Facing Digital Dependence: Europe’s Wake-Up Call?

Long tolerated in the name of efficiency, Europe’s digital dependence now appears as a systemic risk. From cloud to AI, from infrastructure to platforms, the shift is clear: cybersecurity has become a matter of power, and resilience a strategic imperative. In this context, how can a trusted ecosystem be built? Insights from the INCYBER Forum plenary dedicated to this issue.

What if everything stopped tomorrow? A major outage, a large-scale attack, geopolitical or economic upheaval—digital dependence can no longer be treated as a given or confined to IT departments. “We have moved from a technical issue to a strategic one,” emphasized Éric Singer, CISO, during the presentation of the white paper Mastering Our Digital Dependencies, produced by the INCYBER Forum in partnership with CESIN.

During the plenary session “Digital Dependencies: How to Build a Trusted Ecosystem?” at the 2026 INCYBER Forum, the conclusion was widely shared: “In two decades, a performance issue has become a seismic and systemic risk,” confirmed Bernard Gavgani, Senior Advisor to the Group General Management at BNP Paribas. This observation is far from alarmist when one considers that “this dependence is threefold: technological, economic, and geopolitical,” as explained by David Djaïz, co-founder of the Digital Resilience Index. Especially since “a single failure cascades and impacts everyone,” recalled Emmanuel Garnier, Cyber Director at Orano. Telecommunications, transport, public services—all rely on shared infrastructures. The incidents affecting AWS and Azure in 2025 illustrate, according to Garnier, this “blast radius,” the spread of impact from a single incident.

From a technological standpoint, Europe remains heavily dependent on non-European solutions for its critical infrastructures, its cloud, and now its artificial intelligence building blocks. “80% of European companies’ data is stored in American clouds,” recalled Véronique Torner, President of Numeum. This does not even account for office software, networking, cybersecurity tools, or hardware.

Cloud, SaaS: “Suppliers can increase prices at will”

This dependence is all the stronger as it is embedded in complex architectures that are difficult to reverse and translate into a massive transfer of value: “Europe’s digital bill of €286 billion per year should concern us,” lamented Bernard Gavgani. That is money financing innovation and employment across the Atlantic rather than on European soil.

This phenomenon is exacerbated by the evolution of digital business models. With the shift from proprietary software to cloud, and then to SaaS, “we moved from a proprietary model to a rental model […] where suppliers can increase prices at will,” stressed David Djaïz. While the agility gains are undeniable, they come at the cost of control, creating structural lock-in. A key concern, according to Martin Kuppinger, founder and principal analyst at KuppingerCole: “tools can create lock-in; if you choose a tool, you must think about how to get rid of it.”

The rise of generative AI further intensifies this phenomenon. Usage-based models (pay-as-you-go) introduce new uncertainty. As Djaïz pointed out, “we do not know what the price of a token will be in three or five years.” This volatility reinforces economic dependence.

“We will be completely vassalized”

From a geopolitical perspective, the assessment provided by Michel Paulin, author of Black Out: What If the United States Cut Off Our Digital Services? (Le cherche-midi), was unequivocal: “If we are 100% dependent on infrastructures, software, cloud, and AI that are not in our hands, we will be completely vassalized.” “Cyberspace has become a space of competition, contestation, and sometimes even uninhibited confrontation, mirroring geopolitical tensions and international rivalries,” explained Anne Le Hénanff, Minister Delegate for Artificial Intelligence and Digital Affairs.

Dependence becomes a lever of pressure, as illustrated by the testimony of Joséphine Ballon. Legal Director of the NGO Hate Aid, she was subjected to ad hominem sanctions from Washington, alongside Thierry Breton and others defending the Digital Services Act (DSA). “This goes beyond us […] it is an attack against European regulation,” she stated.

Let us go further. Digital dependence is not only technological, economic, or geopolitical—it is also cognitive, highlighted Virginie Tournay, Research Director at CNRS. Just as oil is the lifeblood of the industrial economy, data is that of the knowledge economy. “Our dependencies on energy are visible, material, and negotiable […] digital dependencies are invisible, structural, and cognitive. […] Our energy dependencies constrain action, our digital dependencies constrain perception.” This translates into concrete effects: deregulation of the information market, polarization of debates, and the loss of shared reference points.

“The problem lies in scaling support”

How did Europe allow itself to become trapped in such dependence despite a dynamic ecosystem? For historical reasons first, explained Joséphine Staron, PhD in philosophy. “It was not designed […] to create champions in energy or other sectors. The European community was built as a factor of peace and gradual market harmonization.”

Structural shortcomings are evident. Underfunded venture capital, fragmented markets, difficulty retaining champions—Europe struggles to turn innovation into industrial leaders. “The market is underfunded,” lamented Joanna Świątkowska, Secretary General of ESCO. According to the European Investment Bank, the cybersecurity investment gap between Europe and the United States reached €1.75 billion in 2020. “The issue is not talent, it is support for scaling,” emphasized Farida Poulain, CEO of Campus Cyber.

The market is also far from unified: “when you are French and go to Germany, you are seen as a competitor,” recalled Michel Van den Berghe, CEO of Seclab. European and national regulations do not help the emergence of champions. “We are not supported; on the contrary, we are hindered,” he stated, explaining his decision to relocate production to Canada. Hans de Vries, Head of Cybersecurity at ENISA, also pointed to a “cultural issue regarding risk-taking.”

“What is not measured cannot be managed”

Despite this, Martin Kuppinger challenged the idea that Europe lacks alternatives: “There is no real European alternative [to American players]? Really? I doubt it.” The INCYBER startup awards support this view, highlighting companies contributing to strengthening European protection, as François Delzant emphasized.

There is no miracle solution, but a doctrine is emerging: since dependence cannot be eliminated, it must be governed—and therefore chosen. In a globalized digital world, interdependence is inevitable; it must become an object of measurement, governance, and operational arbitration. “What is not measured cannot be managed,” recalled Emmanuel Garnier.

This is where the Digital Resilience Index (DRI) comes into play. It aims to turn an abstract concept—dependence—into a measurable indicator. The approach is straightforward: start from critical business processes, map associated digital assets, and analyze risks across the entire chain—from hardware to applications, including data and suppliers. The DRI identifies eight major risk categories: geopolitical, economic, legal, operational, environmental, technological, and more. A full-stack approach that breaks down silos. “This will elevate these issues to a strategic level,” said Arnaud Pons, CEO of Digital New Deal, noting that one objective is to “involve boards.”

“Total independence is neither possible nor necessary”

Arnaud Pons’s point aligns with David Djaïz: “an executive does not view the problem in silos […] they need a global vision.” With such tools, leaders can turn digital dependence into a governance issue, just like finance or risk.

But how should these trade-offs be made? “Total independence is neither possible nor necessary,” warned Michiel Van der Veen of TNO. “We cannot lead across the entire value chain. We must choose where to lead to gain leverage,” insisted Véronique Torner. The consensus is clear: “sovereignty is not autarky; it is the ability to choose dependencies,” confirmed Farida Poulain, adding the need to “maintain room for maneuver.”

Before that, however, organizations must reduce subordination to dominant players. This requires careful transition planning. The shift from Windows to Linux within the French Gendarmerie was “a non-event internally because it was well organized,” noted General Xavier Guimard. “Users must see a benefit when they make an effort,” he added.

The result: better-integrated workstations, three million hours of productivity gained, and €30–40 million saved annually. A significant gain achieved through a holistic approach: “applications do not run alone; they rely on operating systems, hardware, and more.”

“I advocate for a European preference”

Behind this success lie numerous challenges. Europe faces a delicate equation: strengthening sovereignty without sacrificing openness, regaining control without losing efficiency.

The first step is to respond to a recurring message, summarized by Anne Le Hénanff: “I advocate for a European preference in the digital field.” “We have something to reinvent here, similar to what was done in agriculture in the 1960s,” added Joséphine Staron. This requires putting in place a “Small Business Act” akin to the American model supported by DARPA, facilitating access to public procurement and market scale, as explained by Akim Oural of ARCEP.

At this price, Europe may transform digital dependence into a lever of power. Without decisive action, it will have identified a strategic battlefield—only to continue playing by rules set by others.