The Backdoor you're comfortable with

Data flows are power flows, and jurisdictions are never neutral. Europe's dependency on US tech infrastructure creates the same structural risk it criticises in others

Over the past week, two pieces of content have been shaping the mental context for this article: Keith Rabois’ viral post on Airwallex, and Micode’s latest documentary on CIA interference in French tech. One comes from the heart of Silicon Valley (Miami?), the other from a leading French YouTuber doing investigative work.

Together they sketch the same uncomfortable picture: data flows are power flows, and jurisdictions are never neutral. This pushed me to revisit a question that Europeans often avoid because the answer is geopolitically inconvenient.

Two things can be true at once:

  • the US remains the centre of gravity for global tech
  • Europe should be asking itself the same hard questions Keith Rabois is raising about China, just applied to our own dependence on the US.

We talk about digital sovereignty, publish strategy documents with more acronyms than verbs, and then… grow our AWS spend and move more workloads to US infra.

Keith’s recent thread on Airwallex stressed this, but on the Chinese side.

In his words, Airwallex, a global payments and financial technology company, is "a Chinese backdoor into sensitive American data," alleging that US companies have not been told that their financial operations, payroll flows, and vendor payments are being processed by a company whose staff, infra, and shareholders fall under Chinese National Intelligence Law.

His core argument is simple: if data passes through a jurisdiction whose laws allow secret state access, that government effectively has a backdoor, regardless of the company’s intentions.

Replace "China" with "the US" and Europeans suddenly find themselves staring at a very familiar problem. We pretend not to see it because the cognitive dissonance would make half our economy implode.

Is the US doing to Europe what China is doing to the US?

When Europeans hear "China has a backdoor into US tech flows," they don’t just nod along; there’s an eerie sense of familiarity, a quiet recognition that the logic feels a little too close to home. The structural mechanism is almost identical, and here are 3 pieces of legislation to prove it:

  • The US has FISA 702: This allows US intelligence agencies to demand data from major cloud providers, email platforms, and large SaaS companies, even when the target is a non-US person abroad. These orders are secret, and the individuals affected never find out.
  • The US has the CLOUD Act: This legislation requires US companies to hand over data they "control," even if that data is physically stored in Europe or elsewhere. In practice, it means jurisdiction follows the company, not the server location.
  • The US has Executive Order 12333: This governs intelligence collection conducted outside US soil and does not rely on warrants or court oversight. It allows broad interception of data moving through international networks. In other words, some European data never needs to touch a US server or US company to be intercepted.

This isn’t a new debate. Two agreements that allowed European companies to send personal data to the US (Safe Harbor and Privacy Shield) were struck down 5/10 years ago because the EU’s top court ruled that once European data enters the US, it can be accessed under American surveillance laws in ways Europeans can’t contest or even see.

It’s the same underlying logic as Keith’s argument about Airwallex: once your data enters a jurisdiction where intelligence agencies can secretly compel access, you’re no longer dealing with "just another vendor", you’re dealing with that state’s interests and that’s exactly why I feel that eerie sense of familiarity when hearing his critique.

A 1-to-1 comparison?

If you read Keith’s critique of Airwallex as a highlight of data and jurisdictional dependency, it's a very lucid observation. Let's have a look at how this observation maps to the EU specifically.

This isn’t anti-Americanism, it's a neutral observation of what exists today.

Europe’s tech stack is very American

Europe frames the US as a benevolent supplier of cloud, compute, models, platforms, social networks, app stores, semiconductor design, and security guarantees. Unfortunately, when economic partners have a change of heart around alliances, dependencies become a growing strategic liability.

Look at Europe’s tech stack today:

Not much Europe in that list... and beneath it all: FISA, CLOUD Act, EO 12333.

When allies behave like rivals

Europeans like to believe we live in a world of aligned democracies where strategic competition is reserved for adversaries. The historical record suggests otherwise.

  • The NSA's Echelon programme conducted economic surveillance on European allies for decades.
  • The Snowden documents revealed that GCHQ and NSA hacked Gemalto, the French-Dutch SIM card giant, to steal encryption keys protecting mobile communications worldwide.
  • More recently, Micode's documentary resurfaced the alleged CIA involvement in acquiring a French tech company in SIM cards and payments, partly to neutralise competitive threats.

All great powers act in their national interest, even when their public rhetoric is cooperative. This doesn't make the US an enemy, it makes them a rational actor whose interests won't always align with Europe's.

So what could Europeans actually do about it?

I’m not advocating decoupling from the US. Europe’s prosperity has been historically tied with American innovation, markets (and security guarantees). That's a fact whether you like it or not. It’s also important to recognise a simple historical reality: the software and technology centres of gravity will remain American for years to come. You can’t unwind 30 years of compounding tech leadership, talent concentration, capital formation, and platform dominance. Not in a decade, and certainly not by waving policy papers alone (we're working on that).

1- The new wave of capabilities
Building homegrown capability takes time, and aiming for parity with the US on every technology front is unrealistic and in my view not desirable. That shouldn't stop Europe from developing leading capabilities in the novel technological primitives such as AI. That's exactly the bet companies like Mistral.ai are making, where the slate is fresher, incumbents haven't formed around the category and the opportunity surface is wider (check out their latest release).

2- How about the existing stack?
Acknowledging our strong technological partnership with the US doesn’t mean we should accept total dependency; I believe we still need national or European capabilities on the historical tech infra bricks and while these may never be globally dominant, they could be "good enough" to sustain critical parts of our tech infrastructure without relying entirely on foreign jurisdictions.
What about a third way with open source? It doesn’t magically make us independent, but it avoids the binary choice between “fully sovereign” and “fully dependent on US vendors.” With open source, you’re not locked into a foreign company’s infrastructure or legal regime; you can run the software yourself and adapt it to your needs. For a lot of the foundational tech layers (databases, operating systems, orchestration tools), this may already be "good enough".

Build critical capability at home

Being deeply integrated with the US tech stack comes with structural risks we may downplay because the alternative (China or irrelevance) is perceived to be worse.

🇪🇺
What matters more: Having the absolute best capability, or avoiding a dependency that could become a strategic choke point?
  • France has already lived through this dilemma. The "Windows scandal" of the 2010s revealed that key defence systems were built on US software the state couldn’t fully audit or control. Microsoft supplied the software, but France insisted on running it on sovereign infrastructure to retain control. The shift to SaaS broke this dynamic. Once applications run on remote servers outside national jurisdictions, the state no longer truly governs its own data. As the Minister said: "If everything shifts to SaaS, we lose control and for the military, that’s not acceptable."
  • This isn’t just a French story. The UK went through a similar situation during the NHS-Palantir debate. Palantir offered world-class capability, but it came with a dependency risk: a critical national institution outsourcing its core data infrastructure to a US intelligence-adjacent company subject to FISA and the CLOUD Act. The public debate was not about performance, people acknowledged that Palantir’s stack was extremely capable, but about whether the country was locking itself into a vendor it could neither regulate nor replace.

Sovereign tools have often lagged behind the global best, so the tradeoff used to be straightforward: if you wanted to move fast, you picked AWS or GCP. They were cheaper, better, and where the talent already knew how to operate. For startups (and even for governments) sovereignty came with an obvious tax on velocity, and in a fast-moving technological race, that cost mattered.

The landscape (and geopolitics) have shifted now. As AI systems become part of the state’s nervous system, the old logic of "capability first, sovereignty later" stops being reassuring. The question is no longer whether sovereign options are perfect, it’s whether they’re good enough for the critical parts of the stack. With AI infrastructure, that tradeoff is very different than it was a decade ago.

Not everything needs to be sovereign but it seems that nation states are agreeing on the need for a few core capabilities:

  • Cloud & sensitive-sector hosting
    Not "cloud" broadly, but jurisdictionally contained, air-gapped infrastructure for defence, health, energy, and government workloads. This is why France has Outscale, Germany has SAP Sovereign Cloud, and why OVHcloud and other local players dominate regulated workloads.
  • Compute & model-training capacity
    Not every country needs their own frontier models, but relying entirely on foreign black-box model serving creates unacceptable dependencies. EuroHPC systems (LUMI, Leonardo, MareNostrum 5) and initiatives like Mistral Compute exist to ensure Europe can train and run models on its own terms.
  • Identity, authentication & cybersecurity
    Digital ID, trust frameworks, and incident response capabilities must be under national control. Initiatives like Estonia’s eID, Denmark’s MitID, FranceConnect and cyber teams like ANSSI and BSI are steps in the right direction.
  • Semiconductors, chip design
    Total autonomy is impossible, but Europe is securing partial sovereignty: ASML in the Netherlands (lithography), STMicroelectronics in France/Italy, Infineon in Germany, and EU Chips Act-supported projects to expand regional fabs.
  • Telecoms & critical network infrastructure
    Telecom is dual-use by design (and Huawei is a strong recent example). Europe relies on Nokia and Ericsson for 5G/6G, pushes Open RAN and funds secure subsea cables.
  • Payments & financial rails
    SEPA, the European Payments Initiative, and the Digital Euro all aim to reduce Europe’s exposure to US financial law and dollar-centric extraterritoriality.
  • Space & sovereign launch
    A strategic layer often forgotten: Airbus OneSat, Eutelsat, ArianeGroup, and new EU-funded constellations give Europe controlled space-based comms and Earth-observation capacity.

This list isn't meant to be exhaustive but more about securing national choke points: the places where the loss of control would immediately translate into geopolitical, economic, or military vulnerability.

The real question behind all this

If data flows create leverage, whose leverage are we comfortable living under? And what degree of dependency is compatible with being a meaningful actor in this tech age?

Let's be clear, Europe’s relationship with the US is not the same as the US-China relationship, but Keith's article is an uncomfortable reminder of the eerie structural asymmetry Europe is experiencing with the US.

| Concern Keith raises about China | European concerns about the US |
| --- | --- |
| Engineers in China can be compelled to cooperate | US cloud engineers can be compelled under FISA |
| CCP obligations can compel Chinese entities and citizens to cooperate, even abroad | US law applies extraterritorially through the CLOUD Act and EO 12333 |
| Critical US data flows through Chinese infra | A huge share of EU data flows through US infra/apps |
| Customers unaware of risk exposure | I would assume the same in the EU if you survey customers |