In recent years, the question of who controls digital infrastructure has become a pressing issue for governments, especially in Europe. The growing dependence on foreign technology companies, mainly from the United States, has raised concerns about data privacy, legal control, and national security. These concerns came into sharper focus after a recent incident involving the International Criminal Court (ICC) and Microsoft. The event served as a reminder that Europe’s digital backbone is still heavily dependent on U.S.-based companies, and this situation could pose serious risks if left unaddressed.
The incident that raised alarms across Europe took place when the Chief Prosecutor of the ICC, Karim Khan, lost access to his official email account. This happened because the United States, under former President Donald Trump, imposed sanctions on the ICC after it issued arrest warrants for Israeli officials. The email service provider was Microsoft, a company based in the U.S., which was legally required to comply with the executive order. As a result, a top European judicial official suddenly found his digital communication disrupted, not because of any European decision, but due to a political move made in Washington.
This event showed just how little control Europe has over its own digital infrastructure when it depends on foreign companies. If the Chief Prosecutor of one of the most important legal institutions in Europe can have his work disrupted in this manner, the implications for governments, institutions, and businesses across the continent are far-reaching. The issue is not just about one email account being blocked. It is about the deeper problem of jurisdiction, and who ultimately holds the power to control or restrict access to digital tools and data.
For years, American companies like Microsoft, Amazon, and Google have provided core services to European governments, schools, hospitals, and courts. These services include cloud storage, communication tools, and software applications. While these companies have built data centers in Europe and made public promises to respect European regulations like the General Data Protection Regulation (GDPR), their legal obligations remain tied to U.S. law. This means that even if data is physically stored in Germany, France, or the Netherlands, it can still be affected by decisions taken in Washington or by U.S. courts.
There have already been concerns about how American tech companies handle European data. In several cases, services such as Microsoft’s Office 365 have been found non-compliant with European privacy laws. German and Danish schools have taken steps to block or ban certain tools over concerns about data being sent to non-European servers or being accessible to non-European authorities. These actions indicate a growing unease, but they are still scattered and not part of a united strategy.
The recent Microsoft-ICC case has become a turning point in the conversation. The reaction from experts and digital rights groups was immediate. The Open Source Business Alliance (OSBA) called the move by Microsoft unprecedented and said that the event proves why Europe must take digital sovereignty seriously. The message was clear: no matter where the servers are, if the company is based in a foreign country, the control over the data does not truly lie in Europe’s hands.
Digital sovereignty is about ensuring that the digital systems running critical parts of a country are not vulnerable to interference from foreign governments or corporations. It means that the software, data storage, and communication tools used by European institutions should be built, managed, and governed within the continent under local laws. This principle is essential not only for privacy but also for national security and independence.
The impact of this push for digital sovereignty will be felt most strongly by large American technology firms. Companies like Microsoft, Amazon, and Google have a deep presence in Europe and generate large portions of their income from European clients. If European governments start making “European origin” a requirement for public contracts in tech, these companies could lose their existing contracts or be forced to create entirely new legal structures within Europe. This would involve not only moving data centers but also separating their European operations from their U.S.-based parent companies.
Some companies have already started taking steps in this direction. Microsoft, for example, has created initiatives like a European Cloud and promised to offer services that comply fully with European laws. It has proposed creating regional data centers and independent boards of directors to manage European operations. However, critics argue that these are not enough unless full legal independence is granted. As long as the company remains under U.S. jurisdiction, it must obey U.S. laws, even if that conflicts with European regulations.
The European Union has already started addressing some of these concerns through legislation. Laws such as the Digital Markets Act and the Digital Services Act aim to create fairer competition and protect user rights. These acts are also meant to reduce the power of a few large players and open the door for local businesses to compete. As these laws are enforced, big tech companies will have to adjust their operations, business models, and compliance systems.
For European businesses, the push for digital sovereignty also creates new opportunities. Several companies already offer secure and privacy-focused digital tools that can replace services offered by U.S. giants. One example is Tuta, a German email service that provides encrypted communication and stores data in German data centers. It is one of several companies showing that Europe does have the technical capacity to offer secure, reliable alternatives.
Despite these available options, adoption has been slow. European authorities have continued using foreign services due to convenience, habit, and lack of planning. Microsoft’s software suite, for instance, has been deeply integrated into many public institutions for decades. Making a full switch to new platforms is not an easy task, and it cannot be done overnight. However, experts argue that governments must start creating transition plans, allocating budgets for migration, and developing long-term digital strategies focused on European products.
If Europe continues to depend on foreign digital infrastructure, more incidents like the one involving the ICC could happen. Today it was an email account; tomorrow it could be communication networks, databases, or even cloud systems that run entire public services. The risk is not only theoretical. Political decisions made far away can have direct consequences for how European systems operate.
The situation can be compared to the energy sector. No country would allow its power grid to be controlled by a foreign company subject to a different government. Yet, when it comes to digital infrastructure, similar risks are being accepted without much question. This contradiction highlights how digital systems are still not treated with the same level of seriousness as physical infrastructure.