2027.
Cloud and AI Development Act
EU cloud providers have seen their market share fall sharply from 29% in 2017 to 15% now, with the rest of the market controlled by three US "hyperscaler" cloud infrastructure providers. The CADA aims to reset the balance by ensuring that Europe is not reliant on non-EU cloud service providers and is in a position to deploy sustainable cloud and data centre infrastructure.
CADA is central to the Commission's AI Continent Action Plan. It aims to triple data centre capacity in Europe over the next five to seven years and ensure that the EU has the necessary capacity to meet its needs by 2035, while ensuring high sustainability standards and balanced deployment across member states. It also aims to strengthen the role of the new "Apply AI" strategy to boost adoption.
CADA establishes a Union cloud and AI sovereignty framework for cloud computing services, comprising four sovereignty assurance levels. These levels are defined by criteria related to control over the service and software supply chain; processing of AI inference data; the location of the infrastructure, assets and personnel; and the level of cybersecurity. Member states and Union entities will need to conduct a sovereignty risk assessment to determine which assurance level is necessary for each use case. This aims to eliminate what the Commission describes as “sovereign washing”: the practice of providers making unverifiable claims about the sovereignty or security of their services without a standardised definition or framework against which to test them.
Energy roadmap
The growth of digital infrastructure across the continent is increasing electricity demand, adding pressure on decarbonisation initiatives, industrial competitiveness, access to grids and households' budgets. The digitalisation and AI in energy roadmap aims to address these challenges and sets out how AI and other digital solutions can ensure the sustainable integration of digital infrastructure across the energy system and promote energy efficiency.
The roadmap covers three areas. It addresses the sustainable integration of data centres into the energy system: they currently account for 2.5% of EU electricity consumption and demand is expected to rise. It drives the acceleration of digital and AI solutions in the energy system, with a focus on smart grids, smart metering, AI-based grid management and forecasting, and developing sovereign AI models for the energy sector. Finally, it establishes a comprehensive framework for cross-border data exchange to strengthen EU energy data exchange.
The roadmap includes a delegated regulation on an EU-wide scheme, previously due to be adopted on 3 June but delayed following extensive criticism from industry. This aims to address "greenwashing" in the data sector by increasing transparency on environmental performance and promoting sustainable EU-wide digital infrastructure.
The roadmap will also support the development of sovereign and secure AI models for the energy sector, trained on European data and developed by European companies. By simplifying the exchange of cross-border energy data, it intends to support the uptake of smart energy services and flexibility.
Open-source strategy
Open-source software refers to software whose source code is publicly available under licences that allow others to use, modify and share it. It is the foundation for most of the world's digital infrastructure including web platforms and AI infrastructure.
The Commission reports that the EU currently spends €264 billion a year primarily on US proprietary IT products and services, creating dependencies that affect its ability to control key digital infrastructures, reduce lock-in risks and ensure security and compliance. While the EU has strong existing open-source capabilities, it faces several challenges, including a lack of sustained funding in the early stages of a project, uncertainty around maintenance and security, access to capital and barriers to public procurement.
Building on existing legislation and policy, the strategy sets out four objectives: to leverage open source for technological sovereignty; strengthen and promote a vibrant open source ecosystem; promote open and interoperable digital ecosystems for public administrations, including EU institutions; and reinforce digital standards and international outreach.
The strategy carries a certain irony. Much of what it offers, including stewardship toolkits, security-attestation schemes, dependency lists and governance frameworks, amounts to the Commission helping the open-source world cope with regulatory weight the EU itself has imposed. Once again, the answer to regulation that has left European IT companies trailing foreign competition is more regulation. The strategy is, in its own right, soft law: it promises to mobilise, promote, scale up and strengthen, but creates almost no binding obligations. The lever that could actually move the market is public procurement, which sits in CADA and in the forthcoming revision of the EU procurement rules, not in this communication.
A digital policy advance
The package represents potentially one of the most significant developments in EU digital policy since the foundational regulatory frameworks of the last decade including the General Data Protection Regulation, the Digital Markets Act, the Digital Services Act and the AI Act. For businesses, changes around procurement rules, sovereignty frameworks, open-source mandates and new cybersecurity standards look set to reshape how digital products and services are developed, procured and governed across the EU market.
Given the emphasis on reducing strategic dependency and increasing reliance on European technologies, businesses supplying EU institutions, public sector entities and critical infrastructure operators can expect growing requirements around EU-based control structures, supply chain transparency, EU data governance and resilience against foreign interference.
The EU Open Source Strategy, in particular, carries a number of practical and strategic implications for businesses. As open source is a strategic enabler for small and medium-sized enterprises (SMEs), it aims to lower barriers to entry, reduce dependencies and promote the reuse of digital building blocks to help businesses reduce production costs. It also seeks to reduce so-called vendor lock-in, where customers are dependent on a single vendor for products and services, to give businesses more choice and foster collaborative innovation.
SMEs that are open-source providers are often disadvantaged in EU procurement processes, as specifications in individual tenders tend to have been designed around the characteristics of proprietary vendors, which often encourage vendor lock-in. The strategy, alongside CADA, promotes an “open-source first” principle in public sector software procurement, with guidelines and best practices for drafting tenders that allow open-source solutions to compete with proprietary alternatives.
The strategy also envisages measures to support open-source businesses, particularly start-ups, to scale by promoting adoption in the public and private sectors and access to practical tools such as training, legal and licensing advice and mentoring.
The Commission will also work to expedite the development of voluntary security-attestation programmes under the Cyber Resilience Act and create a voluntary EU assessment framework for open source, covering compliance of solutions with key EU security rules. Backed by the European Union Agency for Cybersecurity, it will also create a list of the most exposed open-source software and infrastructure dependencies.
The European Business Wallet and the EU Digital Identity Wallet, which are based on open-source solutions, are expected to broaden demand for their core technologies. Businesses that build products or services on these foundations stand to benefit in this commercial environment.
Osborne Clarke comment
Given that adoption is unlikely before the end of 2027, the intervening period gives businesses time to assess and anticipate their exposure accordingly. For those relying on non-EU cloud service providers, examining existing contractual arrangements in light of CADA's sovereignty assurance framework is likely to be worthwhile: the four-tier classification may require migration to EU-compliant infrastructure or renegotiation of service-level agreements.
Businesses operating in the semiconductor, automotive and energy sectors would benefit from monitoring the development of the EU blueprint for semiconductor crisis management and evaluating the potential impact on their supply chain reporting and diversification obligations. Data centre operators can anticipate enhanced transparency and sustainability requirements under the forthcoming delegated regulation on environmental performance.
For businesses working with open source or positioning themselves around sovereignty, a number of points warrant attention now:
- CADA and the supply chain. The CADA reaches beyond its public-sector addressees. The assurance level an authority procures at flows down the contract chain to suppliers and integrators. Open-source companies in that chain should treat the levels as prospective procurement requirements today, not after 2027.
- “Sovereign washing” becomes a litigation risk. The four-tier assurance framework turns “sovereign” into a testable standard. Providers claiming a level they cannot substantiate face misleading-advertising claims and potential exclusion from tenders.
- The stewardship toolkit: note the running order. The stewardship toolkit lists legal set-up first and business models last. The real entry barrier is legal and structural, not technical. Addressing legal and governance questions before establishing or restructuring a foundation is a practical early step.
- Procurement readiness. Vendors can reposition offers around open standards and CADA’s non-price award criteria. Public bodies will want tenders that genuinely let open-source solutions compete.
- Antitrust structuring. Collaborating with competitors carries antitrust questions. The industrial open-source platforms the strategy encourages in sectors such as automotive and rail carry competition law implications and will need careful structuring to stay on the right side of the rules.