1. Silent Dependency: How it arose and why it is dangerous

When you unlock your smartphone in the morning, you are, at that moment, opening an operating system from California or Shenzhen. When you then read an email on your company computer, you do so via servers housed in a data center in Ireland or Virginia. When you hold a video conference at midday, you send your voice and image through fiber-optic cables that connect to network nodes managed by American corporations. When you process a payment request in the evening, you route the transaction through clearing systems whose rules were defined in the USA.

This is no coincidence. It is the result of three decades of technological expansion, in which American and, increasingly, Chinese companies have consistently built platforms, standards, and infrastructures that today seem as self-evident as electricity from the socket. And therein lies the problem: what has become self-evident is no longer questioned.

This article seeks to challenge that sense of self-evidence. It outlines how deep the dependency runs, which layers it spans, the risks associated with it, and what it would mean to at least partially regain control.

2. The Hardware Layer: Who Builds the Foundation?

Every piece of digital infrastructure begins with silicon. Chips, processors, memory, network cards – all of these form the physical basis of every piece of software, every cloud, every AI model. And this foundation is concentrated to an extent that opens the door wide to strategic risks.

Chips for Data Centers and AI

NVIDIA has, in recent years, become the decisive infrastructure component for AI training. The H100 and H200 accelerators as well as the Blackwell architecture are de facto without alternative when it comes to large-scale model training. Crucial here is not only the hardware itself but the CUDA software ecosystem, which over years has penetrated development practices so deeply that switching to alternative platforms would entail enormous effort. Anyone operating NVIDIA hardware is, in virtually all cases, also tied to CUDA. A classic example of technological lock-in that extends far beyond the chip itself.

Intel, AMD, and Qualcomm complete this picture: Xeon and EPYC series server processors dominate corporate data centers worldwide. Qualcomm’s Snapdragon platform is built into billions of mobile devices. All of these companies are American, subject to US export law, and can, as Huawei painfully experienced, be cut off from global supply chains by political decisions.

China is reacting to this. Huawei’s HiSilicon subsidiary is developing its own AI accelerators with the Ascend chips; Kunpeng processors are intended for the server market. Cambricon, a Beijing-based company, produces its own MLU chipsets for machine learning. These developments are geopolitically significant but still lag considerably in technical terms, particularly because the manufacturing technology is missing.

Manufacturing Dependency

Designing chips and manufacturing chips are fundamentally different activities. The global manufacturing monopoly rests with a few players, and the bottleneck is narrow. TSMC in Taiwan manufactures a large portion of the world’s most powerful chips – from Apple’s M series processors to NVIDIA’s graphics processors to the chips in modern vehicles. TSMC’s N2 and N3 manufacturing processes have no comparable alternative. Samsung in South Korea competes at this level, but even there the geopolitical dependencies are significant. The Dutch company ASML produces the only machines capable of lithographically manufacturing chips in the sub-5-nanometer range. EUV lithography is globally exclusive to ASML. Without these machines, state-of-the-art semiconductor manufacturing is simply not possible. The fact that ASML, under pressure from the US government, has restricted exports of these machines to China clearly demonstrates how closely technology, trade, and geopolitics are intertwined.

China is attempting to build its own manufacturing capacities with SMIC and YMTC. SMIC has by now demonstrated 7-nanometer-like processes but remains blocked from accessing EUV machines. YMTC produces 3D-NAND memory using its own stacking process called Xtacking. These advances are noteworthy but do nothing to change the fact that China is still years, possibly decades, away from establishing a fully independent semiconductor manufacturing capability.

For European companies, this constellation means that the hardware on which every business activity relies is so dependent on foreign actors that a worst-case scenario – trade conflicts, sanctions, geopolitical crises – can hardly be bridged.

3. The Operating System Layer: Whose Rules Apply?

Software runs on hardware. And at the base of all software are operating systems. Here too the dependency on American companies is structurally embedded. Microsoft controls a large portion of enterprise infrastructure worldwide with Windows and Windows Server. Apple dominates the premium end-device segments with iOS and macOS. Google has built Android as the mobile operating system for the global mass market. These three platforms not only determine which software runs but also how data is collected, which telemetry data flows to the manufacturer, and which app policies apply. This is not an abstract threat. Windows sends diagnostic and telemetry data to Microsoft servers. iOS devices synchronize location, usage behavior, and app activity with Apple services unless the default settings are actively adjusted. Android devices without Google Play Services, such as many Huawei devices after the US sanctions, lose access to a significant portion of the app ecosystem. Red Hat and Canonical offer Linux alternatives with RHEL and Ubuntu that are widespread in server infrastructures. Open-source operating systems have achieved real adoption here, something that has hardly succeeded in the desktop and mobile world. China’s answer is Huawei’s HarmonyOS, which now exists in a version called HarmonyOS NEXT that largely operates without an Android compatibility layer. OpenHarmony is the open-source variant increasingly used in Chinese government and industrial infrastructure. EulerOS and the community project openEuler target the server sector. Whether these systems will represent a serious alternative for non-Chinese actors in the medium term remains to be seen.

4. The Cloud Layer: Where the Data Really Resides

Cloud computing is the backbone of modern enterprise IT. Hardly any organization still operates its entire infrastructure entirely on its own. The advantages are real: scalability, global availability, low entry costs, rapid innovation cycles. The risks, however, are systematically underestimated.

The Hyperscalers and Their Market Power

Amazon Web Services, Microsoft Azure, and Google Cloud together control a large part of the global cloud market. This concentration has consequences:

  • AWS offers a platform with EC2, S3, Lambda, EKS, and CloudFormation so comprehensive that companies that have once begun building their infrastructure on proprietary AWS services must undertake enormous effort to extricate themselves. The egress costs – fees for the massive transfer of data out of the cloud – can amount to millions for large data volumes. This mechanism acts like a financial lock on one’s own dependency.
  • Microsoft Azure holds a special position in enterprise environments through tight integration with Microsoft 365, Entra ID, and Active Directory. Whoever uses Teams, SharePoint, and OneDrive already has their identity management anchored in Azure. Those who then rely on Azure services for AI, data analytics, and Kubernetes have fully committed to dependence on a single American provider.
  • Google Cloud, with services like Compute Engine, GKE, and Vertex AI, completes the picture. The integration of Google advertising data and cloud analytics creates its own form of interest entanglement here.

The European Dimension

For European companies, a legal issue is added. The US CLOUD Act allows American authorities, under certain circumstances, to access data managed by US companies, regardless of where that data is physically located. A server in Frankfurt, operated by Microsoft Azure Germany, is therefore potentially accessible to US authorities if the owner of that data is a US company. This stands in direct contradiction to the GDPR, which mandates the protection of personal data of European citizens. This legal tension remains unresolved to this day. For companies with legally protected secrets, for law firms, banks, healthcare organizations, or defense contractors, this situation is existentially relevant. The question of whether data truly resides where one believes, and whether only authorized parties actually have access, is not a technical detail but a question of operational capability.

Chinese Cloud Alternatives

Alibaba Cloud, Huawei Cloud, and Tencent Cloud are relevant providers in China and increasingly in Asia and Africa. Alibaba Cloud offers a full cloud suite with ECS, OSS, and PolarDB. Huawei Cloud relies on GaussDB as a database solution and ModelArts for AI workloads. Tencent Cloud combines cloud services with the WeChat infrastructure. For Western companies, these providers are problematic for the same reason American ones are from the Chinese perspective: their services are subject to Chinese law, which grants authorities extensive access rights. China’s Cybersecurity Law obliges companies to hand over data upon request. The geopolitical logic is symmetrical, and the concrete risk profiles differ depending on location and industry.

5. The Software Layer: Invisible Threads

Beyond operating systems and cloud infrastructure, further dependencies are layered on top, in the form of software ecosystems, developer tools, marketplaces, and communication platforms.

Developer Ecosystems

GitHub, owned by Microsoft since 2018, is the world’s dominant platform for source code management. A large portion of the world’s relevant open-source code resides on Microsoft’s servers. GitHub Actions allows the integration of automated CI/CD pipelines directly into the development process. Anyone using GitHub is dependent on the availability of an American company. Docker Hub is the world’s most used container registry. npm, Maven Central, and PyPI – the package registries for JavaScript, Java, and Python – are hosted on the infrastructure of American companies. A software application built on a modern stack typically pulls dozens of dependencies during the build process from servers located somewhere in American data centers. GitLab, JFrog Artifactory, and Sonatype Nexus offer alternatives that can be self-hosted – reducing but not eliminating dependency, since the software itself often pulls components from those same registries. China has built its own GitHub alternative with Gitee. Huawei’s CodeArts platform targets the enterprise market. These alternatives are used in the Chinese market but have so far had no international relevance.

Communication Platforms

Microsoft Teams has combined email, phone, and project communication on a single platform in many companies. Slack, now part of Salesforce, is widespread in technology companies. Teams and Zoom dominate video conferencing. All of these tools store communication data on American servers, are subject to American law, and can, in extreme cases, serve as a data source for authorities. On the Chinese side, Tencent’s WeChat is the universal communication platform in China, combining messaging, payments, shopping, and identification. WeCom is the business variant. ByteDance’s Toutiao and other platforms round out the picture of a Chinese infrastructure that creates as total a dependency for its users as Western platforms do for theirs.

6. The AI Layer: The New Frontier of Digital Dependence

Artificial intelligence has created a new dimension of dependency in recent years, whose ramifications are not yet fully understood.

Cloud-Bound AI as a Sovereignty Issue

Microsoft has embedded OpenAI’s language models into its cloud infrastructure with the “Azure OpenAI Service.” Anyone using GPT-4 or later models via the Microsoft interface sends their prompts—and thus potentially corporate secrets, product development data, customer data—to servers where American law applies. Amazon Bedrock offers various language models as an API service, including models from Anthropic and Meta. Google Vertex AI brings together its own and third-party models. The point is always the same: Using cloud-bound AI services entails ceding control—not only over the infrastructure but potentially also over intellectual property that is input into these systems. Many contractual agreements from the hyperscalers explicitly exclude using user data for model training, but whether these commitments are actually enforced, whether they prevent future changes, and whether they hold up in the event of an authority’s request is uncertain.

China’s AI Ambitions

Baidu, Tencent, and Alibaba are investing massively in their own language models. Baidu’s ERNIE, Tencent’s Hunyuan, and Alibaba’s Qwen are full-fledged competitors to OpenAI and Anthropic. Huawei is investing in Ascend chips specifically designed for AI workloads. The geopolitical dimension is significant: China is building a complete AI infrastructure that does not depend on American chips, American software, or American training platforms. Whether it will fully succeed is questionable, but the endeavor is to be taken seriously.

Local Models as a Way Out

For companies that do not want to send corporate data to external cloud services, there is an alternative: locally run language models. Meta’s Llama, Mistral from France, and a growing number of other open-weights models can be operated on one’s own hardware. The quality of these models has improved significantly in recent years. Local operation means: the data does not leave the private network. No provider can block the service. No price increase jeopardizes planning. The downside: infrastructure effort, operational expertise, and hardware investment are significantly higher than with a simple API call in the cloud.

7. Network Infrastructure: The Invisible Layer

Beneath operating systems, cloud, and software lies the network infrastructure, such as routers, switches, and mobile network equipment. Here too, the dependencies are deep. Cisco dominates enterprise and carrier networks worldwide with product lines like Catalyst, Nexus, and ASR. Juniper Networks, Arista, and others offer alternatives, but the fundamental structure of internet infrastructure is strongly shaped by American manufacturers. Until a few years ago, Huawei was the world’s leading supplier of mobile network equipment. Its exclusion from many Western markets has strengthened Nokia and Ericsson. Nevertheless, Huawei continues to operate substantial parts of 5G infrastructure in large parts of Asia, Africa, and Latin America. The process by which these decisions were made was explicitly geopolitical: the fear that network components from a Chinese manufacturer could contain backdoors for Chinese authorities was the central argument. Whether these concerns are justified has not been conclusively substantiated in public.

8. Financial Infrastructure and Digital Marketplaces

Digital dependency is not limited to IT infrastructure in the narrow sense.

Payment Networks

Visa and Mastercard dominate global payment traffic. Their market power extends from transaction technology to the rules governing who is allowed to conduct business over these networks. Sanctions against Russia in 2022 showed how quickly a country can effectively be cut off from global payment systems when excluded by Visa and Mastercard. PayPal, Stripe, and Braintree control a large part of the online payments segment. All of these are American companies subject to American law and American sanction regimes. Ant Group with Alipay and Tencent with WeChat Pay have built an alternative payment ecosystem in China and increasingly in Asia. Ant Group’s international expansion plans were halted by regulatory pressure from Beijing, demonstrating that the Chinese state also exercises its control over these infrastructures.

Digital Marketplaces

Amazon Marketplace has become the platform of choice for many merchants. The dependency is structural: anyone selling through Amazon accepts Amazon’s rules, Amazon’s commission structure, and Amazon’s ability to compete directly with its own products. Apple’s App Store and Google Play together control the global market for mobile applications. Both charge commissions of up to 30 percent on in-app purchases. Both can remove apps from the market. Both determine which payment systems are permissible within apps. For companies whose business model is based on apps, this dependency is fundamental. On the Chinese side, Alibaba’s platforms such as Taobao, Tmall, AliExpress, and 1688 are the dominant trading infrastructures. PDD Holdings with Temu has begun to expand aggressively into Western markets. In Europe and the USA, discussions have taken place regarding data protection and potential state access to data on these platforms.

9. Standards, Protocols, and Control over the Internet

A less visible but fundamental level of dependency lies in control over Internet standards. ICANN, the Internet Corporation for Assigned Names and Numbers, manages the DNS root system and the allocation of top-level domains. ICANN is an American non-profit organization that was historically under significant influence from the US government. Although the governance structure has been internationalized, the institutional anchoring in the USA remains significant. The IETF, the Internet Engineering Task Force, develops the technical standards of the Internet: HTTP, TLS, BGP, DNS, QUIC. These standards are open, developed by volunteers from around the world, and available to everyone. Nevertheless, American companies and universities are structurally overrepresented in this process. Cloudflare controls a significant share of global web traffic with its DNS service, its CDN, and its security services. If Cloudflare decides to stop protecting certain content or services, as it did in some cases in 2022, the impact is immediately global.

10. Digital Identity and Public Infrastructure

The dependency extends into public infrastructure. Microsoft Government Cloud, AWS GovCloud, and Google Public Sector are special offerings for government agencies. They are certified for governmental security requirements and are used by many governments around the world. This means: parts of critical state infrastructure run on servers of American companies. Palantir, an American data analysis company with close ties to intelligence agencies, is deeply embedded in the government and defense infrastructures of various countries. The Gotham, Foundry, and AIP platforms are used for decision support in areas traditionally considered core state functions. Microsoft Entra ID (formerly Azure Active Directory) is the central identity system for many organizations. If this service fails, authentication no longer works and thus access to almost all IT systems fails. The dependency on a single American provider for the fundamental function of digital identity is a significant concentration risk.

11. The Seven Dimensions of Risk

From the dependencies described arise specific risk dimensions that are relevant for decision-makers in companies and government agencies.

  1. Legal Access and Covert Government Requests: The US CLOUD Act and comparable laws in China enable government authorities under certain circumstances to access data managed by companies from those countries. Gag orders (secret disclosure orders) can lead to the affected cloud provider not even being allowed to inform the company that data was released. The data owner may never learn of it.
  2. Politically Motivated Shutdowns: A company entirely hosted in an American cloud can, in a geopolitical conflict, come under pressure to suspend certain services or refuse service to certain customers. This is not a theoretical scenario: In the course of the war in Ukraine, many Western technology companies suspended services in Russia, partly voluntarily and partly under political pressure.
  3. Economic Lock-In and Switching Costs: The so-called “golden handcuffs” describe the mechanism by which companies are lured into dependencies: free initial credits, cheap reserved instances, proprietary SDKs, and services that are difficult to replace afterwards. The costs of an exit from a hyperscaler—such as data transfer, migration, redevelopment—can far exceed the costs of the dependency.
  4. Data Location and Metadata Leakage: Not only file contents but also metadata such as filenames, author names, timestamps, communication partners, and IP addresses flow into global data centers. This metadata can be used for economic espionage, competitive analysis, and intelligence evaluation, even if the actual contents are encrypted.
  5. Supply Interruptions Due to Sanctions: The history of recent years has shown that sanctions are used as an economic policy instrument. Huawei was cut off from access to American technology in 2019. Russian banks were disconnected from the SWIFT system. For companies dependent on technology from a politically exposed country, this risk is real.
  6. Industrial Espionage Through Supply Chain Integration: The processes within the supply chain are often not fully traceable. Downstream service providers, supporting tools, and external software components can contain potential attack vectors. Hardware manipulations en route—so-called supply chain attacks—are documented. The complexity of modern IT supply chains makes complete control virtually impossible.
  7. AI and Intellectual Property: Anyone using AI services to generate source code, write texts, or analyze product data risks the leakage of intellectual property. Even if the provider does not use data for model training: the data leaves the corporate network. It is processed on external infrastructure. The risk of a data breach is structurally present, for example as a result of security vulnerabilities, misconfigurations, or internal misuse.

12. Paths to Digital Sovereignty

Sovereignty does not mean that all technology must be developed in-house. That would be illusory. It is rather about strategic operability: the ability, in an emergency, to switch, to maintain critical processes, and to retain control over sensitive data.

Architectural Independence

The first step toward sovereignty is architectural in nature. Applications that use vendor-neutral standards can be more easily relocated. Kubernetes without proprietary extensions, Terraform instead of vendor-specific infrastructure-as-code tools, S3-compatible storage APIs instead of proprietary services. All of this creates an abstraction layer that enables switching without having to completely redevelop systems. Software Bills of Materials (SBOMs) provide transparency about the actual components used and their origin. Without this transparency, risk assessment is not possible.
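The following is an added example, not part of the original article: it reads an SBOM and reports which registry hosts the listed components originate from, and which of those lie outside the organization's own infrastructure. It assumes a CycloneDX JSON document, the package URL (purl) "repository_url" qualifier, a small default-registry mapping, and a hypothetical self-hosted registry named nexus.corp.example; the sample SBOM is constructed.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: public registry implied by a purl type when the purl carries
# no repository_url qualifier. Extend for the ecosystems you actually use.
DEFAULT_REGISTRY = {
    "npm": "registry.npmjs.org",
    "pypi": "pypi.org",
    "maven": "repo.maven.apache.org",
    "docker": "hub.docker.com",
}

# Constructed sample SBOM (CycloneDX JSON), including one nested component
# and one component without any purl.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "commons-lang3", "version": "3.14.0",
     "purl": "pkg:maven/org.apache.commons/commons-lang3@3.14.0?repository_url=https://nexus.corp.example/repository/maven-proxy"},
    {"type": "application", "name": "report-service", "version": "2.0.0",
     "components": [
       {"type": "library", "name": "requests", "version": "2.31.0",
        "purl": "pkg:pypi/requests@2.31.0"},
       {"type": "library", "name": "internal-auth", "version": "1.2.0",
        "purl": "pkg:npm/%40corp/internal-auth@1.2.0?repository_url=nexus.corp.example/repository/npm"}
     ]},
    {"type": "container", "name": "nginx", "version": "1.25",
     "purl": "pkg:docker/library/nginx@1.25"},
    {"type": "library", "name": "vendored-blob", "version": "0.1"}
  ]
}
""")


def walk(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def component_origin(comp):
    """Return the registry host a component comes from, or None if unknown."""
    purl = comp.get("purl", "")
    if not purl.startswith("pkg:"):
        return None
    path, _, query = purl[4:].split("#", 1)[0].partition("?")
    ptype = path.lstrip("/").partition("/")[0].lower()
    repo = parse_qs(query).get("repository_url", [None])[0]
    if repo:
        # The qualifier may be given with or without a scheme.
        return urlsplit(repo if "//" in repo else "//" + repo).hostname
    return DEFAULT_REGISTRY.get(ptype)


def origin_report(sbom, internal_hosts):
    """Group components by origin host and list hosts outside own control."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    by_host = defaultdict(list)
    for comp in walk(sbom.get("components")):
        if "purl" not in comp and comp.get("components"):
            continue  # pure grouping node; its children are reported instead
        label = f'{comp.get("name")}@{comp.get("version")}'
        by_host[component_origin(comp) or "unknown"].append(label)
    external = sorted(h for h in by_host
                      if h != "unknown" and h not in internal_hosts)
    return {"by_host": dict(by_host), "external_hosts": external,
            "unknown": by_host.get("unknown", [])}


if __name__ == "__main__":
    print(json.dumps(origin_report(SAMPLE_SBOM, {"nexus.corp.example"}), indent=2))
```

Components that land under "unknown" deserve the same attention as external hosts: without a recorded origin, the risk assessment the paragraph above calls for cannot be done for them.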

Data Sovereignty

Not all data is equally sensitive. Clear data classification is a prerequisite for a differentiated approach. Highly sensitive data such as patents, customer secrets, research data, and financial data belong in strictly controlled environments, ideally with their own key management. Confidential Computing, in which data remains encrypted even in memory during processing, offers a technical means to protect data even on external infrastructure.

Financial Preparation

Exiting a hyperscaler incurs costs. Without a budget allocated for this, one cannot switch, even if the desire exists. Egress costs, migration effort, redevelopment of proprietary integrations: all of this must be considered in a realistic calculation. The EU Data Act strengthens data portability rights and can help limit the associated costs, but only if the technical prerequisites for an actual export are in place.

Local and European Alternatives

The European cloud landscape has grown in recent years. Hetzner, IONOS, StackIT, Deutsche Telekom, and other providers offer infrastructure under European law. The GAIA-X initiative seeks to establish a common European data space, even though practical implementation has lagged behind the announcements. For AI applications, locally run models are an increasingly realistic option. The quality of open-weights models has improved significantly in a short time. For many use cases, they provide sufficient performance with complete data control.

Digital Resilience

Sovereignty is also a matter of resilience. What happens if a critical cloud service fails? If an identity provider is unavailable? If a provider terminates the contract or comes under sanctions? Documentation of emergency processes that is available offline, local authentication for backups, geographically distributed data storage, and regular testing of emergency scenarios are not theoretical concepts but practical requirements from the NIS2 Directive and the Digital Operational Resilience Act (DORA).

13. The Political Dimension: Sovereignty as a Strategic Task

What appears as a technical problem is in truth a political and strategic task. Digital dependency on the USA and China did not arise by accident but is the result of decades in which Europe failed to build and scale independent technology platforms to a sufficient extent. The EU has created a regulatory framework with the GDPR, the Data Act, the AI Act, and the Cybersecurity Act that defines requirements. This framework is necessary but not sufficient. Regulation alone does not create a sovereign infrastructure. That requires investments, skills development, and, above all, the political decision to regard certain dependencies as a strategic risk and to act accordingly.

14. Conclusion: Conscious Decisions Instead of Unconscious Dependency

Digital dependency on the USA and China is in most cases not the result of a conscious decision. It is the result of countless small decisions that each seemed reasonable, such as choosing the cheapest cloud provider, the most popular tool, or the easiest route. The problem arises when these decisions, in aggregate, produce an infrastructure that is no longer controllable. When data is stored in locations whose legal implications are not fully understood. When systems build so deeply on proprietary services that switching becomes practically impossible. When AI models are trained with corporate data without anyone having truly reviewed the contractual terms. The alternative is neither technological nationalism nor a return to paper and pen. The alternative is awareness: knowing where data lies, which legal frameworks apply, what alternatives exist, and what costs a switch would incur. On this basis, conscious decisions can be made, not overnight, but with a clear direction. Digital sovereignty is not a state that can be achieved once and then checked off. It is a continuous practice that combines technical, legal, and strategic thinking. Those who take it seriously do so not in spite of digitalization but in order to make digitalization sustainable in the long term.