Industry bodies pick holes in EC’s digital sovereignty plan

• The EC’s effort to increase digital independence for Europe and define and promote sovereignty has been both welcomed and criticised by industry bodies
• The key sticking point is the EC’s effort to define AI and cloud sovereignty using four levels of assurance

An industry body that represents the major hyperscalers and many of the world’s largest tech vendors has labelled the European Commission’s latest effort to boost European tech sovereignty, the European Technological Sovereignty Package, as potentially counterproductive and has highlighted a major sticking point that is currently dividing opinion about the best way to define digital sovereign by stating that “sovereignty criteria should reward trust over origin”. 

The EC’s package was unveiled on 3 June in an effort to define a way for Europe to reduce its dependency on technology from beyond its borders and to stimulate the development of European alternatives and investment in European digital infrastructure, such as AI factories – see EC bigs up its tech sovereignty ‘package’.

In this announcement, tech sector trade association ITI (the Information Technology Industry Council) “welcomed the package’s measures to scale Europe’s digital infrastructure but cautioned that the sovereignty framework” as laid out currently in the Cloud and AI Development Act (CAIDA) part of the package “could work against the dynamic cloud market the commission is trying to build.”

Its main sticking point is with the Act’s definition, using multiple levels of assurance, of digital sovereignty.   

The EC’s Cloud and AI Development Act “defines cloud and AI sovereignty comprising four assurance levels, to be used by public sector bodies based on their risk assessments. Cloud service providers can be recognised under this framework by member states, after undergoing an audit,” noted the EC in this overview of the Act. 

The four assurance levels are:

• Level 1: Where data is processed and stored in infrastructure located in the EU
• Level 2: Where providers must demonstrate independence from third countries and transparency over their software supply chain
• Level 3: Where providers must be owned and controlled from the EU and meet additional criteria, such as personnel citizenship. The commission can recognise third-country providers
• Level 4: Where providers have full transparency and control over their software supply chain and no interference from a third country.

Guido Lobrano, director general for Europe at ITI, stated: “Europe’s push for sovereignty to ensure security and resilience of digital infrastructure is a legitimate ambition. However, the proposal’s focus on geographic and nationality-based criteria is not conducive to effective sovereignty outcomes. Also, significant new administrative requirements, such as third-party auditing, would make the very market Europe is trying to grow less dynamic and competitive. On the positive side, CAIDA gets the capacity question right: Easing permitting and creating better conditions for datacentre development is how you support Europe’s growing cloud and AI needs. The sovereignty framework should follow that same logic. Trusted provider criteria – governance, risk assessment, transparency, control – are what produces real outcomes and a competitive ecosystem. We’re ready to work with co-legislators on striking that balance.”

“Trusted providers” in that context would, of course, include ITI members, such as Amazon, Google and Microsoft, the three hyperscaler heavyweights, as well as the likes of Japan’s SoftBank Group, another ITI member organisation that has just announced plans to invest €75bn in AI datacentre infrastructure in France that, it claimed, will “strengthen France’s AI infrastructure [and] support European technological sovereignty”. 

The debate is currently fierce about whether a service delivered from infrastructure ultimately owned by a company located outside of a particular area of jurisdiction (for example, the Europe Union, or a single country) can be regarded as truly sovereign: TelecomTV’s recent free-to-download Digital Sovereignty: What It Means for Telcos report showed there is a broad range of views in the telco community about what currently constitutes a sovereign service. 

Another industry body that represents cloud infrastructure providers in Europe, the Cloud Infrastructure Service Providers in Europe (CISPE), also welcomed the sovereignty package, stating that it is “a step forward for Europe’s strategic autonomy” but “challenges remain.”

CISPE, which is “committed to strengthening Europe’s digital sovereignty by promoting real, workable choices for European customers in the cloud market”, also found fault with the EC’s four levels of assurance. 

“With its assurance Level 3 and above, the commission lives up to its promise and provides some strong definitions of sovereignty that align with the CISPE Sovereign and Resilient Cloud Framework [unveiled in April]. The text is clearly aimed at political and security concerns and may, if well implemented, help to challenge the commercial dominance of established foreign cloud and AI vendors,” noted CISPE. 

However, “some fundamental flaws and significant omissions in public procurement remain, which underestimate the power of convenience and inertia when it comes to implementation. These include:

• No obligation to even assess European alternatives in public cloud procurement.
• Confusion and potential abuse of level 1 and 2 ‘sovereignty’.
• Sovereignty assessed at company rather than service level.
• Some clauses in Annexes threaten the entire sovereignty definition”.

In the meantime, the sovereign label is being pinned on many digital services around the world as enterprises and governments try to figure out what makes sense for them.  

- Ray Le Maistre, Editorial Director, TelecomTV