Image: Gerd Altmann, on Pixabay.
By Mariana Meneses
Why are countries like Denmark and France moving away from Microsoft systems? Why are governments raising alarms about the environmental cost of massive data centers? And why is so much of the world’s digital infrastructure concentrated in just a handful of companies? As digital systems become foundational to economic and political life, these questions converge on a single issue: who controls the infrastructure that everything else depends on.
How much technology is in the hands of giant tech companies?
Data Journalist Felix Richter, in an analysis posted in Statista, shows that the global cloud infrastructure market is dominated by three major giant U.S.-based companies: Amazon Web Services (28%), Microsoft Azure (21%), and Google Cloud (14%). The sector continues to grow rapidly, surpassing $400 billion in annual revenue in 2025, driven in large part by rising demand linked to artificial intelligence and its computing needs. This concentration underscores the strategic importance of cloud infrastructure and raises fundamental questions about digital sovereignty.
According to Anna Desmarais, writing for EuroNews in August 2025, about three-quarters of Europe’s publicly listed companies rely on U.S. technology providers for core services like email and cloud infrastructure, with dependence exceeding 90% in some countries and reaching full reliance in key sectors such as banking, telecommunications, and energy.
Kai Nicol-Schwarz, writing for CNBC in February 2026, also states that Europe remains heavily dependent on U.S. digital infrastructure, with American companies dominating key sectors such as cloud computing, enterprise software, and customer relationship management. U.S. providers, primarily Amazon, Microsoft, and Google, control more than 70% of the European cloud market, while European firms hold less than 15%. Similar patterns exist in software, where U.S. companies account for the majority of market share.
Nicol-Schwarz attributes this concentration to scale advantages, early market entry, and sustained investment by U.S. firms, making it difficult for European competitors to catch up. However, as geopolitical tensions rise, policymakers increasingly frame technological capacity as central to digital sovereignty. Often cited is legal exposure under U.S. laws such as the CLOUD Act, a 2018 law enabling law enforcement to obtain a court warrant compelling U.S.-based technology companies to disclose data (including emails and files), regardless of whether the data is stored domestically or abroad. Desmarais further notes that dependence on U.S. providers translates into concrete vulnerabilities, from foreign surveillance to potential service disruptions, reinforcing calls for investment in domestic infrastructure and reduced reliance on foreign providers.
Image: Gerd Altmann, on Pixabay.
In “Cross-Border Data Transfer Regimes: Current Landscape and Outlook Ahead”, published in February 2026 by the Centre for International Governance Innovation (CIGI), S. Yash Kalash shows that cross-border data transfers have become a foundational infrastructure of the global digital economy that enable trade, innovation, and coordination across sectors. By 2025, however, the regulatory systems governing these flows had grown increasingly complex and fragmented, shaped by competing priorities such as privacy, national security, and economic growth.
“In the twenty‑first century, data has emerged as both a critical economic resource and a strategic asset.” – CIGI
Cross-border data flows underpin activities ranging from cloud computing and artificial intelligence to global supply chains, contributing trillions of dollars to global GDP. At the same time, governments increasingly seek to assert control over data generated within their borders, creating tension between the need for seamless data mobility that generatemaximum value and the political and security imperatives of digital sovereignty.
“Cross-border data transfers are estimated to contribute US$2.8 trillion to global GDP, a share that exceeds the global trade in goods and is expected to grow to $11 trillion by 2025.” – CIGI
Regulatory systems rely on core principles such as adequacy (ensuring equivalent protection abroad), safeguards (such as contractual clauses), purpose limitation, and data minimization. Alongside these, some countries pursue data sovereignty through localization requirements, mandating that certain data remain within national borders to reduce exposure to foreign surveillance and enhance domestic control.
Data sovereignty responses and initiatives differ both among and within many global regions.
Early efforts in cross-border data governance relied on soft-law instruments such as OECD guidelines, which promoted voluntary alignment among the 38 member nations of The Organisation for Economic Co-operation and Development. Enactment of the European Union’s General Data Protection Regulation (GDPR) in 2018 marked a shift toward enforceable, rights-based regulation that continues to have significant global influence. More recently, a third phase has emerged, characterized by growing geopolitical concerns and the treatment of data as a strategic national resource. This has led to stricter controls in some jurisdictions, including localization mandates and security assessments, while others pursue more open or hybrid approaches.
Still according to CIGI, the European Union’s GDPR represents a rights-driven model, in which cross-border data transfers are permitted only under conditions that ensure an “adequate” level of protection or equivalent safeguards. This is unlike the United States, which has adopted a market-driven and sectoral approach that allows relatively free outbound data flows while relying on contractual mechanisms and international frameworks to facilitate inbound transfers. China, by contrast to both the U.S. and EU, enforces a state-centric regime that conditions outbound data transfers on stringent security assessments and government oversight, reflecting its view of data as a strategic asset tied to national security.
Image: Gerd Altmann, on Pixabay.
The document further notes that across political groupings in the Asia-Pacific region and the Association of Southeast Asian Nations, countries emphasize interoperability and trade facilitation through mechanisms such as certification frameworks and model contractual clauses. For example, India follows a selective model under its Digital Personal Data Protection Act, permitting transfers primarily to government-approved jurisdictions through a whitelist system.
In Africa and Latin America, regimes are largely inspired by the EU’s GDPR principles that require adequacy or safeguards but remain influenced by varying levels of institutional capacity and enforcement. Within this landscape, Brazil stands out as a leading example due to its Brazilian General Law of Data Protection (LGPD) framework (pdf), active data protection authority (National Data Protection Authority, ANPD), and ongoing efforts to establish adequacy relationships with major partners.
CIGI concludes that the global system is characterized by partial convergence and persistent fragmentation. While common tools and principles are spreading, underlying political and economic differences prevent full harmonization, resulting in clusters of interoperability rather than a single global regime. Looking ahead, the paper outlines possible futures ranging from a fully interoperable system to a fragmented, localized environment. It argues that the direction will depend on policy choices, technological developments, and international cooperation, emphasizing the need for frameworks that balance data mobility with privacy, security, and sovereignty.
Across this fragmented landscape, countries are translating the idea of digital sovereignty into distinct models, ranging from state-centric control to strategic efforts to reduce external dependence within open economies.
Reporting for Reuters, Andrew Osborn writes that Russia has mandated that its state-backed messaging app MAX, positioned as a domestic rival to WhatsApp, be pre-installed on all mobile phones and tablets sold in the country as part of a broader effort to strengthen state control over the digital environment. The app, which will be integrated with government services, is being promoted alongside other domestically developed platforms, including a national app store and state-aligned media services, reflecting a coordinated push to reduce reliance on foreign technology.
This move occurs amid Russia’s war in Ukraine and ongoing tensions with the West, and it follows regulatory pressure on platforms like WhatsApp and Telegram that Russian authorities accuse of failing to cooperate with law enforcement. While state media denies claims that MAX could be used for surveillance, critics raise concerns about privacy and user tracking, highlighting the broader trade-off between national control and individual rights.
In democratic countries, digital sovereignty is being pursued through different models, reflecting distinct priorities around control, security, and dependence on foreign technology.
According to Steven Vaughan-Nichols, writing for ZDNet, Denmark’s decision to phase out Microsoft Office and Windows in favor of alternatives like open-source LibreOffice and Linux is driven primarily by concerns over the desire to reduce dependence on foreign (especially U.S.-based) technology providers and regain control over critical digital infrastructure, data, and services. Concerns were heightened during the time that the U.S. was threatening to take over Greenland, which is a territory of Denmark.
Still according to Vaughan-Nichols, the move reflects broader European anxieties about geopolitical risk, including the possibility that political tensions could disrupt access to essential digital systems as illustrated by concerns over alleged service interruptions involving Microsoft and international institutions. Vaughan-Nichols notes that Danish officials and local governments also cite security, economic, and strategic motivations, including rapidly rising software costs from American big tech companies and the need for stronger data ownership. While the transition is expected to be complex and contested, with some experts questioning its feasibility, it represents a broader European effort to balance technological reliance with political autonomy.
Similar initiatives are emerging across Europe, reflecting a broader effort to reduce dependence on foreign technology providers.
Image: Gerd Altmann, on Pixabay.
A similar pattern can be observed in France. According to Will Shanklin, writing for Engadget, France’s decision to replace Microsoft Windows with Linux is aimed at reducing dependence on foreign, particularly American and Chinese, technology providers and strengthening control over critical digital infrastructure. The move includes additional steps such as shifting videoconferencing to a domestic platform and migrating health data systems, reflecting a coordinated effort to build local technological capacity. As in the case of Denmark, these measures reflect concerns that reliance on external providers could expose critical systems to political pressure or disruption, as part of a broader European effort to reduce dependence.
Digital sovereignty is also being pursued within the European Union through coordinated frameworks designed to align regulation, infrastructure, and governance.
According to the European Union’s data strategy, digital sovereignty is defined as the ability to control how data is accessed, used, and protected while remaining engaged in global data flows. The document frames data as a strategic asset in a context of geopolitical competition, where dependence on external infrastructure can create risks such as foreign surveillance, cyber vulnerabilities, and loss of economic control. To address this, the EU relies on a set of key legal instruments, including the General Data Protection Regulation (GDPR), the Data Governance Act, the Data Act, and the Open Data Directive, which establish rules for data sharing, access, and protection. Together, these instruments aim to ensure that cross-border data transfers occur under conditions of adequacy, safeguards, and reciprocity, balancing openness with control.
At the same time, the strategy emphasizes that sovereignty cannot be achieved through regulation alone. It requires building the underlying systems that enable control in practice, including sovereign cloud infrastructure, AI computing capacity, and sector-specific data spaces. These frameworks allow data to be used within trusted environments without transferring ownership, preserving both security and economic value.
Rather than promoting isolation, the EU aims to advance a model of controlled openness, in which participation in the global data economy depends on the ability to define the technical, legal, and institutional conditions under which data circulates, an approach made more urgent by the growing importance of AI and the risks it introduces to critical systems.
Image: Gerd Altmann, on Pixabay.
Beyond these frameworks, digital sovereignty is increasingly understood as a response to the systemic risks generated by digitalization itself.
The article entitled “The politics of digital sovereignty and the European Union’s legislation: navigating crises” was published in the journal Frontiers in Political Science, in February 2025, by Gábor Hulkó, professor at the Széchenyi István University, in Hungary, and colleagues.
According to the authors, as digital systems have become embedded in economic, social, and political life, they have introduced new forms of systemic risk that include cyberattacks, data breaches, and the growing dominance of giant technology companies. These crises occur more quickly, with less transparency and more transnational issues than longstanding laws were written to address, often involving decentralized infrastructures and actors that operate across many jurisdictions. In this context, sovereignty is not only about setting rules, but about the capacity of states and institutions to anticipate, manage, and adapt to disruptions that can affect critical systems and public trust.
Within this framework, digital sovereignty extends beyond data governance to encompass control over infrastructure, markets, and technological development. The European Union’s legislative architecture reflects an attempt to address these challenges in a coordinated way, by regulating platforms, limiting market concentration, protecting media independence, and shaping the development of artificial intelligence. At the same time, these efforts reveal an ongoing tension between supranational coordination and national autonomy, particularly in smaller or less-resourced member states.
These risks raise broader questions about how digital sovereignty should be governed, particularly in relation to citizens’ rights, democratic values, and societal outcomes.
According to the Policy Position released by the European Movement International in November 2021 on “Digital Sovereignty and Citizens’ Rights”, digital sovereignty must balance technological innovation with the protection of citizens’ rights, democratic participation, and environmental sustainability. The document argues that while tools such as data, artificial intelligence, and the Internet of Things can drive economic growth and competitiveness, they must be governed by strong regulations that ensure privacy, transparency, accountability, and fair competition.
It emphasizes the need for European control over digital infrastructure, such as cloud capacity and data centers, alongside measures like the Digital Markets Act, Digital Services Act, and cybersecurity frameworks to reduce dependence on external actors and protect critical systems. At the same time, digital sovereignty is framed as a societal project, requiring investments in digital literacy, inclusive participation, labor protections, and sustainable technologies to ensure that the digital transition enhances well-being and resilience without undermining fundamental rights or environmental goals.
In practice, these principles translate into concrete strategic and operational challenges for governments and organizations.
According to Wire, digital sovereignty in Europe has become a strategic priority for governments and enterprises alike. However, despite efforts such as sovereign cloud initiatives and EU investments in infrastructure, challenges remain, particularly reliance on U.S. hyperscalers – a term applied to large cloud service providers like Amazon Web Services – as well as legal exposure to foreign jurisdictions and complex compliance environments. Concerns about over-reliance are leading organizations to pursue solutions like European cloud providers, self-hosted systems, and stronger encryption to maintain control and meet sovereignty demands.
Image: Gerd Altmann, on Pixabay.
Complying with these pressures, Amazon Web Services (AWS) created an independent cloud which it markets as follows: “The AWS European Sovereign Cloud is a new, independent cloud for Europe, designed to help public sector organizations and customers in highly regulated industries meet their evolving sovereignty needs. The AWS European Sovereign Cloud is designed to give customers additional choice to meet the EU’s stringent sovereignty requirements without compromising on the robust capabilities of AWS.”
However, earlier in the same webpage, the company presents the “AWS Digital Sovereignty Pledge” which, stripped of the marketing language, says that AWS wants to convince governments and companies that they don’t need to move away from U.S.-based cloud providers to achieve “digital sovereignty.”
Advances in artificial intelligence add a new layer to digital sovereignty, as systems built on shared infrastructure can generate and expose vulnerabilities at scale.
According to journalist Thomas L. Friedman, writing for The New York Times, Anthropic’s decision to release the company’s new AI model, Claude Mythos Preview, only to a limited group of major technology companies signals a significant and potentially dangerous leap in artificial intelligence capabilities. The model can not only generate highly advanced code but also identify vulnerabilities across virtually all major software systems, including operating systems and web browsers that underpin critical infrastructure worldwide. While this creates an opportunity to strengthen cybersecurity by identifying and fixing weaknesses, it also raises the risk that, if widely accessible, such tools could enable even small actors to carry out large-scale cyberattacks.
Friedman argues that this development marks a turning point with major geopolitical implications, as the ability to conduct sophisticated cyber operations could become broadly accessible. He highlights the urgency of controlling the dissemination of such technologies, strengthening defensive systems, and fostering international cooperation, particularly between the United States and China, to mitigate potential risks.
While these developments are often framed as emerging geopolitical risks, they are also prompting early coordination efforts within the technology industry.
Wired has recently reported on Anthropic’s launch of Project Glasswing, a collaboration involving more than 45 organizations that include major technology, cybersecurity, and infrastructure companies, to explore the implications ofClaude Mythos Preview. In addition to the AI’s advanced capabilities in identifying software vulnerabilities, it can also generate potential attack strategies, even though it was trained primarily for coding. Anthropic is limiting access to a small group of partners to allow them to test their systems, identify weaknesses, and mitigate risks before broader deployment.
Image: Gerd Altmann, on Pixabay.
The article also emphasizes that these capabilities are not unique to a single model but reflect a broader trend in which AI systems are becoming increasingly effective at tasks related to cybersecurity. Researchers cited in the article warn that such advances could challenge existing assumptions about software security, since tools that enhance defensive capabilities may also lower the barrier for carrying out complex attacks. The initiative is presented as an early effort to understand and respond to these shifts as AI capabilities continue to evolve.
Digital sovereignty concerns extend beyond Earth’s atmosphere.
Another domain where digital sovereignty is increasingly relevant is outer space, where critical satellite-based digital infrastructure is now being deployed and governed. In the opinion text entitled “The “Third Way” to Space Power: Europe’s Digital Sovereignty Advantage” and published on the Stanford Space Law Society page in January 2026, Marco Franzoso argues that satellite systems, used for communication, navigation, and Earth observation, generate vast amounts of sensitive data, from location tracking to behavioral patterns, making them potential tools for large-scale surveillance if left unchecked.
Fragoso notes that, in response, the European Union is developing what the author calls a “third way,” integrating space capabilities with its existing regulatory framework for data protection and privacy. This includes extending principles from laws like the GDPR and the Data Act into space governance, alongside new initiatives such as the EU Space Act and projects like the IRIS² satellite constellation, designed to provide secure, sovereign communication infrastructure.
Low Earth Orbit Is Becoming Structurally Unstable with Megaconstellations, Space Debris, and Governance Issues. Image: European Space Agency.
Digital sovereignty creates a fundamental trade-off between control and integration: too much control can fragment the global systems that sustain digital economies, but too little control leaves states, institutions, and citizens increasingly vulnerable as digital technologies become more powerful and harder to govern.
As digital technologies evolve, sovereignty may become more about the capacity to anticipate, constrain, and respond to risks that propagate across borders and systems. In globally connected and technologically complex systems, it could ultimately become a matter of managing interdependence.
Craving more information? Check out these recommended TQR articles:
- Thinking in the Age of Machines: Global IQ Decline and the Rise of AI-Assisted Thinking
- Cleaning the Mirror: Increasing Concerns Over Data Quality, Distortion, and Decision-Making
- Quantum Governance: Can the Gap Between Technological Acceleration and Risk Management be Closed?
- Low Earth Orbit Is Becoming Structurally Unstable with Megaconstellations, Space Debris, and Governance Issues
- Digital Sovereignty: Cutting Dependence on Dominant Tech Companies
Enjoyed this? Help us improve.
Have we made any errors?
Spotted an error or want to contribute your expertise? We’d love to hear from you — reach us at info@thequantumrecord.com. The Quantum Record exists to bring researchers and curious minds together around science and technology that matters.
