When Miguel De Bruycker, director of Belgium's Centre for Cybersecurity, declared that Europe has "lost the internet," he wasn't being dramatic. He was stating a technical reality that cybersecurity professionals have been quietly grappling with for years. The uncomfortable truth? Most of what we consider "European" internet infrastructure—from cloud storage to critical applications—isn't actually European at all.
I've worked with European businesses trying to maintain data sovereignty, and let me tell you: the situation is more dire than most people realize. We're not just talking about where your photos are stored. We're talking about fundamental control over critical infrastructure, economic independence, and national security.
This article will break down exactly what "losing the internet" means in practical terms, why it matters more in 2026 than ever before, and what European businesses and individuals can actually do about it.
The Uncomfortable Reality: Your "European" Data Isn't European
De Bruycker's central claim—that it's "currently impossible" to store data fully in Europe—sounds hyperbolic until you start tracing data flows. Here's what most people don't understand: even when you choose a European data center, your data often takes detours through American infrastructure.
Take a typical European business using cloud services. They might select a Frankfurt data center, believing their data stays within EU borders. But what about the management plane? The authentication services? The backup systems? The analytics tools? These often route through or are controlled from US-based infrastructure.
I've seen this firsthand while helping companies achieve GDPR compliance. We'd audit their data flows, and inevitably find connections to US-based services they didn't even know they were using. A European SaaS provider might use AWS for certain functions. A European analytics tool might rely on Google's infrastructure. The interdependencies are so complex that true data localization has become nearly impossible without building everything from scratch.
And here's the kicker: this isn't just about privacy regulations. It's about legal jurisdiction. Under laws like the US CLOUD Act, American authorities can demand data from US companies regardless of where that data is physically stored. So your "European" data in a Frankfurt data center? Potentially accessible to US authorities if it's stored with a US company's infrastructure.
Why This Matters More in 2026 Than Ever Before
You might be thinking: "So what? The internet's global anyway." But the stakes have changed dramatically in recent years. Three factors make this particularly urgent in 2026:
1. The AI Infrastructure Gap
Europe's falling behind isn't just about where data sits—it's about who controls the computational power needed for the next generation of technology. The AI revolution requires massive GPU clusters, specialized hardware, and enormous data centers. Guess who's building almost all of it? American tech giants.
European AI startups face a brutal choice: use American infrastructure and lose sovereignty, or build their own at astronomical cost and fall behind competitively. I've spoken with founders who've literally moved their companies to the US just to access the infrastructure they need.
2. Geopolitical Tensions Have Changed Everything
Five years ago, transatlantic data flows were mostly a regulatory concern. Today, they're a national security issue. With increasing tensions between Western powers and other global players, dependence on foreign infrastructure represents a strategic vulnerability.
Imagine a scenario where European governments need to secure communications during an international crisis. If those communications rely on infrastructure ultimately controlled by another nation's companies, that's a problem. It's not about trust—it's about control.
3. The Economic Implications Are Staggering
Every euro spent on American cloud services is a euro not invested in European infrastructure, European jobs, or European innovation. We're essentially funding our own competitors. The scale is massive: European businesses spend tens of billions annually on US cloud services.
What's worse? This creates a vicious cycle. Less investment in European infrastructure means European alternatives remain less competitive, which means more businesses choose American services, which means even less investment in European alternatives.
The Security Implications Nobody's Talking About Enough
Here's where things get really concerning from a cybersecurity perspective. Dependence on foreign infrastructure creates unique vulnerabilities:
First, there's the supply chain risk. When European security depends on American companies' security practices, we're vulnerable to their weaknesses. Remember the major cloud provider breaches of the last few years? Those weren't just problems for their direct customers—they were problems for everyone in their ecosystem.
Second, there's the visibility problem. European cybersecurity agencies can't properly monitor or secure infrastructure they don't control or even fully understand. How can you defend what you can't see?
Third—and this is the really uncomfortable one—there's the insider threat from foreign jurisdictions. I'm not suggesting American companies are malicious. But their employees are subject to American laws. If US authorities demand access to systems for legitimate national security reasons, European data could be caught in the crossfire.
I've worked with European financial institutions that have had to create incredibly complex data segmentation strategies just to manage these risks. They'll keep truly sensitive data on-premises, use European providers for less sensitive data, and accept the risk for everything else. It's a patchwork solution at best.
What European Businesses Can Actually Do Right Now
Okay, enough doom and gloom. Let's talk practical solutions. If you're running a European business in 2026, here's what you should be doing:
1. Conduct a Real Data Sovereignty Audit
Most companies think they know where their data is. Most are wrong. You need to trace every byte. Where is it created? Where is it processed? Where is it stored? Where are backups kept? What third-party services touch it?
Don't just ask your providers for assurances—actually test the data flows. I've helped companies set up monitoring that shows exactly where their data goes. The results often surprise them.
2. Embrace a Hybrid Approach
Pure European-only infrastructure might be impossible for most businesses, but that doesn't mean you should give up. Implement a tiered approach:
- Tier 1 (Critical/Sensitive): European infrastructure only, preferably with European-owned providers
- Tier 2 (Important): European data centers of multinational providers
- Tier 3 (General): Whatever's most cost-effective
This isn't perfect, but it's practical. You protect what matters most while acknowledging reality.
3. Invest in European Alternatives When They Exist
Yes, European cloud providers might be more expensive. Yes, they might have fewer features. But using them for even part of your infrastructure creates market demand that can help them grow and improve.
I'm not suggesting you compromise your business's efficiency. But if there's a European alternative that's "good enough" for certain workloads, consider using it. Every bit helps.
4. For Technical Teams: Build With Portability in Mind
This is where the rubber meets the road. Design your systems so they're not locked into any single provider. Use containerization. Use infrastructure-as-code. Avoid proprietary services that create vendor lock-in.
The goal? To be able to move workloads if you need to. This isn't just about sovereignty—it's good business practice that gives you leverage with all your providers.
The Policy Problem: Why Regulation Isn't Enough
Many people point to GDPR and similar regulations as the solution. They're not wrong, but they're not completely right either. Regulations can dictate where data should be, but they can't magically create the infrastructure to store it.
Europe faces a classic chicken-and-egg problem: businesses won't use European infrastructure until it's competitive, but European infrastructure won't become competitive until businesses use it.
Government initiatives like GAIA-X are trying to break this cycle by creating European cloud federations. The idea is solid: create standards that allow different European providers to work together, creating a seamless experience that can compete with the American giants.
But here's my take, based on watching these initiatives develop: they're moving too slowly. The tech world doesn't wait for committees to make decisions. By the time European alternatives are ready, the market has moved on to the next thing.
What's needed isn't just more regulation or more initiatives. It's massive, coordinated investment—the kind of investment that only happens when something is treated as a true strategic priority, like defense or energy independence.
Common Mistakes European Companies Are Making
Let me save you some pain by sharing what I've seen go wrong:
Mistake #1: Assuming "EU data center" means "EU controlled." As we've discussed, the physical location is just one piece. Who controls the software? The management tools? The authentication systems?
Mistake #2: Focusing only on storage, not processing. Where your data is processed matters just as much as where it's stored. AI training, data analytics, real-time processing—these often happen outside Europe even when the stored data is within it.
Mistake #3: Overlooking the small services. That little analytics widget on your website? That customer support chat tool? That email marketing service? These "small" services often route data through US infrastructure.
Mistake #4: Thinking this is just an IT problem. It's not. It's a business strategy problem, a legal compliance problem, and a risk management problem. The solution needs involvement from leadership, not just the tech team.
The Human Cost: What This Means for European Tech Talent
Here's an aspect that doesn't get enough attention: this infrastructure gap is causing a brain drain. Europe's brightest tech minds are increasingly moving to the US—not just for higher salaries, but for access to cutting-edge infrastructure and scale.
I've seen this firsthand with colleagues and students. They start in Europe, but when they want to work on truly large-scale systems or cutting-edge AI, they feel they have to go where the infrastructure is.
This creates another vicious cycle: less talent in Europe means European companies struggle to innovate, which means they fall further behind, which means more talent leaves.
Breaking this cycle requires more than just building data centers. It requires creating ecosystems where European talent can work on interesting problems at scale without leaving home.
A Path Forward: Realistic Solutions for 2026 and Beyond
So what can actually be done? Complete digital sovereignty might be impossible, but meaningful improvement isn't. Here's what I believe needs to happen:
First, European governments need to lead by example. Public sector data should be on European infrastructure whenever possible. This creates guaranteed demand that can help European providers scale.
Second, we need strategic investment in specific areas. Instead of trying to compete with American giants across the board, Europe should identify areas where it can lead—perhaps in privacy-preserving technologies, green data centers, or specialized industrial applications.
Third, we need better tools for transparency. Businesses need ways to actually verify where their data is, not just take providers' word for it. This is where technical solutions can help bridge the policy gap.
Fourth—and this is controversial—we need to reconsider data localization requirements. If true localization is impossible, maybe we need more sophisticated approaches. Perhaps encrypted data can flow more freely while plaintext data stays local. Or maybe we need new international agreements that give Europe more control over data even when it's on foreign infrastructure.
Conclusion: It's Not Too Late, But Time Is Running Out
Miguel De Bruycker's warning shouldn't be taken as surrender. It should be taken as a wake-up call. Europe hasn't just "lost the internet"—it's in danger of losing its digital future.
The solutions won't be easy or quick. They'll require investment, coordination, and probably some painful trade-offs. But the alternative—permanent dependence on foreign infrastructure with all the strategic vulnerabilities that entails—is worse.
For European businesses and individuals, the message is clear: start paying attention to where your data actually goes. Make conscious choices when you can. Support European alternatives when they make sense. And most importantly, understand that this isn't just a technical issue—it's about what kind of digital future Europe wants to have.
We might have lost the first battle for the internet. But the war for digital sovereignty is just beginning. And in 2026, with AI and other transformative technologies accelerating, the stakes have never been higher.
