How Europe can get digital sovereignty right

With rapid technological and geopolitical change, it’s understandable that Europe seeks control over the critical digital infrastructure essential for our security, resilience, and competitiveness.

Cloud and AI technologies are a driving force behind everything from industrial innovation to public services. But Europe depends heavily on a handful of global providers for cloud services – and none of them are European.

According to Synergy Research, the European cloud market grew sixfold between 2017 and 2024. In the same period, the market share of European providers fell from 29% to just 15%.

Whilst Europe’s ambition for digital sovereignty is both urgent and legitimate, the pragmatic reality is that building fully European alternatives will take time and sustained investment.

That’s why the answer to this question needs careful consideration. If Europe responds with blunt restrictions, it risks slowing digital transformation, raising costs, or undermining Europe’s global competitiveness.

At the same time, Europe knows it must invest in the areas where it still has the chance to lead, including quantum, connectivity, edge cloud and industrial AI applications.

The optimum solution is therefore one of mitigation over exclusion – a risk-based, strategically open approach that strengthens Europe’s control, but without cutting it off from world-leading innovation.

Digital sovereignty is not a binary choice

To address this challenge, we must recognise that digital sovereignty is not binary. It exists across three dimensions:

  • Data sovereignty - where and how data is stored and protected.
  • Operational sovereignty - who controls and manages the environment.
  • Technological sovereignty - the origin and security of supply of the underlying technology.

For each dimension, there are layered measures - technical, contractual, and organisational - that can reduce risk without sacrificing capability.

Most businesses and public sector organisations face little risk of foreign state interference. Their focus is resilience against cybercrime, not geopolitical coercion.

In these circumstances, CIOs should have at their disposal the tools and transparency to choose the right level of sovereignty for their risk profile. This would be backed by EU-wide standards, auditable disclosures, and strict portability. Interoperability rules would avoid vendor lock-in.

Critical workloads require higher assurance

Those responsible for national security, critical infrastructure, or high-value intellectual property will understandably demand more.

Here, Europe should engage Trusted European Operators to provide European businesses and governments with managed access to foreign technologies, in assured EU-based environments under effective European control.

These Trusted European Operators should be responsible for operational decision-making, business continuity, encryption, access control policies and other essential infrastructure, networking, and security operations.

Trusted European Operators are strongly anchored within the European Union’s legal, financial, and industrial ecosystem, able to operate free from foreign interference.

Companies wishing to qualify must be robustly, transparently assessed to avoid criticism of ‘sovereignty washing’. Eligibility should be asserted through risk-based assessment, not blanket bans.

In the case of Vodafone’s European operating companies, that trust is earned from decades of experience providing licensed, regulated services to European citizens, Governments and Critical National Infrastructure providers. It’s built on tens of billions of euros invested in European infrastructure and innovation, and a long track record of secure and reliable service.

This model would ensure that customer data and critical operations remain in trusted European hands. At the same time, customers would continue to benefit from the innovation and scale of the global platforms.

Keeping Europe strategically open

In cloud and AI, non-EU providers dominate because they have invested at scale for over a decade. Cutting off access to these technologies now would slow Europe’s current digital transformation and undermine productivity. It would leave us ill-equipped to achieve strategic autonomy in the next generation of critical technologies.

That is why Europe must continue to benefit from access to these capabilities, enabled by Trusted European Operators.

At the same time, the EU should adopt a strategically open approach to attracting innovation and investment in technology areas where Europe still has a chance to lead. The EU must accept that it’s not viable to quickly build, or replicate, world-leading global technologies by itself. Acting alone, it would take 5-10 years and untold billions in investment for Europe to catch up.

But over the longer term, Europe should align with trusted, like-minded countries such as Japan, South Korea, and the UK to pool funding, talent, and industrial capacity.

Vodafone’s framework for European digital sovereignty

Vodafone’s working model for a risk-based, strategically open approach to European digital sovereignty is based on five levels of data, operational, and technological sovereignty. Higher levels incorporate more controls and offer greater assurance, but the trade-off is an increase in cost and complexity.

The primary concern of most European companies and public sector organisations is protecting their customers’ data from foreign actors. They will not need high levels of operational or technological security.

For example, hospitals or financial services firms handling sensitive customer health and financial data could require that customer data is stored and processed within the EU. The data would need to be encrypted following EU Cybersecurity Certification guidelines, with keys held within the EU. They might insist no-spy guarantees are written into customer contracts and that those contracts reflect the primacy of European law and arbitration bodies.

In contrast, a critical national infrastructure provider might require a higher level of operational sovereignty. This could mean requiring sensitive operations to be managed within the EU, stronger protections on operationally critical metadata, or using only trusted vendors to supply and service critical technologies.

Vodafone is calling on the Commission/European Institutions to take a similar transparent, strategically open, risk-based approach to European digital sovereignty.

This should start with the publication of a common, EU-wide framework, describing different levels of data, operational and technological sovereignty. It should offer guidance for CIOs and digital service providers on which sovereignty levels are most suitable for which use cases.

Digital service providers claiming to offer sovereign services should also be required to make auditable disclosures on which sovereignty levels their services meet.

The protections provided by the EU Data Act for data portability and interoperability should be robustly enforced so that CIOs can shop around to find the service provider that best meets their sovereignty needs.

Protecting Europe today while building for tomorrow

The bottom line is that Europe’s digital sovereignty will not come from closing doors. It can be managed effectively by opening the right ones - on Europe’s terms.

By combining risk-based safeguards, strategic partnerships, and investment in European capability, we can protect today while building the technologies and skills of tomorrow.

This is the most practical path if Europe wants resilience, competitiveness, and true strategic autonomy as part of a vibrant global digital ecosystem.

Vodafone stands ready to work with policymakers, industry, and partners to make this happen. Together, we can deliver a sovereign, secure, and globally competitive digital Europe.
