Navigating tech sovereignty in a fractured world

Anu Bradford, Henry L. Moses Professor of Law and International Organization | Columbia University

Anu Bradford is a leading expert on how regulation and state power shape the digital economy. She currently serves as a special advisor on technology sovereignty to European leadership. She is the author of The Brussels Effect: How the European Union Rules the World (2020), named one of the best books of 2020 by Foreign Affairs. Her newest book, Digital Empires: The Global Battle to Regulate Technology, was published in September 2023. It was recognized as one of the best books of 2023 by Financial Times, and awarded the 2024 Stein Rokkan Prize for Comparative Social Science Research. At the Columbia Law School, Bradford is the Director of the European Legal Studies Center. Before joining the Columbia Law School faculty in 2012, Bradford was an assistant professor at the University of Chicago Law School. She also practiced EU law and antitrust law in Brussels, and has served as an adviser on economic policy in the Parliament of Finland, and as an expert assistant at the European Parliament. The World Economic Forum named her Young Global Leader ’10.

You coined the term “Brussels Effect” to describe how EU regulations shape global tech practices. Where do we stand today on Europe’s digital regulatory influence?

I think the high-water mark of Europe’s regulatory leadership is behind us. A few years ago, during the peak of the “techlash,” it seemed like the world was moving toward stricter digital rules and the EU was setting the tone. Even the United States, under President Biden, initially leaned into tougher tech regulation. But since then we’ve seen a strong backlash. Externally, Washington has become more hostile to any foreign power, including the EU, trying to discipline American tech companies. US policymakers resent Europe’s attempts to set rules for Silicon Valley, and we’ve even seen Congressional hearings criticizing the Brussels Effect. At the same time, inside Europe a narrative has taken hold that perhaps over-regulation is hurting our competitiveness. A high-profile report led by Mario Draghi, for example, argued that Europe’s innovation deficit is partly due to burdensome regulation. This has shifted the conversation in Brussels. EU leaders have gone from championing digital rights and stringent oversight to asking, “Are we too heavy-handed? Do we need to dial back regulation and focus more on innovation?” As a result, the European Commission has proposed easing or revisiting some policies – including “Digital Omnibus” to simplify rules and rethink parts of the AI Act and GDPR. In short, Europe’s resolve to be the world’s digital regulator has wavered under US pressure and internal doubts.

In a recent Foreign Affairs article, you warned that Europe could “lose what makes it great.” What were you cautioning against?

Europe has many strengths and some deep weaknesses. My warning was that the EU must not throw away its greatest strength in the digital era – its commitment to protecting users’ rights and a fair digital marketplace. Europe has led the world in defending privacy, online safety, and competition. And let’s be clear: we cannot count on tech CEOs to voluntarily protect societal values. Democratic oversight is needed to set guardrails for the digital economy, and Europe has been that global standard-bearer. Europe shouldn’t fight the wrong battle. Over-regulation is not the core reason Europe lags in tech – lack of a unified digital market, underdeveloped capital markets, cultural aversion to risk, and talent gaps are much bigger factors. Rather than dismantling the GDPR or weakening upcoming AI rules, Europe should tackle those fundamentals. Complete the digital single market so startups can scale across the EU. Build a robust capital markets union so innovators have access to growth funding. Reform insolvency laws and the culture around failure so entrepreneurs can take risks and try again. And work on immigration to attract and retain tech talent from around the world. These steps would do far more for competitiveness than gutting the EU’s digital regulations.

“Over-regulation is not the core reason Europe lags in tech – lack of a unified digital market, underdeveloped capital markets, cultural aversion to risk, and talent gaps are much bigger factors.”

In your new book Digital Empires, you outline three competing tech models – the American market-driven approach, Europe’s rights-driven approach, and China’s state-driven model. How are those models evolving today?

We’re seeing a real convergence toward the state-driven model in many ways. Everyone is playing Beijing’s game now. Geopolitical tensions have pushed governments to take a much bigger role in tech. The United States, traditionally very hands-off and market-driven, is now intervening heavily in the tech sector when national security or strategic advantage is at stake. The US is subsidizing domestic semiconductor manufacturing, restricting exports of advanced chips, even taking equity stakes or imposing investment bans – actions that make the US sometimes seem more Beijing than Beijing. Europe has launched its own industrial policies for tech as it is striving for greater technological sovereignty. Europeans are way too dependent on American and Chinese technologies. I used to worry about Europe’s need to de-risk from China, but now Europeans need to de-risk from the USA as well. So the gap between the free-market approach and the state-controlled approach is narrowing. Each of the big three is emphasizing sovereignty and control over key technologies.

That said, there are still important distinctions. Culturally, the US remains more techno-libertarian – it’s empowering Big Tech to drive innovation and is quite hesitant to regulate data privacy, AI, or social media content. The prevailing view in Silicon Valley and Washington is that regulation could undermine America’s tech lead, so they’re skittish about the kind of strict rules Europe favors. Europe, meanwhile, is in an identity crisis of sorts: it has championed a rights-driven model (privacy, safety, competition), but now, it’s second-guessing itself and inching toward the US stance of lightening up on rules. And China of course continues with its government-steered, authoritarian model: strong state control of data and platforms, tight censorship, and massive state investment in tech sectors.

Importantly, the values-based, rights-driven approach hasn’t disappeared. There is still significant public demand for privacy protection, accountability, and curbing corporate excesses. Even in the US, despite the deregulatory rhetoric, there’s bipartisan concern over Big Tech’s power – antitrust cases against tech giants are ongoing, and many states are implementing their own privacy and AI rules. In Europe, there is pushback against deregulating too much. So we’re in flux. Overall, we do see more state influence and a tilt toward protectionism everywhere, but there’s also an underlying recognition that completely unbridled tech markets can threaten important social values. The three “digital empires” are still distinct, but the lines are blurring as each tries to secure its technological future in a volatile world.

Is true technological sovereignty actually achievable?

Many nations are indeed trying to hedge their bets and build up domestic tech capabilities. India, for example, talks about digital sovereignty and has taken steps like data localization and promoting homegrown startups. Countries like Russia, Brazil, and others have voiced desires to control more of their digital destiny. The drive to be less dependent on foreign technology has become quite universal. However, genuine end-to-end tech sovereignty is extraordinarily difficult, if not impossible, for almost any country. The modern tech ecosystem is deeply globalized and interdependent. Take semiconductors: no single nation controls the entire supply chain. The US might design leading-edge chips, but it relies on Dutch lithography machines, Japanese chemicals, Taiwanese or Korean manufacturing, and rare earth minerals largely processed in China. China itself, despite pouring resources into chip development, still depends on foreign chip-making equipment and intellectual property. Europe has strengths in areas like semiconductor equipment (ASML in the Netherlands, for instance), but it doesn’t do it all either. No country can go it alone, not even a superpower.

“Genuine end-to-end tech sovereignty is extraordinarily difficult, if not impossible, for almost any country.”

What do these geopolitical shifts mean for global companies? How should businesses navigate a world where technology markets are fragmenting along national lines?

It’s becoming a huge challenge for multinational tech companies – and really any company touched by digital rules (which these days is almost everyone). For the past decade, a lot of firms benefited from relatively harmonized standards or at least the ability to operate globally with one set of practices – often defaulting to the strictest regime, like the EU’s rules, and applying it worldwide. That was the classic Brussels Effect. Now, companies are increasingly caught between conflicting governments and regulations. The US and EU, for example, diverge on things like content moderation, data flows, and AI oversight. A platform might be required by European law to take down hate speech or disinformation, but in some cases, doing the same in the US could provoke political backlash or even violate more permissive US rules on speech. The eventual prospect of irreconcilable rules is real.

For businesses, this means higher costs and difficult choices. They may have to maintain separate systems, policies, or even product versions for different regions. We already see a mild version of this – think of social media companies turning off certain features in Europe to comply with GDPR or the Digital Services Act, or cloud providers offering special “sovereign cloud” partitions for European clients. In the past, companies often chose to comply globally with the toughest standard to keep things simple, but now the toughest standard might earn them punishment elsewhere. If fragmentation intensifies, some firms may run region-specific configurations to meet conflicting requirements. That’s expensive and operationally complex, but it may be necessary in some cases.

There’s also a real trust issue at play. International customers and governments are starting to question whether foreign tech providers will obey local laws or the dictates of their home government. For example, European officials worry: if push comes to shove, will an American company side with Washington or Brussels? We saw the inverse in the US with TikTok – can a Chinese-owned platform truly firewall its US user data from Beijing’s government? Many in the US doubt it, hence the pressure on TikTok. Similarly, European clients are beginning to ask whether using an American cloud service could expose them if a future US administration takes a hostile turn. This is forcing companies to make promises of “digital sovereignty” solutions – like storing and processing EU data only in Europe, under European jurisdiction, to reassure customers.

Companies find themselves between a rock and a hard place. Take a concrete scenario: If a US administration were to demand that an American tech firm cut off services to Europe or hand over European user data, that company is in an impossible position – violate US law or EU law, either way it faces huge legal liability and reputational damage. We haven’t seen something that extreme yet with US and Europe (since they are allies), but we’ve seen it in other contexts like sanctions compliance, and it could happen in the tech realm too. Until now, such transatlantic conflicts have been rare and were handled as exceptions instead of systemic issues. Still, businesses have to be savvy. They need contingency plans for geopolitical fractures – everything from diversifying their supply chains to being ready to localize operations if required. In some cases, companies might decide a market is too risky and exit if the legal requirements diverge massively. We have seen companies face choices in China that led to public backlash, making continued operation difficult or even impossible. It’s not unthinkable that similar hard choices could arise elsewhere.

Companies will have to be more agile and jurisdiction-specific. They’ll need to engage with policymakers in all major markets to find workable compromises – essentially becoming diplomats as well as businesses.

“International customers and governments are starting to question whether foreign tech providers will obey local laws or the dictates of their home government.”

Do you think companies need to elevate geopolitical risk management to the C-suite? Is it time for a chief geopolitical officer?

Absolutely. Geopolitical risk has moved from a peripheral concern to a central, boardroom issue for global companies. Just as firms have chief financial officers to manage financial health and chief security officers to manage cybersecurity, they now need a high-level chief strategist for political and geopolitical risks. Whether you call it a chief geopolitical officer or something similar, the role would be to anticipate and navigate the kind of challenges we’ve been discussing – regulatory fragmentation, sanctions, trade wars, even conflicts that could disrupt operations.

In practical terms, that means building a team dedicated to scanning the horizon for geopolitical developments and analyzing how they might impact the business. This team needs to work closely with all parts of the company – product, supply chain, compliance, sales – because geopolitical issues affect all aspects of the business. The geopolitical risk team has to be plugged into corporate decision-making, not just producing occasional memos. I’d expect them to do scenario planning (“What if relations between X and Y sour next year? How do we respond?”), to advise on market entry or exit decisions, and to liaise with government affairs teams on policy trends.

Many companies right now address these risks in a piecemeal way – a legal team handles sanctions compliance, an operations team handles supply diversification, maybe an external consultant is called in when something blows up. That’s not enough anymore.

“Geopolitical risk has moved from a peripheral concern to a central, boardroom issue for global companies.”

What should such a geopolitical risk team look like? What skills or approaches are crucial for managing these risks effectively?

The key is diversity of perspective and expertise. Geopolitics is multifaceted – it spans economics, law, security, culture – and it plays out differently in different regions. So you can’t expect one analyst or one data model to capture it all. You need a team comprising people who understand various domains and geographies. These experts need to collaborate and cross-pollinate insights. They need to be able to connect the company’s strategy and business opportunities, with an understanding of technology, all tied with awareness of domestic and foreign politics. They need to be proactive in risk assessment, while also recognizing that there’s a lot of noise. If you don’t have a seasoned geopolitical risk team, they start overreacting to everything. Companies also need to have regional expertise. For instance, it’s hard to find someone who knows how Brussels will react, who also understands Beijing.

For emerging technologies such as AI, how can countries balance the pressure to regulate with the push for innovation?

AI is multifaceted and fast-moving, with high stakes for both risks and opportunities. Governments should not be spectators who let companies alone shape the next decade. We need a nimble regulatory approach, with rules in place now and a willingness to revise them as the technology evolves.

In Europe, revisiting the AI framework so soon after enactment risks eroding credibility and creating more uncertainty just as companies are adjusting. Some proposed changes are postponements, for example taking longer to finalize standards in high-risk areas. Others could be more far-reaching, such as ideas about using personal data to train large language models. I worry about reforms being pushed further by corporate pressures, and about less resolute enforcement at a time when the AI race is heating up and geopolitical tensions are high. That combination increases the risk of irresponsible choices that could harm society.

This is not about choosing innovation or safety. We need both, starting now, and we should refine the rules as we learn. I am concerned that early moves to simplify may go too far, create uncertainty, and send mixed signals while many governments are drafting their own frameworks and looking to Europe’s direction. Meanwhile, the US is moving fast, often focused on AGI (Artificial General Intelligence) and China is making pragmatic gains, including globally with open-source AI. Europe needs to play to its own strengths, which is unlikely to be foundation models for most companies. But there is no inherent disadvantage Europe has when it comes to developing AI applications and accelerating AI adoption across industries. The question is what race really matters, and how to ensure AI is safe as it advances.

“In Europe, revisiting the AI framework so soon after enactment risks eroding credibility and creating more uncertainty just as companies are adjusting.”

Is AI sovereignty a realistic goal?

True AI sovereignty would mean that a country keeps its vulnerabilities manageable. No one is going to control the entire AI stack, from raw materials and cloud services to data sovereignty, locally developed models, and especially the hardware layer, where semiconductors are an example of a globally deeply interconnected industry. So I do not think there is such a thing as full AI sovereignty. The realistic goal is relative, to move toward greater sovereignty by reducing vulnerabilities. For some countries that means more partnerships and hedging. For others it means enhancing domestic investment to do more within their borders and build capabilities.

For the United States, the goal has also been to restrict rivals’ access to key capabilities, for example limiting China’s access to choke points like the most advanced chips to maintain leadership in the AI race. That can also give China an incentive to innovate around constraints, and China has been good at making AI development more capital-efficient and energy-efficient. The US has vulnerabilities too. Energy costs are high and the grid is limited, while data centers need a lot of power. That can raise energy bills and become politically costly in a country that is already struggling with a cost-of-living crisis. The US does not control the entire stack, and ramping up chip production domestically is not feasible quickly because it lacks all the equipment and raw materials. Even where there is money, investments are often funded by debt and can become systemically fragile. It is possible to run out of power for the data centers being built. Even the world’s AI leader faces limits in that elusive pursuit of AI sovereignty.

In Europe, countries also need to think about how their geopolitical vulnerabilities and their environmental costs factor into these choices.

I do not think there is such a thing as full AI sovereignty.
Even the world’s AI leader faces limits in that elusive pursuit  of AI sovereignty.”

What do you see as the role of initiatives such as the Euro Stack or Gaia-X for developing common digital infrastructure?

Europeans need a real industrial policy plan. My worry is that it can lead to a lot of wasteful investment. European governments do not have unlimited money. Gaia-X has not been particularly successful. There have been attempts, for example by the French government, to rebuild a French search engine and even to default governments use suboptimal technologies. That does not work. Industrial policy is probably necessary these days, but it remains vulnerable to being profligate.

We need a combination of private and public capital to fund the Euro Stack. The Euro Stack cannot be a complete alternative to American technologies. Some technologies are easier to build at home, others are harder. Europeans need to be clear-eyed about their strengths and vulnerabilities, the relative costs, what can be done immediately, what can be done in the medium term, what can be done in the long term, and what the priorities are. Everything cannot be done immediately, and the money is limited.

That is why I am eager to unleash more private capital in Europe. The capital markets union should be a no-brainer, and it has been in the works for a long time. There is a lot of capital in pension funds and institutional investments that is not channeled into the system. There are many restrictions on where they can invest, and risk tech is not available for pension funds in many European countries. Europe has money, but it needs to be channeled much more effectively.

We cannot afford to rely only on government-driven build ups. Much of that is going to go to military technologies, and many of these technologies are dual use. In the United States, it is not the Pentagon that is developing AI for the military. It comes from Silicon Valley and it is dual use, serving commercial and military applications. There needs to be efficient partnering, including joint procurement where there is public money, and we also need to fully unleash entrepreneurship and capital markets to help build European capabilities.

“True AI sovereignty would mean that a country keeps its vulnerabilities manageable.”

What are your views on the emerging topic of data sovereignty?

The data sovereignty question is very important. China has long restricted the movement of data outside the country. The US, including in the WTO, long promoted the idea that data flows should not be restricted, but even the US is now changing its position. Europeans, through the GDPR and related decisions, have sought to restrict data flows to the US where they could compromise data privacy rights. So we now have both privacy and national security concerns, two reasons to push for greater data sovereignty.

We have seen growing requirements to store data locally. But data localization mandates are costly for companies. I think countries should at least prepare for obligations that push toward localized data solutions, or require proof that sovereign control over data can be protected even by foreign companies. The question is what companies do under the US CLOUD Act. Europeans know the US can compel US tech companies to hand over data to the US government and that is a growing concern as the transatlantic rift deepens.

For Europeans, data sovereignty has mostly been viewed through the lens of protecting data. That lens is important, but it has meant forgoing many opportunities to commercialize data. There is a large pool of untapped data in Europe that must be protected but also used for innovation, investment, and commercialization in ways consistent with data protection. I regret the idea that this is often viewed as a stark choice between rights and commercial opportunities. Companies can provide solutions that meet both aims. We should show how to unlock the potential of these data pools while insisting it be done without compromising data privacy. You can have both.

“There is a large pool of untapped data in Europe that must be protected but also used for innovation, investment, and commercialization in ways consistent with data protection.”

If you were advising the board of a Global 500 company on geopolitical risks in technology, what are the top two or three actions you would recommend they take this year?

I would focus on three areas.

US–China decoupling and Taiwan risk
You still see decoupling between the United States and China, given the magnitude of technological rivalry and the size of those two markets. Boards need to manage a potentially deepening rift between them. There are more conciliatory signals about maintaining functional business relationships, but there is still a geopolitical calculus around Taiwan. If TSMC were disrupted, the global economy would halt. I am not predicting China will take ownership of Taiwan, but every board should consider scenarios involving Taiwan, the United States, China, and the depth and manifestations of tech decoupling. If you overplay the risk, you may forgo opportunities; if you underplay it, disruptions can be severe.

Europe’s regulatory role and transatlantic dynamics
Europe generates much of the tech regulation and provides leadership for the rest of the world. If Europe retreats, that would significantly shift the regulatory environment. I doubt Europe will retreat all the way, but companies must navigate transatlantic tensions and Europe’s efforts to gain greater technological sovereignty by de-risking from China and also de-risking from the United States. This matters given the value of the European market, the presence of tech companies there, and the potential breaking of a united front between the United States and the EU.

Managing an AI bubble and concentration risks
Boards should plan for the possibility that an AI bubble could burst and affect investment flows and the industry. At the same time, accelerate adoption and invest in the right players and layers. There is risk if you do not invest in AI, but you also need to choose suppliers carefully and hedge against failures. Diversify across an increasingly concentrated AI market so you are not dependent on a single country, a single player, or a single large language model. Ensure you have alternatives. Protect the integrity of your firm’s data that may be used to train large language models. Where possible, consider bespoke models that give you more control. Think about solutions not only at the country level, but at the level of your company: your data, your models, your vulnerabilities, and what happens if some providers do not exist in a few years.

“If TSMC were disrupted, the global economy would halt.”

If you had a magic wand, what is the one thing you would change about how companies manage geopolitical risk, or how the EU and other countries approach it?

I would have companies treat geopolitical risk, and risk generally, as an opportunity to clarify the company’s purpose and values. Use volatility to rethink how you run things, how you anchor decisions, and what your values are, so you are not simply following political winds. Do not do it the Mark Zuckerberg way where you lean into content moderation, then abandon it when the politics changes. That makes a company look like it has no principles.

Trusted companies project confidence through turmoil. Think of the spirit of Mark Carney’s (Current prime minister of Canada) Davos remarks: know who you are, accept volatility, be clear about your strengths and principles, and state what you will do under scenarios A, B, or C. Be prepared because you have invested in knowledge, refined strategy, and built nimbleness. Combine pragmatism and realism with a principled foundation, so you are not rudderless, choosing sides day to day.

Companies with clear values gain the trust of the marketplace. For example, the Trump administration put pressure on Microsoft to let go of a public policy person who was seen as misaligned with the US politics; Microsoft did not act, let the storm pass, and the person was not removed. If you start dismissing personnel, abandoning customers, or leaving markets, you look directionless and without a compass. Do not be naive; develop diplomatic skills and pragmatism. But without an anchor in values and core principles, companies ultimately lose the trust of their customers and employees. Seen this way, all the unfolding uncertainty and volatility can also be a moment of great clarity for confident and well-run companies.

“Use volatility to rethink how you run things, how you anchor decisions, and what your values are, so you are not simply following political winds.”