What happened
Europe has lost the internet, Belgium’s cyber chief has warned. Miguel De Bruycker, director of the Centre for Cybersecurity Belgium, told the Financial Times that Europe’s reliance on cloud services and digital infrastructure dominated by U.S. tech giants effectively means the continent lacks true digital sovereignty. De Bruycker argued that, despite aspirations to host and control European data, it is currently “impossible” to store information entirely within the EU because companies like Amazon, Microsoft, and Google hold a commanding share of the market and are subject to U.S. laws such as the Cloud Act and FISA 702 that can compel access to data globally.
Who is affected
This situation affects European governments, critical infrastructure operators, and private sector organizations that depend on cloud services and digital platforms to store, process, and protect data. Heavy reliance on non‑EU technologies means essential services, from public administration systems to commercial IT and cybersecurity platforms, may face external jurisdictional pressures and reduced control over security policies and incident response. The broader European digital ecosystem, including startups trying to compete with U.S. hyperscalers, is also constrained by this dominance.
Why CISOs should care
CISOs should care because digital sovereignty directly impacts risk, compliance, and defensive autonomy. Dependence on foreign‑controlled infrastructure can expose sensitive data to legal and geopolitical forces outside an organization’s control. This undermines the ability to enforce strict data residency, reduces negotiation leverage in supply chain discussions, and can complicate incident response across borders. As cyber threats grow in sophistication and geopolitical tensions influence cyber policy, European organizations must understand how infrastructure dependencies shape their attack surface, regulatory obligations, and strategic risk planning.
3 practical actions
- Assess Data Jurisdiction Risk: Inventory and classify data based on sensitivity and regulatory requirements, and evaluate the legal jurisdictions of cloud and infrastructure providers to understand exposure to extraterritorial laws.
- Diversify Infrastructure Providers: Where possible, adopt multi‑cloud strategies that include European or non‑U.S.‑based providers, and evaluate emerging sovereign cloud and regional alternatives to reduce concentration risk.
- Strengthen Vendor Contracts: Negotiate contractual safeguards with major cloud vendors that address data access requests, incident notification, and compliance support to better protect organizational data against external legal demands.
