The European Parliament’s January 2026 resolution on technological sovereignty confronts a truth that engineers cannot solve: when sensitive data must answer to foreign courts, no amount of encryption restores the rule of law.
On 22 January 2026, the European Parliament adopted its resolution on European Technological Sovereignty and Digital Infrastructure. The document has attracted considerable commentary as an industrial policy statement. It deserves equal attention as a legal one. Read carefully, the resolution is a catalogue of structural vulnerabilities in the rule of law — and a challenge to every practitioner who handles digital evidence, cross-border proceedings, or sensitive client data.
The core thesis is unsparing. Europe’s growing dependence on non-EU digital infrastructure — cloud servers, data centres, communications platforms — has created a condition in which the enforcement of EU law can be silently overridden by the legal demands of third-country governments. That condition is not a regulatory gap to be filled by the next directive. It is a sovereignty deficit. And as the resolution makes clear, it cannot be solved with better cryptography.
I. The Diagnosis: Critical Dependency as a Legal Problem
The Parliament identifies what it calls “critical dependencies” as the central threat to Europe’s strategic autonomy. The resolution notes, with notable candour, that concentration of power among non-EU companies across key digital sectors is simultaneously weakening innovation capacity, democratic resilience, and security. Each of those three words is doing work that lawyers should notice.
“Democratic resilience” is not an engineering metric. It describes the capacity of democratic institutions — courts, parliaments, regulators — to govern effectively within their own legal orders. Where the infrastructure on which those institutions depend is owned, controlled, or legally subject to a foreign sovereign, democratic resilience is structurally compromised in ways that no service-level agreement can cure.
| Key Resolution Provision — Points 13–21 The Parliament’s treatment of digital public infrastructure is deliberately focused: investment and development should be targeted at areas where critical dependencies already exist. This is not a generalised aspiration to European industrial champions. It is a triage exercise — an acknowledgement that dependence has already taken hold in sectors of constitutional importance, and that remediation must be prioritised accordingly. |
For criminal defence practitioners, the most consequential passage in this diagnostic section is also the most quietly stated. The resolution reaffirms the EU’s need to retain “full sovereignty in the enforcement of its laws, particularly in the digital sphere.” The phrase “particularly in the digital sphere” is not decorative. It reflects the Parliament’s recognition that the digital sphere is precisely where EU legal sovereignty is most practically contested — not at borders, but in server logs, metadata repositories, and encryption key escrow arrangements that may be governed by laws that EU courts cannot touch.
II. Infrastructure as a Jurisdictional Question
Points 24 and 25 of the resolution address critical digital infrastructure with a precision that repays close reading. Point 24 identifies the strategic importance of a wide range of physical and digital assets, with specific reference to “cloud servers that contain sensitive information and data centres that process sensitive information.” The enumeration is deliberate. Cloud servers and data centres are not listed as economic assets. They are listed as security infrastructure — which, in legal terms, means their governance is a matter of sovereignty, not merely commercial regulation.
“The infrastructure that processes sensitive information is not merely an economic asset. It is a jurisdictional fact.”
Point 25 is the resolution’s most direct legal statement, and the one that should matter most to practitioners in criminal and human rights proceedings. It highlights the need to ensure that this infrastructure “falls under EU jurisdiction, meaning that it fully adheres to EU law.” The gloss — “meaning that it fully adheres to EU law” — is essential. The Parliament is not merely describing a desirable regulatory outcome. It is identifying a condition that presently does not always obtain.
Infrastructure that nominally falls within EU territory may nonetheless be legally subject to the demands of foreign governments under instruments such as the United States CLOUD Act, which permits US authorities to compel disclosure of data held by US-controlled entities regardless of where those servers are physically located. This is not a novel observation in academic literature. It is, however, striking to see it stated plainly in a legislative resolution of the European Parliament — and to see the remedy framed not as enhanced contractual protections or technical data segregation, but as a question of jurisdiction.
III. Cloud Services and the Limits of Technical Solutions
Points 66 to 69 address cloud services specifically, and they contain the resolution’s most important concession to legal reality. The Parliament recognises the need for “sovereign solutions that offer enhanced levels of control over data for certain categories of sensitive data.” The category-based approach is significant: not all data requires the same degree of protection, but some categories — those connected to national security, to law enforcement intelligence, and to professional privilege — require solutions that go beyond technical access controls.
| Points 66–69 Sovereign cloud solutions Recognition that certain categories of sensitive data require dedicated sovereign solutions with enhanced control — not merely contractual safeguards or technical access restrictions. | Point 25 Full adherence to EU law Infrastructure must not merely be physically located in the EU but must fully adhere to EU law — excluding extraterritorial legal regimes of third countries. |
| Points 13–21 Targeted public investment Digital public infrastructure investment should be focused on areas where critical dependencies already exist — a triage of constitutional importance, not industrial preference. | Point 24 Security and resilience Cloud servers and data centres processing sensitive information are classified as critical security infrastructure, imposing a strategic imperative rather than a commercial consideration. |
The Parliament then makes the observation that practitioners in criminal proceedings have long understood, but that policymakers have been reluctant to state explicitly: there are sovereignty considerations, in particular related to the extraterritoriality of binding legal regimes, that cannot be solved through technical discussions. End-to-end encryption, data localisation, and zero-knowledge architectures are important tools. They are not answers to the question of which sovereign’s courts have the last word over data processed by a given cloud provider.
| The CLOUD Act Problem — A Note for Criminal Defence Practitioners The extraterritorial instrument the resolution implicitly targets is the United States CLOUD Act of 2018, which authorises US law enforcement to compel US-based cloud service providers to produce data held anywhere in the world. EU data protection law — including the GDPR — provides no certain shield against such compulsion where the provider is a US-controlled entity. The practical consequence for criminal defence is acute: evidence gathered or stored on platforms subject to CLOUD Act jurisdiction may have been accessed by foreign law enforcement through channels that are neither transparent to the accused nor subject to EU judicial oversight. The resolution’s insistence on genuine EU jurisdictional adherence is the first step toward treating this as the rule-of-law problem it is. |
IV. Implications for Criminal Defence Practice
The resolution has immediate practical resonance for criminal defence lawyers operating in a digital evidence environment. Digital evidence in European criminal proceedings is increasingly sourced from infrastructure that the resolution now officially categorises as insufficiently under EU jurisdiction. That categorisation has consequences for admissibility arguments, for the integrity of the chain of custody, and for the enforceability of fundamental rights — in particular the right to a fair trial under Article 6 ECHR and the rights to privacy and correspondence under Article 8.
Where evidence has been obtained through foreign legal process — or where a service provider has disclosed data to law enforcement under a foreign legal instrument — the accused’s rights to challenge that evidence, to examine its provenance, and to test the legality of its collection may be systematically frustrated. The resolution does not resolve these questions. But it provides legislative authority for the proposition that the current architecture of digital infrastructure creates structural conditions inimical to the rule of law — a foundation on which litigators can build.
The EncroChat jurisprudence offers a telling illustration. The ECBA’s intervention in Silgir v. Germany, currently before the European Court of Human Rights, raises precisely these questions: whether the opaque mechanisms by which encrypted communications data was obtained and transferred across jurisdictions are compatible with Articles 6 and 8 of the Convention. The Parliament’s resolution — acknowledging that sovereignty considerations in digital infrastructure “cannot be solved through technical discussions” — lends institutional weight to the argument that judicial oversight, transparency, and effective judicial remedies are indispensable, and that technical processes cannot substitute for them.
“Where the infrastructure of evidence is beyond the reach of EU courts, the rights of the accused are hollowed out — not by legislative choice, but by structural dependency.”
V. Toward a Legal Architecture for Sovereignty
The resolution, taken seriously, implies a programme of work that extends well beyond industrial policy. It demands a legal architecture in which the infrastructure that processes data relevant to criminal proceedings, to legal professional privilege, and to the exercise of fundamental rights is genuinely subject to EU law — not merely to EU law as qualified by the extraterritorial reach of foreign legal instruments.
That architecture has several necessary components. First, procurement rules for public authorities — including law enforcement — that condition the use of cloud services on demonstrable EU jurisdictional adherence. Second, evidentiary rules that require disclosure of the legal basis on which data was obtained, including whether any foreign legal process was involved. Third, judicial cooperation frameworks that ensure defence access to information about data collection chains that traverse multiple jurisdictions. And fourth — perhaps most ambitiously — European sovereign cloud capacity that enables criminal justice actors to operate entirely within an EU legal perimeter.
The Parliament has named the problem. The legislative, judicial, and advocacy communities now bear the responsibility of translating that naming into enforceable standards. For criminal defence practitioners, the resolution is both a resource and a reminder: the digital infrastructure on which modern criminal proceedings depend is a legal question, not merely a technical one — and clients’ rights depend on how that question is answered.
NOTES & REFERENCES
* Alexis Anagnostakis is a criminal defence barrister registered with the Athens Bar Association (No. 25132) with over 25 years of practice in European criminal law, human rights, and digital evidence. He serves as Human Rights Officer and Chair of the Human Rights Committee of the European Criminal Bar Association (ECBA), is a member of the Greek Delegation and Criminal Law Committee at the CCBE, and holds admission to the ICC List of Counsel. He has litigated before the ECtHR, including Grand Chamber appearances, and has appeared as third-party intervener in cases involving digital evidence and fair trial rights.
1 European Parliament Resolution of 22 January 2026 on European Technological Sovereignty and Digital Infrastructure.
2 Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Pub.L. 115–141 (2018).
3 Silgir v. Germany, Application pending, European Court of Human Rights — ECBA Third-Party Intervention concerning the admissibility of EncroChat evidence under Articles 6 and 8 ECHR.
4 For the ECBA’s institutional position on digital evidence and algorithmic transparency in criminal proceedings, see the ECBA Human Rights Committee statements (2024–2026).
