The **European Commission** this week put forth a transformative set of laws and strategies designed to lessen the **European Union**'s (EU) dependence on foreign technology, addressing long-standing tech dependencies now perceived as critical security vulnerabilities. **Henna Virkkunen**, the Commission's tech lead, described the proposals as "a major shift in how Europe approaches technological sovereignty." The package includes the **Chips Act 2.0** and a **Cloud and AI Development Act (CADA)**, alongside an **Open Source Strategy** and a roadmap for digitalizing the energy system. These initiatives are intended to "help widen choice in core technologies for EU businesses, citizens and public administrations." **Virkkunen** emphasized the inseparable link between geopolitics and technology, stating, "It is time for Europe to be in control of its data, of its supply chains, and of its future in a clean and sustainable way." According to the Commission, the EU currently relies on foreign countries for over 80% of its key digital products, services, infrastructure, and intellectual property. This strategic pivot aims to loosen the grip of major American and Chinese suppliers, driven by concerns that such dependence could be weaponized. ## Open-Source Security at the Forefront The **Open Source Strategy** is a cornerstone of the new proposals, promising to scale up European open-source alternatives in priority areas, explicitly including cybersecurity. A key component is funding for the long-term maintenance and security of Europe's critical open-source infrastructure. This funding addresses the vulnerability of under-resourced components, highlighted by incidents such as the **XZ Utils backdoor**. The strategy aims to leverage the more than 3 million European open-source contributors and encourage public administrations to adopt open-source tools through new procurement guidance. Open-source vendor **SUSE** welcomed the approach, validating its argument that inspectable, openly maintained software is better suited for sovereignty goals than proprietary stacks, though it cautioned that implementation would be the real test. **Alexandra Paulus** from the **German Institute for International and Security Affairs** has previously argued that fostering European cybersecurity alternatives is intrinsically linked to promoting open source. This makes the strategy's open-source security funding a potential, albeit unproven, launchpad for European vendors. ## Bolstering Chip Sovereignty Regarding semiconductors, the Commission acknowledges Europe's heavy reliance on third countries for advanced production and chip design. While dependence on **Taiwan Semiconductor Manufacturing Company (TSMC)** for advanced fabrication is near-universal, affecting the United States as much as the EU, the strategy notably omits mentioning **ASML**, the Dutch lithography maker that holds a near-monopoly on machines essential for producing advanced chips globally. Chip design presents a clearer weakness for Europe. U.S. companies like **Nvidia**, **AMD**, **Qualcomm**, **Apple**, and **Broadcom** dominate advanced logic design, and Britain's **Arm** controls processor IP licensing worldwide. The **Chips Act 2.0** introduces concrete tools to address the manufacturing gap. It mandates national governments to complete planning, environmental, and regulatory approvals for new fabrication plants within 12 months. It also extends state aid for "first-of-a-kind" facilities not yet present within the EU. The original 2023 Chips Act mobilized over €52 billion ($60.3 billion) in public and private investment but fell short of its goal of 20% global semiconductor production by 2030, largely because global capacity grew faster than Europe's share. Recent investments have yet to yield results. **Intel**'s planned advanced manufacturing plant in Magdeburg, Germany, was cancelled in February. Another venture involving **TSMC** in Dresden aims for production by late 2027, though it will focus on mature 28nm and 16nm chips, not the advanced AI chips central to the package's ambitions. For design, the Commission plans a demand-pull strategy, using orders from EU-funded data centers and AI gigafactories to attract chip designers to Europe. It anticipates AI-related components will constitute over 70% of the semiconductor market by 2030. **Erik Rein**, president of the **European Semiconductor Industry Association**, remarked, "Europe cannot regulate its way into semiconductor leadership." The Commission expects to launch a call for AI gigafactories in July and will consult with member states and the **European Investment Bank Group** to build a "European equity capacity at scale" to finance its goals. ## Cloud and AI Sovereignty: A Contested Frontier The most debated element of the package is **CADA**'s cloud sovereignty test. This framework defines four assurance levels for public bodies, ranging from Level 1, requiring data processing and storage within the EU, to Level 4, demanding full supply-chain control with no third-country interference. Industry reactions have been sharply divided. **CCIA Europe**, representing large U.S. technology firms, criticized **CADA** as discriminatory and a "dangerous recipe for progressive market shutdown," arguing that Level 3 and Level 4 requirements are closed-market conditions no international provider could meet. Conversely, European cloud providers largely welcomed the direction but cautioned against loopholes. Trade body **CISPE** hailed it as "a step forward for Europe's strategic autonomy" but noted its failure to mandate public buyers to check for European alternatives before contracting foreign providers. **CISPE** had previously warned against "sovereignty-washing," where mere EU presence or cybersecurity compliance is misrepresented as genuine European control. Meanwhile, the **Centre for European Policy Network** cautioned that sovereignty pursued through procurement preferences often "produces protected industries, not competitive ones," urging lawmakers to reserve strict requirements for genuinely sensitive systems. The proposals emerge amidst a broader debate on whether sovereignty inherently delivers security. Analyst **Josh Gold**, in a prize-winning essay, argued that European cyber resilience depends more on design than control. He advocated for "thin and targeted" sovereignty combined with "thick autonomy," prioritizing transparency, portability, and recoverability over EU ownership and location requirements. **Gold** cited the troubled **Gaia-X** cloud initiative, which a participant described as "a crushing failure, a colossal waste of time, and just as many years gained for the hyperscalers; in other words, an industrial disaster," as a cautionary tale against duplicating infrastructure at scale. By **Gold**'s standard, the package is strongest where it funds resilience—such as semiconductor crisis preparedness, open-source maintenance, and interoperability—and most exposed where it relies on EU ownership and location. Its ultimate security payoff will depend on how member states apply the various tiers. All proposals require approval by the **European Parliament** and **European Council**, where sovereignty criteria, procurement obligations, and funding will be subject to political negotiation.