Brussels has spent two years telling European organisations that data sovereignty matters. This week it stopped telling and started asking.
On 8 July the European Commission opened a targeted consultation on safeguarding the EU’s data sovereignty. It runs until 8 September. The subject is not abstract. It asks who can reach European data, under what foreign law, and what that costs the organisations living with the answer.
What the data sovereignty consultation actually asks
The consultation gathers views on challenges to data sovereignty and international data flows for EU organisations. Three themes sit at its centre. Third-country access to data held by EU organisations. Transfers of data into the EU rather than only out of it. And the risks attached when sensitive data becomes reachable under another jurisdiction’s law.
It belongs to the European Data Union Strategy, which frames sovereignty as openness on fair terms rather than a wall. Its flagship actions are revealing. Guidelines to assess whether EU data is treated fairly abroad. A toolbox to counter unjustified localisation, exclusion and data leakage. Measures to protect sensitive non-personal data.
Read those aims closely and the direction is clear. Brussels is preparing instruments, and the consultation is where the evidence for them gets collected.
Why a consultation is worth an executive’s attention
Consultations rarely reach the boardroom. This one should. Policy that begins as an evidence-gathering exercise ends as a compliance obligation, and the organisations that answer shape the terms they will later live under. Those that stay silent inherit rules written from someone else’s evidence.
There is also a narrower reason. Building a response forces an internal exercise most governance teams have postponed.
The dependency underneath the data sovereignty debate
The Commission’s own tech sovereignty page states that the EU relies on non-EU countries for over 80% of key digital products, services, infrastructure and intellectual property. That is a striking figure from the institution now asking what should be done about it. It is also the backdrop to everything else this week.
Yesterday a UK parliamentary committee warned its own government it could be cut off from critical AI at the whim of allies. The trigger was a brief US export restriction in June that removed foreign access to a leading lab’s most capable models before being lifted. Access was restored. The precedent was not undone.
Data sovereignty is the same problem viewed from a different angle. Compute dependency asks whether you can still run the model. Data dependency asks who else can read what you feed it.
Access is not the same as location
European teams often treat this as a storage question. If the data sits in an EU region, the box is ticked. That reasoning is comfortable and incomplete. Location tells you where data rests. Jurisdiction tells you who can compel its production. A provider incorporated under a third country’s law may face lawful demands regardless of which data centre holds the bytes.
This is precisely why the consultation asks about third-country access rather than storage geography. The two questions have different answers, and only one of them appears on most architecture diagrams.
Turning the data sovereignty question inward
The practical value here is not the policy outcome. It is the audit the response requires. To answer honestly an organisation must know, for its most sensitive data, where it lives, which entity controls the infrastructure, whose law binds that entity, and what would actually happen if access were demanded or withdrawn.
Few organisations can answer all four from memory. Producing the answers surfaces the concentrations nobody planned. It also connects work already underway, because vendor due diligence and cloud sovereignty tiers are asking related questions from different directions.
A data sovereignty review worth the name covers:
- the sensitive datasets that would cause real harm if exposed or lost
- the legal jurisdiction of each entity that controls or processes them
- the transfer mechanism relied on, and what happens if it is challenged
- the practical cost of moving, in time and money, if a provider became unavailable
The last line is the one that changes conversations. Dependency feels acceptable until someone prices the exit.
What a good response looks like
Weak submissions describe discomfort. Strong data sovereignty submissions carry evidence. Name the dependency, quantify it and describe the barrier in operational terms rather than sentiment. A regulator can act on a documented switching cost. It can do little with a general unease about foreign providers.
Deadlines help here. The window closes on 8 September, which leaves time to run the internal review first and submit from findings rather than impressions. That order matters. The review is the asset. The submission is a by-product of having done it properly.
The limits worth naming
A consultation is not a law. This one may produce guidelines and a toolbox rather than binding obligations, and the timeline stretches well beyond September. Nothing here creates a duty tomorrow.
There is a harder tension too. Data sovereignty measures can slide into protectionism, raising costs and cutting European organisations off from tools they need. The Commission acknowledges as much by framing sovereignty as openness on fair, secure terms. Whether the instruments that follow honour that framing is a fair thing to doubt, and the consultation is one of the few places to say so on the record.
For a European governance lead the reading is straightforward. The policy will arrive regardless. The exposure map is useful either way.
Europe has decided to find out who can reach its data. That is a question worth answering for yourself before the answer arrives from somewhere else.