Sovereignty requirements at the expense of a thriving startup ecosystem?
Startups want to be global from day one; their mission is to scale their venture. Thankfully, for entrepreneurs, the tools to start, build, and scale a globally oriented business have never been more accessible. However, policymakers’ concerns and nationalistic fervour over the “safety and security” of data held in the cloud threaten to curb—or even reverse—those advances and that growth potential. Digital sovereignty is an emerging global phenomenon whose origins are not exclusive to the EU. Different countries have been following this path for many years. However, the EU is leading the next charge in support of it, with startups and growing businesses left to wonder whether their ambitions might be thwarted.
If ‘sovereignty’ is an ambiguous concept whose perceived meaning is context-dependent and highly contested, discussing digital sovereignty requires even more careful consideration. The digital world is multidimensional, made up of interconnected parts without a clear hierarchy. It spans the virtual and real realms, blurring geographical boundaries and escaping strict state control.
EU policymakers continue to express concerns about restricting access to foreign cloud firms. Beyond technical dependencies, storing valuable data in infrastructure managed by foreign companies has created a political furor that threatens to hamper efforts to globalise European startup potential. As a region that cherishes citizens’ privacy, widespread anxiety among a handful of Member States about unauthorised access to sensitive data has driven this thrust of haphazard policymaking. This push, coupled with the increasing speed at which geopolitical and security dynamics have shifted in the past couple of years, has intensified the desire to pursue digital sovereignty in the cloud. As a result, certain EU digital policies have been geopolitised in light of these challenges. One clear example is the cloud sovereignty requirements of the EUCS, which could limit access to European markets by non-EU cloud service providers.
Europe’s global leadership has built a golden opportunity to enforce and export technical and regulatory standards and, in this case, increase the Union’s cybersecurity in the cloud. However, while that is of immense value politically and economically, it is equally important to differentiate between pursuing legitimate objectives and protectionist goals. Enhancing cybersecurity and safeguarding privacy are welcomed by startup communities, but setting sovereignty requirements does so at the expense of building the local champions and scaling startups Europe needs to compete in the global cloud market. Furthermore, imposing sovereignty requirements might defy the purpose of the scheme, which is to ensure maximum cybersecurity. European startups are not ready for the sovereignty requirements.
During the past decade, many startups have gradually moved their data to the cloud for the many advantages that this offers. Backup and disaster recovery, data availability anywhere where there is an internet connection, improved cost efficiencies, and, more significantly for ambitious entrepreneurs, scalability, are some examples of the benefits that this technology brings to the ecosystem. Today, in the EU, three non-European companies control over two-thirds of the cloud market, which has sparked various debates as a result of certain practices that harm startup growth. Nonetheless, in capital-intensive markets like cloud computing, which are characterised by economies of scale, this concentration is attributed to high upfront costs and research investments. At this point, what is more concerning for startups than market concentration is being compelled to switch providers that fail to offer better or equivalent products and, indeed, may be less secure than the established leaders, undermining the scheme.
The implications of setting sovereignty requirements must be more carefully assessed, especially in light of recent research that suggests that EU cloud service providers are currently unable to respond to the increasing demand in the region. It would be counterproductive if both European businesses and public institutions could not enjoy the latest innovations that are otherwise accessible to the rest of the world, including strategic competitors. The potential lack of access to the latest solutions is projected by the European Centre for International Political Economy to result in losses between EUR 29 billion and EUR 610 billion within the next two years after implementation. Productivity gains would be severely damaged, especially in data-driven industries. Furthermore, capital inflows could also be affected, as foreign firms would be discouraged from investing in the region. This is particularly detrimental for European startups, which rely heavily on foreign private investment. Finally, policymakers should understand that this move could violate WTO law and result in retaliation, hampering global trade and cooperation.
While the goal of building a safe and secure environment in the cloud for growth and scale is admirable, evidence shows that the implications of sovereignty requirements in this unprecedented push for data localisation as currently structured could be harmful for the startup ecosystem. EU policymakers would take care to remember that digital dependencies in today’s globalised world are too great and question whether digital sovereignty or safe and secure cloud environments, regardless of location, are a more worthy project. Moreover, a solid and versatile cloud will be needed to leverage AI, edge computing and quantum technologies. In short, if part of the sovereignty ambitions of the EU is to spur startup innovation, then the sovereignty requirements in the EUCS might create obstacles towards achieving this goal.