Skip to content

Who could switch off Europe's digital economy? Count the controllers behind the suppliers

A plain-language companion to the working paper "Cuts and Options: A Theory of Strategic Autonomy in Production Networks" (v0.7, July 2026). The paper carries the proofs, the data, and the caveats; this text carries the ideas.

The short version. Europe's digital dependence is usually discussed one layer at a time: is there a European cloud? A European chip? A European office suite? We built the mathematics for the question that actually matters, which is about whole stacks: how many actors would have to act together to shut a European service down, and how many genuinely independent ways of operating does Europe have? The two numbers can be computed, we computed them, and they are much worse than the layer-by-layer checklists suggest, except where they are better.

Dinner from a menu

A digital service is assembled like a dinner from a fixed menu. You need something from every course: an application, a cloud to run it on, machines in the cloud, chips in the machines, a factory that made the chips, materials that fed the factory, and a channel (an app store, a marketplace) through which the service reaches its users. Within each course you can pick among whatever suppliers exist. Skipping a course is no more possible than running software without hardware.

Every supplier answers to someone: a company, and behind it a country or bloc whose law and export rules reach it. Call that its controller. Now ask two questions about the whole dinner instead of about any single course.

First: how many controllers would have to act together to make every possible dinner infeasible? Call that the coercion number. If it is one, a single actor holds a switch. Second: how many complete dinners can you compose that share no controller anywhere, so that losing any one controller still leaves you a full dinner? Call that the option number. It measures real, usable diversification.

The illusion the paperwork creates

Here is the result the paper is built around. Imagine three courses. Each offers exactly two caterers, and the two are genuinely independent of each other. Every course, inspected on its own, passes a "two independent suppliers" test. But suppose the caterers belong to three companies, call them X, Y, and Z, arranged like this: course one is served by X and Y, course two by X and Z, course three by Y and Z. Compose any full dinner and count the companies involved: always two of the three. Take any two dinners: they always share a company. However you choose, you cannot build two dinners that are independent of each other. Layer-by-layer diversification: two everywhere. Whole-dinner diversification: one.

This is a theorem, and its target is real. European cloud rules test suppliers one layer, one contract, one offer at a time. France's SecNumCloud asks whether a provider could keep operating using its own competences or at least two other companies. The European Commission's Cloud Sovereignty Framework grades individual offers, and its top grade requires "no critical non-EU dependencies". These criteria name exactly the right concepts. What the theorem shows is that no test of this per-layer form can certify the whole-stack numbers, because the failure mode lives in the pattern across layers: it appears whenever the same controller shows up at more than one layer. And that configuration is ordinary. One bloc supplies clouds, operating systems, and AI chips at once.

What the numbers say for Europe

We measured a 49-category map of the European digital stack, from raw materials to app stores, with sources on every link, and computed the two numbers on it.

At full depth, every category of European buyer we model (public sector, consumers, enterprises and industry, critical infrastructure, defense-adjacent) has a coercion number of one. Five different blocs each hold a switch on their own: the United States through software and silicon design, Taiwan through chip fabrication, Japan through materials and packaging, Korea through memory, China through raw-material processing. Every feasible way of running a European digital service touches all five. That sounds dramatic, so it needs its honest reading: this measures structure, who could stop what, in principle and at some horizon; it predicts nobody's behavior. Most of these blocs are allies and all of them are commercial partners. But strategy is about capability, and the capability is this concentrated.

If we set the semiconductor layers aside (call them the floor: no policy short of building factories moves them quickly) and ask only about the layers procurement and regulation can reach, the answer simplifies: one bloc, the United States, holds a switch alone, through the layers where the map records no alternative at all, network hardware and identity systems among them. (For the enterprise buyer, added in the July 2026 revision, China holds a second above-the-floor switch through the industrial IoT platform layer, under the stricter of our two codings.)

On the legal channel, meaning the power to compel or forbid through law rather than through commerce, two states hold unilateral leverage over every European buyer in the map: the United States, whose data-access and export laws reach fourteen of the 49 categories including EU-owned lithography, and China, whose export controls sit on the raw-material layers everything else stands on.

And the certificate illusion shows up exactly where the theorem predicts. The European public-sector buyer passes a per-layer two-suppliers test at every one of its required layers. Its whole-stack option number is one.

Where finer detail changes the verdict, in both directions

A map of 45 categories is coarse: a category can hide options inside it. So we recomputed at the resolution of individual suppliers for the three layers where we have verified supplier-level data, and the answer split.

Good news first. For everyday productivity work (documents, mail, collaboration), a fully European stack exists today: European suites (the Nextcloud and openDesk family, Open-Xchange) running on European-controlled hosting (OVHcloud, Hetzner, Scaleway, and their peers). Above the chip floor, nobody outside Europe can cut that combination. The coarse map had said otherwise; the coarse map was too pessimistic there. German states have run this exit in practice, tens of thousands of mailboxes at a time.

Now the other direction. For AI accelerators, the market offers seven usable suppliers: Nvidia, AMD, Intel, Google's TPUs, Cerebras, Groq, Tenstorrent. Count controllers instead of suppliers and the seven collapse to one. Every one of them is a US firm under US export law. A plurality test at this layer overstates diversification by a factor of seven. Diversifying from Nvidia to AMD protects you against Nvidia's pricing; it does nothing against the only coercion scenario anyone actually worries about.

Two ideas worth keeping

Open source is a standing option. An input whose specification and code can be self-hosted (Linux, Kubernetes, open databases, open chip-instruction sets) is an option nobody can take away, because nobody outside controls it. The theory makes this exact: a forkable layer drops out of every would-be coercer's toolkit and puts a ceiling on what leaving your current supplier can cost. This is why the fully European productivity stack exists (it is built on open substrates) and why nothing similar exists behind the CUDA wall at the AI layer.

Indirect dependence adds up, and there is honest math for it. Economists track how dependence flows through supply chains with input-output methods descending from Wassily Leontief: if my supplier's supplier depends on X, then I depend on X a little too, and the little amounts accumulate along every path. The applied companion paper runs a graded version of this (each link weighted by how intense and how replaceable it is). One of the theory paper's results says the shortcut is trustworthy in a precise sense: whatever the exact cut-and-option logic says is exposed is exactly what the Leontief accounting says is exposed, and making links more replaceable never increases measured dependence. The two views agree on the map; they differ only in how finely they grade the shades.

What follows for policy

Count controllers, never just suppliers; ask the question at the level of whole stacks, never one layer at a time. Certificates should certify the system quantity, which means assessing the pattern of control across layers, something no per-offer audit currently does; this is becoming urgent as the EU moves sovereignty criteria into procurement law. Where options exist, procurement can buy them, and every purchase keeps the option alive for everyone else, which markets under-reward. Where options are absent for everyone, at the floor, only capacity-building adds one; no label, wrapper, or transfer of ownership does. And openness is an instrument, the cheapest standing option there is.

One caveat belongs in the last word as much as in the first. These are structural numbers computed from a documented but incomplete map, at stated resolutions, on stated scopes, and "can cut" is a statement about capability, never a forecast. The full papers carry every source, every coding choice, and every self-check, and the scripts that reproduce every number are public in the project repository.