Adeline: Europe has a sovereignty problem and it is partly of its own making.

In early June 2026, the European Commission unveiled its most ambitious technology package to date: the European Technological Sovereignty Package, pairing a Cloud and AI Development Act (CADA) with a revised Chips Act, an open-source strategy, and a digitalisation roadmap for energy. The message from Brussels was unambiguous. As Commission President von der Leyen put it: “We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable, and our services secure.”

The numbers behind this urgency are stark. The EU remains structurally reliant on non-European providers for more than 80% of its digital products, services, infrastructure and intellectual property. Three US hyperscalers, Amazon, Microsoft and Google, hold over 70% of the European cloud market. This is not merely a commercial inconvenience; it is, in the Commission’s own language, a strategic vulnerability.

And yet, while Brussels crafts grand legislative remedies, a quieter, systemic problem persists inside the very institutions pushing for sovereignty: the way Europe buys technology actively works against the goals it is trying to achieve.

What “Sovereignty” Actually Means and Why the Definition Is the Problem

Tech sovereignty, as the Commission defines it, is Europe’s capacity to “develop, control and scale” critical technologies, infrastructure, services and data, while reducing strategic dependencies and exposure to foreign interference. The sovereignty framework introduced in CADA goes further, defining four trust tiers for cloud services used by public authorities, based on criteria including ownership, control, supply chain dependencies, data processing, and infrastructure location.

There is a particular irony buried in this framing. European procurement law, the backbone of how EU institutions and member states actually acquire technology, is built on a philosophically opposite definition of sovereignty: freedom to choose. The foundational principles of EU public procurement, as stated by the European Commission itself, are transparency, equal treatment and non-discrimination, widest possible competition, and proportionality. The single market project was built on the premise that the best outcome emerges from the broadest possible pool of competitors, regardless of their nationality or origin.

For most goods and services, this logic is sound. Competitive tendering keeps costs down, prevents corruption, and ensures public money delivers value. But for technology, and especially for artificial intelligence, applying the same philosophy produces a structural contradiction: the rules designed to maximise freedom of choice systematically prevent the exercise of strategic choice.

The Financial Regulation and the Tyranny of the Open Tender

EU institutions are governed by the Financial Regulation (EU, Euratom) 2024/2509, which requires that all significant purchases go through formal public procurement procedures. The European Parliament, the Commission, and the Council are all bound by its provisions. Any contract above the relevant threshold (currently €140,000 for central government bodies and €216,000 for sub-central authorities, as of January 2026) must be advertised in the Official Journal of the European Union and subjected to a competitive tender process.

For the Commission’s own IT operations, the scale is considerable. The DIGIT-TM III framework contract, covering digital-solution lifecycle management for the European Commission from 2026 to 2030, is valued at approximately €3.5 billion. Its stated objectives include “supporting European digital sovereignty by restricting delivery to EU territory.” But the mechanism by which DIGIT-TM III was designed and awarded is a multi-year, specification-heavy framework tender: exactly the kind of process that works best when you know what you want and the landscape is stable.

That is precisely the condition that does not apply to AI.

Why Traditional RFPs Cannot Keep Pace with AI

The traditional Request for Proposal process follows a predictable logic: identify a need, write a technical specification, publish a tender, evaluate bids against that specification, award a contract, and manage the relationship for its multi-year term. The entire system assumes that requirements can be defined in advance and that the technology market will remain sufficiently stable for those definitions to remain meaningful.

AI breaks every one of these assumptions.

AI capabilities are not evolving on annual cycles: they are shifting on a scale of weeks and months. A specification written in January may describe a capability frontier that has been comprehensively surpassed by April. A procurement process that takes six to twelve months from notice to contract award, a typical duration for complex EU tenders, means that by the time a contract begins, the technology procured may already be a generation behind the state of the art. The market has moved on before the ink is dry.

This is not merely a theoretical concern. Governments across Europe face significant barriers to AI procurement specifically because of the difficulty of selecting appropriate procurement procedures to suit the unique characteristics of AI systems. Negotiated procedures and innovation partnerships have been identified as potentially valuable alternatives, but they require careful consideration and are far less commonly used than standard open procedures.

The EU’s procurement framework does provide more flexible routes. The competitive dialogue allows contracting authorities to work through requirements with suppliers before finalising specifications, suitable precisely when authorities “do not know the technical specifications of what they wish to purchase.” The innovation partnership procedure, established under Article 31 of Directive 2014/24/EU, allows for joint development of innovative solutions with subsequent purchase. Pre-commercial procurement offers another route to engage with the market before a full tender.

These mechanisms exist. But they are used rarely, largely because they are more complex, demand greater internal expertise, and create more legal risk for contracting authorities than standard open procedures. The institutional incentive, reinforced by years of audit culture and accountability pressure, is to default to the familiar, the open RFP, even when the subject matter makes it poorly suited.

The practical result: many of the most innovative partners in AI avoid government RFPs altogether. They move in weeks, not quarters. A slow procurement cycle filters in those who are good at navigating bureaucracy, not those building the most capable or sovereign technology.

Suzanne: I live on the other side of this every day, and the real issue isn’t that anyone moves too slowly — it’s that the technology moves at an unusual pace. Even the government’s faster paths reflect that. Its innovation shop, the Defense Innovation Unit, aims to get prototype work on contract in 60 to 90 days, and in practice that runs closer to 120 — and that’s the streamlined route. A more conventional, specification-driven buy can take six months to a year to reach award, and for understandable reasons: rigor, fair evaluation, and accountability all take time.

Now set that against how we actually build. The technology itself is evolving extraordinarily fast, and we’re right on the cutting edge, innovating with it as it changes under our feet. At CORAS we release new capability weekly — or close to it — and we’ve deliberately structured the company around that pace. The practical result is that the product a customer bought a year ago has evolved substantially — in any meaningful sense, it is no longer the same product. So a specification written to describe it at signing is describing something that has already moved on by the time the work begins. The contract ends up chasing a target that won’t hold still — not because anyone did anything wrong, but because a process built for stable products is meeting a technology that changes by the month. Europe is dealing with the same reality. The useful question isn’t who’s to blame, because nobody really is. It’s what we do about it, together.

One thing we’ve done to blunt this from our side is in how we deliver it. Because it’s SaaS, customers get access to new capabilities as they arrive — the improvements land continuously, without opening a fresh contracting action every time. It doesn’t fix the front door — getting in still takes what it takes — but it means the value can compound at the speed the technology moves instead of the speed the contracting office moves. That’s worth noting for Europe, because it points at a partial answer: if you can’t make the buying fast, you can at least make each purchase go further once it’s done.

The Gap Between Rhetoric and Reality

Adeline: The contradiction plays out at the institutional level in ways that are almost tragicomic in their consistency. The European Parliament, in September 2025, adopted a resolution calling for reform of the EU’s procurement framework to “strengthen competitiveness, support a more sustainable economy, enhance the EU’s resilience and advance digitalisation.” The same resolution acknowledged that the framework “aimed to simplify procedures” but that “challenges remain in transparency, efficiency, and the broader use of non-price criteria.”

Meanwhile, the Commission’s own Single Market Strategy, adopted in May 2025, promised to simplify “overly complex EU rules” and foresaw revising procurement legislation to “mainstream the use of sustainability, resilience, social and, in certain technologies and strategic sectors, European preference criteria”, while still “ensuring competitive tenders.” A revision is planned for 2026.

But even this revision is conceived within the same philosophical frame: competition as the default, European preference as a criterion to be scored, openness as the principle. The idea that sovereignty might sometimes require the restriction of competition: that choosing a European provider over a more capable or cheaper non-European one is itself a legitimate strategic act remains deeply uncomfortable within EU legal culture, precisely because it conflicts with the foundational single market logic.

The CADA framework attempts to square this circle by making sovereignty a technical requirement rather than a preference: cloud services that fail to meet the sovereignty tiers simply cannot be used for sensitive public-sector workloads, regardless of price. This is legally elegant but practically incomplete: it tells institutions what they cannot buy without telling them how to buy what they should, quickly enough to matter.

There is also a sobering gap between what European governments proclaim and what they actually purchase. France champions European digital alternatives, yet its domestic intelligence agency extended its partnership with a major US data-analytics provider in December 2025. Germany, Denmark, and the Netherlands have moved away from certain foreign providers, but these are exceptions driven by political will, not structural change in procurement rules.

Suzanne: The US government hasn’t ignored this. It has put vehicles in place specifically to make procurement faster, and Other Transaction Authorities are a good example. They exist to speed up buying for prototypes and innovation work, and to reach the “nontraditional” companies the standard process tends to screen out. The appetite is real, and in my experience they can make a big difference. Used well, an OTA changes who can even get in the room.

None of this means competition is the enemy. You need a competitive process precisely so that players get evaluated fairly and the field stays level, and that’s worth protecting. The goal isn’t to skip the fairness. It’s to get it without rebuilding the world from scratch on every purchase.

There’s another shift quietly changing the picture: the move toward commercial off-the-shelf products. COTS is, by definition, not bespoke development — it’s a product that already exists, so it should deliver value faster and cheaper, with far less setup, than funding something custom. When you’re buying a proven product instead of commissioning a build, a lot of the old timeline-and-risk assumptions simply stop applying. The encouraging part is that the government already has more flexibility available to it than it tends to use. The mechanisms exist; the work is being willing to reach for them, deal by deal, instead of defaulting to the slowest path because it’s the familiar one.

A Structural Mismatch That Compounds Over Time

Adeline: The consequences of this mismatch compound in ways that are easy to underestimate.

When EU institutions procure technology through slow, specification-driven processes, they systematically favour established vendors with the resources to navigate complex tender procedures. These are typically large, often non-European, enterprises: the hyperscalers and global system integrators who have dedicated bid teams, existing framework agreements, and the legal infrastructure to respond to procurement requirements across multiple jurisdictions. European AI startups and scale-ups, the companies whose success is actually necessary for European tech sovereignty to become real, are filtered out.

Suzanne: The real cost here isn’t measured in dollars anyway. A complex tender quietly selects for the companies that are good at tenders — the ones with standing bid teams and the patience to answer a frozen specification — not the ones building the best technology. And that second group is exactly the one Europe keeps saying it needs.

Here’s what actually gets filtered out: not just small companies, but a way of working. The teams iterating fastest, shipping every week, willing to bet on something new are the least able to stop the world for a year to chase one contract. So they don’t. The process doesn’t reject them — they quietly decline to enter, which is worse, because the buyer never sees the capability that didn’t show up. The good news is that this part is fixable without rewriting the whole rulebook. You make it easier to get in the door: a smaller first step, a fast pilot, room to prove value before anyone commits to a decade. Land one real win in front of people and the next step gets easier. Start where you can, and build from there.

Adeline: The Microsoft France situation, disclosed in June 2025, illustrates the stakes. Microsoft’s Director of Public and Legal Affairs testified before the French Senate that Microsoft could not guarantee that data stored by French public-sector customers in its French data centre regions would never be transmitted to US authorities without the French government’s explicit consent. The US CLOUD Act of 2018 requires US companies to produce data stored anywhere in the world upon a valid government demand, creating an irresolvable tension with EU data protection obligations. Yet EU institutions continue to rely heavily on precisely these providers, because the procurement process that would enable a shift toward alternatives is too slow, too rigid, and too risk-averse to keep pace with the strategic urgency.

Suzanne: Government customers have gotten sharp about data. We get asked the data-ownership question constantly — who owns it, who can reach it, what happens to it if we walk away — and it’s usually one of the first things on the table, not the last. Plenty of these buyers have been burned by vendor lock-in before, and they’ve learned to ask at the start instead of discovering the answers later. At CORAS our stance has been clear and consistent: the government owns its data. We treat that as a guiding principle, something to design and contract around rather than an afterthought, and it ought to be table stakes for anyone selling to a sovereignty-conscious buyer.

And here’s the thing: these are just the right questions to ask of anyone you buy from. Years ago, when I was the one buying software, I asked the same things — who keeps the model we build together? Is the data mine? Where does it live, and what happens if we go our separate ways? Good buyers have always asked these questions; the sovereignty conversation has only made them louder. And what ultimately answers them is architecture, not a vendor’s postcode — a provider built the right way, with data kept in-region, owned by the customer, and no lock-in, can meet the sovereignty bar wherever it happens to be based. The reassuring part is that these are real, concrete answers, and the buyers who put the questions on the table early are the ones who end up in good shape. It’s less about deciding who to trust and more about doing the work, on both sides, to make the trust verifiable.

Conclusion: The Sovereignty Gap Is a Procurement Gap

Adeline: Europe’s tech sovereignty ambitions are real, and the June 2026 package represents a genuine political commitment of a kind that has been absent for too long. The four-tier sovereignty framework, the EuroCloud Federation, the tripling of data centre capacity, these are substantial structural investments.

But legislation defines what can be bought. Procurement determines what is actually bought. And right now, the procurement process inside European institutions is structurally misaligned with the strategic goals those institutions are proclaiming.

True tech sovereignty is not just about building European alternatives. It is about building the institutional capacity to choose them, quickly, intelligently, and at the pace that technology actually moves. Until the procurement process catches up with that reality, Europe will continue to find that its deepest commitment to sovereignty is, paradoxically, expressed through rules designed to prevent it.

Adeline writes from the EU. Suzanne writes from the US. Between them, they’ve seen procurement from both sides of the table.