Guaranteeing the security of sensitive data and mastering digital technologies are key to Europe’s sovereignty. Data Free Flow with Trust (DFFT) is essential for economic growth as it enables frictionless digital trade, integrated supply chains, and the rapid diffusion of innovation across markets. However, the EU’s internal and external policies must be strategically coordinated with regard to geo-economic developments while preserving its strategic autonomy. This makes it important to promote EU‑based infrastructure, reduce dependencies on non-EU actors, and strengthen the protection of critical data flows. The European framework must establish a mechanism capable of addressing all associated or inherent cybersecurity risks of technologies, including the extraterritorial application of non-EU laws in relation to digital technologies, such as cloud computing. A favourable outcome to the current discussions would promote the European trusted cloud market and strengthen the protection of the most sensitive data held by EU Member States and enterprises. While promoting greater use of European solutions, in line with WTO agreements, companies that meet the EU framework requirements are welcomed on the European market.
1. Europe must continue its efforts to achieve digital sovereignty
Germany and France stand by the EU’s efforts in the EU Data Strategy and acknowledge the work done with regard to Data Free Flow with Trust as well as the importance of data-related clauses in trade agreements. It is also important to recognize the role of trusted international data flows to achieve the UN’s SDGs.
Data sovereignty is of growing strategic importance for the EU’s resilience and digital economy. Completing the EU digital single market, fostering investment in European cloud companies, while reducing dependencies on insecure data infrastructures create vulnerabilities that require coordinated policy responses. In addition, the rise in cybersecurity-related incidents and ongoing cyberattacks on European infrastructure requires action. We will decisively address the inadequate compliance with regard to European privacy and data security rules. This also requires deepening the European digital single market, while establishing a robust framework revision of the Cybersecurity Act and the Cloud and AI Development Act, in order to address dependencies as well as risks.
For Germany and France there is an urgent need for the European Union to create a unified, resilient EU data‑governance architecture that safeguards and protects its most sensitive data, sustains economic competitiveness, and upholds the Union’s strategic autonomy in the global digital ecosystem. We will therefore ask the EU COM to review and, where necessary, to adjust its data and cybersecurity regulation in order to achieve European data sovereignty. This shall include:
- the proposal of a Data Sovereignty Framework,
- defining highest protection standards for the most sensitive data, including adequate safeguards to protect data from cybersecurity risks, notably the effects of non-EU extraterritorial legislation, and mandatory usage of privacy-enhancing technologies, in close alignment with the European cybersecurity framework;
For less sensitive data, including non-sensitive, the framework could propose a multi-layered framework that includes innovation incentives, balancing data localisation requirements and the use of privacy-enhancing technologies with advanced possibilities of using personal data. The EU should assert its position with a leading voice on Data Free Flow with Trust at G7, G20, OECD, UN, and other multilateral platforms and therefore pursue agreements that embed EU data‑protection principles in global digital trade rules.
2. Achieving European digital sovereignty should be a joint effort with the private sector.
Public authorities must lay the foundation for ensuring the highest level of protection for sensitive data, which requires a strong and coherent European regulatory and governance framework as well as an ambitious industrial policy. Within this framework, providers of digital services, including but not limited to cloud services, ought to take all adequate technical, legal and organisational measures in order to ensure the cybersecurity of their services, prevent unauthorised access by third-country authorities and, therefore, to develop capacities and structures able to protect Europe’s most sensitive data. They should also ensure data portability and interoperability, offering secure interfaces for cross-platform data exchange and standardized formats for data import and export.
France and Germany commit to actively support the development and uptake of European solutions in data, cloud and AI. Under the future IPCEI-AI and IPCEI-CIC, Germany and France are to support joint projects, with the aim of strengthening European sovereignty. Similarly, AI gigafactories must provide tangible reinforcement of European sovereignty across the cloud and AI value chain. Strong common positions on AIGF selection criteria and governance should be put forward, both in the revision of the EuroHPC Regulation and in the future AAP, to ensure that state and EU supported AIGFs ensure EU added value and address the security and resilience of supply chains.
Public procurement must be leveraged to foster the large-scale development of European players with expertise across the full spectrum of cloud technologies.
We look forward to the EU COM’s current efforts in the field of digital sovereignty and completing the EU digital single market, in particular with regard to the Data Union Strategy, the Digital Omnibus, the Cybersecurity Act, the Cloud and AI Development Act, and the Cloud Sovereignty Framework.