In February 2026, an essay made the rounds among people who think about markets for a living. Citrini and Alap Shah published a piece with a deliberately unsettling title: "The 2028 Global Intelligence Crisis — A Thought Exercise in Financial History, from the Future." It wasn't doomer fan-fiction. It was a scenario built on a single, slippery question:
"What if our AI bullishness continues to be right … and what if that's actually bearish?"
The premise: imagine we are right about artificial intelligence — that it keeps getting better and more useful, that it reshapes the economy. And imagine that the very thing that makes it powerful, its concentration in a handful of frontier labs, is what turns it into a systemic risk. A "Global Intelligence Crisis," written as a macro memo dated 2028, looking back at how it all unspooled.
The 2028 memo is an abstraction. Here is the same logic narrowed to a single, concrete morning — a brief scenario, not a forecast. Call it 12 June 2026.
The scenario: four hours offline
At 5:21 p.m. Eastern, the US government sends a leading American AI lab an export-control directive. It bars any foreign national — inside or outside the United States, including the company's own foreign-national staff — from accessing two of its frontier models. There is no clean way to comply with that except one: switch the models off for everyone, everywhere. Not throttled. Not geofenced. Off.
A founder in Lisbon, a manufacturer in Stuttgart, a hospital's triage tool in Vienna — all of them go dark at the same moment, because of an order that isn't even about them. The lab, in this scenario, is transparent and pushes back. The government cites national security but gives no specifics; the underlying concern is the kind of minor "jailbreak" that, on inspection, surfaces a handful of already-known vulnerabilities — the sort other public models find without any bypass at all. The company complies while disagreeing, and the warning a frontier lab would issue in that moment writes itself:
"If this standard was applied across the industry, we believe it would essentially halt all new model deployments for all frontier model providers."
You don't have to take a side in that dispute to draw the lesson that matters for Europe. Notice what wouldn't save anyone: it isn't a data-residency problem. Your data sitting in a Frankfurt region would be irrelevant, because the model itself has stopped answering. A switched-off capability doesn't leak your data. It just gives you nothing.
The number that should worry you isn't a percentage. It's "one."
We talk about digital dependency in market-share terms, and the figures are bad enough. But the real risk the 2028 memo points at isn't share — it's concentration. The number of independent points of failure between a European business and the frontier intelligence it now runs on is, increasingly, one.
Here is the share picture, for grounding:
And there's a legal layer most "EU region" checkboxes quietly ignore. Under the US CLOUD Act and FISA 702, jurisdiction follows the company, not the server. A US provider can be compelled to hand over data regardless of where it's stored — Frankfurt, Dublin, anywhere — with no notice to the user and no European authority in the loop. "Hosted in the EU" is a comfort, not a sovereignty. And as the scenario shows, the access risk sits above the data layer entirely: it's the capability itself that can be revoked.
Renting versus owning
Here is the distinction that the share charts obscure and the switch-off made vivid. There is a difference between a vendor relationship and a dependency.
A vendor relationship is one you can exit. If your supplier raises prices, degrades quality, or simply annoys you, you switch — maybe at some cost, but you switch, and the threat of switching disciplines the supplier. A dependency is one you can't exit on your own terms, because there is no credible second source and the off-switch is held by someone else. When an entire continent wires its productivity through a few US labs governed by US national-security law, that is not procurement. That is a dependency.
Put plainly: a capability you cannot switch on yourself is not a capability. It's a permission. And permissions can be revoked by people who never have to think about your payroll.
The point isn't that everyone should self-host everything. That would be its own kind of foolishness. The point is that most European organisations today sit entirely on the left of that diagram and have never priced the move rightward — not even one notch, not even for the workloads that would end the business if they vanished.
Europe has rules, not products
Europe's instinct, faced with dependency, has been to write rules: GDPR, the Data Act, the AI Act, DORA, NIS2. Good rules are an asset. But you can only regulate what someone else builds. Regulation is not a substitute for capability, and treating it as one is how you end up sovereign on paper and dependent in practice.
The Draghi report on European competitiveness (September 2024) said this without flinching. The productivity gap between the EU and the US, Draghi wrote, is "largely explained by the tech sector" — or rather Europe's relative lack of one. The supporting numbers sting:
- The EU's output now trails the US by roughly 30%, up from about 15% in 2002.
- Europe pours money into mid-tech (cars) and underinvests in intangibles — software, R&D.
- The European Innovation Council's flagship Pathfinder ran on €256 million in 2024. DARPA's budget is more than 15× that.
Draghi's prescription was blunt: around €800 billion in additional annual investment, a real capital-markets union, lighter and faster rules, and an actual industrial push on AI. The scenario compresses all of it into one sentence: we specialised in regulating because we never built the thing.
"Isn't this just protectionism?"
It's the first objection, and it deserves a straight answer: no — and it shouldn't become that.
Sovereignty is not autarky. Nobody is proposing a European firewall, a ban on US software, or a Fortress-Europe cloud. That would be self-harm; the American tools are genuinely excellent, which is precisely why the dependency is so comfortable and so dangerous. Sovereignty means optionality: a credible, self-controlled second source for the things that matter, so that a vendor outage or a foreign decree doesn't take the lights out. A real alternative also disciplines incumbents and improves your bargaining position — second-sourcing is standard practice in every serious supply chain. We simply stopped doing it for our most important one. The ask here is pro-European, not anti-American: build the second source, and own it.
Lowering the barriers: five moves
European champions don't appear because ministers give speeches about them. They appear when the obstacles that currently keep European software firms small, sold, or relocated are cleared away. Five of those obstacles matter most — and none of them is a subsidy in the old sense.
1. Demand — give startups a first customer. The public sector is the largest software buyer on the continent, and its tenders are de-facto written around incumbent US standards. The forthcoming EU Tech Sovereignty Package, anchored by a Cloud and AI Development Act (CADA), would introduce a four-tier sovereignty classification and a "buy European / open by default" posture in procurement. Used seriously, that's not charity — it's a launch customer, the single hardest thing for a young company to win.
2. Capital — close the scale-up valley of death. European seed funding is fine; growth capital is not. The big late-stage round still tends to come from the US, and with it the gravity to relocate. Mistral, France's frontier lab, raised €1.7B in 2025 in a round led by Europe's own ASML — proof it can be done here, and how rare it still is. A genuine capital-markets union, pension capital allowed into tech, and a real EU technology fund (the EuroStack proposal puts the long-run need near €300B by 2035, with a €10B fund as the first step) are the unglamorous fixes.
3. Regulation — proportionate, not absent. The goal is not to gut the AI Act; it's to make compliance survivable for a 12-person team that has no legal department. One rulebook instead of 27 national interpretations, regulatory sandboxes, "once-only" reporting, and genuinely fast approvals. Protection and proportionality are not opposites.
4. Compute and energy. Frontier work needs GPUs and affordable clean power, and today both flow mainly to the hyperscalers. The EU's AI Gigafactories initiative (~€20B of public commitment) only matters if a guaranteed slice of that compute is reserved for startups and researchers — not just rented back from the same incumbents.
5. Open source and talent. Open-weight models — Mistral's, Aleph Alpha's sovereign-deployment stack, and others — are the clearest path to capability you actually hold. Fund open source as public infrastructure, give procurement preference to open and auditable systems, and stop training world-class engineers only to export them. EuroStack's own stated aim is to lower adoption costs for SMEs — exactly the right target.
What builders and buyers can do now
Policy is slow. Your own exposure is not — you can reduce it this quarter, and the logic is risk management, not patriotism. The question to put to your own team is simple: what happens to the business if our most important model stops answering tomorrow morning? If you don't have an answer, you have an unpriced single point of failure.
- Design for portability. Put an abstraction layer (a gateway) between your product and any single model, so you can swap providers without a rewrite. Model lock-in is avoidable if you plan for it on day one.
- Keep an open-weight fallback. A self-hostable model — Mistral, Llama — doesn't have to be the best. It has to be available when the primary isn't. That's a second source no one can revoke.
- Host sensitive workloads in Europe. For regulated or critical data, providers like Hetzner, IONOS, OVHcloud and STACKIT are already viable. Not for everything — for the things that would hurt to lose.
- Run the drill. A business-continuity test for AI dependencies belongs in 2026 next to your backup test. If you've never rehearsed the outage, you'll rehearse it live.
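The portability, fallback and drill points above, as an added example that is not code from the original article: a gateway that routes each workload through an ordered provider list, and a drill that simulates the primary being switched off and reports which workloads still get an answer. `Gateway`, `run_drill`, the provider and workload names and the lambda adapters are hypothetical stand-ins for real vendor-SDK or local-runtime calls.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

class ProviderUnavailable(Exception):
    """A backend is unreachable or has been withdrawn."""

@dataclass
class Gateway:
    routes: Dict[str, List[str]]                # workload -> providers, primary first
    providers: Dict[str, Callable[[str], str]]  # name -> adapter (prompt -> text)
    disabled: Set[str] = field(default_factory=set)  # simulated switch-offs
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def complete(self, workload: str, prompt: str) -> str:
        for name in self.routes[workload]:
            try:
                if name in self.disabled:
                    raise ProviderUnavailable(name)
                out = self.providers[name](prompt)
            except ProviderUnavailable:
                self.log.append((workload, name, "unavailable"))
                continue  # fall through to the next source
            self.log.append((workload, name, "ok"))
            return out
        raise ProviderUnavailable(f"no provider left for {workload}")

def run_drill(gw: Gateway, down: List[str]) -> Dict[str, Optional[str]]:
    """Switch off `down`, probe each workload, report who served it (None = outage)."""
    saved, gw.disabled = gw.disabled, gw.disabled | set(down)
    result: Dict[str, Optional[str]] = {}
    try:
        for workload in gw.routes:
            try:
                gw.complete(workload, "drill probe")
                result[workload] = gw.log[-1][1]
            except ProviderUnavailable:
                result[workload] = None
    finally:
        gw.disabled = saved  # always restore production routing
    return result

def build_example() -> Gateway:
    # Constructed stand-ins: real adapters would wrap a vendor SDK and a local runtime.
    providers = {"hosted-frontier": lambda p: "frontier:" + p,
                 "local-open-weight": lambda p: "local:" + p}
    routes = {"triage": ["hosted-frontier", "local-open-weight"],
              "drafting": ["hosted-frontier"]}  # no second source configured
    return Gateway(routes, providers)
```

Calling `run_drill(build_example(), ["hosted-frontier"])` maps `triage` to the local fallback and `drafting` to `None`; any workload that comes back `None` has no second source.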
For investors, the framing is different but the conclusion is the same: sovereign infrastructure is a category, not a charity. The 2028 memo's whole point is that concentration risk eventually gets priced — and the assets that get re-rated are the credible, independent alternatives. There's a companion piece on the organisational side of this in our overview of digital sovereignty for businesses, if you want the operational roadmap rather than the argument.
FAQ
Does digital sovereignty mean building a European firewall and banning US tech?
No. Sovereignty is optionality, not autarky. The aim is a credible, self-controlled second source for critical capabilities — so a vendor or political shock can't take the business down. For non-critical workloads, excellent US tools often remain the right call.
Are European models actually good enough to bet on?
For a growing share of tasks, yes. Open-weight models from Mistral and others are competitive for most real workloads, and the frontier gap narrows every quarter. The honest answer is "evaluate per use case" — for many jobs the marginal capability of the absolute best model is worth less than the guarantee that it'll still be there next month.
Doesn't an "EU region" from a US hyperscaler already solve this?
Only partly. The CLOUD Act and FISA 702 attach to the company, not the server location, so a US provider can be compelled to disclose data even when it sits in Europe. And against the model itself being switched off — the scenario above — the region does nothing at all. Real sovereignty is control over the supply chain, not just the storage address.
Is this protectionism in a nicer suit?
It shouldn't be, and it doesn't have to be. The argument is for a credible alternative and the freedom to exit — not for shutting anyone out. A second source makes the whole market healthier, including for the US firms that then have to compete on merit rather than lock-in.
Closing: own what you depend on
A morning like that one needn't ever arrive for its lesson to land. Run the scenario honestly and it shows, in the space of a few hours, exactly how it feels when the capability your business runs on hangs from a switch you don't control — and were never consulted about.
Europe can keep renting excellent tools and hoping the landlord stays friendly. Or it can finally build a second source it owns. That doesn't require a miracle — it requires resolve in five concrete places: demand, capital, regulation, compute, talent. The blueprints exist. The money exists. What's missing is the willingness to lower the barriers in front of our own companies instead of merely administering them.
A capability you can't switch on yourself isn't a capability. It's a permission. It's time Europe owned a few again.