EU Law for EU Digital Sovereignty: Workshop Report (University of Antwerp, 20 March 2026)
Omid Jahanbozorgi and Ardit Maxhuni (Business and Law Research Group, University of Antwerp, Belgium)
Digital Sovereignty is an increasingly discussed topic in European policy circles. CELIS Blog will host several contributions on the topic in the following months. The following post provides a general introduction to the theme.
The Business and Law Research Group of the University of Antwerp organised the academic workshop titled ‘EU Law for EU Digital Sovereignty’ on 20 March 2026, with Jan Blockx, Feyisayo Lari-Williams and Pierfrancesco Mattiolo as conveners. It gathered academics and practitioners from many institutions from the EU and beyond to address a burning issue that is facing EU law today: what can EU law do in order to ensure Europe’s digital sovereignty?
The workshop consisted of a variety of plenary and parallel sessions on competition law, industrial policy instruments, public procurement, artificial intelligence governance. The participants discussed a range of EU tools, such as the Digital Markets Act (DMA), the AI Act and the Data Union Strategy, questioning whether these tools would prove sufficient to address the risks posed by Europe’s dependence on non-EU tech giants. Most of the contributions presented at the Workshop will be published in an edited volume in the upcoming months.
Plenary session 1: From Industrial Policy to Digital Policy: Institutions and Tools for Digital Sovereignty
Oles Andriychuk (Exeter University) opened the panel by grabbing the attention of the audience with a critique of the EU’s emerging industrial policy for digital markets. He mentioned Europe’s struggle against market ‘tipping’ dynamics, intensified by the AI revolution. While welcoming the shift toward enforcers as ‘market co-designers’ through legislation like the Digital Markets Act, Andriychuk raised important concerns. He questioned whether Europe’s focus on ethical imperatives, privacy, green values and SME support can truly compete with Big Tech. His central argument is the fact that European alternatives must match the user experience of existing platforms, not just appeal to stated ethical preferences.
Building upon the challenges mentioned by Andriychuk, Alice Pisapia (Universitas Mercatorum) examined whether current EU competences are sufficient for achieving digital sovereignty. She analysed the legal framework governing strategic digital infrastructures, data spaces and platform markets. She questioned whether current Treaty provisions and CJEU case law can be supportive of digital sovereignty from both aspects of market integration and fundamental rights protection.
Paolo Recaldini (Université Libre de Bruxelles) traced the evolution of EU’s industrial approach to the data economy since 2014, characterised by a shift toward a more interventionist approach, made evident in the 2020 European Strategy for Data. This shift of vision was implemented through the creation of the Common European Data Spaces with different degrees of success, including the operational Health Data Space, the industry-driven Mobility Data Space and the Financial Data Access regulation. The strategy achieved its peak potential in the Data Union Strategy of 2025, while taking on a new focus is on digital sovereignty via secure cloud and AI infrastructure. This latest update in vision and action exemplifies how growing geopolitical pressure increasingly influences Europe’s strategic thinking towards technology independence.
Parallel session 1: Public Digital Infrastructure: Perspectives on Public Procurement
Benjamin Kay-Hilmar Hinz (Europa-Institut, Saarland University) identified the EU’s substantial reliance on non-European cloud providers as a structural vulnerability, raising concerns for long-term economic development, the scaling of Europe’s digital economy, and its geopolitical and technological autonomy. His broader research examines public procurement as a strategic instrument to address this dependency, mapping both its potential and its legal limits under EU law. In particular, Hinz distinguished between different models of preference design – notably origin-based approaches and function-based criteria aimed at fostering ‘European by design’ solutions. He situated this analysis within the broader shift from a predominantly regulatory approach towards a more proactive, ‘building-oriented’ understanding of digital sovereignty. Against this background, he assessed the compatibility of strategic procurement with EU primary law principles and explores possible justifications, such as security-related considerations. By also examining constraints arising from international and external EU instruments, including the WTO Government Procurement Agreement, the International Procurement Instrument and the Foreign Subsidies Regulation, Hinz delineated the legal parameters for a coherent European strategy on technological sovereignty.
Dionysios Pelekis (Utrecht University) built upon Hinz’s presentation by addressing the practical implementation challenges in procurement. Pelekis tackled the operational tensions that emerge when theory meets practice. He framed public procurement not merely as a transactional process, but as a fundamental state ability and capacity that can be wielded to achieve digital sovereignty. Pelekis identified a critical problem: initiatives like GAIA-X and EuroStack require deep cooperation that can conflict with antitrust and state aid regulations. His solution-oriented approach examined innovation-oriented procurement tools such as Pre-Commercial Procurement, Public Procurement of Innovative Solutions and Innovation Partnerships. These tools can enhance the co-development of European infrastructures, but remain constrained and uncertain. Pelekis described how cooperation clauses and consortium requirements can comply with competition law while promoting innovation and SME participation, making contract design a core element of digital sovereignty. Finally, he addressed the ‘Europe-first’ procurement movement, assessing how legal frameworks can prioritise European providers for critical infrastructure via security exceptions, data sovereignty requirements and reciprocity mechanisms. Yet, such clauses and approaches, he concluded, still remain fraught with uncertainty.
Katrina Polychronopoulos (Legal Counsels at the STRABAG Group) and Felix Zopf (University of Vienna) introduced a crucial counterpoint in the discussion. They acknowledged that discussions surrounding digital sovereignty are widespread across the EU, with initiatives like EuroStack proposing frameworks for ‘Buy European’ regulation. However, they argued that Europe must first clearly define its goals before taking firm steps. They identified vital open questions that require answers: concerns about the technological ‘arms race’, foreign influence on critical infrastructure, CLOUD Act surveillance implications and AI models contradicting EU values. The speakers questioned in which parts of the technology stack the EU can realistically compete, which use cases are most critical and which infrastructures are essential. Their warning was stark. Without answering these fundamental questions, initiatives risk ‘dying out without achieving significant impact’, as Gaia-X did. They strongly advised against introducing digital sovereignty rules into the Public Procurement Act before these questions are answered, otherwise such action may have no meaningful impact.
Cassie Jiun Seo (Independent research affiliate, Minderoo Centre for Technology and Democracy, University of Cambridge) provided the concluding perspective, positioning active state curation as the governance mechanism shaping Free and Open Source Software (FOSS) in the service of national interests. Seo’s contribution examined how states strategically engage with FOSS ecosystem as part of digital sovereignty and industrial policy; and how EU law itself operates as a curatorial force, influencing the composition and governance of ‘sovereign technology stacks’ through instruments such as the DMA, the Cyber Security Act and the Cyber Security Act, Cyber Resilience Act by shaping incentives and market conditions and allocating risks within technology ecosystem. They defined ‘stack curation’ as the process of selecting and organizing digital components across a technology stack, emphasizing that these decisions are political and economic, shaping dependencies and interoperability relationships across actors. They cautioned that FOSS is not a panacea for digital sovereignty, noting that while it may reduce vendor lock-in, it remains subject to forms of control, by state and corporate actors, albeit in different configurations than proprietary software. This was illustrated through examples of state-supported and state-backed open-source ecosystems.
Parallel session 2: EU Competition Law for Digital Sovereignty: a General and Comparative Overview
Alessandro Carpi (Cleary Gottlieb Steen & Hamilton) opened the session by addressing the growing risk of politicisation of competition policy against the backdrop of transatlantic tensions. He pointed to a key tension between legal assessments and broader policy choices and argued that the notion of ‘Union interest’ as interpreted by the Court of Justice plays a crucial role in shielding competition policy from political pressure, including U.S. threats of retaliation over EU fines. Carpi warned that abolishing the formal complaint mechanism in the upcoming review of Regulation 1/2003 could turn the Commission’s discretion into a ‘political question doctrine’, creating a ‘black box’ where enforcement priorities escape judicial review. He concluded that maintaining a reviewable Union interest standard is essential to protect the rule of law from unchecked administrative discretion.
Thomas Fabry and Cristina Teleki (Maastricht University) examined Google’s growing control over the Android Open Source Project (AOSP), arguing that the governance of open infrastructures has direct consequences for Europe’s digital sovereignty. Despite Android’s original promise of openness, they argued that Google has gradually privatised key development processes and moved core functionalities to its proprietary Google Mobile Services (GMS). This split between open and proprietary creates structural dependencies that make it harder for individuals and governments to achieve technological independence. The speakers connected this to competition law, raising questions about how Google’s gatekeeper status under the DMA could affect regulatory oversight. Their broader conclusion was that real digital sovereignty in the EU cannot rely on regulation alone. It also requires greater technical transparency and the development of genuine open source alternatives.
Behrang Kianzad (Malmö University) offered an innovative take on digital sovereignty, reframing it as a matter of consumer welfare rooted in Kantian autonomy. The contribution was co-authored with Fabrizio Esposito (Nova School of Law, Lisbon). Rather than defining sovereignty in terms of state control or regional ownership, he argued it should be understood through the legal and market conditions that allow individuals to make meaningful choices and avoid structural dependence. Drawing on a Kantian framework, he identified ‘digital fairness’ as the link between broad sovereignty claims and concrete legal standards. His proposed concept – ‘consumer sovereignty’ – operationalises fairness through three criteria: autonomy, non-exploitative exchange and contestability. The goal is to keep digital regulation grounded in actual consumer interests, rather than letting it become a cover for protectionist policy.
Anush Ganesh (University of Exeter), Jasper van den Boom (Leiden University), and Kena Zheng (Heinrich-Heine University, Düsseldorf) closed the session by comparing how the EU and the UK designate major digital platforms. They used a ‘hare and tortoise’ metaphor to capture the contrast between the two approaches. The EU’s DMA is the ‘hare’: it relies on quantitative thresholds to designate gatekeepers quickly, identifying seven within just 18 months. The priority is speed and avoiding false negatives, even at the cost of analytical depth. The UK’s DMCCA is the ‘tortoise’. It requires nine-month investigations to establish entrenched market power, allowing for more targeted interventions but struggling to scale. The speakers argued that these procedural differences are not merely technical, since they ultimately shape different regulatory outcomes for digital markets on either side of the Channel.
Parallel session 3: EU Competition Law for Digital Sovereignty: A Focus on the DMA
Federico Ruggeri (University of Bergamo) opened the panel by examining the EU’s ex ante regulation of digital markets in comparison with the US market-oriented approach and China’s state-centric model. He presented the DMA as a preventive framework that complements traditional antitrust and is designed to ensure contestability and fairness, while reflecting a distinct approach that combines market regulation with the protection of fundamental rights and the values of the social market economy. Ruggeri framed the DMA as an instrument of digital sovereignty, highlighting the EU’s capacity to govern the conduct of private platforms, present a unified voice in their supervision, and project its standards externally. However, he acknowledged that the ‘Brussels Effect’ may be more limited than expected: whilst the rationale of ex ante regulation is spreading worldwide, other jurisdictions are embracing it by favouring more tailored, flexible or co-regulatory solutions.
Further, Pavlina Hubkova (University of Exeter) built upon the discussion on digital sovereignty by providing an interdisciplinary approach. She introduced different theories, including Law and Political Economy (LPE) and Strategic Trade Theory (STT). She argued that the DMA goes beyond traditional competition law and functions as a tool to restructure economic power within digital markets. Hubkova demonstrated how the DMA’s obligations on predominantly non-EU gatekeepers can reduce foreign platform dependence and strengthen digital sovereignty, representing a shift from narrow consumer welfare concerns toward broader objectives of justice, autonomy, and sovereignty.
Finally, Sebastian Steinert (Heinrich-Heine University, Düsseldorf) argued that the DMA can support European sovereignty where its objectives of contestability and fairness align with sovereignty goals. Steinert used the concentrated cloud market as an example. He introduced the concept of ‘infrastructural gateways’ under the DMA to explain how cloud providers functioning beyond traditional intermediation platforms can still be designated as DMA gatekeepers. Steinert laid out how the DMA provisions can apply to cloud services and emphasised that a modification of the obligations is crucial to address the relevant issues for contestability and fairness in the cloud.
Parallel session 4: EU Law, AI and Digital Space
Dominik Brtna (Charles University) opened by pointing to a core paradox in the AI Act: while its extraterritorial reach is meant to project European digital sovereignty globally, its enforcement design risks creating unequal rights protection within the EU itself. He described this as a ‘rights-protection lottery’, where outcomes depend on the varying budgets, expertise and investigatory cultures of national Market Surveillance Authorities. The Clearview AI case illustrated this problem clearly. Identical violations led to multi-million euro fines in some Member States and complete inaction in the others. Brtna argued that this ‘inward-facing vulnerability’ undermines the EU’s broader regulatory ambitions. Without centralised enforcement or binding dispute-resolution mechanisms, equal protection cannot be guaranteed. His conclusion was straightforward. Genuine sovereignty is not just about shaping global markets, but about ensuring that all EU residents enjoy the same fundamental rights protections.
Patricie Startlová (Charles University) examined how the EU is reshaping the concept of territoriality to govern digital infrastructures that go beyond national borders. She argued that instruments like the AI Act, the DMA, and the DSA reflect a deliberate strategy of ‘regulatory territoriality’, thereby extending EU law into global digital environments. In her view, sovereignty is no longer a fixed principle tied to geography but a dynamic tool exercised through market power and regulatory design. While this approach allows the EU to influence global norms, as seen in the Brussels Effect, it also comes with tensions. Extraterritorial ambition can expose new vulnerabilities, such as jurisdictional conflicts and enforcement dependencies on global tech companies. To address this, Startlová proposed an integrated legal architecture that connects digital governance with security and crisis resilience, arguing that this is what genuine sovereignty ultimately requires.
Viola Heutger (University of Antwerp) shifted the focus to the maritime domain, using remote-controlled and autonomous vessels as a case study for digital sovereignty in hybrid physical and digital environments. She argued that these vessels challenge traditional territorial logic, since their navigation increasingly relies on AI systems and data flows controlled by non-European actors. Heutger looked at how EU instruments like the AI Act, the NIS2 Directive, and the Data Act try to assert control over such safety-critical infrastructures. However, framing maritime transport as ‘critical infrastructure’ only goes so far, given the inherently mobile and cross-border nature of shipping. Her broader point was that digital sovereignty beyond platforms requires a sector-sensitive approach that accounts for the specific complexities of international maritime law.
Akshita Rohatgi (University of Cambridge) closed the session by examining how international trade secret law deliberately creates regulatory opacity for digital corporations. In her view, secrecy regimes are increasingly reframed as a form of intellectual property to protect almost any confidential corporate information. This global harmonisation of corporate privacy, pursued through instruments such as the TRIPS and the CPTPP, puts foreign regulators in the same position as commercial competitors. Since algorithmic supply chains (and secrecy protections) are global, such framing blocks national regulators from examining the personal data processing of their citizens occurring beyond their jurisdiction, posing a critical hurdle in examining global algorithmic supply chains. Rohatgi pointed to a concrete example of the resulting tensions: the EU scaled back several AI Act provisions to stay compliant with free trade agreements. She concluded that these secrecy regimes ultimately allow corporations to bypass state authority, thereby undermining the transparency that digital sovereignty requires.
Plenary session 2: Public and Private Actors in the Quest for Digital Sovereignty
Pieter Wolters (Radboud University) opened the final session by examining how hybrid conflicts are reshaping cybersecurity obligations for private companies in Europe. He argued that while defending against hybrid threats such as cyberattacks is primarily a state responsibility, private companies cannot be left out of the picture, since many essential services including healthcare, banking and energy are provided by the private sector. Wolters identified several ways in which hybrid conflicts affect existing obligations. They raise the level of risk that companies must account for, push firms to reduce reliance on non-European suppliers and increase government involvement in corporate cybersecurity decisions. His broader point was that rising geopolitical tensions are driving an escalation of obligations that is likely to continue, and that private cybersecurity compliance will thus increasingly become a central part of Europe’s broader security strategy.
Antonino Alì (University of Trento) examined how EU law is reshaping the conditions under which intelligence activities operate across digital networks. His starting point was a tension that is hard to ignore. European security agencies depend on global platforms and cloud infrastructures largely controlled by non-EU actors, while the EU simultaneously commits to fundamental rights and digital sovereignty. He argued that intelligence today no longer travels through classic state to state channels but through private intermediaries embedded in the EU’s regulatory space. Drawing on CJEU case law from Digital Rights Ireland to Schrems I and II, Alì argued that EU law is constructing a regime of ‘conditional openness’ for intelligence-related data flows, tying legitimacy to strict necessity tests, independent oversight and constraints on bulk access. He concluded that this reflects the EU’s broader model of digital sovereignty: neither unconstrained market openness nor full decoupling, but a legally mediated middle ground.
Ruggero Rudoni (University of Turin) examined the concept of EU digital sovereignty from a constitutional law perspective, emphasizing the centrality of effective judicial protection. While scholarly and policy attention gravitates toward legislation and implementation, he pointed out that the judicial function is often overlooked when approaching the concept of sovereignty. Rudoni compared two enforcement models: the traditional model of public enforcement, whereby private power is limited through the intervention of public authorities, and private enforcement, which operates within horizontal relationships between private actors and thereby strengthens the effectiveness of fundamental rights. From this perspective, collective and representative actions perform an essential complementary function, eroding the conventional boundary between public and private law and confer judges a quasi-regulatory role. Thus, private enforcement emerges as a pivotal element in redefining the scope and nature of EU digital sovereignty.
Maria Giulia Arciero (Sapienza University of Rome) examined how the US and the EU are pursuing divergent regulatory strategies for data center infrastructure, driven by deep structural asymmetries between the two blocs. She argued that as computational capacity increasingly determines technological leadership, control over data centers has become a core dimension of digital sovereignty. The US approach relies on aggressive industrial policy, subsidies, and deregulation, as illustrated by the CHIPS Act and executive orders fast-tracking data center construction, against a backdrop of fragmented and heterogeneous state-level regulatory frameworks. The EU, by contrast, seeks sovereignty from a position of dependency, attempting to balance strategic autonomy with environmental protection, internal market rules, and fundamental rights. Arciero concluded that this balancing act may be the EU’s greatest challenge, as internal legal constraints risk undermining its digital sovereignty ambitions just as much as external dependencies do.
Conclusion
The workshop made clear that EU digital sovereignty is not a single problem with a single solution. It cuts across competition law, procurement, cybersecurity, artificial intelligence and international trade. Each of these areas brings its own tensions and contradictions. A recurring theme was the gap between regulatory ambition and institutional capacity. The EU has built an impressive legal arsenal, but enforcement remains uneven. At the same time, several contributors pushed back against purely state-centric or market-driven readings of sovereignty, reminding the audience that individuals, private companies and judicial institutions all have a role to play. If the workshop left one lasting impression, it is that digital sovereignty is less a destination than an ongoing project, one that demands both legal creativity and honest reckoning with the EU’s current limitations.
All speakers at the conference spoke in a personal capacity. Thus, the views expressed at the conference and referenced in this report may not necessarily reflect the views of the respective institution or employer which the respective speaker is affiliated to.
