Over-dependencies in services: A blind spot in the EU economic security strategy?

The Economic Security Strategy, launched by the European Commission in June 2023, focuses on overdependence on imported goods and the security of European infrastructure. The strategy also mentions services, but mostly with regard to cybersecurity infrastructure, reliable provision and data security. The new Single Market Emergency Instrument was designed to monitor the circulation of goods and services. However, the EU has paid little attention to assessing and reducing risks associated with its overdependence on imported digital and financial services.

Following Donald Trump’s re-election, the weaponisation of trade has expanded: the scope of de-risking has rapidly widened from focusing on China and the goods sector to the US and the service sector. Tech and crypto ‘bros’ are supporting the Trump administration, which in turn defends their presence abroad, most notably to dismantle digital rules (e.g. competition, content moderation, privacy, digital taxes) in the EU, their largest foreign market.

The uncertainty surrounding Trump’s commitment to the transatlantic alliance, combined with increased discriminatory tariffs and other coercive measures like increased taxes for foreign individuals or companies, means that the United States is no longer a reliable partner. Unfortunately, Europeans can’t cling to the idea that the second Trump administration is merely a temporary phase and hope for an eventual reconsolidation of historical ties. A new generation of American policymakers no longer prioritises the transatlantic relationship, and Europeans should actively pursue a double de-risking strategy – with respect to both China and the United States, and in terms of both goods and services.

If Europeans were to use the Enforcement Regulation and the Anti-Coercion Instrument to retaliate against coercive measures by the United States and opted to limit access to the Single Market for certain services, the European Commission would have the difficult task of identifying services with no available substitutes, to avoid a negative impact on European companies.

Since 2021, the European Commission has assessed the EU’s excessive dependency on certain imported goods. It is now also analysing with greater precision the concentration for producing critical components in certain countries or by specific companies. China’s leadership in refining critical minerals and its near-monopoly in rare earth processing is a well-known example of a critical dependency for the European technology sector. However, as long as the reliability of the United States as an ally was not in doubt, its dominance in software and digital services was seen as a matter of competition rather than an economic security concern.

As highlighted in the Draghi report of July 2024, the EU missed the turning point taken by the United States after 2000 with the expansion of the ICT and digital services sector, thereby limiting its productivity growth. But the report underestimates the risks related to the EU’s dependence on US professional, financial and insurance services, which grew alongside increasing reliance on US innovation in software and hardware in the 2010s, and then the development of US AI technologies in the 2020s.

A challenging statistical assessment

It is difficult to map the EU’s vulnerabilities in the services sector. Different statistical methodologies are used around the world, and granular data is lacking. Regarding transatlantic trade in services, Eurostat and the US Bureau of Economic Analysis (BEA) use different statistical frameworks and standards,^[1]  with distinct data collection methods.^[2] The classifications of digital services differ,^[3] as does the measurement of services provided through affiliates.^[4]

A complex risk typology

As the EU wakes up to a new transatlantic reality, some risks to European companies – such as the dependence on US cloud services – are thus better identified than others.

As long as the EU-US Data Privacy Framework remains at risk, European companies using US cloud providers to store or process EU customer data have no guarantee of GDPR compliance and face regulatory and financial risks. A US withdrawal from the EU Data Act, or increased difficulty in complying with European data processing rules, could no longer be carried out securely or in line with EU law. In addition to the risk of access transfer or surveillance of European personal and business data collected by major US cloud providers, a coercive ban on access to such data cannot be ruled out. US firms with datacentres in the EU could remain compliant with European rules. But diversifying existing cloud storage should be considered urgent. Vendor lock-in makes switching to other providers costly and complex, but as with other digital or financial services, the bigger challenge remains to find reliable substitutes. While European alternatives for cloud storage do exist, according to a broad estimate by Asterès, 80% of total spending on software and cloud services for business use in Europe goes to US companies,^[5] limiting support for the development of European alternatives. And the EU does not have any European substitutes for some software or credit card and digital payment companies (Visa, Mastercard, American Express, PayPal, ApplePay), as well as crypto currencies, which are predominantly American.

The EU is also dependent on US operating systems, both for computers and mobile devices. and on US business applications (e.g. enterprise resources planning, customer relationship management, accounting and finance…). In addition, not all functionalities are developed within a single application. They are composed of separate microservices^[6] communicating over a complex network. Failure in one dependency can trigger cascading impacts on other services and the entire application. These interdependencies are also inherent to new AI applications and amplifies the scope of economic security risks and call for a more granular approach that takes into account network effects.

The EU’s growing awareness of the need to better assess its dependency on foreign digital services should lead not only to a focus on current dependencies on US digital services, but also to anticipating future dependencies on foreign AI applications, especially as Chinese companies demonstrate a strong innovation capacity in the field.

Emerging Chinese AI players, such as Hunyuan, Doubao, and Qwen, are gaining traction and challenging the open-source DeepSeek foundation model. Chinese startups are actively developing AI applications to leverage data sharing technologies for the management of emerging technologies like smart cities, smart mining and smart transport. As China aims to redefine AI norms and practices globally by exporting its technologies, it will amplify its influence over the global tech landscape, including the EU.

Finally, calling for further integration of the Single market in his report “Much More than a Market”, Enrico Letta stated that the EU remains a “financial colony” of the US.^[7] As the US private equity continues to dominate the EU’s one, to scale up, startups go to the US to access capital. The EU needs an EU Deep Tech Stock Exchange to provide technological innovation in the EU with a European funding capacity.

The European doctrine for economic security that DG Trade has been tasked to present will now need to integrate those additional challenges.

____________________________________________________________________________________________________________

^[1] Eurostat adheres to the Balance of Payments and International Investment Position Manual, Sixth Edition (BPM6), developed by the International Monetary Fund (IMF). This standard is harmonised with the European System of Accounts (ESA 2010), ensuring consistency across EU member states. BEA also follows BPM6 for its International Transactions Accounts (ITAs). However, the BEA integrates these with the US-specific National Income and Product Accounts (NIPAs), which may introduce variations in classifications and presentations compared to Eurostat.

^[2] Eurostat relies on data provided by member states (collected through surveys, administrative records, and the Intrastat system for intra-EU trade). The focus is on cross-border transactions between residents and non-residents. BEA conducts its own surveys, such as the Benchmark Survey of Transactions in Selected Services and Intellectual Property and the Quarterly Survey of Transactions in Selected Services and Intellectual Property, to gather detailed data on services trade, including transactions through foreign affiliates.

^[3] Eurostat utilises the Extended Balance of Payments Services Classification (EBOPS 2010), which aligns with BPM6 and provides detailed categories for services, facilitating comparisons across EU countries. BEA employs its own classification system tailored to the US economy, which may not directly correspond to EBOPS categories. This can lead to challenges when comparing specific service categories between the US and EU.

^[4] Eurostat primarily focuses on cross-border services transactions and does not extensively cover services supplied through foreign affiliates. BEA provides detailed statistics on services supplied through foreign affiliates of US companies abroad and foreign companies operating in the US, offering a more comprehensive view of international services trade.

^[5] Asterès (2025) « La dépendance technologique aux softwares & cloud services américains : une estimation des conséquences économiques en Europe », April.

^[6] E.g. an e-commerce platform would user sign-up, login, password reset, stores and updates product listings, tracks product availability and stock levels, etc.

^[7] Thomas Moller-Nielsen (2024) “Letta: Europe is a ‘financial colony’ of the US, Euractiv, 2 October.