In a world where data and digital infrastructure are the engine of the economy, the use of technology as an instrument of power and object of international dispute has ceased to be an academic debate. A few weeks ago, the U.S. Department of Commerce ordered Anthropic to bar foreigners from accessing its most advanced artificial intelligence (AI) models. The crisis has been resolved and Fable 5 is accessible worldwide again, but tensions of a latent technological conflict between the United States and Europe continue to emerge. Now, conversely, several member states are beginning on the path to limit the use of products from American companies like Palantir. The tools used reflect the incompleteness of Europe’s legal framework in the current geopolitical landscape. Tech sovereignty is built on industrial capabilities, but also by having an adequate framework to counter the deployment of products that introduce risks to digital assets.
The mistrust of foreign technology
Restrictions on the use of foreign digital technologies by an economic area are not new. Since the mid-2010s, cybersecurity threats have ceased to be seen as originating only abroad. In this sense, the growing complexity of digital goods introduced doubt about the products used inside organizations and the possible Trojan horses within them. Governments responded with risk-prevention policies based on trust in supply chains.
“The increasing complexity of digital goods raised doubt about the products used inside organizations”
Restrictions on the use of foreign technologies have multiplied in the last decade as global geopolitical tensions grew. Between 2018 and 2020, the United States banned Huawei equipment in government networks and in the 5G and broadband infrastructures deployed with public subsidies. In 2022, the Chinese government adopted Document 79, which in its classified version allegedly includes a policy of total substitution of American technology within state-owned enterprises before 2027. Chinese customs are also currently delaying permissions to import Nvidia and AMD AI technology authorized by Washington.
The EU had hitherto been reluctant to impose strict restrictions on the use of specific foreign technologies. For example, limitations on the use of Huawei technology in 5G networks have been uneven among member states despite harmonization efforts by the European Commission. Only when the Cybersecurity Act (CSA) review is approved will Brussels have powers across the EU to identify technological assets as critical and designate certain providers of them as “high-risk providers” for non-technical security reasons, whether structural or geopolitical.
The proposal for the Cloud & AI Development Act (Cloud & AI Development Act, CADA) opens another route to impose limits on the use of foreign technology, albeit only for the procurement of cloud AI applications, in particular, and data analytics, in general. The requirements at the highest levels of the technology sovereignty framework defined in the CADA are potentially applicable to its use in critical and high-impact infrastructures: ownership and control by EU entities —level 3— and independence from extraterritorial laws —level 4—.
Even after the CSA reform and the CADA, each member state will retain the authority to keep imposing its own prohibitions on national-security grounds. The fragmentation of restrictions on the import of digital goods and services does not foster a shared European technological sovereignty either.
The examination of the requirements to limit Palantir’s use in some member states yields lessons for building a defensive framework of technological sovereignty.
The Palantir deployment case in Europe
But what is Palantir and why does the wave of restrictions in Europe arise? Palantir Technologies is a software company specialized in the analysis of massive volumes of data from large public and private entities, generating actionable information for human decision-makers. Its range of products for military use — Palantir Gotham — and civilian use — Palantir Foundry — is a strategic element for organizations in the information age.
“The examination of the requirements to limit Palantir’s use in some member states yields lessons for building a defensive framework of technological sovereignty”
Three factors have made Palantir procurement in the public sector and critical infrastructure a political controversy in Europe. First, its entanglement with the U.S. security apparatus, both present — various projects with ICE and the Pentagon — and past — its origin lies in the CIA’s venture capital arm. Second, the company’s ideological profile, starting with its president Peter Thiel — who has supported Trump since the 2016 elections — and continuing with the presence of former executives of the company in the White House. Third, the structural sovereignty argument over the critical data it handles and its exposure to U.S. extraterritorial law.
In this environment, Palantir faces difficulties of different kinds in accessing public contracts across European administrations. In France, the prime minister announced the non-renewal of the contract that the domestic intelligence agency maintained with the American company, replacing it with a domestically-origin tool in the name of sovereignty. In Germany, restrictions on Palantir’s use by the police are a legal debate, based on constitutional limits to data analysis that security agencies can carry out regardless of the product they use. In Spain, there is information — without documentary evidence or official confirmation — of informal orders to avoid Palantir’s procurement by public and private companies owned by SEPI.
With the current legislation, the Palantir case pits Europe against dilemmas similar to those raised by the Huawei case, with one nuance: the United States is part of the WTO Agreement on Government Procurement, which excludes defense and security. While there is no absolute right for a company to access public procurement, there is the right not to be arbitrarily excluded. Moreover, the CJEU reserves to the EU general regulation of third-country bidders’ access to tenders, weakening general national vetoes. Excluding a supplier from open tenders has multiple条件: a legal norm with a legitimate purpose that enables the measure, evidence for the concrete case, a transparent procedure with the right to be heard, and coherence with international obligations. It also requires having technological options to meet identified needs. Just as Huawei equipment can be substituted by European manufacturers, it is necessary to have Palantir alternatives developed by member states or trusted partners.
“The veto of foreign technology is only half of the digital sovereignty equation”
In short, the veto on foreign technology is only half of the digital sovereignty equation. If in Huawei’s case Europe could mitigate the risk by relying on its own tech champions such as Ericsson and Nokia, the challenge with Palantir reveals a much greater structural vulnerability. The European AI ecosystem and mass data analytics lacks established alternatives capable of immediately matching the performance of American platforms in critical infrastructures. Excluding foreign contractors for national security reasons is a legitimate and necessary defensive tool, but it should be done in a harmonized way and with a decisive industrial commitment to develop first-rate domestic solutions. Otherwise, the European Union faces a complex dilemma: protecting its data at the cost of its own technological paralysis.