Europe Thinks It Lost the Internet and the UK Is About to Learn Why

I was at a conference last month where a Belgian cybersecurity official said something that stuck with me. He was talking about digital sovereignty—a phrase that usually makes my eyes glaze over—when he stopped mid-sentence, looked at the audience, and said: "We've lost the internet. Europe lost it and we're not getting it back."

The room went quiet. Not the polite kind of quiet you get when someone's being boring. The uncomfortable kind you get when someone's being honest.

He wasn't wrong. He wasn't even being particularly controversial. He was just saying out loud what anyone who works in tech already knows but finds impolite to mention at dinner parties.

The uncomfortable maths

Here's the bit where I get serious for a moment. Feel free to scroll past if you prefer the jokes, but the numbers matter.

Of the world's 20 largest technology companies by market capitalisation, precisely zero are European. Not one. The top 20 is split between the US (mostly) and China (increasingly). Europe contributes exactly nothing to this list.

Break it down further. Cloud infrastructure: Amazon, Microsoft, Google—all American. The European alternatives exist but hold single-digit market share. Social media: American or Chinese, depending on whether you prefer your data harvested by Californians or by Beijing. AI models: the leading foundation models are OpenAI (American, backed by Microsoft), Anthropic (American), Google (American), and an assortment of Chinese labs including DeepSeek and Alibaba's Qwen.

Europe has some capable AI companies. Mistral in France is doing interesting work. But "interesting work" and "globally competitive infrastructure" are different things. One gets you invited to conferences. The other determines whether your continent has any strategic autonomy.

The UK, post-Brexit, sits in an odd position. We're not quite European anymore but we're definitely not American. We're sort of adjacent to both while belonging to neither. Like a divorced parent at a school event, trying to work out which table to sit at.

The bit where this becomes a UK problem

You might be wondering why any of this matters to a business owner in Birmingham or a IT manager in Bristol. Fair question.

It matters because digital infrastructure is actual infrastructure now. The servers your business runs on, the AI tools your staff are adopting, the cloud platforms holding your customer data—none of this is neutral. It lives somewhere. It's governed by someone's laws. And increasingly, that somewhere is America and those laws are American.

This was true five years ago. It's more true now. And the UK government's response has been... delayed.

The AI Bill that was supposed to provide some framework for all of this? Pushed back until the spring King's Speech. Not cancelled, just postponed. Again. The Data Use and Access Bill is still grinding through Parliament. The Online Safety Act exists but implementation has been slow and patchy. Ofcom is doing its best but "doing its best" is not the same as "keeping pace with developments."

Meanwhile, every month that passes is another month where British businesses adopt American AI tools, move more data to American clouds, and build dependencies that will be extremely difficult to unpick later.

I spoke to a compliance consultant last week who described the current situation as "regulatory limbo with extra steps." UK businesses are trying to comply with UK GDPR (which is basically EU GDPR but slightly different), preparing for whatever the AI Bill eventually says, keeping an eye on EU regulations in case they do business there, and hoping nobody notices the gaps.

Nobody's noticed the gaps yet. Or rather, everybody's noticed them but nobody's done anything about it.

What Europe got wrong

Before I suggest what the UK should do differently, it's worth understanding what Europe got wrong. Because copying their mistakes would be stupid, and we should at least make fresh mistakes of our own.

Europe's approach has been to regulate what it can't build. GDPR. The Digital Services Act. The Digital Markets Act. The AI Act. Brussels produces regulation the way Silicon Valley produces startups—prolifically, expensively, and with variable quality.

Some of this regulation is good. GDPR, for all its implementation headaches, established important principles about data rights. But regulation alone doesn't create capability. You can write all the rules you like about how AI should behave. If you don't have any AI companies, you're just writing rules for other people's products.

The Belgian official I mentioned earlier had a phrase for this. He called it "governance without power." Europe gets to set standards for technology it doesn't control, built by companies it doesn't host, serving customers it can't effectively protect. It's better than nothing. But it's not the same as having skin in the game.

What the UK needs to do before it's too late

I'm going to suggest some things now. Some of them cost money. Some of them require political will. None of them are easy. But all of them are easier than explaining to future generations why we sleepwalked into digital dependency while arguing about whether AI chatbots needed to display age ratings.

1. Actually pass the AI Bill

Not a perfect bill. Not a comprehensive bill. A bill. Something that provides a baseline framework while remaining flexible enough to adapt as technology changes. The EU's AI Act took years and is already showing its age. The UK doesn't need to repeat that process. It needs something that exists.

The current draft has problems. It's too focused on high-risk categorisation and not enough on practical guidance for businesses. But those problems can be fixed through amendment and secondary legislation. What can't be fixed is continued absence.

2. Get serious about sovereign cloud options

I'm not suggesting the UK build its own hyperscale cloud from scratch. That ship sailed, hit an iceberg, and sank to the bottom of the Atlantic about fifteen years ago. But there's a meaningful difference between total dependency and having options.

The government should require that public sector data has a credible UK or UK-adequate hosting option. Not just "data stored in UK region of American cloud"—actual sovereign alternatives for the most sensitive workloads. This exists in fragments but needs proper investment and consolidation.

3. Fund AI capability, not AI committees

The UK has some genuinely capable AI research. The Alan Turing Institute does good work. Various universities have strong programmes. But there's a pattern where we fund academic research that produces papers, rather than applied development that produces products.

The government announced an AI Opportunities Action Plan. The question is whether "action plan" means actual action or the kind of action where everyone agrees to meet again in six months to discuss progress on the action items from the previous meeting about the action plan.

4. Create actual incentives for UK tech infrastructure

Tax breaks for data centre construction. Planning reform to speed up builds. Energy guarantees that make UK hosting economically viable. The boring stuff that determines where companies actually put their servers.

This isn't glamorous. It doesn't make good headlines. But a data centre built in Slough matters more for UK digital sovereignty than any number of policy papers published in Westminster.

5. Accept that some dependencies are strategic risks

Not everything needs to be sovereign. Your company's expense reporting software can live wherever. But some things—critical national infrastructure, healthcare data, educational records, government systems—probably shouldn't be entirely dependent on the continued goodwill of American technology companies and the stability of US-UK relations.

This isn't anti-American. Americans are lovely. It's just prudent to have backup plans. Every country that takes this stuff seriously does.

The closing argument

The Belgian official ended his talk with something I've been thinking about since. He said the problem with losing the internet isn't that you notice immediately. It's that you don't notice at all. Everything still works. Your emails arrive. Your cloud apps load. Your AI assistants answer questions.

You only notice when something goes wrong. When there's a policy change you don't like. When there's a geopolitical shift that affects pricing. When someone else decides what content your citizens can see, what AI your businesses can access, what data your government can protect.

By then, the dependencies are so deep that unwinding them seems impossible. So you don't. You just accept the new terms and conditions, like we all do, without reading them.

The UK hasn't lost the internet yet. But we're not winning it either. We're standing on the sidelines, producing thoughtful reports about what's happening, while the game continues without us.

The spring King's Speech will apparently include AI legislation. That's good. It's also about two years later than it should have been. But late is better than never, as long as we actually turn up.

I don't know if we will. But I know that the Belgian was right about Europe. And I'd rather the UK didn't have to give the same speech in five years' time.