Addressing Questions Over Europe's AI Act, Digital Sovereignty, and More

Audio of this conversation is available via your favorite podcast service.

In Europe, the digital regulatory landscape is in a state of flux. Over the past few years, the EU has positioned itself as a global leader in tech regulation, rolling out landmark laws like the AI Act. But now, as the much-anticipated AI Act approaches implementation, the path forward is looking anything but smooth.

Reports suggest the European Commission is considering a delay to the AI Act’s rollout due to mounting pressure from industry, difficulties in finalizing technical standards, and geopolitical tensions—including pushback from the US government. At the same time, a broader movement for Europe to reduce its dependence on American tech is gaining momentum: What does this push for digital sovereignty actually mean?

To help us unpack all of this, Tech Policy Press associate editor Ramsha Jahangir spoke to Kai Zenner, Head of Office and Digital Policy Advisor to German MEP Axel Voss, and one of the more influential voices shaping the future of EU digital policy.

What follows is a lightly edited transcript of the discussion.

Ramsha Jahangir:

Today we are turning our focus to Europe where the digital regulatory landscape is in flux. Over the past few years, the EU has positioned itself as a global leader in tech regulation, rolling out landmark laws like the AI Act. But now as the much-anticipated AI Act approaches implementation, the path forward is looking anything but smooth. Reports suggest the European Commission is considering a delay to the AI Act's rollout due to mounting pressure from industry, difficulties in finalizing technical standards and geopolitical tensions, including pushback from the US government.

At the same time, a broader movement for Europe to reduce its dependence on American tech is gaining momentum. What does this push for digital sovereignty actually mean? To unpack all of these complex debates today, I'm joined by Kai Zenner, Head of Office and Digital Policy Advisor to MEP Axel Voss, and one of the more influential voices shaping the future of EU digital policy.

Kai, thanks so much for joining today. Let's start with what's on everybody's mind right now. That is the AI Act. What do you think is going to happen? Do you believe it will be fully implemented?

Kai Zenner:

Yes, many thanks, first of all for the invitation. Pleasure to be here. Yeah, it's a good question and I think probably not even the AI office in the European Commission has a clear answer right now to your question because indeed there is a lot of uncertainty around the Commission. But also member states are facing a lot of pressure from industry, but also from the U.S. government, and also from other international partners to delay the implementation or enforcement of the AI Act to also make some changes, which the Commission could do, for example, in the court of practice, in the template, in the guidelines on high risk, on GPAI models and so on and so on. And well, this Commission to criticize them a little bit, is not really, at least in the digital field, known for very, very wrong leadership and so on. So they are right now I think waiting to see what they should do. I'm sure maybe also internally discussing.

And we in the European Parliament here is that there are a lot of different camps in the European Commission that are currently discussing with each other, trying to convince each other what are the best steps. Some of them, what we hear are actually arguing that the AI Act and its enforcement should be really part of the tariffs negotiations with the Trump administration. Others are saying, "No, definitely not. We should not touch our piece." So this is a little bit one layer. And the other layer, which you also mentioned, is more connected to implementation difficulties on the ground and there to say my political groups, so MEP Voss is in the EPP group, a conservative group. We actually together also with other groups like the liberals from the very beginning already in the negotiations said that the timetable is too ambitious, that it needs time for public authorities to bid up their national competent authorities, for the Commission to bid up a strong AI office, but also think about notification authorities in member states.

In Germany it would be [inaudible 00:04:09] for conformity assessments, but also for the companies to create the necessary instruments, risk management and so on. And of course technical standardization and [inaudible 00:04:23], all of that is rarely impossible in one or two years. But during the negotiations when we mentioned those points, it was often brushed away as, "No, it's important to implement it quickly and we will manage." And therefore we feel now a little bit confirmed in our worries back then because now it actually really seems that national member states, the Commission standardization and so on will all not be ready in time. And therefore there are some good reasons for discussing delays.

However, Axel and I, and this is my last point, would be maybe supportive of small delays when it comes to create a sufficient governance structure, but we should not now start to question the whole AI Act and all of our political decisions because there was a strong majority for the AI Act as it is. And we would feel very, very strangely if now we are starting to re-discuss suddenly the whole AI Act or maybe thinking about a long-term pause or delay of the AI Act. So therefore, to make it short, we are really a little bit split between, yes, there is a justification for a very, very small and targeted delay or extension, but we would not at all understand any significant changes or significant delays.

Ramsha Jahangir:

And that obviously comes with risks because of course we're talking about in a geopolitical context that we are in, there's a lot of attention to the AI Act's implementation and the signal that sends globally if there is even a delay in its implementation. So of course, do you recognize what the message would be, even if because of targeted changes, there is a pause? And then secondly, some of it you've already mentioned, but do you think the Commission, what is the Commission's capacity to implement not just the AI Act, but the digital laws in general, both politically and technically?

Kai Zenner:

Yeah, the first question is very, very important. And indeed, if you don't have very, very good communication and on top also clear commitment and agreement between all the different political actors, but also within the Commission from all responsible Commissioners and so on, that it's really staying with the targeted revision or delay, then of course the box of Pandora could be opened. And there is this risk that a message comes across that the European Union doesn't really believe anymore in the AI Act, in the digital framework, in all those values that we promoted over the last years. And therefore this of course would be a terrible thing to send out. And there again, I'm going back to my criticism. I miss a little bit real leadership right now on that point because again, you could justify a small justification, but then you would need to combine it with very clear language why you are doing it. You would need to give examples of what is being delayed, what is critical.

For example, the Commission in my opinion, should now not just finger point to the member states and say, "Okay, they are too late or companies are too late." But also say for example, we are still in our building up process. To your second question, we as an AI office still do not have enough capacities to fully implement, even enforce even the GPAI model. We need more time. And over the next six months, for example, we have the following plans and therefore we are extremely sure that after those additional six months, for example, we will be fully capable of starting that. You would need to send those signals out, I think in order to prevent the whole global stage. Thinking of Europe, it was another publicity stunt but there was not really substance behind it.

And just to compliment a little bit more on your second question, my feeling right now, of course the Commission and especially the staff in the AI office, but also in the DSA, DMA enforcement team and so on, lot of highly committed people, highly qualified people that are working often day and night, not having a lot of holidays and so on and so on. So it's great what we have there, but especially at the starting period where they need to bid up, and also new procedures, they need to establish links to each other. Think about a topic like deepfake, it's falling in GDPR, it's falling in AI Act, it's falling in DSA and so on. All those structures will need time to be established.

Therefore, I think it's a normal thing at the very beginning of new laws and especially such a variety of new laws that we saw over the last months and years, we take some time and especially the Commission, we need to find some ways how to better enforce it, how to leave work, the situation where they're often working in work silos because all those files are interconnected and this is right now definitely not happening. So all those different units and all those different DGs are still working in the past on their topic. And this broader scale or broader approach is definitely not happening right now.

So especially there beyond hiring more people, is a lot of additional work still missing. And maybe one thing that we proposed in our European Way paper that we published two or three weeks ago was this idea of a digital enforcement agency taking away those enforcement powers and bringing it to a more independent body like BEREC maybe even more. Or if there's no political appetite for something like that, I think at least we should think in Europe about a coordination platform. Many member states have it, or now also for two or three years as the UK with the digital regulation coordination platform or forum, which is bringing all those different enforcement bodies together. And again, I think this is really the biggest problem that we in Brussels have right now, that we have a lot of committed people, a lot of really good-intentioned governance actors, but they need to work better together.

Ramsha Jahangir:

There's definitely a coordination crisis like you've pointed out, but then there's obviously political alignment. That is another issue. And with that, I think I'm going to come to the other big debate happening in Europe, and that's on digital sovereignty because everybody has their own definition of what this is. So maybe I'll actually start with a very basic question. What in your view does digital sovereignty actually mean?

Kai Zenner:

Yeah, and I answer in a very, very basic and general way in order to keep it so broadly and get most people on board for us. So Axel, my boss and I, we are working on this topic for a long time. Let's say maybe we started already in 2018, '19 and so on. And for us it was always the same, the opposite of protectionism or isolation and so on. We are still committed to our transatlantic partnership. We want to keep working with Canadian companies, with South Korean companies, Thai companies and so on. We actually want to even increase our cooperation with trustworthy international partners.

At the same time, we feel, and the EU commission was actually doing already a lot of good work, think about cyber resilience, 5G debate and so on. But there's still a lot that needs to be done in this field, which is to think about critical dependencies, about areas where we are currently forced to use maybe just one foreign company that is maybe not always in line with our European values and therefore there are maybe reasons to not kick them out completely, but to look a little bit for alternatives to diversify a little bit and so on.

So it's really digital sovereignty in my mind and Axel's mind is a very strategic approach, which is still embedded in our community of international partners, but is trying to strengthen up Europe, to bid up our own European alternative infrastructure, alternative parts of the tech stack or where we are not able to do it ourselves, again, look for maybe better partners then some of those companies that we are heavily using now.

And the last point on that is of course we don't want to now build European leaders in the field of browser, of social network and so on and so on. But what our understanding of digital sovereignty would try, that in those areas where Europe is still leading. Just yesterday The Economist was publishing some very interesting graphics. We saw again that for example with biotech or with quantum, Europe is really worldwide with U.S., with China in a kind of lead. So maybe there it really makes sense to build up some European champions, or at least like in the Gaia-X case, think about the federated system of European and non-European companies where you have via technical protocols, a certain list of values and rules. But again, only there where it really makes sense. We don't want to waste a lot of money to just for the sake of it, build a lot of European alternatives that then no one will use or that don't really have any chance on the free market.

Ramsha Jahangir:

There's a lot to unpack there, but just for background, what prompted this? Because the effort and the vision to establish digital sovereignty as you mentioned, has been around for some years. What happened now that's prompted this push and also why has EU struggled to define this so far?

Kai Zenner:

Yeah, again, two very good questions. First of all, indeed it's a topic, I think it's almost as old as the internet or digital technologies and so on and so on. There were definitely a lot of pushes. I can now just speak from my professional career. The first real push was with Thierry Breton, the former French commissioner in 2019, '20 when he picked it up. And also Ursula von der Leyen was speaking very often about European way to digitalize digital sovereignty and so on and so on. But maybe due to COVID, maybe due to other geopolitical, but also economical political developments, it soon died a little bit, this kind of momentum that we had in 2019, '20.

And maybe if I want to talk about mistakes back then, and we were already back then part of a broader movement, I think one of the big mistakes has been that this whole push came across rather protectionist. So there was again this idea of building up now everything on our own, basically creating an Airbus for every part of the tech stack. And then of course those people who are not supportive of Europe's tech sovereignty had, let's say an easy target to push back.

And now to your also second question, what changed is, well, the topic was never really dead. So it was, let's say in our community, we were working on it between all those years of a kind of tech sovereignty winter to use an AI term. And now that there's a tech sovereignty summer, we can basically use all those materials that was being collected that was already used in the previous episodes again. And what makes the moment now more promising is that maybe parts of the movement have learned a little bit from mistakes of the past, but also of course with Trump 2.0, with other international challenges from Israel, Palestine to Ukraine, Russia to, I don't know, financial or budget problems and so on. I would say there is really momentum in particular after the Draghi report and the letter reports in Europe and all the competitiveness and discussion that finally we need to do more on tech sovereignty.

And this brings me to your second question, what was being done wrong now, not so much when it comes to the campaign or the movement, but more on the ground is that many of those initiatives. Again, the Commission had a lot of really good ideas, for example, on cyber resilience, the CHIPS Act, also Digital Decay program from 2022. You could maybe argue that certain ideas are not that important and maybe should have been replaced by others. But I would say in general it was a good idea. What didn't help was that many member states didn't really follow up as they didn't invest enough. You see it, for example, with the Digital Decay, there's this plan until 2030 to have 10,000 edge computing nodes. Now we have still three, I think at least last year so far away. There were a lot of political differences in, for example, how member states are feeling about using Huawei networks in their tech ecosystem and so on. So really no political agreements as it also didn't help.

And again, maybe as a third point over the last years that really didn't help, we had a lot of very promising initiatives, commercial initiatives on the market. But unfortunately we as political level, but also the companies, we are not really able to position themselves in the public's sphere enough. So most of those projects didn't get enough attention, enough attraction, companies were often not willing to join or create a joint venture to really not only think about their own profits, but the greater good. And therefore many, many promising chances have not been used and pushed forward.

And again, my big hope is now with all the momentum, your political momentum. Also on those last point, there is maybe now a change in mentality. And that again, if we have a very good chance or if there is a very good public-private partnerships that is very promising, that member states and companies are then maybe not thinking about, okay, I want to have this project in Germany or otherwise I will not invest as German government. Or I want to profit the most out of it, otherwise I will not invest in it as company B or C. I hope this mentality is really, at least for now, gone. And again, all players, private sector, public sector, really thinking more about the greater good.

Ramsha Jahangir:

One thing that comes to mind is that obviously related to extreme push, there's also this effort from U.S. companies to Europeanify their EU businesses. They're making a lot of effort to store data locally. So do you think this is enough in terms of making infrastructure more European or is there still a need to come up with local solutions? And again, building on that, and I'm combining questions a lot, but one thing that I think about a lot is this issue of data extraterritoriality that's tied to this. Those are obviously different things, different from digital sovereignty. So how do we reconcile all of this when on one hand, U.S. companies are making efforts to Europeanify their EU businesses, but on the other hand, there is still the persistent issue of data flows, especially with the U.S. Cloud Act, which can compel access to data stored in Europe by U.S. companies?

Kai Zenner:

First question I would answer in a similar way, as I already indicated several times, if you would really approach the topic of tech sovereignty or digital economy, digital transformation in a more strategic way, I think we could easily separate between those U.S. companies that are just pretending to give us a better deal, to present us a more Europeanized offer that is taking more care about our European values, for example, is more compliant with our high privacy standards, GDPR and so on and so on. And those companies that really care, that play fair, that for example really are giving their customers a lot of freedom and almost complete control, for example, to your second question also how the data is being stored, really committing that they would not face jurisdiction problems if for example, the U.S. Cloud Act is being activated and so on and so on. To be very clear, I have at the moment, I will not name those companies, but I have two or three companies particularly in mind when it comes to clouds because there are huge differences in those offers, those different U.S. companies presenting.

So yes, I saw also a lot of new offers coming from America that were reacting, a clear direct reaction to our EuroStack movement, to all those discussions here in Europe on tech sovereignty. But again, I think if you are taking a little bit of time and if you are looking a little bit behind what they are proposing, it's very easy to separate between good offers and bad offers.

And the second question is of course, I think the easy answer is it needs to be solved internationally, and the OECD is working on international data transfers for a long time. There were some promising steps between the old government from Biden and CEU, there were ongoing discussions. At the moment, they have stopped because the U.S. side needs to reestablish all the key players on those topics. So we will need to wait. We will need to see how this is playing out. Until then, until this international solution hopefully one day can be found, I think again, thinking more strategically, it means that in certain areas, to give you a clear example, in Germany the secret service currently made a deal with a U.S. technology company.

I think this is one easy and very clear example of where maybe you should not do it because this area is so critical and so sensitive that you definitely don't want the Cloud Act or any other piece of non-European legislation to force a company to put your most secretive data at risk and so on. So maybe in those areas, at least for now, you should think with a European alternative, because they are, especially now when it's about clouds, there are a lot of good alternatives that lack scale and maybe lack the generality of certain U.S. cloud providers, but especially for those niche topics or areas, they are way enough. They are really sufficient.

So taking the Cloud Act and other things into account, maybe there you should really not decide, at least for certain U.S. companies that are not really able to commit and give you all the security that you need in other areas that are less sensitive, you can maybe accept it to a certain extent. Then again, those companies want to sell you a product so I can just repeat it. There are a lot of U.S. companies that are willing to make strong commitments to their European partners that for example, their data is safe or they are willing to build up certain capacities that are really not under their control.

But it's all going back to my original point, what is missing in the European Union is so far a much more strategic thinking and approach. And also my other point and approach, which is connecting all the dots and the different actors, because to your last point, international data transfer is also hampered by a situation that DG Connect is partially involved, DG justice is partially involved, DG Trade is partially involved and so on. And the same member states. So the different ministries and different DGs are all talking differently. But then of course you have also national interests that are also leading to different statements and wishes. And of course all those is not helping. And even if our U.S. counterparts want to give us the best offer, how can they make the right conclusion if they hear so many different things. So I think it's at least partially also our fault as Europe.

Ramsha Jahangir:

A lot of challenges. But I do want to come to concrete recommendations that some of them you've put out in your paper on Europe's way forward. But what do you think can be done to address political alignment challenges, coordination, as well as capacity building?

Kai Zenner:

Yeah, so just to give a little bit of background to our paper, it was a really long-term project over almost one year with a growing number of co-authors that I have worked with that were also rather active in the area of AI policy or tech sovereignty or the EuroStack movement and so on. Because all of us, again, are almost emotional when we are talking about this point because we really believe in what we are doing. We really believe that it's now or never, that Europe needs to act and that Europe, again is not making use of all its strengths and advantages and so on. So the bottom line of our paper is grow up, toughen up Europe because the world became a much more dangerous place to say it very, very politically. But also to make better use of all those good ideas, good laws, good initiatives that we have already in place by what the Commission tried back then with the Digital Decay and with the Declaration of Digital Rights and Freedoms to come up with general principles that are really what the European way to digitalize are all about.

So for example, that our digital technology is more sustainable than in many other areas, more trustworthy, that it's fully interoperable, that you are not having constant locked-in effects, that you are forced to stay always with one product, that we are promoting very much the open source sector and so on and so on. Our feeling is alone by, and we propose six principles, that could be a bit more, it could be a bit less, but by having those principles, those key principles and really make sure that they are applicable and integrated in all of our different initiatives would help so much to make them more coherent. Because right now, for example, in the AI Act, the greens and us from the EPP, we fought very much to bring the green deal and the green transition also in the AI Act. But the answer from the Commission was, "No, this is not our topic and therefore we don't want it."

But this is exactly what should not happen. It should be comprehensive, every and each law should tackle basically the whole digital transition and bring in all European values and standards that matter in this field. So this I think is the first and foremost most important step in order to have this coherence and make all of our isolated efforts much more effective, let's say, and streamline them. And I think this goes really hand in hand with one of the main points that Mario Draghi and then Enrico Letta and so on also had, without, by the way, without just deregulating. Because if you deregulate in a non-coherent way, which is at the moment a little bit what I'm afraid is happening with the Commission, you're not really solving anything. You are just making incoherent overregulation to incoherent deregulation. The result is the same. It's a mess. So I think and the authors, as the other authors, we are all thinking the most important point is coherence and alignment.

And then of course we were also thinking about certain obstacles that are around for a long time, the, of course, single market, again, the Draghi report was talking about the capital market union, about the banking union, but also on [inaudible 00:35:42], we are talking for almost 15 years about the same things, the same problems, the same issues that should be harmonized, but member states so far didn't want. And there our argument is first of all, now with the Draghi report, with your politics and so on, there's really momentum for change, which makes it highly likely in our view that if you are now starting large scale reforms from areas like digital infrastructure, digital single market to energy supply, to talent, attracting talent, keeping talent and so on, you would have a much better chance. But of course we know how difficult politics is, that there is always opposition and therefore we are also advocating to go back to this idea of a multi-speed Europe.

So what you saw, for example with Schengen, so with border management, internal border management with the euro that some member states were saying, "This is a good idea, we are going forward." Those member states are benefiting from this act of harmonization while other member states are out, they are not benefiting, but they are keeping their national competences. And then later on they can join if they think it's a good step or they stay out. With the euro, we saw that after some time, more and more countries were willing to join or were fulfilling those criteria that they need to fulfill in order to be able to join and something like that we call sovereignty compact.

Again, the idea of a multi-speed Europe that for example, one of the smaller reforms that we are proposing, a technology sovereignty fall, which would be created to promote especially European scale-ups, to attract bigger venture capitalists in Europe and so on and so on. That of course, only those member states that would be willing would create this fund, would benefit from this fund while others are then out and could decide to jump in at a later stage. Or an even better example is of course digital education. We really feel that at least in certain areas here, we need centralization, harmonization, we need for example, AI literacy or digital literacy courses, programs also to tackle better deepfakes, fake news and so on.

This is based on the EU treaties, very difficult for the European Union to regulate to do something, but again, via a sovereignty compact, this multi-speed Europe idea could solve it. For example, 10 member states are going forward, are creating such an approach and maybe after some time, the other 70 member states are thinking that this was a good idea and are slowly joining. And by leaving those resistant member states, behind is maybe the wrong word, but by giving them the chance to opt out and observe for some time, we feel there's basically no reason left to not go for a reform. So we are very much convinced that with that, plus the momentum that we see right now, big reforms could really happen.

Ramsha Jahangir:

One question, who is funding this? Because there's obviously an energy crisis, there's a lot of talk about energy, living costs going up across Europe, and then not all member states have the capacity to build infrastructure or fund these initiatives. So who will be footing the bill?

Kai Zenner:

Yes. Yeah, it's a good question. I could again answer it rather easily. If I refer now to Germany, which has created this huge front on infrastructure, it's partially creating a lot of debts, let's say. And as you said, not every and each member state could do it. Again, it could be an argument to say, okay, a smaller group of member states. So those member states that are capable to put away a budget or commit in other ways to put together money, and those are going forward and others are joining later if they are financially capable or in other ways capable to jump in. However, as also especially our group of co-authors, we are not really big fans of top-down approaches that basically everything needs to come from the public sector and so on. And therefore, for example, when I came to Brussels, there was just the Juncker Initiative starting this 315 billion investment initiative, which was a little bit IEB, the bank, but the vast majority was basically private money.

And this we see especially in the field of EuroStack, in the field of digital infrastructure as a much better solution that you create really projects that are making also sense for companies in a commercial way or in a long-term planning way because they are also relying on this infrastructure and so on. And use them basically also to bring us forward. So in the end, it's a little bit like it's a new society contract or something like that. So we really see that all actors that are capable to ship in should come together to make it work. And if there is a will, we see it, [inaudible 00:42:31] of money. It was the same with COVID, with Ukraine and so on and so on. And if we are right, tech sovereignty is similarly important, could become an existential threat to the European project. This is why we feel if in the past money could be found, it should also now be found for something similarly important.

Ramsha Jahangir:

To end on a hopeful note, thank you so much, Kai. There's a lot to unpack. We could go on forever with this conversation, but thanks so much for your time. This has been very useful.