Why EU Organisations Should Pay Attention to a U.S. Defence Dispute
The concept of EU digital sovereignty tends to attract polite agreement from decision-makers before quietly disappearing from the agenda. A sequence of events in Washington over recent weeks should change that. The clash between Anthropic and the Pentagon, and the deal that immediately followed with OpenAI, illustrates with unusual clarity why dependency on U.S. AI providers is not a hypothetical risk; it is a structural one with measurable consequences.
EU digital sovereignty is not an abstract policy goal. It is a practical question about who controls the conditions under which your organisation’s critical tools operate.
What Happened Between Anthropic and the Pentagon
Anthropic, the company behind the Claude AI models, had been in advanced negotiations with the U.S. Department of Defense. The draft agreement included provisions that would have prohibited the Pentagon from using Claude for mass surveillance of American citizens or in fully autonomous lethal weapons without meaningful human oversight.
The Pentagon rejected those limits. Its position was that a private vendor cannot be permitted to restrict “all lawful purposes” for national security tools. Talks broke down, and President Trump subsequently ordered federal agencies to stop using Anthropic’s products. The Defense Department then formally designated Anthropic a supply-chain risk, a classification that restricts its ability to work with U.S. defence contractors beyond the Pentagon itself.
The OpenAI Deal That Followed
Within hours, OpenAI reached an agreement with the Pentagon to supply its models for classified government use. OpenAI accepted the principle that its systems could be used for any lawful government purposes, while committing to additional technical safeguards against mass surveillance of Americans and fully autonomous weapons. The deal was announced as a strategic win; the timing made the competitive logic plain. One AI provider was blacklisted; its closest rival filled the gap within the same news cycle.
For European observers, the speed of that transition is the relevant data point, not the specific terms.
The EU’s Existing Dependency Problem
Europe’s exposure to this kind of disruption is not theoretical. Only around 1% of the European Commission’s own cloud infrastructure runs on a European provider. The remainder sits on U.S. hyperscalers. EU policy analysts have long described this as a structural vulnerability; the Anthropic episode provides a concrete example of how the risk materialises.
The concern is often framed as a “digital kill switch”: a political decision in Washington could alter the availability, terms of use or security posture of infrastructure that EU public bodies and companies depend on daily. Those organisations would have no direct lever to pull.
EU Initiatives Have Not Yet Closed the Gap
In response to this dependency, EU institutions have invested in initiatives including GAIA-X data spaces and a series of cloud and AI development measures aimed at reducing structural reliance on non-EU providers. The European Parliament has called for a broader “Eurostack” covering chips, cloud, software and AI, reflecting data showing that more than 80% of EU digital infrastructure depends on non-EU suppliers.
These efforts are moving in the right direction. They have not yet produced alternatives that most organisations can treat as operational substitutes for U.S. services. The gap between ambition and available capacity remains real.
What the Anthropic Case Adds to the Argument
Prior arguments for EU digital sovereignty have tended to focus on data protection, specifically on conflicts between U.S. laws such as the CLOUD Act and EU obligations under the GDPR. The Anthropic–Pentagon episode adds a different dimension.
It demonstrates that an AI provider can be reclassified overnight by a presidential directive, for reasons that have nothing to do with the provider’s quality, reliability or the preferences of European customers. Any EU organisation built on top of that provider’s services would have no advance notice and no practical recourse. The risk is not data leakage; it is abrupt loss of access to a tool on which operational processes may depend.
EU digital sovereignty, in this light, is not primarily a regulatory compliance question. It is a business continuity question.
What EU Organisations Should Be Doing Now
Digital sovereignty does not require excluding all non-European vendors; that is neither realistic nor necessary for most organisations. It does require building AI procurement and deployment strategies that account for the following:
- Which AI capabilities, if interrupted, would cause the most serious operational disruption?
- Is there a European or jurisdiction-neutral alternative that could serve as a fallback?
- Do current contracts include portability provisions and data export rights that would allow migration if a provider becomes unavailable?
- Does the organisation understand which of its AI tools are subject to U.S. export controls or government data-sharing obligations?
The Anthropic episode is a useful prompt for that audit, even if your organisation has no direct relationship with either company involved.
If EU digital sovereignty is relevant to your organisation’s AI strategy, explore what a sovereignty-aware procurement framework looks like in practice before the next disruption forces the question.
