
European Sovereignty Starts With the Stack

DORA, the EU AI Act and rising vendor-risk requirements are putting the technology stacks of European fintechs under institutional scrutiny. The key question is whether infrastructure, data and AI dependencies are governable, auditable and resilient.


For the past decade, the European fintech conversation has been dominated by a single question: how do we grow faster?

More users. More products. More markets. Faster onboarding. Lower friction. Better apps.

That question is not going away. But it is no longer the most important question facing European financial infrastructure. A different question is now arriving, and it is being asked not by founders but by regulators, governments, and the institutional partners that determine which fintech firms become systemically embedded and which remain permanently dependent.

The question is this: who controls the infrastructure that European financial services actually runs on?

The infrastructure layer most fintechs have not thought about

Every fintech product sits on top of a stack. Some of that stack is visible: the bank account, the payment processor, the licensed partner. Most of it is not.

Beneath the product layer, European financial services increasingly runs on cloud infrastructure owned by three American companies. AI models that power credit decisioning, fraud detection, AML monitoring, and customer communication are largely trained, hosted, and updated by non-European entities. Customer data (transaction histories, behavioural profiles, financial health indicators) flows through systems governed by legal frameworks that are not always aligned with European data protection expectations. Operational dependencies on non-European orchestration layers, identity providers, and compliance tooling have grown quietly for a decade.

None of this was a strategic choice. It was the consequence of thousands of individual procurement decisions made on the basis of cost, capability, and speed, not strategic sovereignty.

The reckoning with those decisions is now beginning. And it is arriving not through a single regulatory event but through a series of institutional friction moments that are progressively raising the cost of dependencies that were previously invisible.

Why this is a fintech problem, not just a geopolitical one

European financial sovereignty sounds like a topic for ministries and central banks. It is increasingly a topic for fintech CEOs, because the firms that will scale into institutional partnerships over the next five years are the firms that can demonstrate operational independence from dependencies that European institutions are now being required to scrutinize.

The regulatory signal on this is no longer subtle. DORA, which has applied since January 2025, requires financial institutions to map every material third-party ICT dependency, assess concentration risk, impose minimum contractual standards, and demonstrate to regulators that their technology supply chain is governed and resilient. The European Financial Data Space is advancing. The EU AI Act is live. The Digital Operational Resilience requirements are being enforced.

The direction of regulatory travel is consistent and unambiguous: European financial institutions must understand, govern, and where necessary reduce their operational dependencies on non-European infrastructure. And those requirements flow directly down to the fintech and infrastructure providers in their supply chain.

A fintech that cannot answer the question “where does your data go and who controls it” is not a viable long-term partner for a European bank navigating DORA compliance. That is not a regulatory abstraction. It is a commercial reality that is already arriving in vendor due diligence processes.

The four infrastructure layers where sovereignty matters most

1. Who owns the rails

Payments infrastructure in Europe has become increasingly concentrated in the hands of a small number of non-European networks. Visa, Mastercard, and a handful of American processing platforms handle the overwhelming majority of European card transaction volume. Instant payment infrastructure through SEPA is European by design, but the overlay services, fraud detection layers, and data analytics built on top of it are often not.

The wall: A Berlin-based payments infrastructure firm reaches an advanced stage of commercial negotiations with a major German savings bank. The bank’s vendor risk committee requests a full mapping of the firm’s operational stack. The mapping reveals that transaction routing, fraud scoring, and settlement confirmation all flow through a single American processor with no contractual data residency guarantees and no DORA-compliant exit arrangement. The partnership is put on hold. Six months of commercial progress stalls on a dependency question that no one had asked before that meeting.

The European Payments Initiative and the Digital Euro project are both, at their core, sovereignty projects, attempts to ensure that the infrastructure through which European consumers and businesses transact is owned and governed within Europe. For fintechs building on top of existing rails, the question is whether their operating model is designed for a world in which European alternatives become institutionally preferred, or required.


2. Who controls customer data

Financial data is the most commercially valuable category of personal data that exists. A complete picture of someone’s income, spending, saving, borrowing, and investment behaviour is more predictive of future behaviour, and more commercially exploitable, than almost any other data asset.

The open banking framework created by PSD2 was in part a sovereignty project: an attempt to ensure that European consumers could control their own financial data and that European firms could build on it. The European Financial Data Space, currently advancing through the EU legislative process, extends that logic to institutional and business financial data.

The wall: A fintech data platform reaches the final stage of a partnership process with a Nordic insurance group. The insurance group’s data governance team asks a single question: under what legal framework is customer financial data processed, and where is it stored? The answer, “US cloud infrastructure, Standard Contractual Clauses, no explicit data residency guarantee”, triggers an internal escalation. The firm’s legal team concludes the arrangement requires renegotiation before sign-off. The commercial timeline shifts by four months. The fintech’s CEO learns for the first time that a procurement decision made three years earlier is now a commercial liability.

The actual control of customer data (where it is stored, how it is processed, which AI models are trained on it) remains contested. Many European fintech platforms aggregate and analyse European customer financial data through infrastructure and AI layers that are not European. The commercial implications of this arrangement are becoming visible as the regulatory framework tightens.


3. Who controls the AI layers

This is the dependency that most fintech firms have not yet fully reckoned with.

AI is not a feature in European financial services in 2026. It is operational infrastructure. Credit decisioning. Fraud detection. Transaction monitoring. Customer communication. Risk scoring. All of it increasingly AI-mediated. And the models performing these functions are, in the overwhelming majority of cases, trained, hosted, and updated by non-European entities operating under non-European legal frameworks.

The EU AI Act creates mandatory governance requirements for high-risk AI systems in financial services. DORA creates third-party risk management requirements for ICT systems, which include AI infrastructure. BaFin requires a management-approved AI strategy with defined accountability for any AI deployed in a regulated context.

Each of these frameworks points to the same underlying requirement: European financial institutions must be able to explain, audit, and if necessary replace their AI dependencies. A fintech whose core operational AI layer has no European data residency, no auditability, and no substitutability is a fintech whose institutional scalability is structurally constrained. Whether or not it currently understands that.

The wall: A credit infrastructure firm is three weeks from closing a contract with a German regional bank. The bank’s AI governance committee, newly constituted under EU AI Act obligations, requests the firm’s AI model documentation: training data provenance, model explainability framework, update governance, and substitution plan in the event of model unavailability. The firm uses a third-party American AI model for its core credit scoring logic. It has none of the requested documentation. It did not know it needed it. The contract does not close on schedule. The firm spends the following two months rebuilding its AI governance documentation from scratch, for a dependency it chose because it was the best available model, not because it was the most governable one.


4. Who controls operational dependencies

Cloud concentration is the most widely discussed sovereignty risk in European financial infrastructure. With good reason.

The operational dependency of European financial services on AWS, Azure, and Google Cloud is not a commercial convenience. It is a systemic concentration risk that regulators have explicitly named and are now explicitly acting on.

DORA’s concentration risk provisions require financial institutions to assess whether dependency on a single third-party ICT provider creates a vulnerability affecting financial stability. The question is not whether a firm uses cloud infrastructure. Every firm does. The question is whether the operating model could function if a specific provider were unavailable. Compromised. Or subject to a geopolitical event affecting its European service availability.

For fintech firms operating entirely on a single cloud provider, with no portability architecture, no exit plan, and no contractual resilience provisions, that question is currently unanswered. And institutional partners are now requiring answers before partnerships proceed.

The sovereignty premium is becoming real

For the past decade, European financial infrastructure firms that made sovereignty-conscious choices (European cloud providers, GDPR-aligned data architectures, auditable AI, portable operating models) often paid a capability or cost premium for those choices without a visible commercial return.

That is changing. European banks, asset managers, and insurance companies are now conducting vendor due diligence that explicitly asks sovereignty-related questions. Public sector financial institutions are making vendor choices on the basis of data residency and operational independence. Regulatory frameworks are progressively tightening in ways that make non-European dependencies more expensive to maintain and harder to defend in a supervisory conversation.

The sovereignty premium is becoming a sovereignty discount for firms that ignored it and a durable competitive advantage for firms that did not.

What this means for fintech operating structure

The connection to operating structure is direct and practical.

A fintech that wants to scale into European institutional relationships over the next three to five years needs to be able to answer a set of questions that were not on anyone’s radar five years ago. Where is customer data stored and processed? Which AI systems make operationally significant decisions, and are they auditable? What are the material third-party ICT dependencies, and what is the concentration risk? Is the operating model resilient to the loss of any single provider? What are the exit arrangements for material outsourcing relationships?

These are not compliance questions. They are operating model questions. And the answers are not found in a legal review; they are found in how the firm was built, how its infrastructure is architected, and whether its governance structure was designed with these questions in mind.

The firms that built quickly on the most capable available infrastructure, regardless of origin, regardless of data governance implications, regardless of operational portability, built something real. But they also built a set of structural dependencies that will need to be addressed before institutional scale becomes accessible. The longer those dependencies remain unexamined, the more expensive the reckoning becomes — in time, in commercial momentum, and in the partnerships that do not close because the dependency map, when finally drawn, produces answers that institutional partners cannot accept.

The direction is fixed. The question is timing.

Innovation will continue. Growth will continue. The products European consumers and businesses need from their financial services will continue to evolve.

But the direction of European financial infrastructure is no longer ambiguous. The regulatory frameworks, the institutional procurement requirements, the supervisory expectations, the geopolitical pressures, all of them point in the same direction. European sovereignty over the rails, the data, the AI, and the operational dependencies of financial services is becoming a structural requirement, not a policy preference.

The firms that will define European financial infrastructure over the next decade are not simply the most innovative. They are the most institutionally credible. The firms that built operating structures capable of surviving the dependency audit, the vendor risk committee, the AI governance review, and the supervisory conversation.

That audit is coming for every firm in this space. The only variable is whether it arrives as a planned review or as the reason a partnership did not close.

The stack you chose in 2021 is being evaluated in 2026. The stack you choose today will be evaluated in 2029. European sovereignty starts with that decision, and it starts now.