Europe Wants to Wean Itself Off U.S. Tech

The European Commission has proposed a tech sovereignty package that covers a range of initiatives around semiconductors, cloud computing and AI. We'd be surprised if these initiatives have a major impact in the short term, but this is still a good move for Europe.

The key initiative of the proposed package, in our view, is the Open Source Strategy, which aims to "strengthen digital autonomy through open source." Although it's not stated explicitly, the intent here is to wean Europe off the U.S. tech stack by encouraging open-source alternatives. The strategy says it will take "concrete actions," for example by reforming government procurement rules to make them more open-source friendly. EU governments will also award grants to open-source projects under the strategy.

European distrust of the U.S. government and American tech companies has been brewing since the International Criminal Court chief prosecutor Karim Khan had his Microsoft email services suspended. The services were cut when the court was sanctioned by President Trump in May 2025.

And just this month Apple removed the Russian messaging app Max from its App Store and stopped delivering the app's push notifications due to sanctions. This effectively kills the Russian government's efforts to push its population onto a surveillance-friendly national messenger, at least on the iOS platform. Russia is not the European Union, of course, but the EU is nonetheless twitchy about the U.S. tech sector applying similar measures against its member states at the behest of the White House. Since 2025, President Trump has spoken of annexing Greenland and Canada and has threatened to withdraw the U.S. from NATO. You know, totally normal stuff!

One visible manifestation of this lack of trust is that European governments are already dumping American messaging platforms in favor of open-source secure messengers.
This year the French government announced that it is binning Microsoft Teams and Zoom and is replacing Windows with Linux where it can. In addition to bolstering European sovereignty, the strategy's fact page says that using open source could also be cheaper and more secure.

Another area of focus in the sovereignty package is semiconductors. Europe does have some chip champions, such as the Dutch lithography company ASML, but the continent collectively supplies less than 10 percent of global semiconductors. The main objectives of the proposed European Chips 2.0 efforts are to improve investment conditions, accelerate approvals processes and essentially encourage customers to buy European. Given this intense global competition, where other governments are also investing in chipmaking initiatives, we don't expect that European efforts will make any discernable difference. This feels like it was included in the package because it involves a key area of geopolitical competition, rather than it being an area where the commission thinks it can make a significant difference. Chipmaking is a massive, global industry. Rather than trying to shape a complex global supply chain in the midst of a semiconductor bunfight between the U.S. and China, the EU has rightly concluded there are better things it can spend money on and has gone for a light touch here.

Speaking of better places to spend money, the sovereignty package also aims to triple Europe's data center capacity over the next five to seven years. This includes building up to five AI Gigafactories, "large-scale facilities with 100,000 state-of-the-art AI chips," and speeding up the regulatory approval processes for their construction. These are worthy goals, as sovereign software doesn't buy you all that much technological independence if you don't also have sovereign infrastructure. However, the limiting factor here is likely to be electricity.
Unfortunately, Europe's data center strategy emphasizes data center energy efficiency and sustainability without mapping out how to bring new energy sources online.

Of course the EU's shift here is 100 percent an American own-goal, and a predictable one at that. China's three-ringed Huawei circus showed the world that, in the long term, a country can have internationally competitive tech giants or an aggressive and coercive foreign policy, but not both.

NSO Group's Reanimated Corpse Targets WhatsApp Users

This week Meta announced it caught NSO Group targeting its users in a new hacking campaign and is petitioning a court to hold the spyware company in contempt.

In 2025, a U.S. court granted a permanent injunction preventing NSO Group from targeting WhatsApp's services. In that court case, NSO argued that the injunction "would put NSO's entire enterprise at risk" and "force NSO out of business." Oh, no! But it seems NSO has had an epiphany here: Injunctions can't slow you down if you ignore them.

In its announcement this week, Meta said it "successfully disrupted NSO-linked social engineering attempts" that tried to trick people into clicking malicious links to external websites. It also caught NSO Group creating WhatsApp test accounts and groups.

What NSO seems to have forgotten is that spyware companies can employ only one of two broad strategies. The first strategy limits sales to customers in the U.S. and allied markets, and vets buyers rigorously. Paragon Solutions, for example, consults with the U.S. government to make sure it doesn't put noses out of joint. The second approach is to sell to all and sundry and not give a hoot about due diligence or what your product is used for. For this strategy to work, the company needs to forgo the U.S. market and hope U.S. lawsuits don't catch up to the company's founders.

The fundamental problem for NSO Group is that it has tried using both strategies at the same time. It wanted to sell its product to U.S.
customers, while ignoring all standards of responsible behavior and selling its capabilities to tinpot authoritarian governments that engage in human rights abuses. This is how NSO has wound up on the wrong side of the Meta lawsuit and is subject to U.S. government sanctions.

We've little doubt that NSO Group has been lobbying the Trump administration for some relief on the sanctions side of things. David Friedman, who was U.S. ambassador to Israel in President Trump's first administration, was appointed executive chairman of NSO Group in November 2025. That hasn't paid off so far, and the company remains on the U.S. Entity List.

Getting busted by Meta ignoring a court injunction in 2026 will not help get it removed from the list! In its blog post about calling out NSO's latest alleged campaign, Meta actually argued sanctions should remain in place because NSO "continues to defy U.S. courts." We agree, and we actually expect the company's behavior to deteriorate further. Per Wednesday's Risky Bulletin:

A researcher who tracks spyware operations told Risky Business on Monday that while NSO has lost most of its staff and contracts, its semi-dead legal status has made it more desperate and dangerous, with its tools being used in campaigns that most surveillance vendors would want nothing to do with.

Back in October 2025 TechCrunch reported that an American investment group bought a controlling stake in the company for "tens of millions of dollars." At the time, we wondered whether U.S. investment might result in NSO Group turning a corner and behaving responsibly. We now have our answer: No. NSO Group is in a deep deep hole but just keeps digging. Hopefully it will eventually just do the one thing everyone hopes it will: lie down and die.

Three Reasons to Be Cheerful This Week:

Massachusetts lawmakers vote for privacy: The Massachusetts house voted 146-0 to pass a privacy bill that would block the sharing or sale of sensitive information without a user's explicit consent.
Further coverage at TechCrunch.

Anthropic has an AI model release strategy: In separate posts over the past week, Anthropic announced a two-tier approach to granting access to its cutting-edge models. Access to the newly released Claude Mythos 5, its most capable model, is being granted to a small number of organizations in Project Glasswing. For general use it has also launched Claude Fable 5, the same underlying model with stronger cybersecurity safeguards. The good news is that this seems like a reasonable strategy for safer release of frontier models, although we've got no idea how effective it will be.

Bulletproof host shuts down: THE.Hosting Group has shut down operations after raids on two of its member companies last month. Dutch police seized more than 800 servers and arrested the two co-owners of the companies. The parent group was a rebrand of Stark Industries, a bulletproof hosting provider that was sanctioned by the EU for hosting Russian hacking and disinformation infrastructure.

Shorts

Kremlin Rejigs Security Cameras

A surveillance system used to protect President Vladimir Putin was shut down until it was disconnected from the internet, reports the Financial Times. The steps were taken by Russian security officials after reports that hacked cameras were used to provide intelligence that informed the lethal strike against Iran's Supreme Leader Ayatollah Ali Khamenei in February.

Risky Biz Talks

In our last "Between Two Nerds" discussion, Tom Uren and The Grugq speak at the NATO CyCon conference on Cyber Conflict in Tallinn, Estonia. The pair discuss how cyber operations complement conventional military operations and the past, present, and future of cyber conflict.

From Risky Bulletin:

U.K. wants tech firms to block child nude photos: Tech companies operating in the U.K. must introduce device-level software that blocks children from taking, sending, and receiving nude images. The companies have until September to comply with a new rule announced by U.K.
Prime Minister Keir Starmer on Monday. The new protection must be added to all phones and tablets sold in the U.K. Tech companies that don't comply could face huge fines and criminal prosecution of their executives. [Keir Starmer speech // The Guardian]

RubyGems adds dependency cooldowns to counter supply chain attacks: The RubyGems package manager has added support for dependency cooldowns as a way to counter a recent spate of supply chain attacks. The move copies similar efforts made in the JavaScript and Python ecosystems this year.

Dependency cooldowns are parameters that tell the package manager to install dependencies only if they are of a certain age in days. For example, a dependency cooldown of "7" will only install packages that are at least a week old.

The idea behind dependency cooldowns is to allow security tools, the admins of package repositories, and library maintainers time to detect compromises and pull down malicious versions. [more on Risky Bulletin]

Senate votes down FISA extension: The Senate has voted against reauthorizing Foreign Intelligence Surveillance Act (FISA) Section 702 surveillance powers. A bill reauthorizing FISA passed through the House but failed in a 52-47 vote in the Senate on Friday. Backroom efforts to pass FISA reauthorization failed after President Trump named Bill Pulte as acting director of national intelligence despite his having no experience in intelligence work. FISA surveillance powers are set to expire on June 15. [Politico]
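
An added Ruby sketch of the dependency cooldown rule described in the RubyGems item above. It is not RubyGems' own code or configuration, and the release list, dates and function names are constructed for illustration.

```ruby
require "rubygems" # Gem::Version gives correct version ordering
require "time"

SECONDS_PER_DAY = 86_400

# Constructed release history for a hypothetical gem; not real registry data.
RELEASES = [
  { version: "2.3.0",      published_at: "2026-01-10T09:00:00Z" },
  { version: "2.3.1",      published_at: "2026-02-20T14:30:00Z" },
  { version: "2.4.0",      published_at: "2026-03-01T08:00:00Z" },
  # Stands in for a freshly published release that may later be pulled.
  { version: "2.4.1",      published_at: "2026-03-05T23:15:00Z" },
  { version: "2.5.0.pre1", published_at: "2026-01-01T00:00:00Z" }
].freeze

# Age of a release in whole days at time `now`.
def release_age_days(release, now)
  ((now - Time.iso8601(release[:published_at])) / SECONDS_PER_DAY).floor
end

# Split releases into [old enough to install, still cooling down].
def partition_by_cooldown(releases, cooldown_days, now)
  releases.partition { |r| release_age_days(r, now) >= cooldown_days }
end

# Newest stable version that has aged past the cooldown, or nil if none has.
def pick_version(releases, cooldown_days, now)
  eligible, = partition_by_cooldown(releases, cooldown_days, now)
  newest = eligible.map { |r| Gem::Version.new(r[:version]) }
                   .reject(&:prerelease?)
                   .max
  newest && newest.to_s
end

if __FILE__ == $PROGRAM_NAME
  now = Time.iso8601("2026-03-07T12:00:00Z") # constructed "install time"
  _, cooling = partition_by_cooldown(RELEASES, 7, now)
  puts "no cooldown    -> #{pick_version(RELEASES, 0, now)}"
  puts "7-day cooldown -> #{pick_version(RELEASES, 7, now)}"
  puts "held back      -> #{cooling.map { |r| r[:version] }.join(', ')}"
end
```

With the 7-day cooldown the two newest releases are held back and the resolver falls back to the newest release that is at least a week old; a cooldown longer than every stable release's age leaves nothing installable.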
Europe Wants to Wean Itself Off U.S. Tech
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.








