Europe demands AI and cloud sovereignty: Zscaler warns tech companies

What happened?

Casper Klynge, vice president of Zscaler and former Danish diplomat who led Denmark's tech policy and served as ambassador to Silicon Valley, has issued a direct warning to global tech companies: those that fail to adapt to European digital sovereignty requirements will struggle to operate in the European Union market. In an interview with TechRadar, Klynge noted that the EU is pushing a regulatory framework requiring companies to align with local standards for data protection, cloud sovereignty, and transparency in artificial intelligence. This move is not new: the EU has already demonstrated its ability to impose global regulations with the GDPR, which since 2018 has forced companies worldwide to modify their data handling practices. Now, digital sovereignty is emerging as the next major front, with the EU seeking not only to protect data but to control critical infrastructure and AI algorithms.

Why is it important?

Europe has been a pioneer in tech regulation with laws like the GDPR, the Digital Markets Act (DMA), and the recent AI Act. Now, digital sovereignty is shaping up as the next major front. Klynge emphasizes that the EU aims not only to protect its citizens' data but also to ensure that critical infrastructure and AI algorithms remain under European control. This means US and Chinese companies will need to rethink their business models, investing in local data centers, complying with data localization requirements, and submitting to algorithm audits. The EU's AI Act, approved in March 2024, classifies AI systems by risk and imposes strict obligations for high-risk systems, including transparency and human oversight. Additionally, the Gaia-X initiative, launched in 2019, seeks to create a federated and sovereign cloud infrastructure in Europe, reducing dependence on non-European providers. Historically, the EU has used its market power to set global standards: the GDPR inspired similar laws in Brazil, Japan, and California, and the DMA is being replicated in other regions. Digital sovereignty could follow the same path, creating a global domino effect.

Market consequences

Zscaler's warning is not isolated. Other industry voices, such as Google's head of AI policy, have acknowledged the need to adapt. However, Klynge's message is blunt: companies that ignore these demands risk losing access to the European market, which accounts for approximately 15% of global GDP. According to European Commission data, the EU single market has over 450 million consumers and a GDP of €15 trillion. This could accelerate internet fragmentation and spark trade tensions, but also open opportunities for local cloud and AI providers. For instance, companies like OVHcloud (French) and Deutsche Telekom (German) are already positioning themselves as alternatives to AWS, Azure, and Google Cloud. A 2023 IDC study estimates the European sovereign cloud market will reach €12 billion by 2027. However, fragmentation could also raise compliance costs for multinationals, which might pass them on to consumers. Compared to past events like GDPR implementation, a gradual but firm transition is expected. During GDPR's first two years, European companies invested an average of €1.3 million in compliance, according to an IAPP report. Now, with digital sovereignty, investments could be even larger, especially in data center infrastructure and AI audits.

What should readers know?

• European AI and cloud sovereignty is not an option but a regulatory requirement that is tightening. The AI Act is already in force, and sovereignty requirements are expected to strengthen with the upcoming Cybersecurity Act and GDPR revision.
• Companies like Zscaler, which offer cloud security, are already adapting their services to comply with European regulations, setting an example. Zscaler has announced investments in data centers in Germany and the Netherlands to ensure data localization.
• Tech SMEs relying on foreign infrastructure should assess their exposure to regulatory risks. According to a Eurostat survey, 60% of European SMEs use cloud services, many depending on non-European providers. A regulatory shift could force them to migrate to local alternatives, with costs up to €50,000 per company.
• European consumers will benefit from greater data protection but may see a reduced service offering if some companies choose not to comply. For example, Meta threatened to pull Facebook and Instagram from Europe in 2022 over data transfer restrictions, though it ultimately did not. Such tug-of-war could recur.

“Companies that do not respond, that do not align with those requirements, will have difficulties in the European market,” said Casper Klynge.

In summary, the EU is drawing a line in the sand. Digital sovereignty is no longer a theoretical debate but a reality reshaping the relationship between technology and geopolitics. Companies have two options: adapt and invest in compliance, or risk losing a market of 450 million consumers. History shows the EU is often relentless when it comes to protecting its digital values, and this time will be no exception.