At a Glance

• On June 1, 2026, China put into effect the Provisions on the Protection of Trade Secrets, classifying any non-public algorithm, dataset or software program as a trade secret — while leaked internal documents revealed the parallel development of an AI tool designed to identify political opponents before they act.

• On June 3, 2026, the European Commission unveiled its Tech Sovereignty Package: the Cloud and AI Development Act (CADA), a revised Chips Act, and the EU’s first formal definition of “digital sovereignty” — an ambitious agenda that European industry insiders already describe as outpacing the bloc’s actual delivery capacity.

• The EU now holds a real regulatory arsenal — the AI Act, a new foreign investment screening regulation, the Data Act — but its coherence and speed of execution remain unproven against a China that treats data not as a privacy right, but as a national economic asset.

This image is used for illustrative purposes only.

A double trigger in forty-eight hours

Sometimes a calendar says more than a speech. In the space of forty-eight hours, two rival blocs placed their pieces on the artificial intelligence board.

On June 1, Beijing put into force the Provisions on the Protection of Trade Secrets, issued by China’s State Administration for Market Regulation (SAMR), the country’s primary market oversight authority. The first update to Chinese trade secret law since 1998, the regulation explicitly classifies algorithms, datasets and software programs as trade secrets, with fines of up to 5 million yuan (approximately €630,000) for confirmed violations. Simultaneously, internal documents from Geedge Networks — the company that sells a commercial version of China’s Great Firewall, the vast internet censorship and surveillance infrastructure — analyzed by Vanderbilt University researchers based on a trove of files that leaked in September 2025, describe the development of a predictive AI system designed to identify potential political opponents before they act, by cross-referencing location data, telecommunications records and internet activity.

On June 3, the European Commission presented its Tech Sovereignty Package: the Cloud and AI Development Act (CADA), a revised Chips Act, and the first formal EU-level definition of what “digital sovereignty” actually means.

Two visions of data. Two speeds. Two political models. One shared urgency.

What Europe is building — and what is still missing

The June 3 package carries real weight. The CADA aims to triple EU data center capacity within five to seven years and establishes four tiers of sovereignty for cloud services used in public procurement. The revised Chips Act shifts from a supply-side to a demand-side model, seeking to build a large enough domestic market to justify advanced semiconductor manufacturing on European soil. Member states will be required to conduct mandatory sovereignty risk assessments, mapping their dependence on non-European technology infrastructure.

That is not nothing. But the industry is already tempering expectations. Twenty-four European cloud company CEOs wrote to Henna Virkkunen, the European Commission’s Executive Vice-President for Tech Sovereignty, Security and Democracy, warning of “sovereignty washing” — the risk that CADA compliance labels are granted to American hyperscalers like Amazon Web Services, Microsoft Azure and Google Cloud without meaningfully reducing their dominance in EU public contracts.

The underlying challenge is industrial: according to projections from Forrester Research, Europe’s technology spending in 2026 exceeds €1.5 trillion — but the bulk of that sum flows to non-European providers. The package’s ambitions may be outrunning the physical delivery capacity available on the continent: data centers, engineers, computing power.

The regulatory arsenal exists — its coherence is fragile

On paper, the EU is not defenseless. The AI Act, which has been rolling out progressively since 2024, prohibits general social scoring systems and mass biometric surveillance tools — precisely the kind of technology Geedge Networks is developing for China’s domestic market and reportedly exporting to third-party governments. The Data Act governs data portability and sharing. The revised foreign direct investment (FDI) screening regulation, whose compromise text was approved in February 2026 and whose formal adoption is expected later this year, will require all EU member states to screen acquisitions in sensitive sectors, explicitly including AI models with systemic risk.

But the coherence of this arsenal has gaps. The new FDI regulation does not define uniform operational thresholds — each member state retains discretion that creates a risk of forum shopping: a hostile investor could enter through the most permissive national gateway to reach a target elsewhere in the bloc. The previous decade made the cost of that gap visible: between 2015 and 2022, funds linked to Chinese interests acquired stakes in several European semiconductor companies — including Nexperia in the Netherlands, Siltronic in Germany, and LFoundry in Italy — before the affected states tightened their national screening mechanisms.

“The door to Chinese technology investment in Europe is still ajar.” — Centre for European Reform

Analysis: diverging models as a systemic risk

China’s sequence over recent weeks — legal lockdown of data, travel restrictions on AI engineers, the April 2026 reversal of Meta’s acquisition of Manus ordered by China’s National Development and Reform Commission (NDRC), the country’s top economic planning body — is not a reaction. It is a doctrine. Beijing treats data as a factor of national production, on par with capital or energy. That logic is consistent, enforceable and accelerating.

The EU treats data as an individual right to be protected. That is a principled position — and a potential competitive liability in an economy where the volume of trainable data determines the power of AI models.

This is not an argument for Europe to abandon its fundamental guarantees. It is an argument for making them operationally coherent: the CADA, the AI Act, the FDI regulation and the Data Act form an ecosystem whose pieces were designed at different moments, by different directorates, for partially different objectives. Their practical articulation has yet to be tested at scale.

What separates the two models is not regulatory sophistication — Brussels has no reason for embarrassment there. It is industrial execution capacity: fabricating chips, building data centers, training engineers, assembling training datasets at scale. Technological sovereignty is not decreed — it is built, component by component.

The Bottom Line

Europe chose the regulatory path to protect its data and govern AI. China chose the industrial and security path to lock it down. Both agendas converged this week by the sheer force of the calendar. The real question is not which model is more just — it is which one will be operational first.

Sources: Euronews · European Parliament Legislative Train · Atlantic Council · Centre for European Reform · Council of the EU · TechPolicy Press · Forrester Research