The Network Law Review is pleased to present a special issue on “Industrial Policy and Competitiveness,” prepared in collaboration with the International Center for Law & Economics (ICLE). This issue gathers leading scholars to explore a central question: What are the boundaries between competition and industrial policy?
**
Abstract: Two decades of hyperactive EU digital rule-making have not delivered “digital sovereignty,” but instead exposed a strategic naïveté: Brussels built a Digital Single Market that turbocharged non-European cloud and platform incumbents. This article traces how data, consumer, platform, and AI regulation have extended EU law extraterritorially while leaving Europe structurally dependent on US (and, increasingly, Chinese) infrastructures. It then sketches a different path: a “3R” agenda (Reshape, Reuse, Recycle) that treats data and compute as scarce resources, hard-wires interoperability and portability to break lock-ins, and builds digital commons as a realistic industrial policy for a more sustainable and sovereign European digital order.
*
Over the past 25 years, the European Union has adopted an extensive body of regulations aimed at asserting greater control over digital infrastructure and data flows. Yet, despite this abundance of legal texts and the proactive role of the European Court of Justice, the EU has fallen short of achieving true digital sovereignty. The EU’s ambition to establish a coherent and enforceable regulatory framework that safeguards the rights of its citizens and upholds its core values on its territory remains difficult to implement in a context of technological dependency. This shortcoming is particularly striking in light of the mounting pressure from major technology firms like Amazon Web Services (AWS) to store and process data beyond European borders, even in the public sector and of the growing unilateralism of the United States—reflected in measures such as the CLOUD Act and more recent Donald Trump’s declarations.
This article first outlines the quite naive vision of regulatory harmonization the EU has adopted in the digital sphere (Part 1), then assesses the key reasons why this approach has, so far, failed to translate into effective capacity to govern digital matters from Brussels (Part 2). Ultimately, it argues that embedding the core principle of the circular economy into digital governance can be a method for asserting Europe’s sovereignty in the digital age. (Part 3).
1. European Digital Regulation Through the Lens of the Digital Single Market: A Tactical Mistake ?
While several fundamental legal instruments for the digital sector were adopted in the early 2000s—most notably the E-Commerce Directive (2000) and the InfoSoc (Information Society) Directive on copyright (2001)—the European Union’s strategic vision for a Digital Single Market (DSM) was formally articulated in a European Commission Communication dated May 6, 2015. Under the presidency of Jean-Claude Juncker, the Commission signaled its strong political commitment to digital regulation by appointing a Vice-President, Andrus Ansip, specifically responsible for the DSM, alongside Günther Oettinger, Commissioner for Digital Economy and Society (DG CONNECT). This new strong institutional setup oversaw the drafting of thirty digital-related legislative proposals, twenty-eight of which were adopted during the 2015–2020 mandate.
In line with classical internal market logic, the Commission identified fragmented national legislations as the primary obstacle to the digital economy’s growth in Europe. Acknowledging the global scale of technological challenges, it emphasized that national-level responses were inadequate to provide the scalability required for European digital enterprises to compete effectively in a global market. Consequently, the DSM strategy aimed to create an integrated digital space where the free movement of goods, services, capital, and persons would be extended to include unhindered access to online activities. Within this framework, fair competition, consumer protection, and robust data safeguards were also to be guaranteed. The DSM was therefore structured around three core pillars: enhancing cross-border e-commerce, developing digital networks and services, and driving economic growth through digital innovation.
To this end, the Commission undertook various initiatives to dismantle national barriers in key sectors such as telecommunications, copyright, data protection, and competition. Legislation targeted practices like geo-blocking, localization obligations, and restrictions on the flow of personal and non-personal data. Measures such as the Portability Regulation facilitated seamless access to digital content across borders, while the Commission’s 2017 initiative on a “data-driven economy” laid the groundwork for the so-called “fifth freedom”. This concept sought to allow European startups and firms to access and utilize large datasets without artificial territorial restrictions, enabling scale and innovation.
Yet, while fostering an open and liberalized digital market, European institutions also began to articulate the need for a protective framework—particularly in response to what was increasingly seen as unfair competition from non-European tech giants. This dual movement—market liberalization alongside the emergence of an embryonic form of digital sovereignty—can be illustrated through four key domains: Personal data protection, Consumer protection, Platform regulation, and more recently, AI providers’ compliance with EU standards.
Personal Data Protection
The adoption of the General Data Protection Regulation (GDPR) in the wake of the Snowden revelations marked a major turning point in the European Union’s data protection framework. Reliability of US capacity and willingness to protect European citizen’s privacy was then heavily questioned. Building upon the former Directive 95/46, the GDPR pursued a dual objective: safeguarding individuals against unlawful processing of their personal data while ensuring the free movement of such data within the European internal market, in order to create predictable conditions for innovation. Entering into force in 2018, the GDPR was soon complemented by the Regulation on the free flow of non-personal data, which prohibits unjustified data localization requirements among Member States. Together, these instruments aimed to foster the digital economy by creating a coherent regulatory framework conducive to cross-border data flow.
Yet the GDPR’s ambition extended well beyond the liberalization of data markets. It enshrined enforceable rights for individuals—including rights of access and objection to data processing—enforced by compliance by design standards and significant financial penalties for violations. Crucially, these obligations apply to any company processing the personal data of EU citizens, regardless of the company’s geographic location.
The European Court of Justice (ECJ) has been instrumental in extending the territorial reach of EU data protection rules, effectively offering a form of “digital diplomatic protection” to EU citizens. In a landmark ruling Google Spain, for example, the Court required the company to implement a “right to be forgotten” within its European search engine service. Although Google was headquartered in the United States and processed data outside EU territory, the Court deemed its commercial presence in Spain through a subsidiary sufficient to trigger EU jurisdiction. Subsequent case law has clarified that the notion of “establishment” extends to any stable and effective activity within the Union, while mere accessibility of services from the EU does not suffice.
Perhaps the most impactful interventions of the ECJ are found in the so-called Schrems cases. Named after Austrian activist Max Schrems, these decisions led to the invalidation of both the Safe Harbor and the Privacy Shield frameworks, the ECJ considering that U.S. surveillance laws precluded the “essentially equivalent” protection required under EU law. The Court concluded that several provisions of US federal laws could impair the effectiveness of control of the US companies on their data privacy policies. Schrems’s challenges compelled EU institutions to strengthen their stance against potential circumventions of European rights, highlighting an embryo of digital sovereignty in action. Yet the legal barriers remain fragile as show the recent decision of the General Court of September 2025, which dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States – Privacy Shield II -, while the Data Protection Review Court (DPRC) set up by the US to handle complaints from EU citizens over the handling of their data in the US may lack independence from the US administration.
European Consumers’ Protection
The European Union has also sought to align the expansion of its digital market with strong consumer protection standards. In May 2019, after four years of negotiation, the EU adopted two directives: one on online sales of goods and another on the supply of digital content and services. While designed to facilitate cross-border e-commerce, both instruments also introduced mandatory rights for consumers engaged in digital transactions.
These measures form part of the broader “New Deal for Consumers,” a legislative package addressing pricing, unfair contract terms, consumer rights, and deceptive practices. Together, they establish a toolkit to counter asymmetries in bargaining power and to ensure that European consumers—regardless of whether they purchase from domestic or foreign providers—benefit from a guaranteed baseline of protection creating a sort of economic citizenship. Notably, the EU frames the digital consumer not as a mere passive buyer but as an empowered actor capable of collective action. Consumers are thus granted rights to information, transparency, and remedies, even in cases where services are offered free of charge and regardless of the geographic origin of the service providers.
Platform Regulation
Between 2015 and 2020, the European Union turned its regulatory focus toward digital platforms. During this period, the European Commission initiated multiple proceedings against “pure players” such as Google, Amazon, and Apple, imposing multibillion-euro fines for abuse of a dominant position and other anticompetitive practices. Yet, these ex post remedies did not remove entry barriers for new competitors. The lag between investigation and application of an eventual sanction was incompatible with the rapid pace of technological and market developments, leaving smaller European competitors exposed to the dominance of global tech giants.
This enforcement gap triggered a strategic shift toward an ex ante regulatory model. Rather than merely challenging dominant positions after they had been consolidated, the EU sought to impose obligations tied to market share and systemic relevance. Early steps of regulation included three instruments that progressively recalibrated the liability framework established under the E-Commerce Directive: the 2018 Audiovisual Media Services Directive, the 2019 Copyright in the Digital Single Market Directive (CSDM), and the 2019 Platform-to-Business Regulation (P2B). Together, these measures introduced obligations of transparency and fairness (Article 5 P2B), filtering and licensing mechanisms for copyrighted content (Article 17 CSDM), and a recognition that platforms should comply with specific duties beyond the traditional prohibition on general monitoring obligations.
By 2020, however, it was clear that sectoral directives could not adequately address the multi-sided nature of platform markets. In December 2020, the Commission proposed—and by 2022 the EU adopted—the Digital Services Act (DSA) and Digital Markets Act (DMA). These texts mark the most comprehensive attempt to regulate “gatekeepers” and Very Large Online Platforms by imposing structural obligations not limited to certain sectors. Although neither explicitly invokes “sovereignty,” both Acts embody a sovereignty-driven logic and have been perceived as protectionist measures: they impose differentiated obligations on large, often extra-European, actors in order to curb systemic risks and establish contestable digital markets. The territorial reach of these instruments is also significant. The DSA, for instance, provides that in the absence of an establishment in the EU, a “substantial connection” is sufficient to trigger application. Such a connection may be inferred from the scale of users in a Member State, the targeting of activities, or even the mere availability of an application in a national app store. In effect, the EU ensures that any meaningful commercial link to its market activates the application of its regulatory framework to the extra-European platforms, thereby imposing its digital regulatory authority to foreign Big Tech companies on the EU digital territory.
Artificial Intelligence Act
The European Union’s Artificial Intelligence Act (AIA) represents the first attempt to establish a comprehensive regulatory framework for AI. Its dual ambition is explicit: to harmonize rules for the development, marketing, and use of AI systems within the internal market, and to ensure that such systems operate consistently with Union values, including the fundamental rights protected by the Treaties and the Charter of Fundamental Rights. By grounding AI regulation in the constitutional fabric of the Union, the AI Act signals that technological innovation must remain compatible with Europe’s normative commitments.
As with data protection and platform regulation, the AI Act reflects a concern with the global distribution of technological power. Although the regulation does not expressly invoke the language of sovereignty, its territorial ambition is obvious. Providers of AI systems must comply whenever their products reach the European market, regardless of where the systems were trained or developed. Critics view this as an extraterritorial extension of EU law, but in practice it aims at responding to the dominance of U.S. and Chinese firms. In this respect, the AI Act illustrates the EU’s broader regulatory ambition: to mitigate dependence on external technological actors by exporting its standards abroad and embedding European values into the global governance of AI.
2. The Elephant in the Corridor
Despite the EU’s legislative and judicial activism, its ability to set the pace for extra-European digital actors remains limited. Several structural factors explain this gap between ambition and effectiveness.
First, the creation of a “fifth freedom”—the free movement of data and digital services—has primarily benefited firms already operating at a global scale. By eliminating intra-EU barriers, the Union inadvertently facilitated the entry of U.S. and Chinese tech giants, while local firms lacked the time and resources to scale. The Free Flow of Data Regulation epitomizes this asymmetry: while it removed Member State localization requirements, it did not impose European localization obligations on non-European providers, even as China itself was enacting strict localization laws against foreign companies.
Second, European severe addiction on foreign platforms entrenches their dominance. Consumers, businesses, and even public administrations increasingly rely on solutions offered by Google, Amazon, Microsoft, or TikTok. Once embedded, these ecosystems create lock-in effects that marginalize European alternatives. The French government’s Health Data Hub initiative, ultimately entrusted to Microsoft, starkly illustrates this dependency. Similarly, aggressive campaigns by AWS to secure public sector contracts underscore the lack of credible European Cloud infrastructure, due to insufficient investment in European innovative capacity.
Third, financial power amplifies technological dominance. Backed by massive capital reserves and favorable market valuations, Big Tech firms can neutralize emerging competition through acquisitions. Microsoft’s investment in the French AI start-up Mistral is a recent example of this dynamic.
Finally, lobbying and soft power blunt the impact of regulation. Invoking freedom of expression, large platforms have resisted stricter content moderation and copyright obligations. More recently, Extra-european actors’ influence has shaped the non-binding Code of Practice on AI and limited the scope of transparency requirements. The repeated postponement of the AI Liability Directive, amid U.S. diplomatic pressure and threats of trade retaliation, further highlights Brussels’s vulnerability. This dynamic is reinforced by the longstanding extraterritorial reach of U.S. digital legislation, from the Patriot Act to the CLOUD Act, which compounds the EU’s structural disadvantage.
In short, the Union’s regulatory project collides with entrenched technological, economic, and political asymmetries. While Europe seeks to export its standards, the gravitational pull of American and Chinese digital power continues to dictate the terms of competition and to limit EU attempts to enforce digital sovereignty.
3. The 3R Formula: Toward a Realistic European Digital Sovereignty
The current level of European dependence on extra-European providers is increasingly incompatible with the Union’s ambition to safeguard its values and strategic autonomy. While initiatives such as the Chips Act (2023) represent significant investment in infrastructure, the State of the Digital Decade 2025 report underscores persistent vulnerabilities in areas ranging from cloud services to energy supply. If achieving digital sovereignty will always require more investment it may also rely on regulatory innovation.
A useful lens is the “3R Formula”—Reshape, Reuse, Recycle—transposed from environmental law to the digital sphere. This approach highlights how the EU might recalibrate consumption, market structures, and innovation toward greater independence.
Reshape. The first imperative is to limit the over-exploitation of digital resources. The GDPR’s principle of data minimization offers a model that could extend to all digital content and services. Promoting digital sobriety—whether through discouraging non-essential consumption or regulating high-impact activities—would reduce dependence on foreign services, save energy, and address social harms such as mental health risks and threats to democratic integrity. Framing such restrictions in environmental terms strengthens their legitimacy: data processing consumes resources that must be prioritized for higher social value uses. Regulations that would limit the access to or the time of connection to certain services could then perfectly be justified, because data processing requires more and more water and energy that may be allocated to more important tasks than scrolling all day long food recipes or cat videos on social networks. In reaction, the European Union should favor the growth of high social value services. In a world where these resources are finite, imposing a hierarchy between the necessary and less necessary digital activities through legislative intervention may become rapidly unavoidable.
Reuse. Reducing dependency also requires dismantling lock-in effects. Strengthening obligations of interoperability and data portability that have already been partially implemented would allow users and businesses to move seamlessly across services, challenge Big Tech’s entrenched ecosystems, and reallocate value captured through data extraction. Portability empowers individuals and firms to reclaim their data and redeploy it, while interoperability ensures that new entrants can build on existing infrastructures. Together, these measures would support diversity within the digital ecosystem and localize more of the digital economy within the EU by combining the benefits of the commons with private innovation.
Recycle. If recycling generally refers to the action or process of converting waste into reusable material, the term will be given here another signification focusing on the necessity to build a common infrastructure enabling the best allocation and sharing of digital resources and intelligence. Digital sovereignty requires this building of common infrastructures for knowledge, skills, and innovation. Regulation should thus foster education, encourage collaboration, sharing (recycling) of ideas, information and skills and promote the idea of digital commons. Supporting digital commons in the light of future information scarcity due to the competition for resources is certainly one way for the European Union to limit foreign digital extractives activities.
As pointed out in the 2025 State of the Digital Decade, Europe faces acute shortages of digital talent, exacerbated by brain drain. To retain or attract this population, competitive salaries matter, but so does the sense of contributing to socially meaningful innovation. Europe can be the place to rethink the utopia of the digital commons that has for a time been fueling the development of the Internet. Unlike the United States, which has largely abandoned this vision for the most cynical form of capitalism, and China, which never embraced it, the EU can position itself as the place of digital commons, ensuring that scarce intellectual and natural resources will be shared and reinvested to foster a more social-centered innovation.
In short, applying the 3R Formula to the digital economy would align Europe’s regulatory project with sustainability, resilience, and autonomy. By reducing consumption, reusing data and infrastructures, and recycling knowledge and innovation, the European Union can move from dependency toward a more sovereign digital order.
Citation: Valérie-Laure Benabou, European Digital Sovereignty: From Naïveté to Sustainability?, Industrial Policy and Competitiveness (ed. Thibault Schrepel & Dirk Auer), Network Law Review, Fall 2025.
