Ben Evans takes a timely comparative look at the approaches of the EU and Türkiye to digital sovereignty, with a focus on cloud computing.
This blog was published first by NASAMER Law Blog, Koç University Law School, Türkiye on 23 January 2026.
Overview
Digital sovereignty, which may be defined broadly as the ability of a state to exercise control over its digital infrastructure, is set to become a watchword of 2026. Cloud computing has emerged as a fundamental digital infrastructure and represents the foundational layer for the flourishing and effective governance of pan-industry digitalisation and AI driven innovation. The perceived inadequacy of the European Union (EU) digital legislative acquis for achieving exigent competition, innovation, and digital sovereignty goals has led to vocal calls for an industrial policy driven approach that shifts the focus away from regulation and towards investment in building EU digital infrastructure capacity. In Türkiye, primarily sectoral rules have long sought to establish a degree of digital sovereignty. The announcement at the end of 2025 that the country’s first hyperscale cloud region will be established through a partnership between Turkcell and Google Cloud will put its sovereignty framework to the test. As the EU contemplates its digital future, there is an opportunity to critically assess Türkiye’s approach, which serves as a case study in the evolving relationship between law and industrial policy.
The European Problem
In the EU, concerns arising from increasing geopolitical and geoeconomic uncertainty have prompted an urgent assessment of the extent to which the world’s largest trading bloc has become reliant upon foreign firms for its digital infrastructure, in particular cloud computing. Despite the maturity and complexity of the EU digital legislative acquis, none of its instruments – including the General Data Protection Regulation, Data Governance Act, Data Act, Digital Markets Act, Cybersecurity Act, Cyber Resilience Act, and NIS2 – appear capable of cutting to the core of the European problem. And this seems unlikely to change substantially with the advent of the Digital Omnibus proposal published by the European Commission (EC) in November 2025. Although the EC concurrently launched three formal market investigations into cloud computing services under the Digital Markets Act, to sovereignty advocates this will be little more than weak tea. Moreover, while October 2025 saw the publication of the Cloud Sovereignty Framework, which comprises an assessment matrix designed to facilitate the evaluation of cloud procurement by EU institutions, commentators have already questioned whether its design risks exacerbating entrenchment issues by potentially legitimising ‘sovereignty washing’ by foreign incumbents. Momentum for change could begin to manifest in the roll-out of the Digital Networks Act, Cloud and AI Development Act, Quantum Act, and a revised Chips Act in the first half of 2026 (EuroActiv, 05/01/2026).
Arguably the foremost articulation of the European problem – and, crucially, a potential solution – may be found in the EuroStack initiative. Launched in the European Parliament in September 2024, EuroStack is a strategic initiative that seeks to foster the development of an independent EU digital infrastructure. While aimed at reducing reliance on non-EU technologies, it explicitly ‘does not advocate for “decoupling” Europe from US tech, nor for “complete independence”’ (eurostack.eu). Rather, it is intended to ‘power up European industrial capacity’ by providing ‘autonomous alternatives and more – not less – competition.’ By focussing on buying, selling, and funding EU technologies and innovation, the EuroStack initiative seems to offer up a vision for a very specific kind of digital sovereignty that prioritises industrial policy over the prevailing regulatory approach, which has given rise to a proliferation of often unclear, overlapping, and inharmonious laws that are challenging to enforce.
The Turkish Opportunity
Türkiye’s ostensibly less mature and complex digital rulebook should not, at least given the EU experience, necessarily be interpreted as a weakness. Indeed, its largely sectoral approach collectively imposes significant obligations on firms providing digital infrastructure. In addition to the Law on the Protection of Personal Data No. 6698, which controls cross-border data flows and sets out data residency principles, specific banking and finance regulation establishes localisation rules for critical financial data and systems, and the Electronic Communication Law No. 5809 mandates data security and residency requirements for telecommunications. The latter is complemented by secondary regulation concerning network and information security, which sets out reporting and control measures. Importantly, Presidential Circular 2019/12 establishes sectoral data localisation for critical public infrastructure data. Finally, the 2025 Cybersecurity Law No. 7545 provides a framework for state oversight and critical sector designation. Overall, while foreign firms enjoy considerable market access with the freedom to operate and partner with domestic actors, their commercial liberty functions within a legal framework that enshrines strong domestic oversight and, frequently, local control over digital infrastructure, including cloud computing.
Whereas the EU is facing up to the reality that it risks technological relegation, despite promising innovation and remarkable human capital; Türkiye’s fast-growing economy has yet to bloom, and the country appears ambitious to leverage its unique geopolitical and geoeconomic position to secure a future as the digital coupling between East and West. At least a part of this ambition may be operationalised as early as 2028 – 2029 thanks to an announcement at the end of 2025 that the country’s first hyperscale cloud region will be established by a partnership between Turkcell and Google Cloud, through which Türkiye intends to ‘establish a digital bridge between Europe, Asia, and the Middle East, and … become the data hub of its region.’ (Anadolu Ajansı, 23/12/2025) Described as ‘sovereign cloud’, some critics may be quick to brand any such partnership as ceding control over digital infrastructure to foreign powers. However, the precise details of the partnership are not yet clear, and there may be reasons why it should not be couched as a capitulation. In reality, Türkiye’s approach underscores a fundamental trade-off between the risk of potential dependency on and accelerated access to the advanced digital capacity and know-how of innovative foreign firms. Ultimately, digital sovereignty is not a binary concept; rather it operates on a sliding-scale according to the level and design of legal controls.
Conclusion
In a crucial year for the European problem, the Turkish opportunity may provide a timely lesson in dualism. For Türkiye, the objective of establishing strong domestic capacity in and legal control over digital infrastructure appears to be balanced against maintaining openness to foreign technologies in a way that may enable the country to embed itself at the core of regional and global cloud computing networks. Globalisation is evolving, rather than perishing, and clear, predictable, and enforceable law should properly be understood as the cornerstone of industrial policy that enables such evolution.
Ben Evans is a Guest Researcher at NASAMER, Koç University Law School, Türkiye, and a PhD Researcher in IT, IP, and Competition Law at UEA Law School and Centre for Competition Policy, UK.
