Darnley's Cyber Café

The EU Digital Sovereignty Illusion: What No One Is Telling You About Your 'Secure' Infrastructure

Darnley's Cyber Café Season 6 Episode 42


In this episode of Darnley's Cyber Café, Darnley cuts through the politics and exposes what EU digital sovereignty actually looks like beneath the surface...and it's not what policymakers are telling you. 

Drawing from years of hands-on security assessments, incident response, and working directly with compromised organizations globally, Darnley breaks down why moving your data to European servers is a compliance exercise, not a security strategy, and why the firmware, chips, CVEs, and bug bounty programmes keeping your "sovereign" infrastructure alive are overwhelmingly American.

If you're a business owner, IT professional, or anyone following EU tech policy, this episode will change how you think about digital independence, data residency, and what genuine cybersecurity sovereignty would actually require. The cookie banners are real. The independence underneath them is not. Listen now. 




Topic: Digital Sovereignty & Security Infrastructure


Audience: IT Professionals · Business Leaders · General

[Intro Music]

HOST

Welcome back to Darnley's Cyber Café, where we brew up the latest in cybersecurity, technology, and the digital world that shapes our lives. I'm your host Darnley, and today — pour yourself something strong — because we're going to talk about one of the most repeated phrases in European tech policy right now.

"EU Digital Sovereignty."

You've seen it on LinkedIn. You've seen it in government white papers. You've probably heard it in a meeting room where someone said "ditch Microsoft" and everyone nodded like that solved something. Today, I want to challenge that. Not because I don't think Europe should invest in its own digital future — it absolutely should — but because the current conversation is confusing a procurement decision for a security strategy. And that confusion is genuinely dangerous.

[PAUSE]

HOST

Let me start with a question. When you moved your data to a European data centre — or when your government mandated it — did anyone ask who found the last ten critical vulnerabilities in the browser your employees use every day?

I'll tell you the answer. Google. Apple. Microsoft. Meta. All American companies. The entire bug bounty ecosystem — the financial and operational infrastructure that incentivises security researchers to find vulnerabilities and report them rather than sell them — runs on US money, US researchers, and US disclosure programmes. Google's Vulnerability Reward Programme. Apple's Security Bounty. Microsoft's Security Response Centre. These are the programmes that are literally paying the people who find the bugs that would otherwise silently own your "sovereign" infrastructure.

And here is the thing that nobody says out loud at the EU sovereignty conference: a meaningful number of European researchers who do this work are being paid by those exact American programmes. Because that is where the money is. That is where the structure exists. That is where reporting a vulnerability is worth doing.

[PAUSE]

HOST

Now, I want to be clear about what I'm not saying. I'm not saying European researchers are inferior. I have worked with some outstanding security professionals in this industry who are based in Europe. And I'm not saying that data residency is irrelevant. There are legitimate compliance and legal reasons why European data should live on European soil. GDPR is real. NIS2 is real. These matter.

What I am saying is that data residency is not the same as security independence. And right now, the public conversation is treating them as if they are. And that is where I have a problem.

[PAUSE]

HOST

Let me walk you through what the technology stack actually looks like, because I think most people — including a lot of people making policy decisions — have not thought this all the way down.

You moved to a Finnish data centre. Your data is in Finland. Great. Now let's go one layer at a time.

The hypervisor running your virtual machines — the software that your servers actually live inside — has had vulnerabilities this year. Those vulnerabilities were reported to a US company's security team. They patched it. You applied the patch. That is the chain of trust your sovereign infrastructure depends on right now.

The TLS library your HTTPS connections run on — the thing that encrypts your data in transit — was patched three weeks ago. By an American researcher. Through a US-administered CVE. The Common Vulnerabilities and Exposures database, by the way, is operated by MITRE Corporation under a contract with the US Department of Homeland Security. Every time you quote a CVE number, you are citing American infrastructure.

The firmware on the drives in those Finnish servers? Written in California or Texas. Signed with a US company's cryptographic key. You are trusting that firmware every time those drives read or write your sovereign data.

BGP — the Border Gateway Protocol that routes traffic across the internet — its architecture is American. The largest route holders are American. DNS, the system that translates domain names into addresses, has its root zone operated by ICANN, a California nonprofit. The undersea cables that physically carry your data? Google owns cables. Meta owns cables. SubCom, which is part of General Dynamics, builds and owns cables.

And the chips in those servers. TSMC in Taiwan. ARM architecture out of the UK, now owned by a Japanese company. Intel in California. NVIDIA in California. The instruction sets your sovereign workloads run on — not European.

The Point

What you have built is a European-flagged building sitting on top of an American technology stack. The flag on the building is real. The independence underneath it is not.

[PAUSE]

HOST

Now let's talk about GDPR, because I know someone is listening to this right now thinking — yes, but GDPR changed everything. And in some ways it did. It created real accountability for data handling. It generated billions in fines for companies that violated it. It changed how businesses think about data collection globally. I give it credit for that.

But I want you to think about what GDPR actually is. It is a legal framework that regulates what companies do with personal data. It is, to put it bluntly, a compliance instrument. It does not fund a single security researcher. It does not build one chip fab. It does not maintain one open-source cryptographic library. It does not pay for one penetration test on one piece of European critical infrastructure. It does not create one vulnerability disclosure programme.

What it did produce, in terms of the actual user experience, is the most aggressive cookie consent regime in the world. A regime so complex that it broke the user experience of almost every European website — while changing exactly zero things about who owns the infrastructure those websites run on. The companies being fined under GDPR treat those fines as a cost of doing business. They budgeted for it. They have entire legal teams for it. And they are still running your data through their American infrastructure.

That is not sovereignty. That is theater. Expensive, well-intentioned, legally sophisticated theater.

[PAUSE]

HOST

I want to tell you about something I've seen in this work, without naming names for obvious reasons. I have been brought in to assess the security posture of organisations that had recently completed what they described as a "sovereignty migration." They were proud of it. They had moved everything off US cloud providers. They were compliant. They had the certifications on the wall.

And when we did the actual security assessment — when we looked at what was running and what wasn't being monitored — the picture was not good. Because in their focus on where the data lived, they had not invested proportionally in how the data was being protected. The monitoring wasn't there. The threat hunting wasn't happening. The incident response plan was a document that hadn't been updated in two years and named people who had left the organisation.

They had sovereignty on paper. They had a breach waiting to happen in practice. And I'll tell you what I told them: an attacker does not care about your compliance certification. They care about whether you can see them when they're inside your network.

[PAUSE]

HOST

So what does real digital sovereignty actually require? Because I am not here to just say the current approach is wrong without telling you what right looks like. I have thought about this a lot, and I want to give you the honest version.

Real sovereignty requires a European bug bounty ecosystem at scale. Not reports. Not assessments. Actual money flowing to researchers who find vulnerabilities in software that European critical infrastructure runs on. The financial incentive to report rather than sell. Right now, the most lucrative path for a talented European security researcher is a US company's bounty programme. Europe needs to change that equation.

Real sovereignty requires investment in the open-source cryptographic and systems libraries that real infrastructure actually runs on. With dedicated, funded security audits. Not one-time grants. Sustained funding. Because attackers don't stop looking, and defenders can't stop either.

Real sovereignty requires a European vulnerability disclosure infrastructure — a CVE-equivalent programme that Europe runs, funds, and gives researchers a reason to use. CVE is a US government-funded system. The world's vulnerability catalogue is American. That has implications.

Real sovereignty requires serious semiconductor investment — and I mean serious. TSMC building a fab in Dresden is a start, and I'll give credit for it, but it is a decade late and currently producing legacy nodes, not the cutting-edge chips that matter for the next generation of computing.

And real sovereignty requires funding security research at universities with an explicit, practical mandate — not just academic publications, but a pipeline that gets researchers into the room where actual deployed software gets patched.

[PAUSE]

HOST

The uncomfortable truth is that Europe has been having this conversation since 2013. Since Snowden. Since the world found out the extent of US surveillance programmes. That was twelve years ago. Twelve years of conferences, white papers, LinkedIn posts, and political speeches about digital independence.

And in that same twelve years, what has the research investment looked like at scale? Horizon Europe — the EU's flagship research and innovation programme — allocates roughly thirteen billion euros across seven years for all digital and space research combined. For context, Google's bug bounty programme alone has paid out over twelve million dollars to find vulnerabilities in one browser. I'm not saying the European investment is zero. I'm saying it is not proportionate to the claim being made about independence. Not even close.

The people who actually secure the internet — the researchers filing CVEs at two in the morning, arguing with vendor triage teams, spending months getting ignored before going public on a zero-day — they are not thinking about your cookie banner. They are doing a job. And right now, they are mostly being paid by the companies Europe says it wants to be independent from.

[PAUSE]

HOST

I want to be direct about what I think the risk is here, because this is not just an abstract policy argument.

The risk is that European organisations — businesses, government agencies, critical infrastructure operators — make significant procurement and architectural decisions based on a sovereignty narrative that gives them a false sense of security. They move the data. They get the certification. They brief the board. Everyone feels good. And the actual security work — the monitoring, the threat hunting, the patching cadence, the incident response planning — gets treated as secondary to the geography question.

That is exactly backwards. I have seen it. The flag on the server does not protect you. The security team watching what's happening on that server protects you. And if your sovereignty migration consumed the budget and attention that should have gone to building that capability, you are in a worse position than you were before. Geography is not a security control.

[PAUSE]

HOST

So what is the takeaway? What do I want you to actually do with this?

1. Separate the compliance question from the security question. Data residency may be a genuine regulatory requirement for your organisation. If it is, you should absolutely address it. But treat it as the compliance exercise it is, and make sure your security investment is not being cannibalised to fund the migration.

2. Audit your actual security posture, not your procurement decisions. Where is your data? Fine. Now — who is watching it? What does your threat detection look like? How long would it take you to discover that someone was inside your network? That is the number that matters. Not which flag is on the data centre.

3. Understand your real dependency chain. Trace it. Firmware. Hypervisors. Libraries. Protocols. DNS. BGP. Chips. You do not have to solve all of it, but you should know what it looks like. Informed decisions are better than comfortable ones.

4. Support the researchers. If you are in a position to influence procurement or investment decisions, push for funding that goes to actual security research. Bug bounty programmes. Open-source library audits. Vulnerability disclosure infrastructure. That is where real security improvements come from.

5. Be honest about what sovereignty is and isn't. In a boardroom. In a policy meeting. On LinkedIn. If someone is claiming that a server migration is a security strategy, push back. Ask them to trace the stack. Ask them what their dwell time is. Ask them who they would call at two in the morning if something was wrong. That is a more useful conversation than which country's flag is on the building.

[PAUSE]

HOST

Europe can achieve genuine digital sovereignty. I believe that. It has the talent. It has the institutions. It has the economic weight to make it happen. But it requires honesty about how far away that outcome currently is, and it requires investing in the unglamorous, technical, slow-moving work that actually creates security — not the headline-friendly procurement decisions that create the appearance of it.

Until Europe funds real security research at scale — until there is a European programme that a talented researcher anywhere in the world would choose over Google's VRP — EU sovereignty is a LinkedIn buzzword. A well-intentioned, politically useful, genuinely important long-term goal that is being treated, right now, as if it has already been achieved. And that gap between the rhetoric and the reality is where the risk lives.

The flag on the server is not sovereignty. The work is sovereignty. And the work has barely started.

[PAUSE]

[Outro]

HOST

That's all for today's episode of Darnley's Cyber Café. Thank you for stopping by the café. If this episode made you think twice about what digital sovereignty actually means for your organisation — then it did its job. Don't wait until a breach makes the geography of your servers irrelevant. Build the security capability first. The server location can follow. I hope you enjoy this new format as I have been requested by many of you to dig a little deeper and show some security muscle. 

Next episode, I'll be back with another topic from the frontlines of the digital world. Make sure you're subscribed so you don't miss it.

Until then — stay cyber aware, know your stack, fund the researchers, keep that coffee strong, knowledge is your powe…. This is Darnley's Cyber Café, signing off.