As the influence of digitisation continues to grow in all aspects of life in Europe – from business operations to public services and citizen activities – the capacity of the EU and its member states to determine the form and extent of reliance on external suppliers has become a necessity. Control over hardware, software, and the supply chains for infrastructure components lies at the core of digital sovereignty in Europe.
Non-European technology companies supply multiple network components of the 5G infrastructure deployed in the EU. As 5G networks are expected to underpin many sectors of the economy (e.g. communications, transport, health), the risk of EU dependence on external suppliers increases, and with it, potentially creating a situation known as supply chain dependence. This means that in the case of an unanticipated interruption in any part of the chain, the whole supply would be at risk.
Furthermore, citizens, businesses and public administrations may lose control over their own data. For example, data from EU citizens and companies could be stored in a cloud infrastructure established outside the EU, and would therefore be subject to a foreign jurisdiction and its data protection laws. There is also a risk of foreign interference or espionage through technology with components from non-European countries.
In response to these dangers, the EU has declared its willingness to enhance its strategic autonomy by asserting digital sovereignty. Digital sovereignty refers to Europe’s ability to act independently in the digital age and entails both protective mechanisms and policies to foster digital innovation within the EU.
Pillars of digital sovereignty include investment in new technologies, diversification of suppliers, and risk profiling of vendors. Domestic EU law applies to all vendors and suppliers selling equipment and services across Europe. This means non-European suppliers need to manufacture their products with certain in-built EU standards regarding security, privacy, and safety. The consistent application of the regulatory framework is being monitored by the European Data Protection Board (EDPB) throughout the Union.
The reliance on foreign infrastructure (e.g. for 5G or cloud computing) and the lack of common rules on cyber security was identified as a weakness by the EU. It, therefore, began to establish itself as a standard-setter in the field of cyber security, expanding and adapting policy tools and initiatives. The European Commission, in cooperation with member states, recommended a common approach towards 5G network security and published the so-called 5G toolbox for risk assessment.
An EU-wide certification scheme is advancing to ensure a safe environment that improves digital sovereignty. In this context, defining common security standards would be a major step forward in fostering Europe's technological know-how and industrial leadership in 5G networks and smart connectivity systems – in line with the current 5G Public-Private Partnership. The EU could also work towards setting global norms in the IoT field, which is an area where standards are still largely absent.