Cloud computing Archives | Digital Watch Observatory

The EU’s Tech Sovereignty Package and the future of European digital power

On 3 June 2026, the European Commission presented the European Technological Sovereignty Package, a set of measures to strengthen Europe’s capacity in semiconductors, AI, cloud computing and open source software. The package comprises two legislative proposals, the Chips Act 2.0 and the Cloud and AI Development Act (CADA), alongside the new EU Open Source Strategy and the Strategic Roadmap for Digitalisation and AI in Energy.

The Commission framed the initiative as a fundamental shift in the EU’s approach to technology, underpinned by the recognition that digital dependence is no longer a market inefficiency to be tolerated, but a strategic vulnerability to be corrected through legislation.

Commission President Ursula von der Leyen stated that Europe cannot afford to depend on others for the technologies that keep its hospitals running, its energy grids stable, and its services secure, calling on the EU to convert its research excellence, industrial base and single market into technological sovereignty.

The package is designed to broaden choice in core technologies for EU businesses, citizens and public administrations, and to position Europe to capture a larger share of a global semiconductor market projected to reach EUR 1.37 trillion by 2030, with AI-related components accounting for roughly 70% of that growth.

The timing reflects a specific convergence of pressures. The rapid spread of AI applications is driving a sharp increase in demand for data centre and cloud capacity that EU infrastructure cannot currently meet at scale. At the same time, longstanding dependence on non-EU suppliers for advanced semiconductor manufacturing, chip design and cloud services has become increasingly difficult to ignore as geopolitical tensions have demonstrated the economic risk of concentrated supply chains.

The 2022 US CHIPS and Science Act, generous subsidy regimes in Asia and tightening export controls on advanced semiconductor equipment have accelerated the global race for technological self-sufficiency, prompting Europe to adopt a more active industrial policy response.

Chips Act 2.0

Electronics, Hardware, Printed Circuit Board, Mace Club, Weapon

The Chips Act 2.0 revises and expands the 2023 European Chips Act, which has mobilised more than EUR 52 billion in public and private investment, created an estimated 46,000 direct and indirect jobs and strengthened Europe’s research and innovation capacity in semiconductors. Despite this progress, the EU remains dependent on third countries for advanced chip manufacturing and semiconductor design.

The revised regulation is designed to accelerate Europe’s position across the entire semiconductor value chain, from raw materials and design to manufacturing and packaging, and to ensure that Europe captures a greater share of the growth in AI-related chip demand.

The proposal is structured around four objectives. On investment and competitiveness, the Act would cap permitting approvals at 12 months, introduce ‘Grand Challenges’ to support the development of strategically important chip types such as AI processors, and formalise Strategic Partnerships on Semiconductors with international allies.

To stimulate demand, it establishes Demand Accelerators to align new products with industry needs, expands innovation procurement, notably for European start-ups and scale-ups, and creates structural synergies with CADA to benefit from the data centre and AI Gigafactory buildout planned under that regulation.

On the supply side, the Act enables state aid for ‘First-of-a-Kind’ facilities not yet present in the Union, covering the full semiconductor value chain, designates strategic projects to unlock EU and member state co-investment, and creates a ‘Semiconductor Regions of Excellence’ label to attract investment at the regional level. To strengthen resilience, it establishes a business-to-business semiconductor supply chain platform and provides sector-specific guidance on risk assessment and mitigation.

The explicit linkage between Chips Act 2.0 and CADA reflects a deliberate industrial logic: European-made chips powering European cloud infrastructure, with demand from that infrastructure in turn supporting European chipmakers.

Cloud and AI Development Act

Architecture, Building, Person, Security

The Cloud and AI Development Act (CADA) forms a central part of the Commission’s AI Continent Action Plan and simultaneously addresses two structural problems: insufficient EU cloud and data centre capacity to meet AI-driven demand, and strategic dependence on a small number of non-EU cloud providers.

The Act is designed to facilitate and accelerate the deployment of sustainable cloud and data centre infrastructure, while ensuring the EU accelerates the rollout of cloud and AI in critical sectors and retains meaningful control over the infrastructure on which that rollout depends.

The Act focuses on three main areas. On research, development and innovation, it supports next-generation cloud and AI technologies, including frontier AI, industrial AI, and physical AI, introduces grand challenges to drive R&D efforts, and promotes adoption in strategic sectors through national cloud and AI strategies and new Experience and Acceleration Centres for AI in member states.

On capacity, it targets at least a tripling of EU data centre capacity within five to seven years, simplifies and accelerates permitting, and improves access to energy, land, water and financing. On sovereignty and autonomy, it establishes a single EU-wide sovereignty classification framework, promotes open source solutions as a tool for resilience, and introduces a common EU-level procurement framework for public administrations.

The sovereignty classification system merits particular attention. It introduces four assurance levels for cloud and AI services, to be applied by public sector bodies based on their own risk assessments. Level 1 requires data to be processed and stored within the EU. Level 2 requires providers to demonstrate independence from third countries and transparency over their software supply chain.

Level 3 requires providers to be owned and controlled from within the EU and to meet additional criteria including personnel citizenship, although the Commission retains the ability to recognise third-country providers at this level. Level 4 requires full transparency and control over the software supply chain with no third-country interference.

Cloud service providers seeking recognition under this framework must undergo an independent audit conducted by member state authorities. The framework is significant because it creates, for the first time, a legally grounded and progressive definition of what it means for a cloud service to be sovereign, moving the concept from political rhetoric to a procurement-relevant standard.

EU Open Source Strategy

Astronomy, Earth, Globe, Outer Space, Planet, Plate

The EU Open Source Strategy is the non-legislative pillar of the package most directly aimed at reducing dependence on proprietary, non-EU software. It places open source at the centre of the EU’s technological sovereignty approach, arguing that open ecosystems reduce supplier lock-in, increase transparency and give European developers and public administrations greater control over their digital infrastructure.

The strategy addresses a persistent structural weakness: the economic value generated by open source projects has historically been captured outside Europe, limiting the ability of European developers and companies to benefit fully from their own contributions.

The strategy is organised around four objectives. The first, Open Source for Tech Sovereignty, focuses on scaling the Open Internet Stack, a Commission-curated catalogue of EU-aligned open source solutions, and promoting alternatives to dominant proprietary products in areas such as cloud platforms, workplace tools, secure e-mail and decentralised social media.

The work will be carried out in cooperation with member states through the European Digital Infrastructure Consortium for Digital Commons. The second objective, Vibrant Open Source Ecosystem, targets start-up support through accelerators and procurement access, alongside a stewardship toolkit for critical open source assets and investment in digital skills across schools, universities, and civil services.

The third objective, Open Source in Public Administration, sets out procurement guidelines that favour open standards, reinforces the Commission’s Open Source Programme Office (OSPO) and the EU Public Sector OSPO Network, and seeks to embed openness and sovereignty-by-design in digital investment decisions across EU institutions and member states.

The fourth objective, Reinforced Standards and International Outreach, promotes EU open source developers and solutions internationally through the EU Tech Business Offer, supports uptake in partner countries and integrates open source communities into standardisation processes, including through a forthcoming revision of the EU Standardisation Regulation.

The strategy also intersects directly with the other package components. On semiconductors, it targets open hardware development through the Chips Joint Undertaking’s RISC-V programme. On AI, it supports the GenAI4EU initiative and promotes open source tooling for public sector AI adoption through the Apply AI Strategy.

On digital identity, it prioritises open source implementation of the European Digital Identity Wallet (EUDI Wallet) and the European Business Wallet. The strategy also interacts with the recently enacted Cyber Resilience Act (CRA), which imposes new security obligations on open source projects that have generated concern in the developer community. The Open Source Maintenance Instrument and critical dependency mapping exercises set out in the strategy are designed in part to address those obligations, though reconciling the CRA’s security requirements with the growth objectives of the strategy will be a key implementation challenge.

Strategic Roadmap for Digitalisation and AI in Energy

Computer, Electronics, Hardware, Architecture, Building, Warehouse, Server, Factory

The Strategic Roadmap for Digitalisation and AI in Energy is the least legally binding element of the package but arguably the one that determines whether its ambitions are physically realisable. The targets set by CADA, particularly the goal of at least tripling EU data centre capacity within five to seven years, cannot be achieved without a corresponding expansion in reliable, affordable power supply.

Data centres are energy-intensive by nature, and the AI workloads they are increasingly required to process are even more demanding. The roadmap addresses this constraint by setting out how AI and digital technologies can improve the efficiency and flexibility of Europe’s energy systems while also enabling the energy infrastructure that these systems need.

The roadmap connects the package’s digital ambitions to the EU’s energy transition objectives, creating a mutually reinforcing relationship: cleaner, smarter energy systems create more viable conditions for data centre expansion, while AI-enabled demand management and grid optimisation tools reduce the cost and environmental impact of that expansion. The roadmap is also relevant as a governance document, since the deployment of AI in critical energy infrastructure raises its own questions about cybersecurity, data sovereignty and the concentration of control over systems on which entire economies depend.

Governance and policy implications

Adult, Male, Man, Person, Text, Pen, Formal Wear, Clothing, Suit, Document, Computer, Electronics, Laptop, Pc

The Tech Sovereignty Package raises several governance issues that extend beyond its immediate legislative content. The most significant concerns the model it establishes for EU industrial policy. The package marks a clear departure from the long-standing assumption in EU competition policy that market mechanisms and trade openness are the primary tools for achieving efficient and innovative technology markets.

The explicit use of state aid for strategic semiconductor projects, the joint procurement frameworks in CADA and the deliberate promotion of EU-origin suppliers both in public procurement and sovereign cloud classification illustrate a greater role for public intervention in the technology sector. Whether the EU’s trading partners, particularly the United States and major Asian semiconductor producers, will treat these provisions as proportionate industrial policy or as market-distorting intervention is likely to become a significant diplomatic issue.

The package also has important implications for the governance of AI in Europe. It operates in parallel to the EU AI Act and the work of the EU AI Office, but addresses a different layer of the AI ecosystem. While the AI Act focuses on the risk profile and compliance obligations of AI systems once deployed, the Tech Sovereignty Package governs the infrastructure and supply chains that enable AI development in the first place.

The relationship between the two frameworks matters as decisions taken at the infrastructure layer, such as the cloud sovereignty level applied to a given public sector AI deployment, can have downstream consequences for compliance with AI Act requirements. The relationship between these frameworks will be an important area to monitor as implementation progresses.

A further coordination challenge arises internally. The package spans multiple policy domains and directorates-general within the Commission, including DG CONNECT for semiconductors, cloud and open source, and DG ENERGY for the energy roadmap.

It also interacts with DG COMP on State aid approvals and with DG TRADE on the trade implications of sovereignty-oriented procurement rules. Ensuring coherence across these areas during the legislative process, and subsequently during implementation, will require stronger-than-usual inter-institutional coordination.

Legislative process and upcoming milestones

The two legislative proposals, the Chips Act 2.0 and CADA, need to enter the ordinary legislative procedure, meaning they will be negotiated separately by the European Parliament and the Council of the European Union before trilogue negotiations between the two institutions and the Commission can begin.

Given the political and economic stakes involved, and the number of member states with competing interests in semiconductor investment locations and cloud market access, the negotiations are likely to be protracted. The original European Chips Act took approximately two years from proposal to final adoption, and CADA, which touches on the politically sensitive question of digital sovereignty vis-à-vis key trading partners, may encounter comparable friction.

Several near-term milestones are already in view. The Commission is expected to launch a call for AI Gigafactories in July 2026, following the European High Performance Computing Joint Undertaking (EuroHPC JU) Governing Board’s agreement in principle on 1 June 2026. AI Gigafactories are large-scale, purpose-built AI training facilities and represent one of the most concrete and immediately actionable elements of the broader AI infrastructure agenda.

Their deployment is intended to provide European researchers, start-ups and industry with access to the kind of computing capacity currently concentrated in the United States, and the July call will be an early test of the Commission’s ability to move from legislative ambition to operational delivery.

The Commission will also launch a consultation with member states, the European Investment Bank Group and other key stakeholders to design a European equity capacity at scale for financing tech sovereignty ambitions. This implies that the Commission does not believe grant funding and state aid alone will be sufficient to mobilise the investment required, and that a blended finance model, combining public equity with private capital, will be needed.

The EIB Group’s involvement points towards the kind of risk-sharing instruments it has used in other strategic sectors, although the specific structures and governance arrangements have yet to be designed through the consultation process.

Broader context

The package does not emerge in isolation. It sits within a cluster of interconnected EU strategic frameworks that have, over the past two to three years, progressively shifted the EU’s economic policy stance from market liberalisation towards what the Commission calls ‘open strategic autonomy’: the maintenance of trade openness where possible, combined with targeted interventionism to reduce strategic dependencies where necessary.

The Competitiveness Compass, adopted earlier in 2025 and drawing heavily on the 2024 Draghi report on European competitiveness, identifies reducing strategic dependencies as one of three pillars for restoring European economic dynamism. The Tech Sovereignty Package is the most operationally specific expression of that pillar to date.

The Economic Security Strategy, adopted in 2023, provided the risk-assessment framework within which the package sits, identifying advanced semiconductors, AI, quantum computing and biotechnology as the technological areas posing the most significant dual-use and strategic dependency risks for the EU. The Tech Sovereignty Package translates that risk assessment into concrete legislative and policy instruments, with semiconductors and AI infrastructure receiving the most direct regulatory attention.

The Commission’s AI Continent Action Plan, which positions Europe to become a global AI leader by focusing on computing infrastructure, data, skills, and adoption, provides the most direct policy antecedent for CADA in particular. The Tech Sovereignty Package fast-tracks the infrastructure ambitions of the Action Plan and adds the supply chain governance dimension that the Action Plan did not fully address.

Taken together, these documents represent a sustained and internally consistent shift in EU digital and industrial policy, one in which technological leadership is treated not merely as an economic aspiration but as a precondition for political and regulatory autonomy in an increasingly contested global technological order.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU launches digital energy system initiatives for data centres and AI grids

The EU policymakers and high-level industry representatives have launched two flagship initiatives to prepare the EU energy system for a more digitalised future.

The first initiative brings together data centre operators, the energy sector, and public authorities to support the sustainable integration of data centres into the EU energy system. In the presence of Energy Commissioner Dan Jørgensen, 14 European associations signed a Declaration of Intent, while six companies signed a Declaration of Support indicating readiness to begin implementation.

The event also marked the launch of the AI.grids project, which will develop the EU sovereign AI models for energy grids. The project brings together 48 partners, including grid operators and research institutes, to improve grid management and planning.

Both initiatives coincide with the Commission’s Tech Sovereignty Package, published on the same day. The package includes a Strategic Roadmap for Digitalisation and AI in the energy sector, aimed at preparing the future energy system and supporting the deployment of AI solutions across the energy value chain.

Why does it matter?

The initiatives show how AI infrastructure and energy policy are becoming increasingly interconnected. Data centres are expanding rapidly as demand for AI computing grows, while electricity grids need more advanced digital tools to manage decentralised generation, demand, and resilience. By linking data centre sustainability with the EU sovereign AI models for grid management, the Commission is treating digitalisation as both a pressure on the energy system and a tool for managing it.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU proposes Chips Act 2.0 to strengthen semiconductor ecosystem

The European Commission has proposed Chips Act 2.0, a new framework intended to strengthen Europe’s semiconductor ecosystem and build on the original European Chips Act.

The proposal aims to boost the EU’s competitiveness, technological sovereignty, and resilience while improving crisis preparedness in semiconductor supply chains. It forms part of the Commission’s wider European Technological Sovereignty Package, alongside the Cloud and AI Development Act, an Open Source Strategy, and a roadmap for digitalisation and AI in the energy sector.

The Commission says the EU remains structurally dependent on third countries for semiconductor design and manufacturing, including advanced and leading-edge chips needed for AI. It also points to gaps in crisis preparedness, noting that existing mechanisms rely heavily on voluntary information sharing outside crises and do not provide sufficient, timely supply-chain intelligence.

Chips Act 2.0 would support both mainstream and advanced semiconductors, including AI chips. Measures are expected to include stronger research and innovation support, faster permitting, supply-chain information tools, Semiconductor Regions of Excellence, skills investment, strategic projects, and innovation procurement.

The proposal also places greater emphasis on demand-side measures, including support for public procurement and industrial uptake of European semiconductor technologies. The Commission argues that stronger local demand can reinforce local supply, shorten supply chains, and better align European production capacity with the needs of strategic sectors.

The initiative complements the EU’s broader technological sovereignty agenda. The Commission says Chips Act 2.0 should help reduce strategic dependencies, improve security of supply, support industrial scale-up, and strengthen Europe’s role in semiconductor technologies needed for AI, cloud, defence, automotive, energy, and other critical sectors.

Why does it matter?

The Chips Act 2.0 shows how the EU is shifting from an emergency response to the global chip shortage to a broader semiconductor industrial strategy. The proposal links chip policy directly to AI competitiveness, cloud infrastructure, defence, energy, automotive supply chains, and technological sovereignty. Its emphasis on demand-side measures also matters: Europe is not only trying to attract semiconductor production, but also to create stronger domestic markets for European chip technologies.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Union unveils tech sovereignty plan to boost digital independence

The European Commission has presented a European Technological Sovereignty Package aimed at strengthening Europe’s capacity in semiconductors, AI, cloud infrastructure, and open source technologies.

The package includes two legislative proposals, the Chips Act 2.0 and the Cloud and AI Development Act, alongside an Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.

The Commission said the measures are designed to support Europe’s ambition to become an AI continent, strengthen digital autonomy, build a more sustainable digital future, and widen choice in core technologies for businesses, citizens, and public administrations.

Rising global demand for computing capacity, driven by the spread of AI, has intensified concerns over Europe’s dependence on non-EU suppliers for core digital technologies. The Commission said the package is intended to reduce structural dependencies and ensure Europe can develop, deploy, and secure the technologies it relies on.

The proposed Chips Act 2.0 aims to strengthen Europe’s semiconductor capabilities, while the Cloud and AI Development Act focuses on expanding cloud and AI infrastructure. The Open Source Strategy is intended to support Europe’s software ecosystem, and the energy roadmap links digitalisation and AI to a more sustainable energy system.

Commission President Ursula von der Leyen said Europe cannot afford to depend on others for technologies that keep hospitals running, energy grids stable, and services secure. She said the package is about protecting citizens, defending European interests, and making independent technological choices.

Why does it matter?

The package brings several major EU technology priorities under one sovereignty agenda. By linking chips, cloud, AI infrastructure, open source, and energy digitalisation, the Commission is trying to reduce structural dependencies while strengthening Europe’s capacity to build, deploy, and secure critical technologies. The key test will be whether legislative proposals and strategies translate into investment, infrastructure, and industrial scale.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

EU proposes Cloud and AI Development Act

The European Commission has adopted a proposal for the Cloud and AI Development Act to strengthen the EU’s cloud and AI ecosystem, investment, and infrastructure.

The proposal is intended to support broader deployment and adoption of AI by expanding cloud and data centre capacity across Europe. The Commission said the ongoing deployment of AI factories and AI gigafactories is designed to provide European businesses and researchers with access to high-capacity, next-generation computing resources.

The Cloud and AI Development Act is intended to complement those efforts by supporting the wider diffusion of AI through expanded cloud and data centre infrastructure. It will also complement the Apply AI strategy, which aims to boost AI and cloud adoption across Europe.

The proposal focuses on three objectives. The first is research, development, and innovation, supporting the next generation of cutting-edge and sustainable cloud and AI technologies. The second is capacity, accelerating the deployment of data centres across the EU, with a focus on facilities that enhance essential public sector functions.

The third objective is autonomy. The proposal would introduce a single EU-wide assessment framework for cloud and AI sovereignty, accompanied by a public-sector adoption mechanism.

The Commission said the Cloud and AI Development Act complements other initiatives, including Chips Act 2.0 and the EU Open Source Strategy, as part of efforts to build a more competitive, secure, and resilient European digital economy.

Why does it matter?

The proposal shows how the EU is treating cloud and data centre capacity as core infrastructure for AI competitiveness and digital sovereignty. AI factories and gigafactories may provide high-capacity computing resources, but wider AI adoption also depends on cloud infrastructure, sustainable data centres, and public-sector access to trusted services. The sovereignty assessment framework is especially important because it points to a more structured EU approach to assessing dependence, control, and trust in cloud and AI infrastructure.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Europe’s digital crossroads: Key takeaways from CPDP 2026

The Computers, Privacy and Data Protection (CPDP) conference is an annual gathering that brings together academics, policymakers, industry representatives, civil society, students, and EU institutions to discuss emerging digital policy challenges. This year’s theme was ‘Competing Visions, Shared Futures’, the 19^th in the series, and it hosted approximately 150 panels over the span of 3 days in Brussels.

What is CPDP?

CPDP’s value lies in its multidisciplinary approach. With academics presenting their work or debating topical issues, as well as with industry and policy experts bringing their expertise to the table, the event creates a space for honest conversations among participants.

The conference is sponsored by organisations such as Google, TikTok, Apple, as well as the European Data Protection Supervisor (EDPS), European Union Agency for Fundamental Rights (FRA) and VBU. Google even presented its Banana AI model in a photo booth, allowing participants to modify photos they took in the booth.

Alongside panels, CPDP hosts an array of workshops, short films, artwork, radio programming, promotion booths, dedicated DPO, youth, finance and IT tracks, book launches, and pop-up exhibitions. The event always closes the day in style with an open bar and a party to chat and network at.

CPDP is not a typical conference with just panels, attendees, moderators, and lengthy speeches. The conference inspires creativity and gives the freedom to achieve it. This was proven by the diverse topics showcased in the event’s schedule over the three days.

From a fireside chat with the artist, Simon Denny, behind the conference’s art, who uses AI as a medium in some of his work, to typical discussions about the Digital Omnibus or tracking period apps, all the way to an exiled journalist talking about Russian internet censorship. There was something for everyone.

What was presented?

The breadth of topics discussed at CPDP offers insight into the issues currently shaping Europe’s digital policy agenda. There were approximately 150 panels in total, with data protection, AI, the Digital Omnibus and the topics of digital sovereignty receiving the most attention. Data protection received the most attention overall, as 33 panels were dedicated to the topic. This was followed by 26 panels on AI, 12 on the Digital Omnibus, 10 on digital sovereignty, and 7 on child-related protection.

The distribution of panels reflects the growing prominence of AI in digital policy discussions. However, data protection topics, including privacy and the GDPR, are still the frontrunners in terms of topic relevance. Newer and emerging topics reveal what is topical in the digital world.

Growing concerns over US tech reliance have intensified discussions about EU digital sovereignty. Alongside this, another heavily debated and sensitive topic is child protection in the online context and its generative AI implications, which raises questions about how to better protect children online.

People, Person, Crowd, Adult, Female, Woman, Electrical Device, Microphone, Accessories, Bag, Handbag, Audience, Jewelry, Necklace, Electronics, Speaker, Male, Man, Clothing, Footwear, Shoe, Indoors, Speech, Carrie Vaughn, Vian Dakhil

Emerging topics at CPDP

Digital sovereignty is a challenging topic as it encompasses a lot and has yet to be defined, meaning that taking action can look different for a wide variety of actors. Several discussions framed digital sovereignty as a pathway towards greater digital independence and reduced reliance on external technology providers. In order to try to achieve digital sovereignty, public procurement should be steered away from non-EU actors and towards EU businesses to develop a European stack.

Yes, private partnerships are important, but public ones set the tone. Several participants argued that public procurement choices will play an important role in determining whether EU can strengthen domestic digital capabilities and reduce strategic dependencies. Digital sovereignty needs to come from all corners of the market and society; that is the challenge.

A very interesting panel on data protection and AI, the GDPR, and privacy occurred. In Academic Session I, Stephanie von Maltzan presented findings about her groundbreaking research on LLM unlearning. The larger the LLM, the more data points it will be trained on and the more complex its ‘web’ will be.

Removing data points is not a common practice, given how data points interact with each other, meaning that complexity overrides certain fundamental rights. For example, when data subjects invoke their right to erasure under Article 17 of the GDPR, they may request that certain data be deleted in an LLM, yet this request is difficult to carry out in practice.

The research highlights one of the emerging challenges at the intersection of AI governance and data protection. She presents a two tier model in which the actively deployed LLM is accompanied by a parallel ‘shadow’ model.

After receiving a valied erasure request, the ‘shadow model’ would undergo the necessary unlearning processes to remove the relevant data. In the second tier, in a scheduled update, the ‘shadow’ model, which had undergone unlearning, would replace the initial LLM, thereby upholding data subject requests.

MIT researchers propose fix for LLM catastrophic forgetting.

Apart from these insightful exchanges of knowledge on AI, digital sovereignty and data protection, the conference offered practical workshops on how to brainstorm re-writing the proposed Article 88b of the Omnibus, data protection officer and cybersecurity crisis scenarios, as well as open conversations about how to protect children in online environments.

Remaining questions

The conference also highlighted several unresolved policy questions that continue to shape European digital governance debates.

Regarding the Digital Omnibus, would companies scale up overnight if we removed regulations?
Does digital sovereignty need/have a definition, or should it be left to the meaning of ‘digital independence’?
Open markets vs data protection, where is the balance?
Regarding digital sovereignty, which clouds should be used in the EU?
Should simplification mean using the once-used definition of personal data by the CJEU, or sticking to the definition relied on in law, cases, and practice?
In order to protect EU sovereignty, should parts of the stack be a public utility?

Why does it matter?

CPDP 2026 demonstrated that while privacy and data protection remain central pillars of European digital policy, debates around AI governance, digital sovereignty and online child protection are rapidly gaining prominence.

The discussions highlighted the growing challenge of balancing innovation, competitiveness, fundamental rights and strategic autonomy as Europe defines its digital future.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

NGI Commons outlines expectations for the EU Tech Sovereignty Package

NGI Commons has outlined expectations for the European Union’s forthcoming Tech Sovereignty Package, a policy initiative aimed at strengthening Europe’s control over critical digital technologies and reducing reliance on non-European providers.

The initiative is expected to focus on semiconductors, cloud computing, AI and open-source software. According to NGI Commons, the package aims to align and simplify existing policies rather than introduce a new layer of regulation.

The framework builds on recommendations from Mario Draghi’s report on European competitiveness and seeks to support innovation, competitiveness and the EU’s broader objective of open strategic autonomy. A central element of the proposal is the recognition of open technologies as digital commons that underpin Europe’s digital ecosystem.

The analysis argues that open-source software should be treated as strategic infrastructure and supported through long-term funding, coordinated development efforts and greater public-sector adoption to strengthen digital resilience and security.

The report notes that challenges remain, including securing long-term funding, managing the growing energy demands of AI infrastructure and attracting investment, as policymakers seek to balance technological sovereignty with competitiveness.

Why does it matter?

The Tech Sovereignty Package is expected to shape how Europe approaches critical technologies such as semiconductors, cloud services, AI and open-source software in the coming years.

By treating open technologies as strategic infrastructure, policymakers could strengthen digital resilience, reduce external dependencies and support the EU’s broader goal of technological sovereignty while maintaining competitiveness in the global digital economy.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

NVIDIA expands global AI Cloud network to support sovereign and agentic AI

NVIDIA has announced a major expansion of its AI Cloud ecosystem, supporting the rapid global deployment of AI factory infrastructure designed to meet growing demand for agentic AI, physical AI, sovereign AI and large-scale inference workloads.

The initiative aims to expand access to high-performance computing resources for enterprises, startups, governments, researchers and AI developers worldwide.

According to NVIDIA, the ecosystem now spans six continents, with new partners expanding AI Cloud infrastructure across multiple regions. The company said the expansion is intended to bring AI computing resources closer to users, industries and national AI initiatives while supporting regional and sovereign AI requirements.

Several cloud providers are expanding infrastructure to support advanced AI applications, including model training, fine-tuning, inference and AI agent development. Companies including CoreWeave, Firmus, Nebius and others are deploying new AI factories capable of supporting model training, fine-tuning, inference and AI agent development.

The expansion also includes support for emerging physical AI and robotics workloads through platforms such as NVIDIA Cosmos and Isaac.

NVIDIA also highlighted growing adoption of its DSX platform, which is designed to help cloud providers deploy and manage AI factories more efficiently. The company said AI infrastructure is increasingly being assessed using metrics such as cost per token, energy efficiency and infrastructure utilisation, rather than raw computing capacity alone.

Why does it matter?

The expansion highlights the growing importance of AI infrastructure as governments and companies compete to secure the computing resources needed for advanced AI systems. Access to large-scale computing capacity is increasingly viewed as a strategic asset, particularly as countries pursue sovereign AI initiatives and seek greater control over critical digital infrastructure.

The announcement also reflects a broader shift in the AI industry, where demand is expanding beyond model training to include inference, autonomous agents and robotics applications, placing new emphasis on infrastructure efficiency, energy use and geographic distribution of computing resources.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Digital Networks Act debate heads to Florence

A conference at the European University Institute in Florence will examine the proposed Digital Networks Act and its implications for the EU regulatory framework for electronic communications.

The event, titled ‘Digital Networks Act for a competitive and secure Europe’, will take place on 28 and 29 May 2026 at the EUI campus and online. It will bring together policymakers, regulators, industry representatives, and academics to assess how the proposal could reshape digital network governance in Europe.

The conference will focus on the Digital Networks Act as a shift from the existing directive-based telecom regime to a directly applicable regulation. Discussions will examine how the proposal could constrain national discretion, centralise selected decisions at the EU level, reduce implementation delays, and address regulatory fragmentation affecting the digital single market.

The proposed Act would repeal and consolidate several core EU telecom instruments, including the European Electronic Communications Code, the BEREC Regulation, the Radio Spectrum Policy Programme, and selected provisions of the Open Internet Regulation and the ePrivacy Directive.

The event will place the proposal in the context of the Commission’s 2023 exploratory consultation on the future of the electronic communications sector, the 2024 White Paper on Europe’s digital infrastructure needs, the 2025 Call for Evidence, and wider debates on competitiveness, resilience, scale, and Europe’s digital economy.

Speakers will also discuss delays in transposing the European Electronic Communications Code, which was due by December 2020 but was fully transposed across all the EU member states only in 2024. The delays are presented as an example of the limits of a directive-based approach, particularly for spectrum assignment, 5G deployment, and convergence with cloud, edge, and AI-enabled infrastructure.

Across keynote addresses and thematic panels, participants will examine access regulation, symmetric and asymmetric remedies, copper switch-off, spectrum and satellite governance, market structure and consolidation, and resilience in digital networks.

Why does it matter?

The conference reflects the growing importance of the Digital Networks Act debate for Europe’s connectivity and digital infrastructure agenda. Moving from a directive-based telecom framework to a directly applicable regulation could shift more decisions to the EU level, reduce national divergence, and reshape how Europe governs spectrum, access regulation, network resilience, satellite connectivity, and future infrastructure linked to cloud, edge, and AI.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

CrowdStrike disrupts Glassworm botnet targeting software developers worldwide

CrowdStrike has announced the coordinated disruption of the Glassworm botnet, a cyber operation targeting software developers through open-source software supply chains.

Working with Google and the Shadowserver Foundation, the cybersecurity company said it simultaneously disabled four command-and-control channels used by the malware infrastructure.

According to CrowdStrike, Glassworm targeted developers through trojanised VSCode extensions, malicious npm and Python packages, and compromised GitHub repositories containing poisoned code. The campaign affected Windows, macOS, and Linux systems and targeted the theft of developer credentials and the maintenance of persistent access to development environments.

CrowdStrike said the botnet had compromised hundreds of GitHub repositories using stolen developer credentials, posing risks to downstream software supply chains. The company warned that attackers are increasingly targeting developers because compromising a single workstation, repository, or package can spread malicious code across many organisations, services, and users.

The company also highlighted the growing resilience of cybercriminal infrastructure. It said Glassworm combined blockchain technology, peer-to-peer systems, legitimate online services, and traditional servers to make takedown attempts more difficult.

The disruption cuts off the botnet’s known command-and-control channels, but CrowdStrike said organisations should continue checking for compromised developer environments, malicious packages, and exposed credentials.

Why does it matter?

The Glassworm campaign shows how developer tools and open-source ecosystems have become critical attack surfaces. Rather than attacking only large enterprises directly, threat actors can compromise repositories, extensions, libraries, or credentials used by developers and then move through the software supply chain. Such attacks can create cascading risks for cloud services, enterprise software, financial systems, public services, and other organisations that rely on shared code and development infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!