Regulation for Digital Sovereignty

There is one uncomfortable truth that Brussels is reluctant to say out loud: you can't prescribe what you haven't built. And Europe is trying to do just that.

In the last half century, the continent that gave the world both the industrial revolution and the foundations of modern computer science has systematically underinvested in technological and security infrastructure. While the United States was building platforms and China was building its own closed ecosystem, Europe was building a market and becoming a top buyer and consumer of other people's technologies. Today, our data, our computing power, and increasingly our business logic rest on an infrastructure we don't control. This is a fact from every serious risk assessment I have seen in the past ten years of work, especially on projects related to governance and compliance.

And now, faced with this dependence, Europe is reaching for the only tool it has truly perfected, and that is regulation. This logic was offered by the European Commission itself. When asked directly about hyperregulation, its representatives sent a message to the market that, unlike other markets, Europe is a highly democratic society in which decisions are made only when all members agree, and regulation is indispensable at the global level, so someone must launch such initiatives. It's an answer that deserves fair criticism. It is true that the agreement of twenty-seven countries is a precious achievement of civilization and that someone had to be the first to set the standard, and the GDPR proved that Europe can try to do it for the whole world. But from the perspective of someone running a business, the democratic legitimacy of the process does not eliminate its cost. The consensus of twenty-seven members is not free, and it means slowness, compromises that do not suit everyone, and regulatory frameworks that are already behind the technology they are trying to regulate by the time they enter into force.

In other words, what is a virtue in the domain of values is a weakness in the domain of competitiveness. The markets we compete with do not wait for consensus; they make decisions quickly, invest aggressively, and set standards with facts on the ground, not negotiations. Being the first to regulate is not the same as being the first to build.

Regulation as a reflex, not as a strategy

GDPR, NIS2, CRA, EU AI Act. Each of these frameworks has a legitimate core. The GDPR imposed a standard of data protection on the world that, let's face it, not everyone adhered to, and that some may have copied later. NIS2 finally treats cybersecurity as a matter for the Board of Directors, not the IT department, although the involvement of the Management Board is not new; it is well known to us from the ISO standard. CRA introduces responsibility for product safety throughout the entire life cycle. The AI Act is the first serious attempt to set the rules of the game for AI technologies that will redefine every industry.

The problem is not in the intention. The problem is that regulation addresses the symptom, not the cause.

Sovereignty does not arise when you prescribe how someone else's technology can be used. It occurs when you have your own alternative. When a European company has to choose between the US cloud and another US cloud, any data localisation regulation is just an elegant way to manage dependency, not to remove it.

For those of us who enforce these frameworks through real organizations daily, the contradiction is palpable; we spend energy proving compliance with rules on technologies that are questionably compliant with regulatory requirements and ultimately cannot be replaced anyway.

A burden that falls on the wrong shoulders

Large global players have entire departments dedicated to compliance. For them, each new European framework is a cost of doing business, unpleasant but bearable. For European small and medium-sized enterprises, which form the backbone of our economy, this same framework can be an existential issue. The paradox is cruel. Regulation is designed to protect us from the domination of the big, but it often reinforces precisely that dominance, because only the big ones have the resources to absorb it painlessly. Compliance has become an entry barrier. And every entry barrier benefits the one who is already inside.

What would sovereignty actually ask for

To be clear, this is not an argument against regulation. The rules of the game are necessary, and good regulation can be a competitive advantage. This is an argument against the illusion that regulation is enough. True digital sovereignty requires three things that cannot be prescribed by regulation.

Europe undoubtedly has the money, but it is investing it cautiously. Sovereignty is built on patient, brave capital willing to finance infrastructure whose returns are measured in decades, not quarters.

No European cloud, chip or AI model will survive if European institutions and companies do not buy it. Sovereignty is also a procurement decision, not just a policy decision.

For too long, we have been exporting our best engineers to Silicon Valley. Keeping them means building an ecosystem where ambition has a place to grow at home.

What awaits us

Although we may not see the point in all regulations, we cannot avoid harmonization. In the short term, compliance is not optional; NIS2 and CRA impose real responsibility on the governing body, and treating them as mere paperwork is a strategic mistake. But in the long run, don't mistake compliance for security, and by no means for independence. An organization that is perfectly aligned and completely dependent on a single foreign supplier is not sovereign; it is only neatly documented in its vulnerability. We still have everything: talent, capital, and the market. What we lack is the decision to build, not just prescribe. Sovereignty is not written in the Official Gazette. Sovereignty is built.