June 16, 2026

80% Dependent: Europe's Sovereignty Package Explained


Summary

The European Technological Sovereignty Package (published June 2026) is not a regulatory overreach — it is Europe's formal response to a dependency that has become strategically unsustainable. More than 80% of Europe's core digital infrastructure comes from non-EU providers. This package begins the structural work of changing that.

  • Chips Act 2.0: strengthens European semiconductor manufacturing and AI chip capacity
  • Cloud and AI Development Act (CADA): regulates where AI compute lives and who controls it, going further than the EU AI Act
  • EU Open Source Strategy: public administrations shift to open, sovereign software foundations
  • Strategic Roadmap for Digitalization and AI in Energy: secures AI deployment in critical energy infrastructure

Europe spends €264 billion annually on third-country digital products and services. CADA creates the legislative mechanism to redirect that — and makes the jurisdiction governing your AI infrastructure a board-level compliance variable for the first time.

For companies, this means three things are now exposed: your cloud contracts, your AI partnerships, and your data architecture. If your primary provider operates under non-EU law, you have a sovereignty gap that CADA will make visible and consequential. The immediate priority is knowing what AI you have, where it runs, and who governs the infrastructure beneath it — then auditing your providers before the assessment framework becomes mandatory.

Organizations that treat this window as preparation time will enter the enforcement period with mapped dependencies, auditable controls, and sovereign infrastructure already in place. Those that wait will be building under pressure — in front of regulators, not ahead of them.

The strongest sovereignty posture in 2027 is being built today.

The number your board should be talking about

More than 80% of Europe's core digital products, services, infrastructure, and intellectual property comes from non-EU providers.

That figure comes from the European Commission's own package documentation, citing a 2025 Cigref study. It represents €264 billion in annual spend flowing out of Europe to third-country technology providers.

That is a structural vulnerability — visible in your vendor contracts, your data architecture, your legal exposure, and your competitive positioning.

EU Commission President Ursula von der Leyen was unambiguous when presenting the package: "We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure."

The Technological Sovereignty Package is Europe's formal, legislative response to that dependency. Understanding it is now a board-level responsibility — not a task to delegate to legal or IT alone.

What is the European Technological Sovereignty Package?

The European Technological Sovereignty Package is a coordinated legislative initiative published by the European Commission in June 2026. Its purpose is to reduce Europe's structural dependency on non-EU digital technology providers, strengthen homegrown industrial and digital capacity, and establish a sovereign framework governing AI, cloud infrastructure, semiconductors, and energy digitalization.

It is the most significant EU digital policy initiative since GDPR. And like GDPR, it will reshape how every European organization — and every organization operating in Europe — structures its technology decisions.

The package has four components. Each targets a different layer of the dependency stack. Together, they form a coherent industrial and regulatory architecture — not a collection of isolated policies.

Why did the EU introduce the Technological Sovereignty Package now?

The package arrived in June 2026 because three forces converged simultaneously — and Europe could no longer defer action.

1. Geopolitical fragmentation made dependency a live risk.
The assumption that access to US-based cloud, compute, and software would remain unconditional and legally stable has been tested repeatedly. European organizations have watched that assumption erode — in their contracts, in their compliance frameworks, and in the geopolitical environment surrounding their technology supply chains.

2. The financial scale of dependency became impossible to ignore.
€264 billion per year flowing to third-country providers is not just a cost exposure. It is jurisdictional exposure, legal exposure, and competitive exposure at industrial scale. That number, surfaced in the Commission's own documentation, made the political and legislative case unanswerable.

3. The AI Act created a governance layer without a sovereignty layer.
The AI Act governs how AI systems behave. It does not govern where the compute running those systems lives, or who can access it under what legal regime. As AI workloads scaled rapidly across European enterprise, that gap became a structural risk. CADA exists specifically to close it.

How does the Technological Sovereignty Package differ from the EU AI Act?

Short answer: they are complementary, not duplicative. They operate at different layers — and you need both.

|                | EU AI Act | Cloud and AI Development Act (CADA) |
| Governs        | AI system behaviour | AI infrastructure and compute |
| Asks           | What does this AI do? | Where does this AI run? |
| Focus          | Risk classification, transparency, human oversight | Jurisdiction, compute control, sovereignty assessment |
| Applies to     | AI systems by risk category | Cloud and AI infrastructure providers and users |
| Compliance gap | Can be fully compliant here… | …while still materially exposed here |

The AI Act is a product regulation. CADA is an infrastructure regulation. Treating AI Act compliance as sufficient misses the core strategic point of the sovereignty package entirely.

Which companies and organizations are affected?

The Technological Sovereignty Package affects every organization that operates in Europe and relies on digital infrastructure — which, in 2026, means every organisation.

The degree of impact varies by sector and by current technology posture:

Most immediately affected:

  • Organizations in healthcare, energy, finance, and public administration — the critical sectors explicitly targeted by CADA for accelerated sovereign cloud adoption
  • Public sector technology vendors — procurement criteria will shift toward sovereignty-compliant providers
  • Organizations with high non-EU cloud dependency — those running core workloads on US hyperscalers without sovereignty provisions face the most significant transition requirement

Significantly affected:

  • Any organization that has deployed AI at scale — the CADA sovereignty assessment framework will apply to AI infrastructure, not just cloud storage
  • Technology providers selling into European enterprise — sovereignty credentials will become a differentiating procurement factor

Less immediately but still affected:

  • Non-EU companies operating in Europe — CADA applies based on where infrastructure serves European users and organizations, not just where the provider is headquartered. Non-EU technology providers serving the European market will need to demonstrate sovereignty compliance under CADA's assessment framework, just as they needed to demonstrate GDPR compliance regardless of their home jurisdiction.

What does this mean for your organization operationally?

The sovereignty package has direct implications across three dimensions of how your organization runs technology.

The Vendor Lock-In Problem

Cloud contracts signed without sovereignty criteria now carry regulatory and legal exposure. If your primary cloud or AI provider is subject to non-EU law — including legislation that permits government data access without your consent — your governance posture has a gap that CADA will make visible and consequential.

The Jurisdiction Problem

Where your AI models are trained, where inference runs, and what legal regime governs your provider are no longer IT team questions settled in procurement. They are board-level questions with board-level consequences. The jurisdiction governing your AI infrastructure is now a business-critical variable.

The AI Control Gap

Most organizations have a gap between the AI they think they control and the AI they actually have deployed. Shadow AI — tools adopted without formal procurement or governance — is part of it. But so is the broader question of whether formally approved AI systems run on infrastructure your organisation actually controls.

The AI Control Gap is the most common and most consequential governance failure we see. CADA will make it a regulatory liability, not just a governance concern. Closing it starts with visibility — knowing what AI you have, where it runs, and who governs the infrastructure beneath it.

What is the timeline for the Technological Sovereignty Package?

The package was published by the European Commission in June 2026 and is now moving through the EU legislative process.

The Commission publication marks the beginning of the formal legislative journey — not the end. For CADA specifically, the timeline to watch includes:

  • Now: Commission proposal published — organizations should begin sovereignty audits and provider assessments immediately
  • Legislative process: European Parliament and Council will review, amend, and adopt the legislation — typically an 18-36 month process for major digital regulation
  • Transitional period: As with GDPR and the AI Act, a transitional implementation period is expected following adoption — but the direction is set and will not reverse
  • Critical sectors first: Healthcare, energy, finance, and public administration are likely to face earlier and more prescriptive requirements

The practical implication: Organizations that wait for final legislative text before beginning their sovereignty assessment will spend the transitional period in catch-up mode. The organisations acting now are building the infrastructure, mapping the dependencies, and negotiating the contracts that will define their sovereignty posture when compliance becomes mandatory.

Is European technological sovereignty actually achievable?

Yes — on a realistic horizon, with the mechanisms now being put in place.

The package is not a declaration that Europe will replace US hyperscalers by 2027. It is a structural intervention: redirecting investment, creating procurement incentives, establishing assessment frameworks, and building capacity in chips, data centres, and open source software.

What Europe has that other sovereignty programmes lack:

  • A functioning regulatory toolkit with proven enforcement reach — GDPR demonstrated Europe can set and enforce global digital standards
  • A large enterprise market that responds to compliance signals — when Europe mandates, vendors adapt
  • A deep open source talent base — 3 million contributors and growing
  • A credible legislative instrument in CADA that makes sovereignty an operational requirement, not a preference
  • A semiconductor strategy in Chips Act 2.0 that addresses the physical infrastructure layer beneath everything else

Sovereignty is a spectrum, not a binary. The package moves European organizations meaningfully along that spectrum and creates the legislative, financial, and infrastructural conditions for the private sector to move further.

What to do in the next 90 days

The Technological Sovereignty Package is moving through the legislative process now. The organizations that will be best positioned when CADA becomes enforceable are the ones that start the structural work before they are required to.

These are the six steps that matter most — for every function, at every level.

1. Put sovereignty on the board agenda — this quarter.
Not the compliance queue. Not a delegated workstream. The board agenda. The Technological Sovereignty Package restructures vendor relationships, procurement criteria, data architecture, and competitive positioning simultaneously. Those are strategic decisions, and they need strategic ownership.

2. Map your AI — all of it.
You cannot govern what you have not found. Most organizations discover significantly more AI systems in active use than they had formally accounted for — shadow AI is not an edge case, it is the norm. The AI Auto Registry automatically detects, registers, and monitors all AI across your environment, giving you the complete picture that every subsequent step depends on.

3. Conduct a sovereignty audit of your cloud and AI stack.
For every AI system and cloud dependency your organization runs, answer three questions: Where does it run? Who controls the compute? What legal jurisdiction governs the provider — and what does that jurisdiction permit regarding third-party data access? Most organizations cannot answer these with precision today. That needs to change before CADA's assessment framework becomes operational.

4. Review your data protection posture at the infrastructure layer.
GDPR compliance at the application level is necessary — but it is not sufficient under CADA. The sovereignty framework CADA establishes makes the boundary between your data and external AI infrastructure a compliance boundary, not just a best practice. Chat Guardian screens data before it reaches any model, making that boundary auditable and defensible.

5. Engage your providers now — before the framework is finalized.
Ask your cloud and AI providers directly: what is your CADA sovereignty posture? What documentation can you provide? Their readiness to answer — and the quality of that answer — will tell you what you need to know about the long-term viability of the relationship and where your renegotiation priorities sit.

6. Build your documentation infrastructure ahead of the obligation.
Sovereignty compliance will require documented assessments of your cloud and AI infrastructure — parallel to the records of processing activities GDPR introduced. Organizations that build this infrastructure now will have auditable evidence when regulators ask. Organizations that build it under pressure will have gaps. If your organization operates in healthcare, energy, finance, or public administration, treat this as immediate — these sectors face the earliest and most prescriptive requirements under CADA.

The direction is set and it will not reverse. The question is whether your organization shapes its own sovereignty roadmap — or inherits someone else's.

The EU AI Act was your home field advantage. The Technological Sovereignty Package just expanded the stadium.

At 2021.AI, we built the GRACE AI Platform on exactly this principle — European-built, with EU AI Act and GDPR as a foundation, designed to run on infrastructure you control, delivering the governance depth that Sovereign AI Governance requires. Governance and sovereignty are inseparable. The Commission has now confirmed that in law.

We built it from conviction before it was a mandate. That is what it looks like to act ahead of regulation rather than in response to it.

The bottom line

The European Technological Sovereignty Package converts a strategic conversation into a legislative mandate.

The 80% dependency figure is not a target. It is the problem. The €264 billion annual spend is not a forecast. It is the baseline the package is designed to shift.

Four components. One coherent architecture. A clear direction that will not reverse.

The organizations that move first will shape their own roadmap. The ones that wait will inherit someone else's — along with the costs, constraints, and competitive disadvantage that come with it.

Digital sovereignty is no longer optional in Europe. The question is whether your organization leads within it or scrambles to catch up.

Want to know where your organization stands today? The GRACE AI Platform gives you the visibility, control, and governance infrastructure to answer that question — and act on it.
