Mid-2026 EU Tech Sovereignty: A Progress Report

by BetterInEurope | | 7 min read
digital-sovereigntyEU-toolsGDPRgovernancepolicy

What Changed in the First Half of 2026

When 2026 started, European tech sovereignty was still mostly a policy discussion. By the end of May, it has become an operational reality with concrete events, concrete vendors, and concrete regulatory mechanisms. This is the consolidated progress report.

Six developments stand out.

1. The Infomaniak Foundation Move

In May 2026, Boris Siegenthaler transferred majority voting control of Infomaniak to the newly constituted Infomaniak Foundation — a Swiss public-interest foundation whose non-transferable voting shares structurally lock in the company’s sovereignty mission against any future acquisition.

This is the first major European cloud company to apply steward ownership at the governance layer. The Carl-Zeiss-Stiftung, Robert Bosch Stiftung, and similar foundations have used this model for industrial companies for over a century. Applying it to a cloud-infrastructure company that competes directly with AWS, Microsoft, and Google for European business is genuinely new — and likely to set the template for further moves.

Expect more European tech founders to adopt foundation governance in 2026-2030, particularly for companies whose value proposition depends on long-term trust. Privacy-focused tools, sovereign cloud providers, and AI companies with non-extraction commitments are the most likely next adopters.

2. The ICC / Microsoft Sovereignty Lesson Cemented

The 2025 incident in which the International Criminal Court’s prosecutor lost access to his Microsoft email under US sanctions pressure continues to shape European procurement.

Concrete consequences observable in the first half of 2026:

  • Several Member States have issued or strengthened cloud-first-EU procurement guidance for public-sector and regulated industry
  • New procurement template clauses addressing sanctions-cutoff scenarios are circulating across European legal teams
  • The contested sovereignty criteria in the EUCS scheme gained renewed support from previously ambivalent Member States
  • European public-sector sovereign-cloud RFPs increased materially in volume

The shift is not from “all in on US clouds” to “all out.” It is from “abstract concern” to “explicit risk register entry” — and the risk-register entry is now informing real procurement decisions.

3. The AI Office at Full Operational Tempo

The European AI Office — established under the AI Act within DG CNECT — completed its first full operational year by mid-2026. Staffing grew to several hundred technical and policy personnel. The first GPAI Code of Practice was published in late 2025 with major foundation-model providers participating.

The Office’s first formal enforcement actions are now setting precedent. Foundation-model providers serving the EU now have a clear regulatory interlocutor — and that interlocutor has demonstrated it can exercise actual authority, not just publish guidance.

For European AI startups, the AI Office’s regulatory-sandbox coordination has made experimentation with novel use cases significantly more navigable. Several Member State sandboxes have moved from announcement to operational testing.

4. EHDS Implementation Begins

The European Health Data Space, adopted as a regulation in March 2025, is moving from law to infrastructure in 2026. Health Data Access Bodies (HDABs) have been designated in 23 of 27 Member States. France (Health Data Hub expanded under EHDS), Germany (Forschungsdatenzentrum Gesundheit), Finland (Findata), and Estonia (Tehik) are most advanced operationally.

The first cross-Member-State research data permits are being issued. The MyHealth@EU primary-care infrastructure is being built out toward the 2030 mandatory-applicability deadline. EU-only secure processing environments for sensitive health-data research are being procured.

For health-tech vendors, EHDS-compliant infrastructure is becoming a procurement category. For US-headquartered health-cloud providers, the sovereignty requirements are limiting direct participation — JV structures are emerging as the workaround.

5. Critical Raw Materials Act Strategic Projects Approved

The Critical Raw Materials Act — the foundational supply-chain layer beneath digital sovereignty — saw its first wave of Strategic Project designations in 2026. Lithium projects in Portugal, the Czech Republic, and Germany received accelerated permitting. Battery recycling capacity expansion has been Strategic-Project-designated in several Member States.

This matters for digital sovereignty because semiconductors, batteries, and AI computing infrastructure all depend on materials covered by the CRMA. EU access to these materials is no longer a question of pure market dynamics — it is also a structural policy question.

Strategic Partnerships have been signed with Australia, Canada, Chile, Greenland, Kazakhstan, Norway, Serbia, Ukraine, and Zambia. The third-country diversification benchmarks (no more than 65% dependency on any single non-EU country) are shaping these partnerships explicitly.

6. The Cyber Solidarity Act Becomes Real Infrastructure

The Cyber Solidarity Act, adopted late 2024, moved into operational implementation in 2025-2026. The European Cybersecurity Shield is partially operational. Cross-border SOC consortia (France-Germany-Belgium, Nordic-Baltic) are running threat intelligence exchanges. The first EU Cybersecurity Reserve framework contracts have been signed with vetted European cybersecurity providers.

For cybersecurity vendors, Reserve membership has become a meaningful procurement signal. For US-headquartered cybersecurity firms, the sovereignty requirements have created structural participation barriers consistent with SecNumCloud and the broader EU certification ecosystem.

What This Means For European Buyers

For most European businesses, sovereignty was a concept in 2024 and 2025. In mid-2026 it is increasingly a procurement category with specific vendors, specific certifications, and specific governance structures to evaluate.

The practical implications are concrete:

For procurement teams: vendor evaluation now reasonably includes corporate jurisdiction, foundation/steward-ownership status, EU certification (EUCC, EUCS, SecNumCloud, BSI C5), and supply-chain disclosure (CRMA-aligned). These were academic considerations two years ago. They are increasingly procurement-relevant today.

For CTOs and engineering leaders: cloud, database, and SaaS choices are no longer purely technical decisions. The ICC/Microsoft incident and the Infomaniak Foundation announcement book-end a year in which structural-vendor-risk became a board-level conversation in many organisations.

For regulated-industry compliance teams: NIS2, DORA, the AI Act, EHDS, and the Cyber Resilience Act collectively create a procurement-shaping regulatory environment that was simply not there in 2023. Sovereignty considerations are no longer optional editorial choices — they are increasingly embedded in regulatory expectations.

For European tech vendors: the procurement signal is moving. EU jurisdiction, foundation governance, certified sovereignty, and supply-chain transparency are increasingly differentiation pillars that buyers actively evaluate. The European vendor ecosystem (Infomaniak, OVHcloud, Scaleway, Mistral, Mullvad, Threema, Element, Mojeek, DeepL, Cubbit, Tixeo, Scalingo, Clever Cloud, Aiven, and many more) is increasingly able to compete on more than just price and feature parity.

What Hasn’t Changed Yet

It is worth being honest about what hasn’t shifted.

Most European businesses still default to Microsoft 365, AWS, and Salesforce for the bulk of their stack. Migration costs remain real. Skills and ecosystem familiarity continue to favour incumbents. The European tech ecosystem still cannot compete with the US hyperscalers across every category at every scale.

What has changed is that the direction of change is now structurally European-favouring in a way it was not two years ago. The combination of regulatory pressure (NIS2, DORA, AI Act, EHDS, CRA), incident-driven risk perception (ICC/Microsoft), and credible European alternatives is producing visible procurement shifts at the margin.

That margin compounds over time.

The Honest Outlook

European tech sovereignty in mid-2026 is no longer a defensive narrative about not losing further ground. It is increasingly an offensive narrative about specific structural advantages — corporate jurisdiction, foundation governance, certified sovereignty, supply-chain transparency — that European vendors can credibly offer and US incumbents structurally cannot.

The next 18-24 months will determine whether this advantage translates into significant market-share movement or stays as a small but durable structural premium. The conditions for the former are visibly building. The execution is the question.

For anyone responsible for European tech procurement, the mid-2026 progress report is clear enough: the abstract is now operational. The vendors exist. The certifications exist. The governance structures exist. The regulatory pressure aligns. The question is no longer whether sovereignty is real. The question is whether your organisation is structured to act on it.

Want a personalised European stack recommendation? Try our 2-minute decision wizard — it asks four questions about your priorities and returns a ranked shortlist of EU-built tools. Or take the US Exposure Assessment to map your current vendor-jurisdiction risk.

Was this helpful?

Stay Updated

Get the latest European alternatives and digital sovereignty news.

We respect your privacy. Unsubscribe anytime. No tracking, no spam.