Figures shared by Beltug reveal just how deep-seated these concerns are. 87 percent of the organizations surveyed cite data security as their biggest concern regarding data in the cloud, and more than 70 percent are concerned about sensitive data ending up outside Europe.
The central question is simple, but the answer is anything but: How can we become more digitally independent without isolating ourselves?
The EU Tech Score for Technology
To provide more clarity on this, Europe is working on a framework for cloud and AI sovereignty: the CADA framework (Cloud and AI Development Act). It’s still a draft, but the intention is clear. Technology and services will be classified according to four security levels, depending on how much control remains within the Union. It’s a bit like the Nutri-Score in the supermarket, but for technology.
In practice, it works like this: The government selects the appropriate level for each situation based on a risk assessment, and providers are certified for each level following an audit.
| LEVEL | WHAT IT MEANS |
| Level 1 | Data is processed and stored on infrastructure located within the European Union. |
| Level 2 | The provider demonstrates independence from third countries and transparency regarding its software supply chain. |
| Level 3 | The provider is owned by the EU and is regulated from within the EU, with additional criteria such as the nationality of its staff. The Commission may also recognize providers from third countries. |
| Level 4 | The provider has full transparency and control over its software supply chain, without interference from a third country. |
*Based on the CADA proposal (European Commission, June 2026).
If you, as a supplier, want to demonstrate just how European your solution really is, issues like these will come up:
- where the infrastructure is located
- who owns the technology
- where the staff are located
- who controls the software
- which subcontractors are involved
- how cybersecurity and governance are organized
And, of course, this is validated through audits. You can probably see where this is going: a whole new market for certification and auditing related to digital sovereignty may emerge.
The risk of sovereign washing
At the same time, a new phenomenon is emerging: sovereign washing. Just as we are familiar with “greenwashing” in the context of sustainability today, suppliers will be eager to position themselves as sovereign entities.
A European sales department or a local data center does not guarantee that the technology is actually controlled from within Europe. The real question is who ultimately has control over the technology and the data.
The paradox facing Europe
What strikes me most is the paradox Europe finds itself in today. On the one hand, political and social pressure is growing to reduce our dependence on American technology companies. On the other hand, we have to be honest: thinking that Europe can build and manage everything on its own is an illusion.
While we debate regulations and certification levels, countries like China and India are investing heavily in energy infrastructure and AI capacity. They have economies of scale and access to energy that we in Europe simply lack today.
An uncomfortable question comes to mind. What if, in twenty years, we end up using Chinese AI and cloud infrastructure on a massive scale because European capacity turns out to be too expensive or insufficiently available? It reminds me of what’s already happening in the auto industry today. Many European consumers can no longer afford the price of a European electric car and are opting for Chinese alternatives that are becoming increasingly competitive technologically. Could the same thing happen with AI and data center capacity? I don’t know. But it’s a scenario that we should at least have the courage to discuss seriously.
Sovereignty must not become synonymous with isolation
Digital sovereignty therefore remains an important goal—quite the contrary. I am convinced that Europe must take greater control over critical infrastructure and over strategic data and services. We must invest in this and work together to achieve sufficient scale.
At the same time, let’s not create new digital barriers that only make things more complex and expensive. If every government and every company builds its own mini-sovereign island, we weaken ourselves. My hope, therefore, is for a pragmatic approach:
- manage certain strategic infrastructure and critical data ourselves where necessary
- Otherwise, we will continue to work together with partners, both in the West and in the East
- and, above all, create sufficient scale to ensure that Europe remains relevant
Digital sovereignty is important. True autonomy is achieved by consciously choosing where you want to be independent and where collaboration is actually a strength.
Xylos takes this new reality into account. We help our customers make informed choices today about where their data and workloads belong, so they’re prepared for what’s to come.
About the author
Patrick Leysen is the CEO of Xylos. As a next-gen entrepreneur, he leads the company from Antwerp, guided by the belief that technology is, first and foremost, about people. He is an active voice in the debate on AI adoption in businesses and digital sovereignty, and regularly shares his views on these topics with a wide audience.
Connect with Patrick on LinkedIn.