July 7, 2026
Who Owns the Internet?
Is digital sovereignty really about geography? A governance analysis of cloud dependency, platform lock-in, and Europe’s digital future.

By Brian Haman, PhD
11 min read
Who Owns the Internet? How Europe's "Digital Sovereignty" Debate Exposes the Real GRC Risk of Dependency
At some point in the early 2020s, Europe began speaking the language of "digital sovereignty." Policy papers filled with calls for "European cloud," "strategic autonomy," and "technological independence." Panels debated whether the continent could, or should, wean itself off American platforms and Chinese hardware. For a moment, it almost sounded as if Europe had discovered that the internet upon which it relied every day did not, in any meaningful sense, belong to it.
Of course, none of this is new. For decades, European businesses, governments, and citizens alike have run their digital lives on US‑dominated infrastructure. Think hyperscale clouds, productivity suites, ad networks, mobile ecosystems, and social media platforms. Rather than an open secret, this dependence itself was a business model. However, what has changed is not the dependency itself, but the willingness to name it as a risk. In other words, geopolitics finally caught up with what architectures had quietly been doing for years.
In their haste to correct this imbalance, though, European policymakers and vendors have reached for an intuitive answer, one that hinges on building "sovereign" alternatives. If American platforms are too dominant and Chinese vendors too politically fraught, as the thinking goes, then the solution must be European clouds, European AI, European platforms — digital stacks with the right flag on the login page. Insofar as this means (or has meant) funding open‑source projects, federated services, or public infrastructure, then it's obviously a welcome development. But something more troubling appears to be happening.
There's actually a risk of constructing a less free internet in the name of sovereignty, with its familiar architecture but different branding. Centralized platforms, non-transparent control planes, tightly coupled dependencies — all now operated by "our" providers rather than "theirs." The conversation has subtly shifted from "How do we keep the network open and resilient (and even interoperable)?" to "Which bloc gets to control the chokepoints?" And that's starting to look unmistakably like a move from governance by protocol to governance by passport.
From a GRC perspective, this should give us pause. The problem with a US‑dominated internet has never been that the servers are in Virginia instead of Frankfurt. Rather, the EU's structural dependency on a small number of actors means that it can neither control nor easily escape their decisions (and their consequences, in the case of outages). Rebranding that dependency as "European" doesn't resolve the underlying governance failure. It just makes it feel more familiar.
The Ever-Present Risk of Infrastructure Dependency
For the better part of the last three decades, Europe treated its digital dependencies as a kind of benign inevitability. American companies built the operating systems, social networks, productivity suites, and hyperscale clouds. Chinese manufacturers built the hardware. European orgs wrapped it all in contracts and DPAs and carried on with business as usual. Even current frameworks like NIS2 and DORA emphasize reporting and continuity, yet neither alters the underlying fact that many depend on hyperscalers they cannot meaningfully audit. If the stack functioned and the auditor was satisfied, then what's the problem, right?
From a governance standpoint, it's tempting to see this as a story about privacy law (Safe Harbor, Privacy Shield, Schrems I and II, GDPR). And to a certain extent it is. But those battles (important as they were) took place at the level of data protection rather than infrastructure dependency. The questions were limited to legal data flows and safeguards, when they should also have included concerns over whether the underlying architecture itself had become a web of unaccountable intermediaries. The irony, of course, was that data protection discussions also led to consolidating the underlying stack into a handful of non‑European platforms.
In GRC language, it's a clear case of Europe misclassifying the risk. It treated digital dependence as an externality of innovation when it should have been seen as a core concentration risk. Cloud, SaaS platforms, consumer (eco)systems — all were framed as efficiency choices, with concerns over who actually held operational and strategic leverage largely overlooked. As long as availability and confidentiality met baseline requirements, it felt almost ungrateful to ask whether being unable to leave was itself a material risk.
Then politics moved the proverbial goalposts. The CLOUD Act of 2018 foregrounded extraterritorial access in a way that made it clear that infrastructure could be weaponized, while more recent US domestic volatility has reminded Europeans that their digital lives ultimately sit under someone else's jurisdiction. At roughly the same time, China's model of tightly integrated national platforms (call it the internet with Chinese characterstics) became more visible, and with it the specter of a different kind of dependency.
Nothing about the underlying stack changed overnight. What did change was the perceived likelihood that those dependencies might be used as leverage. Risk that had been dismissed as "theoretical" suddenly felt quite practical.
Made in the EU: Sovereignty as Branding
In many quarters, the (predictable?) response has been to double down on a comforting narrative. If the problem is "foreign" infrastructure, then the solution most assuredly is "sovereign" infrastructure. Simply replace US hyperscalers with European ones; or American SaaS with European platforms; or Chinese 5G vendors with European telecommunications champions. Same architecture, different passports.
Of course, there's a certain moral comfort in all of this. Here "European" is implicitly coded as more democratic, more rights‑respecting, more aligned with humanistic values. To run on European infrastructure is, by this logic, to be sheltered from the excesses of surveillance capitalism and authoritarian data extraction. But this moral geography overlooks an awkward fact, namely that centralization doesn't become benign just because it's local.
A European hyperscaler could be as non-transparent as an American one, while a European AI platform could be as unaccountable as its Californian counterpart. A national cloud, operated by a small cadre of incumbent providers under the blessing of state procurement, could become as much a chokepoint as any foreign dependency. The fact that contracts are denominated in euros and the CEO testifies in Brussels doesn't inherently guarantee substitutability or even transparency.
In this sense, "digital sovereignty" risks becoming European comfort food, as it conveniently re‑labels political discomfort with a foreign power (yes, you, America) as a technical design problem that can be solved with procurement. Buy the right brand and you're sovereign (or boycott the "wrong" ones and you're equally independent).
Lost in translation is the more fundamental question: sovereign over what, exactly?
The question isn't simply a clever rhetorical aside. If you're a governance professional, can you even speak of sovereignty in any meaningful way without interoperability or observability?
We might as well call it for what it is — dependence with better marketing.
The Web We Still Haven't Built
"The Web as I envisaged it, we have not seen it yet." Tim Berners‑Lee's lament is usually read (accurately) as a critique of surveillance capitalism and the kind of enclosure that enables and indeed instantiates it. But there's something more architectural at work. The original vision of the web, and the broader internet upon which it sits, assumes a world of interoperable networks, loosely coupled by protocols, where no single entity can unilaterally dictate the conditions of participation.
Wide-eyed optimism aside, the notion involves a set of design choices. Think end‑to‑end principles, open standards, routable networks, and the possibility of running your own services without asking permission. It is an assumption that control is on the margins at the edge rather than in the center (thus the de in decentralize).
What has been built insteadis a stratified stack of platforms (thus Berners-Lee's lament). At the bottom, there are a small number of global infrastructure providers, while above them sits a layer of identity brokers, app stores, and payment rails, and then at the top are things like the app ecosystems and AI‑mediated interfaces. In this model, governance is completely absent from participating in the design of these protocols, only emerging when it's time to accept the pre-defined terms of service. Sure, you can opt-out of cookies, but you can't opt-out of your data being transmitted to US servers if you're dialing in from Bucharest or Berlin (or what we might call a "consensual hallucination," to borrow from William Gibson).
When Europe proposes a "sovereign" internet by swapping one set of platforms for another, it implicitly accepts this layered, platform‑centric architecture. The disagreement is not with the model, but with who gets to be the landlord (some have even referred to it as technofeudalism), and the result is less a restoration of the web's original ethos of underlying and enduring openness than a negotiation over whose control is more palatable.
The Axis of Coeval: Blocs vs Dependency
Among other things, GRC is the art of choosing the right axis along which to measure risk. Readers of this blog will recall that, in cognitive GRC, I argued that the real distinction is not "AI vs no AI," but assistive vs authoritative systems (the latter offering transparent logic and full audit ownership). In consumer computing, I suggested that the problem was not "on‑premise vs cloud," but who holds the controls and whether they can be audited.
And the same is true here. The axis that dominates public debate of "US vs EU vs China" turns out to be the least helpful one for making sound governance decisions. What actually matters is not the jurisdiction to which your dependency reports, but the nature of the dependency itself.
A non‑exhaustive axis might look something like this:
Centralized vs distributed
Are we concentrating critical functions into a narrow set of providers, or deliberately spreading them across diverse ones?
Substitutable vs locked‑in
Can we move (and without friction)? Are protocols and formats open, or are they proprietary and sticky?
Observable vs non-transparent
Can we see what's happening inside the stack? Can we reconstruct decisions and events for audit and accountability, or are we confined to dashboards and marketing claims?
Governable vs ungovernable
Boards, regulators, internal GRC teams — do the entities tasked with governance actually hold levers that they can pull, or are they ceremonially overseeing systems whose behavior is effectively dictated elsewhere?
On this axis, a "European cloud" that is architecturally identical to a US hyperscaler, with the same degree of lock‑in and non-transparency, doesn't meaningfully improve governance. Granted, it might shift some jurisdictional exposure, but the central problem, which is to say critical services depending on distant black boxes, remains unchanged.
Conversely, a US‑based open‑source service could present less structural risk than a domestically branded EU platform that insists on proprietary interfaces and non‑portable data. From a GRC perspective, the first enables exit and layered control, while the second does the opposite. The flags on their websites tell you almost nothing about such things.
Interoperability, Exit, and the Limits of Market-Centric Remedies
Interoperability is hardly a new idea (the word itself appears to have been first used in the 1960s). Writers like Cory Doctorow have long argued that the only reliable antidote to platform power is the ability for users and rivals to plug into dominant systems and to leave them at will. Mandated interoperability and even adversarial compatibility along with the legal right to reverse‑engineer apps (currently illegal thanks to Section 1201 of the US's Digital Millennium Copyright Act or DMCA) would all function to discipline platforms that would otherwise be free to enshittify their users with impunity (the core thesis of Doctorow's latest book).
It's a compelling line of argumentation, one largely correct on its own terms. Interoperability restores a degree of exit, and with exit comes bargaining power. A social network that must accept third‑party clients, or allow users to take their data elsewhere, cannot quite so easily convert its user base into a captive market, thereby purposely "entshittifying" their platform to the detriminent of users (both individuals and businesses). In this case, interoperability and portability are actual structural checks on abuse (no argument here).
Yet when seen through a GRC lens, interoperability (while necessary) is insufficient because governance asks a different set of questions than markets. It's not enough that users can walk away (at least in principle). We also need to know whether the systems that they are walking away from can be audited and held to account.
It might sound paradoxical initially, but interoperability can exist alongside non-transparency. A platform may expose APIs that allow clients to connect and users to migrate, while keeping its internal decision‑making entirely inscrutable. Content ranking, risk scoring, access decisions, model updates — all can remain black boxes, even as data flows in and out over well‑documented interfaces (which can be beneficial for competition law). Governance is an entirely different matter, though. Good luck certifying a control or reconstructing an incident if the critical logic is sealed behind vendor confidentiality.
Similarly, interoperability can coexist with concentration. A world in which three or four hyperscalers expose interoperable services is arguably better than one built on something akin to what we have today, but the underlying dependency structure remains unchanged. If all viable providers share the same reliance on unclear AI pipelines, for example, then the practical choice for a regulator or a GRC function is reduced to "which black box?" rather than "black box or transparent system?" In fact, this is precisely why edge AI is increasingly becoming preferrable in certain communities (or among certain individuals) to proprietary versions.
One might argue, therefore, that Doctorow's insistence on interoperability is a necessary precondition for a healthier internet. But from a GRC standpoint, it needs to be complemented by things like auditability and the preservation of meaningful controls at each layer of the stack. Offramps without actual visibility risk creating a market of interchangeable, ungovernable infrastructures with the same blind bends. The harder question (and the one that digital sovereignty debates often sidestep) is whether the systems that we are building in its name are ones over which we can exercise any genuine authority at all.
When Alternatives Help (And When They Don't)
All of this is not an argument against European initiatives per se. There are likely many ways in which Europe's current "awakening" could materially improve the state of the internet.
It might start by funding open infrastructure that others can inspect and host (and eventually fork). Here it's perhaps less about licensing code on GitHub, and more a matter of building serious, production‑grade alternatives (e.g., identity providers, messaging layers, storage systems, monitoring tools) that reduce friction for organizations who want to avoid total dependence on a single cloud or vendor (single point of failure, anyone?). Sovereignty here isn't marketing doublespeak. Proof? You can actually leave.
Then it might involve backing federated and protocol‑centric services rather than national platforms. Email, ActivityPub, Matrix, and other federated systems embody the "network of networks" model by allowing multiple providers, including public institutions and small operators, to coexist. A public‑interest Mastodon instance, for example, is structurally different from a national social network, even if both sit under European law. One speaks to collaboration, the other to compartmentalization.
Where European efforts become counterproductive is when they merely replicate the existing model under a blue flag with twelve gold stars, as suggested. A sovereign cloud that is functionally indistinguishable from an existing hyperscaler, or a national AI platform that is as unaccountable as the systems it replaces, or a "European" operating system that embeds agentic assistants as mandatory intermediaries (thankfully not the case yet) are not real alternatives. They're just European-branded variants of the same centralization trap.
(In its own small way, my homelab writing attempts to point to a different path. A Raspberry Pi in a living room is not going to replace a hyperscale data center, but it does offer a powerful lesson insofar as it makes the case that small systems are where governance thinking is clearest.)
Layered Sovereignty and Networked Governance
If the current debate is misframed, then what might a more useful picture of digital sovereignty actually look like?
One starting point would be to treat sovereignty as layered rather than monolithic. At the individual and organizational layer, sovereignty means the ability to meaningfully configure, self‑host, or exit. It includes the right to run your own infrastructure where feasible and to choose tools whose behavior can be audited and, if necessary, overridden. At the technical layer, sovereignty would mean protocols and formats that don't belong to any one vendor. Open standards and federated architectures that anyone can adopt. It would mean designing systems so that no single actor (however well‑intentioned) becomes a permanent bottleneck (read: problem). At the legal and political layer, it would mean clarity over jurisdictions and their powers, and practical mechanisms to mitigate around overreach. And this certainly includes European clouds and infrastructure, but deployed in a way that is fundamentally different than the current status quo.
All of this reframing has consequences for GRC professionals (surprise, surprise), as it invites us to move beyond the comfortable world of checklists and contract clauses into a more uncomfortable one of architecture and topology. It also suggests a different kind of alliance. The people building homelabs, hacking routers, maintaining open‑source infrastructure, and fighting for the right to control their own hardware aren't eccentric hobbyists at the margins of governance. In a very real sense, they are practicing the kind of sovereignty that our frameworks assume (but our infrastructures routinely deny).
Governance of the Future
GRC frameworks presuppose agency. We write policies and define controls based on the assumption that someone, somewhere, retains the authority to decide how systems behave. Europe is right to be uneasy about its dependencies. The risks are real, and they've been real for a long time. But if the response is merely to build sovereign stacks that are structurally indistinguishable from the ones that they replace, then little will have been gained. In fact, we'll have traded one set of remote landlords for another, all the while continuing to call it "the internet."
If the web as Berners‑Lee envisaged it remains unrealized, perhaps the same is true of governance. The challenge, then, is not simply to decide which bloc owns the infrastructure, but to rebuild it so that we can't quietly substitute ownership for accountability.
It's a project large enough for a continent, but small enough to begin on a single‑board computer running a family media server on a kitchen table.