, ,

Brussels asks who controls Europe’s data

A new EU consultation puts data sovereignty, cloud dependency, and international data flows back into regulatory focus.

Brussels asks who controls Europe’s data
Summary
  • The European Commission has opened a consultation on EU data sovereignty and international data flows.
  • The consultation asks about dependencies, third country access risks, and barriers to moving or using data.
  • The outcome could shape cloud, AI, data sharing, and digital sovereignty policy across Europe.

The European Commission has opened a targeted consultation on data sovereignty, asking organisations across the data value chain where European control over data is constrained by international dependencies, barriers, and third country access risks.

Open until 8 September 2026, the consultation asks for views on challenges to EU data sovereignty and data flows in an international context. It covers barriers to accessing or using data in third countries, obstacles to transferring data into the EU, and risks linked to third country access to sensitive data, placing cloud, AI, industrial data, and regulated workloads inside the same policy frame.

The Commission links the exercise to its Data Union Strategy and European Tech Sovereignty Package, which cover semiconductors, artificial intelligence, cloud, and open source. Data sovereignty is therefore being treated as part of Europe’s industrial base, rather than only as a privacy or compliance concern.

European businesses and public bodies operate in a market where cloud infrastructure, enterprise software, AI platforms, and cross border data processing are often provided by companies headquartered outside the EU. Existing legal frameworks already address personal data, but the commercial and operational questions are broader. Organisations need data to move securely, lawfully, and usefully, while also having confidence that sensitive assets are not exposed to legal, geopolitical, or supplier risks they cannot manage.

The consultation also exposes a tension Europe has not resolved. Data localisation can increase control, although blunt localisation rules can fragment markets, raise costs, and reduce the value of data sharing. Unrestricted data flows can support innovation and trade, but they may weaken confidence where foreign access, enforcement conflict, or infrastructure dependency becomes material.

Cloud and AI providers are likely to feel the policy direction in product architecture, hosting models, contractual safeguards, and customer assurance requirements. Sovereign cloud services are already a visible part of the European enterprise market, while AI adoption is making data location, training access, retrieval systems, and model governance harder to separate from ordinary IT sourcing.

Public sector technology is exposed in a different but equally practical way. Governments increasingly want digital identity, health data, welfare systems, tax platforms, justice services, and shared data infrastructure to support more joined up services. As those systems depend on external platforms or international processing arrangements, data sovereignty becomes a procurement and resilience issue.

The Commission is not asking whether Europe should cut itself off from global data flows. Its consultation text says the EU promotes free flow with trust internationally, while warning that unjust localisation requirements, discriminatory rules, and data leakage to third countries can undermine sovereignty. That leaves room for a nuanced policy response, although the final direction will depend on how heavily business users, cloud providers, member states, regulators, and civil society push their interests.

The commercial consequences are already arriving. Enterprise buyers are asking more questions about where data is stored, who can access it, how audit rights work, what happens under legal conflict, and whether cloud or AI providers can support regulated workloads without forcing customers into operational compromise.

Europe has been moving towards greater scrutiny of digital dependency for years, but the rise of AI has sharpened the issue. Data is no longer only an asset that businesses protect after collection. It is becoming the feedstock for competitive advantage, public sector reform, industrial automation, and national security capability.

The consultation gives Brussels a formal channel for evidence. Its larger value will come if that evidence helps define where Europe wants open data flows, where it wants stronger safeguards, and where sovereignty requires infrastructure rather than policy language alone.