Digital Sovereignty Is a Gradient, Not a Flag

This past weekend offered an unusually clean natural experiment. On the order of the US government, Anthropic had to block its newest models for all non-US citizens and, for technical reasons, took them offline worldwide – leaving Europe abruptly without access to one of the most capable AI systems available. Strip away the speculation about motive, and one variable is isolated for us to observe: a single jurisdiction unilaterally revoked European access to a critical technology input, in roughly the time it takes to hold a meeting. 

This is not anomalous behavior. It is a textbook instance of what the political economist Alex Capri calls techno-nationalism – the linking of technological capability to national security, economic strength, and social stability. The first of the six elements in his framework is “supply-chain weaponization”: the deliberate use of export controls, sanctions, and access restrictions as instruments of statecraft.

The weekend’s events are simply that element applied to the AI layer of the stack. The relevant question for European decision-makers is therefore not whether this will recur – the framework predicts that it will – but which dependencies leave us exposed to it, and which we can engineer away.

Defining the term precisely

“Digital sovereignty” is used loosely enough to mean almost anything, which makes it easy to dismiss. The most usable working definition comes from the 2025 Berlin Declaration, which frames it as the ability of the EU and its member states to act autonomously and freely choose their own solutions, while still cooperating with global partners where sensible. Two implications follow that are routinely missed in the political debate.

First, full autonomy is neither possible nor the goal. Any organisation that depends on external suppliers for hardware, software, or services – US hyperscalers, European providers, or domestic vendors alike – is never 100% autonomous. Sovereignty is therefore a risk-management discipline: a conscious decision about which dependencies are acceptable, not an attempt to eliminate all of them.

Second, sovereignty is multi-dimensional and layer-dependent. The EU Cloud Sovereignty Framework treats it as a property spanning legal, data, operational, supply-chain, technological, and security dimensions, explicitly not reducible to data localisation or GDPR compliance. Empirically, the degree of sovereignty an organisation can hold correlates with the layer of the stack it controls: the closer to raw infrastructure and self-hosted logic, the higher the attainable sovereignty; the closer to a remote, proprietary, foreign-operated service, the lower.

That last point is the entire argument. Sovereignty is a gradient, and where you sit on it is largely an engineering and procurement choice.

A simple model: criticality × attainability

To allocate scarce effort rationally, two variables matter for any given technology:

1. Criticality – the consequence if a foreign actor restricts or removes it.
2. Attainability – how feasible a sovereign alternative is, given capital, compute, talent, and time.

The useful policy question, as commentators on the 2026 sovereignty debate have framed it, is: where must sovereignty be absolute, and where is managed interdependence sufficient? The criticality × attainability map answers it.

Foundation models: high criticality, low attainability (today)

In large frontier AI models, sovereignty is structurally out of reach for Europe in the near term. There is no European system in the same capability class as the leading American or Chinese models, and closing that gap requires capital, compute, and concentrated talent on a scale that cannot be legislated into existence quickly. The concentration is measurable: as of 2025–2026, approximately 70% of the European public-cloud infrastructure market is controlled by three US providers – AWS, Microsoft Azure, and Google Cloud, who collectively leave European providers fighting for a roughly 15% share – and that share has been declining for nearly a decade. This is the very substrate on which frontier models are trained and served.

For this layer, the honest, evidence-based posture is managed interdependence: diversify suppliers, contract against lock-in, keep the most sensitive workloads off systems that can be revoked from abroad, and treat any “sovereign AI” claim that quietly rents foreign weights and GPUs as dependency with better branding. Pretending the gap is smaller than it is does not advance sovereignty; it conceals exposure.

Security analytics: high criticality, high attainability

The error in most sovereignty discussions is treating the foundation-model verdict as the verdict for the whole stack. It is not. Other layers sit in the opposite quadrant – critical and attainable – and security monitoring is the clearest example.

Criticality is self-evident: an organisation’s detection capability is its sensory system.

The moment it most needs visibility into its own infrastructure is precisely the moment a geopolitical dispute, an export action, or an adversary would want that visibility removed. A detection stack that can be switched off from another jurisdiction is a single point of failure deliberately placed at the centre of the defence.

Attainability is the part that is under-appreciated, and here I’ll be specific about how Exeon is built, because the architecture is the argument:

• Locus of execution. Detection runs on the customer’s own infrastructure – on-premises or in a sovereign cloud of their choosing – rather than as a remote service governed by foreign jurisdiction.

• Data minimisation. The analytics operate on infrastructure metadata, reducing exposure under instruments such as the US CLOUD Act.

• Self-contained intelligence. The machine-learning models are developed in-house in Switzerland and are lightweight enough to run where the data resides. They do not depend on a US hyperscaler’s foundation model or a remote API that a foreign authority could revoke at short notice.

The net effect is a system with no foreign kill switch on the ability to detect an attack.

Crucially, none of this required a national moonshot. It is an off-the-shelf existence proof that high sovereignty is reachable in a critical layer now, through ordinary architectural choices, not a decade of industrial policy.

The standpoint

Sovereignty should be treated as a portfolio under triage, governed by the criticality × attainability map:

• Where a technology is critical but not yet attainable (frontier models), pursue managed interdependence honestly – and stop pretending otherwise.

• Where a technology is critical and attainable (security analytics, and several other layers), accept nothing less than near-absolute sovereignty, because the dependency is both dangerous and avoidable.

Europe will not become sovereign by waiting for a sovereign LLM; that is the hardest square on the board and the wrong place to start. It becomes sovereign by reclaiming the layers it can, in order of criticality and attainability – one critical system at a time. The system that watches your infrastructure belongs at the front of that queue. Building your own frontier model is, for now, out of reach. Running a security-analytics platform that no foreign government can turn off is a decision you can make this quarter.

References 

1. Capri, A. Techno-Nationalismus: Wie er Handel, Geopolitik und Gesellschaft neu gestaltet. Wiley, 2024 – Sechs-Elemente-Modell; die Instrumentalisierung der Lieferkette als erstes Element. https://www.wiley.com/enus/TechnoNationalism%3A+How+It%27s+Reshaping+Trade%2C+Geopolitics+and+Society-p-9781119766179  
2. ITIF, “Decoding the Techno-Economic Power Struggle, With Alex Capri,” May 2025 – summary of the six-element framework. https://itif.org/publications/2025/05/12/decoding-the-techno-economic-power-struggle-with-alex-capri/
3. Berliner Erklärung zur europäischen digitalen Souveränität, 2025 – Definition der digitalen Souveränität; Analyse auf dem Verfassungsblog, März 2026. https://verfassungsblog.de/digital-sovereignty-and-the-rights/ 
4. Atlantic Council, “Digital sovereignty: Europe’s declaration of independence?”, Feb 2026 – sovereignty vs. strategic autonomy; definitional ambiguity. https://www.atlanticcouncil.org/in-depth-research-reports/report/digital-sovereignty-europes-declaration-of-independence/
5. EU-Rahmenwerk zur Cloud-Souveränität – Souveränität als multidimensionale Eigenschaft (rechtlich, datentechnisch, betrieblich, in Bezug auf die Lieferkette, technologisch, sicherheitstechnisch), gemäß der arXiv-Referenzarchitektur, 2026. https://arxiv.org/pdf/2602.05486 
6. Northwave, „Was digitale Autonomie und Souveränität für EU-Organisationen bedeuten“ – vollständige Autonomie als unmöglich; Souveränität nach Stack-Ebenen (IaaS/PaaS/SaaS). https://northwave-cybersecurity.com/article/what-digital-autonomy-and-sovereignty-mean-for-eu-organisations 
7. Netaxis, “The Issues Surrounding Digital Sovereignty in 2026,” Jan 2026 – ~60–65% European public-cloud concentration among three US providers; “absolute sovereignty vs. managed interdependence” framing. (Secondary source – verify the market-share figure against a primary tracker.) https://www.netaxis.be/2026/01/19/the-issues-surrounding-digital-sovereignty-in-2026/