Europe cannot legislate its way to digital sovereignty

By Michael Holm, founder and chairman of the board, Systematic. 

This opinion piece was first published in Altinget on 24 June 2026.

On paper, Europe looks well ahead. We set global standards that American and Asian companies are forced to follow. But legislation only regulates behaviour. It does not regulate who holds actual control over the infrastructure.

In 2022, Elon Musk refused to activate his Starlink satellite internet service off the Ukrainian coast, cutting short a planned military strike on the Russian fleet. A single man with a satellite made a decision with direct military consequences for a country at war. That is digital sovereignty in practice - or rather, the absence of it.

Denmark's new coalition government has just published a policy platform promising to strengthen European technological autonomy and prioritise Danish and European solutions in defence. It is an important step - but it also illustrates just how far we still have to go.

Digital sovereignty comes down to one fundamental question: who controls the infrastructure that society depends on? The answer should never be a private actor in another country.

I have spent 35 years building software that democracies rely on when lives are at stake. Command-and-control systems used by NATO itself and by more than 50 nations worldwide. From that vantage point, I can say something that rarely gets said clearly enough: you cannot legislate your way to digital sovereignty. It has to be practised.

The question is simple: can we trust our systems - or can we not?

On paper, Europe looks well ahead

Europe has done something remarkable over the past decade. We have built a sophisticated legal architecture for the digital age. GDPR. NIS2. The AI Act.

On paper, Europe looks well ahead. We set global standards that American and Asian companies are forced to follow. But legislation only regulates behaviour. It does not regulate who holds actual control over the infrastructure. You cannot be sovereign if your data sits on someone else's infrastructure.

You cannot be sovereign if a decision taken in a boardroom in San Francisco can change the terms of service for the software your armed forces, your health system, or your electoral process depends on. And you cannot legislate your way to resilience if the critical infrastructure sits outside European jurisdiction.

That is our fundamental problem.

Many NATO allies today run critical command infrastructure on American hyperscaler clouds or platforms. At the time, it made sense: faster, cheaper, more scalable. But it was a choice with consequences we are only now beginning to feel. The political shifts in Washington in recent years have turned what was once a theoretical concern into an operational one: an America that does not necessarily share European values and interests at every moment, in every crisis.

For all critical infrastructure, sovereignty comes down to four concrete questions: who wrote the code? Where is the data held? Who can access it? And who can switch the system off? No service agreement with a non-European supplier answers those questions satisfactorily.

Open standards are the way forward

It is important to avoid a false conclusion here. Digital sovereignty does not mean every country should build its own technology. That would lead to fragmentation and weakness, not strength.

What we need are shared European standards, systems that can talk to one another, and trusted partnerships between democracies. Europe has already done this in other areas - in aviation, in financial infrastructure, in food safety. Now we must do it for digital infrastructure.

NATO is proof that it can be done. Through the command-and-control system SitaWare, defence forces share intelligence and coordinate operations across languages, systems, and borders - without any single actor surrendering sovereign control.

Open standards are the way forward. Dependence on a single supplier is the enemy.

Europe has the capability

NIS2, the Cyber Resilience Act, and GDPR are necessary. But they are not sufficient. One of the missing policy levers is procurement. The new coalition government does write in its platform that military equipment and software should increasingly be procured from Danish and European companies - and that Danish research and education policy should support European autonomy and technological independence. Those are the right words. Now they must be translated into practice - beyond defence as well.

Scale matters. That is why European governments must start buying European solutions at scale - not pilots, not proof-of-concepts.

European solutions are not a guarantee in themselves, but they give us the legal and political tools to set requirements, exercise oversight, and intervene when needed. We cannot do any of that with a server in Virginia.

Europe's companies have the capability. But we cannot build sovereign systems if our own governments will not buy them. That requires long-term procurement contracts and the political will to make sovereignty a condition for public procurement of critical infrastructure.

A recognition that matters

The government itself acknowledges in its platform that a handful of large technology companies outside Europe dominate key critical technologies - and that this is a vulnerability threatening our democracies. That is an important acknowledgement.

But acknowledgement is not enough, and it leads us directly to the question of democratic accountability.

Opaque, foreign-controlled infrastructure is fundamentally incompatible with democratic accountability. If a government cannot see who has access to citizens' data - or cannot operate its own systems independently in a crisis - then democracy's resilience begins to crack.

In five years' time, the measure of success will not be whether we have passed another regulation. It will be whether European institutions and defence forces can operate critical digital infrastructure independently, securely, and in keeping with democratic values - including under pressure.

The decisive question is not technological. It is political: are we willing to fund and practise sovereignty - not merely legislate about it?