Missing Link: Europe in the Sovereignty Triangle

Is a path to digital sovereignty possible? It is slowly becoming apparent which approaches could interlock to create an impact.


Digital autonomy, sovereignty, independence: there has been no shortage of big words for years. The actual dependencies differ massively. And the necessary degree of autonomy or independence from third parties also varies depending on the area of consideration. This is also evident in different approaches to how solutions should be found for the respective problems. However, the solution sketch for an EU path is slowly taking shape – through many things that have so far worked poorly rather than well.

The most classic dimension is primarily an economic one: the so-called vendor lock-in – dependency on an overpowering provider or even an actual monopolist. This concern exists in many forms and not just in IT. However, the problem scales particularly well in IT, because the costs of a provider do not only decrease proportionally to the number of users. Rather, where the network effect kicks in, the benefit also increases – to the advantage of the customers, the provider, and its market position. A famous example of this logic is the search engine market: Google first had the best directory-based search query finder. It could then get better and better primarily because users made the corrections – their click behavior revealed which links were relevant to a search query. Other services such as Teams, Facebook, Instagram, or YouTube are also based, not least, on the fact that content and users are findable and active there: a digital perpetuum mobile. This applies even more to language models, which train their users based on user interests and inputs and are also trained by them. The consequences for models that are now being trained automatically using AI agents can only be guessed at.

For decades, attempts have been made to counteract this development – first with national competition law, then with European law. The problem: digital monopolies behave differently from classic ones, and once they have emerged, it is often too late. At best, a containment of the effects is then up for debate. This is why a newer generation of competition laws now exists, such as the revised German Act Against Restraints of Competition (GWB) and the European Digital Markets Act. However, their effect so far has been limited.

The second dimension is technological: whether application software, operating system, or cloud operation – in most cases, it is actually a multitude of software components that work together. And it repeatedly turns out that even giants stand on the shoulders of giants. Anyone who looks at the “Software Bill of Materials”, the dependencies of some well-known providers, will be surprised how often components are integrated that are better attributed to the category of hobby developers, or that come from developers who operate far beyond their own legal sphere. Because, at least so far, the largest providers from the USA are regularly part of the open-source software supply chain. The use is based on trust in the quality and the community, that is, on the principle that a library or framework must be secure and trustworthy because so many other competent actors use it.

The third is the dimension of jurisdiction: With digitalization, the globalization of law has become even more massive – and thus the potential for conflict. If US companies operate in the EU, they are subject to European law. If they operate in the USA, they are subject to US law. The same applies – with significant restrictions regarding the law, its quality, and its enforceability as such – to the People's Republic of China: companies there are subject to two legal regimes when they operate abroad. As soon as one of these regimes claims validity beyond its borders by subjecting companies headquartered in its own country to regulations for their actions abroad, it also grants its own government the right to intervene in business in other legal spheres. The problem is manifest. No Chinese company can guarantee that it will not be forced to cooperate. And no US company can guarantee that it will not have to comply with US sanctions, and that it will not have to hand over data.

This expression of the sovereignty of legal regimes is what is currently being added to the two aforementioned problem areas and is causing the biggest acute headaches: using law as a weapon, as a means of enforcing political interests, is not new. And yet, it has rarely been as threatening to states as under the reality of market and technological dependence – because simply throwing the technology out and shutting it down is not realistically possible.

The political dimension is therefore complex. And it is precisely here that it becomes clear how difficult the situation is. When the EU Commission presented its proposal for a more sovereign Europe this week, it was the next step on a path that has long been apparent. The EU does not actually want to, but it must reduce its dependencies. And that applies to both software and hardware.

The “Cyber Dominance” problem, as it is called in parts of the discussion, is currently fashionable – because it does not only concern the narrow field of “IT”. “Dependencies that make Germany and Europe vulnerable affect topics such as mobile communications, the energy sector, and various digital products and services that we all use every day,” explains Thomas Caspers, Vice President of the Federal Office for Information Security. “For example, the operating systems of our smartphones, social media offerings, or cloud services.” He sees the Cloud and AI Development Act (CADA) as a milestone – because usage scenarios are used as a basis for evaluation. Interestingly, it is the IT security authorities and, in some cases, IT managers in authorities who have been clearly identifying the concerns for years and have developed concepts for dealing with the issue. And they are apparently increasingly convincing, even where it is not about IT security in the strict sense.

However, no comparably clear concept for greater sovereignty is yet apparent in AI regulation, despite “CADA”. But the regulatory framework for cloud computing will serve as a blueprint for many areas: different levels of requirements for different purposes, to be revised comparatively quickly if necessary. First, the state will be obliged, if necessary, to forgo a few percent of efficiency and financial savings potential – in favor of better business continuity and more control. As an anchor customer, the state is to provide the basis for scalable business models from the EU. And precisely these criteria will also become mandatory where action is taken on behalf of the state. Because a functioning fire brigade is predictably useless without a functioning water supply.

In reality, however, technological dependency in particular is difficult to regulate away by law. The European Union is struggling to find a clear path, for example, for open-source development to be more strongly anchored in this part of the planet. Although some ideas can be found in the Commission's “Technology Sovereignty Package”, the nation states would also be responsible for many of the open questions. Yet it would be important for many EU companies to be able to work with a trustworthy open-source code base – especially when it comes to operational technology, but also when it comes to classic IT. Enabling corresponding models here, so that open-source development receives reliable European addresses and quality assurance is located in the EU, is not specifically provided for even with this EU sovereignty package.

The member states, in turn, would also actually have to ensure, in the interest of state business continuity, that their operating systems and software are independent of the decisions of other actors for years. Yet to this day, what flows into independent workstations, for example, is hardly proportionate to the license payments made to other providers. The chicken-and-egg problem cannot be broken in this way: there is no independent, easily usable software with all the necessary applications, which is why the dependency must be maintained. It is a self-fulfilling legacy, and despite all the lip service, no real progress is being made in breaking through it. Only Schleswig-Holstein is taking a consistent path, while all others watch benevolently and with interest but also skeptically.


But all users (the author includes himself) must also look at themselves. Because, of course, the dependence on macOS, Windows, iOS, and Android, on Microsoft's Office and Google's services, is primarily due to learned convenience. For most private users, it would actually not matter which operating system they start their browser from, as long as their printer, their private photo and video management, and their word processing software are usable. What lies under the apps on the mobile phone they use is also actually secondary – as long as the device can still handle route planning in the car and receive messages from the kindergarten chat group. However, this area is still not being addressed more strongly by regulation, apart from some interoperability obligations based on the Digital Markets Act, which are at least one approach.

For the state to be successful as an anchor customer, a rethink and changes in behavior would be needed everywhere. In sum, the regulatory measures of the past decade contain some approaches that can only unfold their real power in combination.

Only when existing, usable alternative software meets interoperability from the DMA and data export rights from the General Data Protection Regulation and the Data Act will alternatives really have a chance. If you want to take your belongings with you, you need a destination. Which should then preferably not be operated on one of the well-known large hyperscalers. As with cloud services, this could still involve performance or comfort losses. Only: in many cases, they are irrelevant, marginal, and at least temporarily manageable. And sometimes solutions are even leaner and faster if they don't have 20 years under their belt like AWS.

However, whether the political and economic courage is sufficient for this can still hardly be answered realistically, even in the current situation. Only one thing seems clear: politically, there seem to be no real alternatives to alternatives at the moment.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.