Mastodon

Against a backdrop of increasing digital interconnectivity, the European Union finds itself in a situation of critical dependency: according to Cigref, 80% (i.e. €265 billion) of European spending on software and professional cloud services goes to American companies.

This unbalanced state of affairs testifies to a loss of control over tools that are now essential to strategic autonomy, economic continuity and national security. As the recent launch of a Digital Sovereignty Observatory reminds us, this issue is now a central one on the French political agenda. This is a time for more than mere words: what is now needed is the ability to act. And this means securing data transfers, mastering encryption technologies, developing certified infrastructures and asserting collective governance over data. So, given the rise in geopolitical tensions that are fragmenting the world and the complexity of digital threats, it is becoming vitally important to make this requirement a central component of all decisions relating to innovation, regulation and governance. Over and above technical frameworks and regulations, we need to develop a culture of digital sovereignty, based on a shared vision between governments, economic players and individuals.

 

The dangers of a lack of technological sovereignty

Digital sovereignty refers to the ability of a State or entity to control its own technological infrastructure, monitor its data, develop its own digital solutions and ensure that its working practices comply with the various regulations. Countries that do not explicitly choose to pursue such sovereignty become dependent on foreign technological players, limiting their strategic room for manoeuvre, hampering local innovation, and making them potentially subject to espionage or even interference.

Today, Europe is overly dependent on foreign technologies. This exposes European critical infrastructure to disruptions or spectacular cost increases (up to 4,000% for certain components, as observed in recent years). This fragility is accentuated by our dependence on raw materials, including components and their associated value chain.

And cybersecurity risks are an added concern. The data of European companies – whether military, industrial, commercial or political – finds itself exposed to overseas laws such as the American Cloud Act. In sensitive areas such as defence, energy and industry, these threats compromise security, competitiveness and strategic autonomy. These findings underline the urgent need to bolster Europe’s digital sovereignty, which is now a central issue.

 

European responses to this situation

To meet the challenges of digital sovereignty, Europe has embarked on a structured strategy based on several complementary action areas.

From a regulatory point of view, frameworks such as the GDPR, the Cyber Resilience Act and the EUCC(European Cybersecurity Certification Scheme) are laying the foundations for a sovereign digital economy in line with European standards. The aim of such legislation is to establish clear rules that protect individuals and provide a framework for economic players.

Cooperation between Member States provides the essential foundation for coordinated action on a continental scale, which includes sharing information, developing common standards and improving incident response capabilities. In addition, research and development benefit from targeted funding, with the aim of accelerating sovereign innovation in key sectors such as cybersecurity, the cloud, quantum computing and artificial intelligence (AI). To consolidate the European Union’s position on the world stage and support research and innovation in Europe, the European Commission is allocating more than €7.3 billion as part of its Horizon Europe 2025 programme, including €1.6 billion for the development of AI.

At the same time, the EU is supporting the development of European cybersecurity solutions. But despite recurring speeches on the need to create “European champions”, its practical implementation continues to falter. For example, according to an Ipsos and Yousign barometer, 78% of decision-makers recognise the importance of local technology solutions, yet just 32% make them a priority in their investment decisions. This raises the question of more assertive measures: should we go so far as to introduce a preference for European solutions in public procurement? Should quotas be considered to encourage the use of technologies from the European ecosystem?

 

Mitigating risk by making informed, sovereign choices

In other words, how can we move from well-intentioned talk of European strategy to truly tangible digital sovereignty? Should there be any obligation to use European technologies?

Economic and institutional players are now finding themselves required to make sovereign choices in order to maintain control over their data. They need to ensure that products and services comply with European requirements, while at the same time making an informed choice in terms of solutions, with full knowledge of the geopolitical and technological risks involved. It makes sense to make a conscious trade-off between geopolitical, security and strategic issues. However, the question of potential limits in the hierarchy of safety, origin and interoperability criteria must be carefully raised and examined. It is vitally important to determine whether one criterion should take precedence over another in all circumstances, or whether a more nuanced approach driven by the specific situation and objectives would be more appropriate. For example, in some cases security might be the overriding concern, while in others traceability of origin or smooth interoperability might take precedence. These complex interactions need to be examined in depth in order to avoid the pitfalls of an overly rigid hierarchy, which could compromise the overall effectiveness of the system or service in question.

In a digital landscape marked by instability and growing threats, the use of products that have been qualified by a national European cybersecurity authority, such as ANSSI in France, helps to lay a solid foundation of trust and security. A qualification of this kind is based on a rigorous, multi-dimensional assessment process. This includes a full audit of the source code to check development quality, identify any vulnerabilities and ensure compliance with best practice. It also involves specific checks to ensure that there are no backdoors. There should be no hidden functions providing unauthorised access to the system – an essential condition for ensuring confidentiality and confidence in the solution and preventing any risk of espionage.

Robustness tests are also carried out to assess the product’s resistance to simulated attacks or extreme conditions, ensuring that it can withstand real-world threats. Lastly, the entire production chain, from design through to updates, is strictly controlled to ensure that security is maintained throughout the product life cycle.

For European players, it is imperative to step up the use of technology partnerships (co-development, licences, mergers and acquisitions) and invest massively via support for universities and start-ups. Training and retaining for digital talent (engineers, experts) is also vitally important, via appropriate programmes and competitive salaries. Lastly, protection for regulatory values and standards (data protection, AI ethics) offers a “European-style” model and a competitive advantage.

Ultimately, in the face of rising geopolitical tensions and the complexity of digital threats, it is becoming vitally important make this requirement a central component of all decisions relating to innovation, regulation and governance. In the face of growing technological dependency and the extraterritorial nature of certain foreign laws, the development of digital sovereignty calls for practical action, from control over encryption to legal supervision of data transfers and support for certified European infrastructures. With this in mind, improvements in French cybersecurity could be based on a stronger link with the defence sector, where the growing synergy between civil and military uses could potentially provide an opportunity to consolidate a sovereign industrial foundation.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
About the author
mm
Pierre-Yves Hentzen Chief Executive Officer, Stormshield

Combining entrepreneurial, managerial, and financial expertise, Pierre-Yves’s career began in 1989. Having joined Arkoon in 2001 as the Chief Financial and Administrative Officer, Pierre-Yves Hentzen retained this position in the 2013 Arkoon-Netasq merger. After his appointment as Deputy Chief Executive Officer in 2015, he was named Chief Executive Officer of Stormshield in 2017.