I previously wrote a blog about the emerging and growing focus on technology sovereignty in the United Kingdom and Ireland (UK&I) and European markets. Since then, European technology and data sovereignty have been back in the spotlight because of two recent events:
- The war in Ukraine and its cyberwarfare implications
- EU lawmakers agreeing to new rules to limit the market power of Big Tech platforms through the Digital Markets Act (DMA) and Digital Services Act (DSA)
This is not an isolated move. Europe has set in motion initiatives in recent years including Gaia-X, a project to develop common requirements for a European data infrastructure supported by representatives of business, science, and administration. With data security, privacy, and technology sovereignty becoming key issues for the region, Europe is setting up new regulatory frameworks to protect consumers and companies, while trying to ensure a competitive market and encouraging innovation.
What does the DMA entail?
Beyond the hyperbole that surrounds any regulation such as this, here’s what the DMA provisions include:
- Focus on Big Tech companies providing “core platform services” and designating them as gatekeepers. These are the ones most likely to execute unfair business practices, such as social networks or search engines, with a market capitalisation of at least €75 billion or annual revenue of €7.5 billion
- To qualify as gatekeepers, these companies must provide services such as browsers, messengers, or social media, which have at least 45 million monthly end users in the EU and 10,000 annual business users
- Sizable messaging services (such as WhatsApp, Facebook Messenger, or iMessage) will have to open up and interoperate with smaller messaging platforms, if users ask, promoting more choice
- Combining personal data for targeted advertising will only be allowed with explicit user consent to the gatekeeper. Similar to instant messaging, there’s also a requirement to allow users to freely choose their browser, virtual assistants, or search engines
- If a gatekeeper does not comply with the rules, they can receive fines of up to 10 percent of total worldwide turnover in the preceding financial year and 20 percent for repeated infringements. In cases of systematic infringements, these companies might be banned from acquiring other companies for a certain period
There’s a separate act called the Digital Services Act (DSA), which the EU reached a consensus on in April 2022. This act focuses more squarely on setting up a standard for the accountability of online platforms regarding illegal and harmful content.
There’s still some time before these acts become law. For the DMA, it looks like it could be the summer of 2023 before it comes into effect. The DSA will need to be officially voted into law, will be directly applicable across the EU, and will apply 15 months after it enters into force or from January 1, 2024, whichever is later.
The battle for sovereignty and security is just getting started
While these acts are a significant step in Europe’s focus on curbing the perceived monopolistic power of Big Tech, they are not happening in isolation.
- There’s a growing global reckoning around Big Tech companies that control multiple industries, such as enterprise cloud computing, consumer-oriented economies, and media & advertising, to name a few. What complicates this further is the way their roles (especially social platforms such as Meta, Twitter, etc.) are evolving into digital town squares, and the subsequent impact on democracy, free speech, and bullying.
- Most of these Big Tech companies originated in North America but are global businesses now. Europe views this shift in innovation and control with a degree of circumspection and is trying to rein it in. These acts are a natural successor to Europe’s previous foray into data protection through the General Data Protection Regulation (GDPR), which came into force in 2018. It subsequently inspired other acts globally (including the CCPA or the California Consumer Privacy Act).
- The increasingly fragile geopolitics of the region is creating new implications for cyberwarfare and rogue state actors and is fuelling the desire to shore up digital resilience. We can also expect this to have a knock-on effect on other regions (for example, the US is considering more steps in a similar vein, and Australia has taken measures to regulate the relationship between Big Tech and traditional media).
I expect this conversation to evolve and shape the future of technology spending and strategies in the region.
Implications for the European technology ecosystem
Owing to these triggers and the broader conversation around technology sovereignty and Big Tech reach, I expect the following three implications for buyers, providers, and investors in the European technology space:
- Buyers should include sovereignty requirements in sourcing decisions:
We are starting to see enterprise buyers of technology and services embed the sovereignty of the tooling and service providers they choose in the RFP process. Expect this to continue and become a hygiene factor for technology providers to showcase in the sourcing process.
- Establish regional market partnerships:
Big Tech companies are smart and understand they can’t be upstaged overnight. They are already establishing partnerships and tweaking their business model to ensure compliance with the evolving European regulatory environment. Expect them to partner with specific players in the region to play by these rules (for instance, Google Cloud and T-Systems partnering on cloud sovereignty in the region). IT service providers will also train more people on Big Tech technologies as a result.
- Look beyond sovereignty-washing:
As with any big shift and trend, there will be new and existing competitors to Big Tech who will latch on to this market theme. I expect a lot more press releases amping up the focus on sovereignty. Investors, buyers, and partners should look beyond this marketing hype and truly understand how these firms are solving for these issues. For instance, are they embedding sovereignty at the application or data layer? Where does the data reside, and who owns it? These questions can help spot the real innovators.
We are going to see the floodgates of activity open as we approach implementation timelines in the next 12-18 months. This will create a one-time discontinuity in the market and result in additional spend on compliance. However, market participants will be wise to consider the longer term in technology regulation in Europe and its subsequent impact on their strategies.