Digital Sovereignty has become the new buzzword in today’s European policy circles. The idea itself isn’t new, but its relevance to the EU’s digital economy has reached a fresh peak. The German-French Summit on digital sovereignty on 18 November 2025 in Berlin underlines Europe’s ambition to strategically reduce reliance on non-EU actors across critical layers of digital infrastructure. The European Commission is on the same wavelength, launching DMA investigations into cloud markets dominated by U.S. hyperscalers. The EU’s Henna Virkunnen brought the news to the Summit as a gift from Brussels. But then along comes the Digital Omnibus package (launched a day later) and it raises the question: does simplification pull in the same direction as sovereignty? Let’s have a look at what the Summit put in motion, what the DMA cloud investigations are chasing, and what the Omnibus is delivering for competition in the digital age.
By Sebastian Steinert
Europe Confronts Its Digital Dependencies
While Cloudflare triggered a major global outage, over 900 policymakers, businesses and tech experts gathered in Berlin for the German-French Digital Sovereignty Summit. The central topic on the agenda: how to become less dependent on non-European digital infrastructure providers. The Cloudflare incident was yet another reminder (coming on the heels of AWS and Azure outages last month) that the digital foundations of Europe’s society and economy remain largely controlled from abroad.
The growing importance of digital sovereignty in policy cycles was evident from the Summit’s lineup: Chancellor Friedrich Merz, President Emmanuel Macron, Commission Executive Vice President Henna Virkkunen and ministers from numerous EU member states. They all stressed the importance of making Europe more digitally resilient. While Europe’s dependency on cloud services, digital tools and chips from the US, China and others is nothing new, there seems to be an increasing realization that such dependencies can be and are being used strategically (think of allegations of Microsoft being instructed to cut the International Criminal Court’s access to its services). The Summit marks a “wake up” moment in European policymaking, as Politico framed it. There were no Zuckerbergs, Altmans or Pichais on the panels (they prefer to hang out with heads of state behind closed doors), but people like Cristina Caffarra, Filomena Chirico, Corinne Cath and Alexandre De Streel.
The Declaration on European Digital Sovereignty, an initiative launched by Austria, was signed by all Member States during the Summit. The (non-legally binding) declaration is a joint commitment “to reduce strategic dependencies, strengthen Europe’s technological capabilities, preserve democratic resilience, and position Europe as an open, reliable, innovative, and values-based partner in the global digital ecosystem.” The precise balance between independence and openness, however, needs yet to be found. While France is pushing the sovereignty agenda towards a “European preference” in public procurement, Germany appears more hesitant and the Danish Council presidency repeatedly warned against building digital walls.
Competing to Be Sovereign
One thing on which policymakers and businesses agreed was the need for greater competitiveness. Europe, as Macron put it, no longer wants to be the client of solutions from the US or China. Only with a sustainable European digital economy, the EU has viable alternatives to rely on. Although such European alternatives exist (e.g. OVHcloud, or openDesk) they often fail to match the scale advantages of big players from abroad. In that sense, the Summit directly connected to the broader competitiveness agenda: improving companies’ access to funding, leveraging quality data, fostering computing power for AI, and “simplifying” (read loosening) regulatory requirements. The EU seeks to address industry demands for simplification with its Digital and AI Omnibus packages (see below). In Germany, AI competitiveness is also explored by an expert commission of the Ministry of Economy, co-chaired by AI sage Sebastian Thrun, Schwarz Digits CEO Rolf Schumann and our very own Rupprecht Podszun – their first recommendations are online.
Given the focus on competitiveness, it was no surprise that the panels showcased players of Europe’s innovation ecosystems: Startups like Alice&Bob (quantum computing) and ARX Robotics (dual-use robots), as well as public investors (e.g. Hightech Gründerfonds). A particular focus was placed on AI, featuring European AI unicorns like Mistral and Black Forest Labs, cloud providers (e.g. Scaleway) and data center builders (Telekom, Schwarz Digits). German software developer SAP and Mistral AI announced a partnership at the Summit specifically focusing on industry-specific AI with a “sovereign AI foundation”.
Sovereignty as a service
Certainly, Big Tech was not invited to the sovereignty party Summit. And yet, it remained omnipresent. Many “sovereign” solutions are run on cloud services provided by Silicon Valley hyperscalers. SAP for example just expanded its collaboration with Amazon’s AWS for its “Sovereign Cloud capabilities”. SAP also announced sovereign solutions on the Delos Cloud and yet Delos itself is built on Microsoft Azure’s infrastructure and can only function for a few months in case Microsoft would block its services.
Silicon Valley players have long adopted the sovereignty jargon and are marketing products like the Microsoft/Google/AWS “Sovereign Cloud” since 2022. Just days before the German-French event, Google hosted its own “Digital Sovereignty Summit” in Munich and announced to spend €5,5 billion on the construction of data centers in Germany. While politicians welcomed the investment, experts like Katharina Hölzle warn that these infrastructures will make it harder to disengage later on. Big Tech is selling “Sovereignty-as-a-Service”, using the calls for more sovereignty to boost its own products. Genuine independence only seems achievable with reliable European cloud providers. But how to break the Silicon Valley dominance of the European cloud market? The European Commission has an idea.
The DMA Steps Into the Cloud
On stage at the Berlin Digital Sovereignty Summit, Henna Virkkunen, the EU Commission’s Executive Vice-President announced the launch of three investigations into the cloud sector under the Digital Markets Act (DMA). The first two examine whether Amazon’s AWS and Microsoft Azure should be designated as gatekeepers under the DMA, these investigations should be concluded within 12 months. The third investigation (of up to 18 months) assesses whether the DMA’s obligations need updating to effectively address the contestability and fairness concerns in the cloud market.
The cloud sector is growing rapidly in the age of AI. However, the clouds over Europe are mainly dominated by three US hyperscalers: Amazon’s AWS, Microsoft Azure and Google Cloud, which together account for 70% of the market. All European providers combined (e.g. SAP, Deutsche Telekom, OVHCloud, Scaleway) on the other hand only make up 15 %. Revenue data for France, the UK and globally (more or less recent) suggest that the market is mainly split between AWS and Azure. This likely explains why Google Cloud is not included in the newly announced investigations.
| Worldwide (2025) | UK (2024) | France (2021) | |
| AWS | 29% | 40-50% | 46% |
| Azure | 20% | 30-40% | 17% |
| Google Cloud | 13% | 5-10% | <10% |
| Source: | Synergy | CMA | OECD |
Given the strong market concentration among Amazon, Microsoft and Google, all of which have already been designated as DMA gatekeepers for other services, it is no surprise that calls for cloud designations have existed since the DMA’s inception. In December 2023, the European Parliament urged the Commission to open market investigations and also the SCiDA project advocated for cloud designations in its submission to the DMA consultation.
Too B2B to count?
The Commission had appeared hesitant, partly because of the conception of the DMA as a platform law. It targets companies that act as important gateways for business users to reach end users. The duty of companies to notify their potential gatekeeper status and the designation based on quantitative thresholds include the prerequisite that the service must have at least 45 million monthly active end users. The number is to be calculated based on the “unique end users who engaged with any cloud computing services from the relevant provider of cloud computing services at least once in the month, in return for any type of remuneration” (DMA Annex E). However, cloud services are largely a B2B market. Providers rarely have any direct relationship with consumers. DMA recitals allow businesses to be counted as end users when they use cloud services solely for their own purposes (Recital 14), but even then, the threshold of 45 million users is impossible to meet as this exceeds the number of enterprises in Europe (about 33 million). This explains why no designation of cloud services based on end user numbers has taken place.
However, the DMA also allows designations purely on the qualitative criteria of a) a significant impact on the internal market, b) an important gateway function and c) an entrenched and durable position. Such designations require a market investigation (Articles 3(8), 17(1-2) DMA), which the Commission now has initiated for AWS and Azure. During the investigation it will assess the firms’ size, their user numbers, network effects, data driven advantages, scale and scope effects, potential lock-ins, and ecosystem advantages.
The only successful designation purely based on qualitative criteria to date concerned Apple’s iPadOS. Despite having fewer than 45 million end users, the Commission concluded within 8 months that it functions as an important gateway for business users “to a customer base with a high willingness to pay”, supported by network effects, lock-in, and economies of scale.
In the cloud context, the key battleground will likely be the gateway function. The Commission will need to argue why Big Tech’s cloud services constitute an important gateway for businesses to reach end users, despite not having large bases of end user customers. Still, the legislator explicitly included cloud services in the list of potential core platform services (Article 2(2)(i)) and referenced them in regard to Article 6(2) (Recital 48). This suggests a clear intention that existing cloud services fall within the DMA’s scope.
As for the third investigation into an extension of the DMA obligations, it has previously been noted that the current list of rules does not specifically address the characteristics of the cloud market. Of the existing obligations, those most likely to matter would be data combination limits (Article 5(2)), the prohibition of tying CPS (Article 5(8)), the ban on using business users’ data to compete against them (Article 6(2)), data portability (Article 6(9)) and real-time data access (Article 6(10)). The market investigation will be valuable to identify whether structural features of the cloud market raise additional contestability and fairness concerns that merit new obligations. Here, it is to be kept in mind, that Chapter VI of the Data Act (i.e. the original Data Act version before the ride with the omnibus, see below) already includes provisions aimed at reducing cloud lock-in. The Commission announced to assess “obstacles to interoperability between cloud computing services, limited or conditioned access for business users to data, tying and bundling services, and potentially imbalanced contractual terms”.
The DMA’s Sovereignty Era
That cloud investigations were announced on the day of the Digital Sovereignty Summit sheds light on the DMA’s role for Europe’s quest for greater independence from foreign digital infrastructure. Although the DMA is formally agnostic to the nationality of the companies it regulates, 5 of the 7 designated gatekeepers are based in the US (with Bytedance in China and Booking.com in Europe). Contestability and fairness in digital markets are closely tied to creating opportunities for challengers and smaller players, which certainly can be European and thereby may contribute to Europe’s digital sovereignty. Previously, in view of trade disputes, the DMA was presented as fostering a competitive ecosystem benefitting firms “whether they are American, European or from other parts of the world”. It is only now in light of the call for stronger sovereignty that the Commission directly links the DMA to European competitiveness. The press release on the cloud market investigations explicitly mentions competitiveness instead of contestability: “The third market investigation will assess if the DMA can effectively tackle practices that may limit competitiveness and fairness in the cloud computing sector in the EU.” (emphasis added). During the Digital Sovereignty Summit, the DMA had its own panel entitled “Fairer Markets in Support of Digital Sovereignty”, it featured Filomena Chirico (European Commission), Verena Pausder (German Startup Association), Alexandre De Streel (CERRE) and Emmanuel Sardet (CIGREF). Startups and larger companies alike called for a strict DMA enforcement to give European companies the opportunity to strive and compete. Echoing this, Anne Le Hénanff, French Minister Delegate for AI and digital affairs, explicitly called DMA enforcement a “matter of sovereignty”. Has the DMA entered its sovereignty era?
While European businesses demand rigid DMA enforcement, they simultaneously (and much louder) call for softening other elements of the EU’s digital rule book, which they see as overly burdensome. In that sense, the Summit was a “firework of deregulation” as Aline Blankertz put it. To respond to these calls, the European Commission has now presented its simplification Omnibus package.
Sovereignty thrown under the (Omni)bus?
Since day one, the von der Leyen II Commission has been on a simplification mission, aiming to cut “administrative burdens” by 25%. It has now unveiled its proposals for a Digital Omnibus and a Digital Omnibus on AI. Omnibus legislation bundles a wide range of different legal matters into a single act. The term is derived from Latin (“for everything”), but it also works well as a metaphor for a bill just as packed as your morning bus commute. Alberto Alemanno warns that introducing substantive legislative changes through such packages may “bypass safeguards built into the ordinary legislative process, including public consultations [… and] impact assessments”.
Cutting Red Tape or Cutting Rights?
With the new proposals, the Commission aims to save businesses €5 billion in administrative costs through deregulation. The main proposals are:
For AI:
- Loosening GDPR rules for AI models: allowing AI development and operation based on legitimate interest (Article 6(1)(f) GDPR) and permitting the use of special categories of data (Article 9(2) GDPR, Article 10(5) AI Act) .
- Removing the AI literacy requirement and replacing it with a non-binding encouragement.
- Postponing the AI Actobligations for high-risk AI systems by 6 to 12 months.
- Assigning the AI Office responsibilityfor supervising AI integrated intovery large online platforms (VLOPs) and search engines (VLOSE) that are covered by the Digital Services Act (DSA).
For data, cybersecurity and platform laws:
- Excluding GDPR application for entities that do not have the means “reasonably likely” to be used to identify the data subject.
- Consolidating EU data rules from four existing laws into one single Data Act, including the Data Governance Act (DGA) and the Open Data Directive (ODD).
- Reducing the use of cookie banners by loosening consent requirements and storing cookie preferences on the browser level.
- Exempting SMEs and SMCs from certain cloud-switching rules under the Data Act.
- Creating a single-entry point for cybersecurity reporting across different laws.
- Repealing theplatform to business regulation (P2B).
Businesses have broadly welcomed these changes as a way to reduce compliance burdens, while civil society organizations are sounding the alarm over what they call “a major rollback of EU digital protections”. A coalition of 127 organizations signed a warning letter. The main criticism across stakeholders is directed at the weakening of the protection of personal data for AI development, “knifing privacy to feed the AI boom”. The proposed changes of the GDPR were not foreseen in the initial plan for the Digital Omnibus, say critics.
On platform rules, the planned repeal of the platform to business regulation (P2B) is presented as a technical simplification, because its provisions are now covered by the DSA and the DMA. Yet, the scope of the regulations diverge significantly as the DMA only applies to designated gatekeepers. For obligations where the Commission points only to the DMA as a suitable replacement it is questionable whether platforms below the gatekeeper thresholds should simply fall out of scope. This concerns for example transparency on business users’ access to data (Article 9 P2B) and on “most favoured nation” clauses (Article 10 P2B).
Simplifying Sovereignty
Regarding Europe’s digital sovereignty, critics argue that the Omnibus proposals largely benefit Big Tech, especially when it comes to using personal data for AI training. Here Art. 5(2) DMA might play a role for gatekeepers – unless of course you ask the Cologne Higher Court that (preliminarily) did not see an infringement of the DMA in combining data for AI training. According to reports, EVP Virkkunen has assured Big Tech CEOs that the EU will choose a more business-friendly approach in revisiting its rules. This raises broader questions: could simplifying the digital rulebook undermine rather than advance Europe’s sovereignty ambitions? Even supporters of the simplification packages admit that the geo-economic implications require deeper evaluation.
One person decidedly unconvinced is former EU Commissioner Thierry Breton, who used the Omnibus proposals as his cue for a political “comeback”, with a European op-ed simultaneously published in Les Echos, Handelsblatt, la Stampa, the Guardian and La Matinale Européenne – and LinkedIn. He cautions that European autonomy requires not only investment in sovereign infrastructure but also the defence of its digital rules: “We should resist any attempt to unravel these laws, through “omnibus” bills or otherwise […]. The second expression of our digital sovereignty must involve protecting, at all costs, the integrity of our digital legal pillars, including at the geopolitical level.”
The Omnibus packages will now undergo consultation until March 2026 and must then be adopted by the Council and the European Parliament. If the early reactions are any indication, the debate over digital sovereignty is only just getting started and this bus is nowhere near its final stop.
If you do not want to miss any of our future blog posts you can subscribe to the SCiDA-Newsletter here.
