Seriously Risky Business Newsletter
June 11, 2026
Srsly Risky Biz: Europe Wants To Wean Itself Off US Tech
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by SpecterOps.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The European Union Commission has proposed a tech sovereignty package that covers a range of initiatives around semiconductors, cloud computing and AI. We'd be surprised if these initiatives have a major impact in the short term, but this is still a good move for Europe.
The key initiative of the proposed package, in our view, is the Open Source Strategy which aims to "strengthen digital autonomy through open source". Although it's not stated explicitly, the intent here is to wean Europe off the US tech stack by encouraging open source alternatives.
The strategy says it will take "concrete actions", for example reforming government procurement rules to make them more open source friendly. EU governments will also award grants to open source projects under the strategy.
European distrust of the US government and American tech companies has been brewing since the International Criminal Court's chief prosecutor Karim Khan had his Microsoft email services suspended. The services were cut when the court was sanctioned by US President Donald Trump in May 2025.
And just this month Apple removed the Russian messaging app Max from its App Store and stopped delivering the app's push notifications due to sanctions. This effectively kills the Russian government's efforts to push its population onto a surveillance-friendly national messenger, at least on the iOS platform.
Russia is not the European Union, of course, but the EU is nonetheless twitchy about the US tech sector applying similar measures against its member states at the behest of the White House. Since 2025 President Trump has spoken of annexing Greenland and Canada and has threatened to withdraw the US from NATO. You know, totally normal stuff!
One visible manifestation of this lack of trust is that European governments are already dumping American messaging platforms in favour of open source secure messengers. This year the French government has also announced that it is binning Microsoft Teams and Zoom, and replacing Windows with Linux where it can.
In addition to bolstering European sovereignty, the strategy's fact page says using open source could also be cheaper and more secure.
Another area of focus in the sovereignty package is semiconductors. Europe does have some chip champions, such as the Dutch lithography company ASML, but the continent collectively supplies less than 10% of global semiconductors.
The main objectives of the proposed European Chips 2.0 efforts are to improve investment conditions, accelerate approvals processes and essentially encourage customers to buy European. Given the intense global competition, where other governments are also investing in chipmaking initiatives, we don't expect that European efforts will make any discernible difference.
This feels like it was included in the package because it involves a key area of geopolitical competition, rather than it being an area where the Commission thinks it can make a significant difference.
Chipmaking is a massive, global industry. Rather than trying to shape a complex global supply chain in the midst of a semiconductor bunfight between the US and China, the EU has rightly concluded there are better things it can spend money on and gone for a light touch here.
Speaking of better places to spend money, the sovereignty package also aims to triple Europe's data centre capacity over the next five to seven years. This includes building up to five AI Gigafactories, "large-scale facilities with 100,000 state-of-the-art AI chips" and speeding up the regulatory approval processes for their construction.
These are worthy goals, as sovereign software doesn't buy you all that much technological independence if you don't also have sovereign infrastructure. However, the limiting factor here is likely to be electricity. Unfortunately, Europe's data centre strategy emphasises data centre energy efficiency and sustainability without mapping out how to bring new energy sources online.
Of course the EU's shift here is 100% an American own-goal, and a predictable one at that. China's three-ringed Huawei circus showed the world that, in the long term, a country can have internationally competitive tech giants or an aggressive and coercive foreign policy, but not both.
NSO Group's Reanimated Corpse Targets WhatsApp Users
This week Meta announced it caught NSO Group targeting its users in a new hacking campaign and is petitioning a court to hold the spyware company in contempt.
In 2025 a US court granted a permanent injunction preventing NSO Group from targeting WhatsApp's services. In that court case, NSO argued that the injunction "would put NSO's entire enterprise at risk" and "force NSO out of business". Oh no!
But it seems NSO has had an epiphany here: injunctions can't slow you down if you ignore them.
In its announcement this week, Meta said it "successfully disrupted NSO-linked social engineering attempts" that tried to trick people into clicking malicious links to external websites. It also caught NSO Group creating WhatsApp test accounts and groups.
What NSO seems to have forgotten is that spyware companies can only employ one of two broad strategies. The first strategy limits sales to customers in the US and allied markets, and vets buyers rigorously. Paragon Solutions, for example, consults with the US government to make sure it doesn't put noses out of joint.
The second approach is to sell to all and sundry and not give a hoot about due diligence or what your product is used for. For this strategy to work, the company needs to forgo the US market and hope US lawsuits don't catch up to the company's founders.
The fundamental problem for NSO Group is that it has tried using both strategies at the same time. It wanted to sell its product to US customers, while ignoring all standards of responsible behaviour and selling its capabilities to tinpot authoritarian governments that engage in human rights abuses.
This is how NSO has wound up on the wrong side of the Meta lawsuit and is subject to US government sanctions.
We've little doubt that NSO Group has been lobbying the Trump administration for some relief on the sanctions side of things. David Friedman, who was US ambassador to Israel in President Trump's first administration, was appointed executive chairman of NSO Group in November 2025. That hasn't paid off so far, and the company remains on the US Entity List.
Getting busted by Meta for ignoring a court injunction in 2026 will not help get it removed from the list! In its blog post calling out NSO's latest alleged campaign, Meta actually argued sanctions should remain in place because NSO "continues to defy US courts".
We agree, and we actually expect the company's behaviour to deteriorate further. Per Wednesday's Risky Bulletin:
A researcher who tracks spyware operations told Risky Business on Monday that while NSO has lost most of its staff and contracts, its semi-dead legal status has made it more desperate and dangerous, with its tools being used in campaigns that most surveillance vendors would want nothing to do with.
Back in October 2025 TechCrunch reported that an American investment group bought a controlling stake in the company for "tens of millions of dollars". At the time we wondered whether US investment might result in NSO Group turning a corner and behaving responsibly. We now have our answer: No.
NSO Group is in a deep deep hole but just keeps digging. Hopefully it will eventually just do the one thing everyone hopes it will: lie down and die.
Watch James Wilson and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Massachusetts lawmakers vote for privacy: The Massachusetts house voted 146-0 to pass a privacy bill that would block the sharing or sale of sensitive information without a user's explicit consent. Further coverage at TechCrunch.
- Anthropic has an AI model release strategy: In separate posts over the last week, Anthropic announced a two-tier approach to granting access to its cutting edge models. Access to the newly released Claude Mythos 5, its most capable model, is being granted to a small number of organisations in Project Glasswing. For general use it has also launched Claude Fable 5, the same underlying model with stronger cyber security safeguards. The good news is that this seems like a reasonable strategy for safer release of frontier models, although we've got no idea how effective it will be.
- Bulletproof host shuts down: THE.Hosting Group has shut down operations after raids on two of its member companies last month. Dutch police seized more than 800 servers and arrested the two co-owners of the companies. The parent group was a rebrand of Stark Industries, a bulletproof hosting provider that was sanctioned by the EU for hosting Russian hacking and disinformation infrastructure.
Sponsor Section
In this Risky Business sponsor interview, Tom Uren talks to Justin Kohler, Chief Product Officer at SpecterOps, about how attack paths exist in the seams between different identity or permissions management domains.
Shorts
Kremlin Rejigs Security Cameras
A surveillance system used to protect President Vladimir Putin was shut down until it was disconnected from the internet, reports The Financial Times. The steps were taken by Russian security officials after reports that hacked cameras were used to provide intelligence that informed the lethal strike against Iran's Supreme Leader Ayatollah Ali Khamenei in February.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq speak at the NATO CyCon conference on Cyber Conflict in Tallinn, Estonia. The pair discuss how cyber operations complement conventional military operations and the past, present and future of cyber conflict.
Or watch it on YouTube!
From Risky Bulletin:
UK wants tech firms to block child nude photos: Tech companies operating in the UK must introduce device-level software that blocks children from taking, sending, and receiving nude images. The companies have until September to comply with a new rule announced by UK Prime Minister Keir Starmer on Monday. The new protection must be added to all phones and tablets sold in the UK. Tech companies that don't comply could face huge fines and criminal prosecution of their executives. [Keir Starmer speech // The Guardian]
RubyGems adds dependency cooldowns to counter supply chain attacks: The RubyGems package manager has added support for dependency cooldowns as a way to counter a recent spate of supply chain attacks. The move copies similar efforts made in the JavaScript and Python ecosystem this year.
Dependency cooldowns are parameters that tell the package manager to install dependencies only if they are of a certain age in days. For example, a dependency cooldown of "7" will only install packages that are at least a week old.
The idea behind dependency cooldowns is to allow security tools, the admins of package repositories, and library maintainers time to detect compromises and pull down malicious versions.
[more on Risky Bulletin]
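The selection rule described above, as an added example that is not RubyGems' own code: a resolver that picks the newest release at least `cooldown_days` old and skips yanked ones. The gem releases, timestamps and function names are constructed for illustration.

```ruby
require "rubygems" # for Gem::Version comparison
require "time"

# Constructed registry listing for a hypothetical gem; not real data.
RELEASES = [
  { version: "2.3.0", published: "2026-05-01T09:00:00Z", yanked: false },
  { version: "2.3.1", published: "2026-05-20T14:30:00Z", yanked: false },
  { version: "2.4.0", published: "2026-06-02T08:00:00Z", yanked: true  },
  { version: "2.4.1", published: "2026-06-09T22:15:00Z", yanked: false },
].freeze

# Fixed "install time" so the example is reproducible.
NOW = Time.iso8601("2026-06-11T00:00:00Z")
SECONDS_PER_DAY = 86_400

# Age of a release in whole days at time `now`.
def age_in_days(release, now)
  ((now - Time.iso8601(release[:published])) / SECONDS_PER_DAY).floor
end

# Newest non-yanked version that has aged past the cooldown.
# Returns nil when nothing qualifies, so the caller fails closed
# instead of silently installing a too-new release.
def resolve(releases, cooldown_days, now)
  best = releases
         .reject { |r| r[:yanked] }
         .select { |r| age_in_days(r, now) >= cooldown_days }
         .max_by { |r| Gem::Version.new(r[:version]) }
  best && best[:version]
end

# Versions the cooldown is currently holding back (worth logging for review).
def held_back(releases, cooldown_days, now)
  releases
    .reject { |r| r[:yanked] }
    .select { |r| age_in_days(r, now) < cooldown_days }
    .map { |r| r[:version] }
end

if __FILE__ == $PROGRAM_NAME
  puts "cooldown 0 -> #{resolve(RELEASES, 0, NOW)}"
  puts "cooldown 7 -> #{resolve(RELEASES, 7, NOW)}"
  puts "held back  -> #{held_back(RELEASES, 7, NOW).join(', ')}"
end
```

With a cooldown of 7, the one-day-old 2.4.1 is held back and 2.3.1 is installed, which is the window the passage describes for a compromise to be detected and pulled.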
Senate votes down FISA extension: The Senate has voted against reauthorizing FISA Section 702 surveillance powers. A bill reauthorizing FISA passed through the House but failed in a 52-47 vote in the Senate on Friday. Backroom efforts to pass FISA reauthorization failed after President Trump named Bill Pulte as acting director of national intelligence despite his having no experience in intelligence work. FISA surveillance powers are set to expire on June 15. [Politico]