The Kill Switch and the Long Arm
Presenting the European Commission’s technology sovereignty package in June, Henna Virkkunen stated that one of its aims was to ensure that “nobody has a kill switch” over Europe’s critical systems. In the same press conference, Virkkunen—the commission’s executive vice-president for tech sovereignty, security, and democracy—singled out the U.S. CLOUD Act as a reason American cloud and artificial intelligence (AI) providers would struggle to reach the new rules’ most stringent sovereignty requirements.
Virkkunen’s comments reflect a major concern driving Europe’s sovereignty push: that reliance on American technology exposes Europe to the American government. But she fuses two different kinds of U.S. power—a distinction drawn sharply in the scholarship on weaponized interdependence, and one built into U.S. law itself. One is the kill switch, which disables or degrades a system by cutting off the access or updates it needs to keep running, through sanctions or export controls. The other is the long arm, which can force a U.S. provider to produce data it holds abroad, or to assist foreign intelligence surveillance.
Contracts, corporate structure, and product design can narrow that exposure, but no guarantee puts an American-owned cloud or AI stack beyond the U.S. government’s reach. Both powers remain in place vis-a-vis any country whose digital ecosystem relies on American providers and U.S. technology.
Europe’s and others’ concerns about these powers are not theoretical. The Edward Snowden leaks exposed the foreign intelligence side of U.S. access to data held by American providers and sparked European litigation over data transfers to the United States, which remains unresolved. The U.S. government has, on occasion, flipped the switch, but it has become a more urgent matter in the wake of the Trump administration’s recently reversed order compelling Anthropic to suspend foreign national access—including at allied institutions—to Mythos 5 and Fable 5, its most capable large language models.
The EU’s sovereignty package attempts to address the risks posed by these powers with location, ownership, control, and supply chain requirements. The proposed Cloud and AI Development Act (CADA)—a key part of the package—would sort cloud and AI services into four assurance levels—from EU-located infrastructure at the bottom to full supply chain control that’s free of third-country interference at the top—and require government agencies to match sensitive workloads to higher levels, in some cases swapping foreign services for European ones.
Europe’s reasoning behind CADA is that a provider subject to U.S. law must comply with U.S. orders, regardless of its contracts. Europe’s answer, then, is to change who owns the provider, and ownership rules are one of the few tools it can use without American cooperation. The CADA may also serve other goals, including industrial competitiveness and resilience. But, in reality, it and similar policies do only limited work against the two powers. The switch follows American inputs. Even a European-owned service may run on American chips, software, models, updates, or support. The long arm follows the data, and if a U.S. company can reach it, then U.S. legal process can reach it.
If Europe’s worry is the switch and the long arm, proposals like CADA are an incomplete answer, and possibly a counterproductive one: years and billions of euros spent for an uncertain return, potentially leading to stagnation at a time when technological advancement is so critical. Those powers belong to the U.S. government, not to any provider, and only Washington can agree to limit them. A critical question that must therefore be answered is not how Europe escapes U.S. jurisdiction but how the U.S. governs the use of its own power.
What the Two Powers Enable
The kill switch power is based mainly on U.S. sanctions and export control laws. Through sanctions, mostly under the International Emergency Economic Powers Act, the Treasury Department can block a designated person or entity, making it unlawful for an American firm to keep doing business with them. Through export controls under the Export Control Reform Act, the Commerce Department can bar the supply of U.S. technology to a listed party, by destination, end use, or category of user, including nationality. When a sanction or a control applies, the provider must shut off the covered access.
One rare example of such cutoffs involved the International Criminal Court (ICC). After the United States sanctioned ICC prosecutor Karim Khan over the court’s arrest warrant for Israeli Prime Minister Benjamin Netanyahu, reports said Khan lost access to his Microsoft-hosted email. Microsoft told the U.K. Parliament that the ICC, not Microsoft, decided to disconnect Khan. It later corrected that testimony as inaccurate, after reporting indicated the company had warned the court to cut him off or lose service entirely. However it happened, one U.S. sanction was enough to put the ICC’s access to its own email at risk because the provider was American.
A similar chokepoint exists in banking, where such measures are more common. In February 2026, for example, the Treasury Department proposed to cut the Swiss bank MBaer off from the U.S. financial system, barring American banks from holding correspondent accounts for it. The measure was never finalized. But the next day, facing the loss of dollar access, MBaer withdrew its appeal of a Swiss order revoking its license and went into liquidation.
Export controls produced a blunter example in June. As mentioned above, the Commerce Department ordered Anthropic to cut off foreign national access to its two most capable models, Mythos and Fable. It was the first time the government used export controls to pull a working AI model off the market. The order followed a reported jailbreak of Fable that officials feared created serious cybersecurity risks—a flaw Anthropic called narrow and fixable. Unlike the ICC and MBaer cutoffs, this order didn’t name a target, and instead reached every foreign national—including allies—at once. As such, it was less a switch thrown against any one country or entity than a general withdrawal of the product from foreign markets. The sledgehammer-like order couldn’t be met with a scalpel, so Anthropic complied by disabling the models for everyone.
Instead of cutting a system off, the long arm can reach and access the data of foreign entities and individuals. Through ordinary legal process under the CLOUD Act, the U.S. government can compel a provider to produce data it holds and controls abroad, including that of EU citizens. Through Section 702 of the Foreign Intelligence Surveillance Act, the government can compel a provider’s secret assistance in surveilling non-U.S. persons abroad. (That authority lapsed in June amid a reauthorization fight; collection under existing certifications continues into 2027.) And through signals intelligence under Executive Order 12333, the government can collect data itself, tapping networks abroad with no provider’s help at all.
Amazon, Microsoft, and Google document the long arm in their transparency reports. These reports show the firms fighting it by contesting orders, narrowing their scope, and litigating against secrecy requirements that can keep a customer from ever learning that its data was produced. But data still reaches the U.S. government. For example, Microsoft’s most recent report, covering the second half of 2025, discloses enterprise content produced for a European customer. And the reports give only a partial picture. U.S. law allows national security demands to be disclosed only in broad numerical ranges, after a delay, and sealed orders are counted but never described.
What Tech Companies Can and Cannot Do
The providers’ primary answer has been to offer a sovereign cloud, a label that now covers their AI services as well. Products under the label aim to make cutoffs slower and harder to carry out, and to limit the data that government can access.
U.S. cloud providers hold most of the operational controls foreign governments worry about: accounts, updates, encryption, and infrastructure. They are investing to make those controls less worrying because foreign customers want American capability with fewer American-controlled chokepoints. Amazon Web Services’s European Sovereign Cloud, for example, is operated by EU residents (transitioning over time to EU citizens only) and governed separately from its other regions. Microsoft has committed to European operational oversight, customer-held encryption, a pledge to challenge orders that would suspend its European operations, and to keeping a copy of its code in Switzerland that European partners could draw on if it were forced to stop service. Google also offers a range of products, from software controls on its own infrastructure, to in-region clouds run by local partners, to a cloud that can be fully air-gapped for the strictest requirements.
None of this can stop a cutoff (a sanctions order overrides any contract to the contrary), but it can slow one down, make it harder to hide, and give a partner grounds to challenge it.
Against the long arm, the main tool is encryption. Where the provider holds neither the key nor the plaintext, an order to produce the data returns only scrambled files. But encryption is strongest when data is stored or moving between systems; it doesn’t, alone, protect data once a service must read or process it, and it generally doesn’t protect metadata. Confidential computing is closing the gap for inference, but it is not yet a complete answer, especially for large-scale training.
The providers also push back against the long arm in court. They press to have requests served on the customer rather than directly to providers, and they contest the gag orders directly. Google carried one such fight to a federal appeals court, challenging sealed orders for enterprise customers’ data on First Amendment grounds.
Provider discretion is a separate risk. For instance, SpaceX’s limits on Ukraine’s use of Starlink did not require a U.S. order; the company controlled the service and set the terms. Portability and enforceable exit rights can reduce that risk, but they cannot answer the problem at the center of this piece. When Washington orders a cutoff or disclosure, the provider’s contracts and goodwill have to yield to the law. That is why corporate safeguards have to be paired with rules for the government power itself.
What Only Washington Can Constrain
No U.S. provider can guarantee that its services will stay on and that its customers’ data won’t be accessed by the U.S. government. Only Washington can make those assurances, and only by binding itself.
The U.S. government has accepted this kind of limit before on the access side. After the New York Times disclosed in 2006 that the Treasury Department was drawing European financial-messaging data from SWIFT, allied governments compelled changes to the program, with European oversight of each request and limits and redress for the data it took.
Washington had also restrained its own surveillance of foreigners, first in Presidential Policy Directive 28 and more firmly in Executive Order 14086, the foundation of the EU-U.S. Data Privacy Framework, which created new limits and a review court in a government-to-government commitment. That framework survived its first court test in 2025, when the EU General Court dismissed the Latombe challenge, though an appeal is pending.
These precedents show Washington can limit its own reach. But it can often lift that restraint just as easily. For example, President Biden’s 2023 executive order on artificial intelligence directed leading AI developers to share safety testing results with the government. President Trump revoked it on his first day back in office and then, in June, issued a voluntary version of the type of reviews he had scrapped. (The Mythos cutoff days later showed how thin “voluntary” likely is.)
The disablement side has a precedent too, though it’s a much more limited one. Washington has pledged to keep the civil GPS signal available worldwide. It ended Selective Availability—the deliberate degradation of the civil signal—in 2000, and in 2007 it committed to building its future satellites without the capability at all. But that is different from the cutoffs partners actually fear—the loss of cloud and AI services. Those remain matters of discretion. Washington has eased such cutoffs before, allowing Kaspersky’s U.S. users to continue receiving updates for a time (a ban on an adversary product under separate technology-transaction authority) and licensing Huawei to keep existing networks running. But each was essentially an exercise of discretion and not an action taken in accordance with a clear rule.
The closest precedent comes from U.S. AI policy itself. The 2024 agreement between Microsoft and G42 set governance terms at the company level; the later U.S.-UAE AI Acceleration Partnership set them between governments, with security standards, audits, and joint oversight. So far, the terms mostly protect U.S. technology from diversion. But the arrangement has started to point the other way. The Trump administration has promised the United Arab Emirates continued access to American chips so long as it keeps to the security terms, and after the partnership’s first working group meeting this spring, officials called the promise “ironclad.” It is not a law or a general pledge against cutoff, just a supply assurance offered to a favored buyer. The same architecture could carry substantive assurances to trusted partners—rules on access, cutoff, notice, continuity, and review.
What Binding Both Powers Might Look Like
As others have argued in Lawfare, democracies should resist making disablement and compelled access routine tools of statecraft. But that discipline does not—and cannot—mean that Washington will never use either power.
The more credible answer is to define the narrow circumstances in which each may be used, the process that the powers must follow, and the continuity protections that apply when critical systems are at stake. The limits should therefore be clearly bounded. They should apply only to allies and trusted partners, and only while those partners comply with reciprocal security commitments. They should also focus on systems whose interruption would carry public consequences, such as core public services, health care, and critical infrastructure, and not on every account a provider happens to hold.
Rules for the Switch
The U.S. government should be able to cut off an ally or trusted partner only for specific reasons: evading sanctions, diverting technology to banned end users, prohibited military or intelligence use, a serious security breach, stealing model weights, or similar damaging actions. (Existing rules have a version of this that protects only the U.S.; a license can be revoked “in whole or in part, without notice.”)
In the ordinary case, it should give the partner notice and an opportunity to fix the problem first, while stating which authority it is acting under, so the cutoff cannot be passed off as a provider’s own enforcement. An emergency track can move faster, but only for true emergencies narrowly defined. A full cutoff should be the last resort—used only after lesser steps like throttled service or a supervised handover—and AI systems that an ally or partner relies on for essential public services such as health care should keep running even then.
And when a restriction targets a capability rather than a party—a whole model or service, not a designated country or other entity—the government should justify its breadth and choose the narrowest form that meets the concern, tailored where possible to specific uses, deployments, institutions, or users rather than restricting access for every foreign national at once.
Some members of the Group of 7 reached for a version of this after the June Mythos cutoff, when allied leaders reportedly discussed a trusted partners channel to restore access for vetted allies and firms. EU officials later echoed this request, suggesting that the near-term reality behind sovereignty rhetoric is not escape from the American stack, but managed dependence and governed access to it. And perhaps this is an opening. If what allies want at moments when risks and opportunities are sharpest is access rather than exit, then the terms of that dependence are negotiable, and it is an opportunity for the United States to make the offer.
Rules for the Long Arm
For ordinary criminal process—compelled disclosure under the Stored Communications Act, as amended by the CLOUD Act—the default for trusted partners should be customer-first. When the data belongs to a foreign government body or operator of critical infrastructure or essential services—customers whose compromise touches another state’s sovereignty or the systems its people rely on—Washington should seek it from that customer directly, or through the appropriate government-to-government channel, with notice and an opportunity to challenge the request.
The point is to make bypassing certain customers visible, justified, and contestable—and to tie each exception to the transparency the agreements below require. And, in fact, a customer-first approach already exists in the Justice Department’s own 2017 guidance. CLOUD Act executive agreements—the ones already in force with the United Kingdom and Australia—show how trusted governments can build reciprocal rules for cross-border data demands. A next-generation arrangement should go further for public and critical infrastructure customers as outlined above and take into account other guidelines and practices that currently guide U.S. law enforcement efforts abroad.
Section 702 calls for a different approach, since customer-first notices don’t make sense in the context of foreign intelligence. Here, the dual goals are durability and accountability. Executive Order 14086’s necessity, proportionality, and redress architecture are the right substance, but it rests on an executive order that the next president could repeal. Similarly, the Supreme Court’s Trump v. Slaughter decision demonstrates that executive discretion over personnel is also a challenge, one that a statute alone won’t solve unless it protects the adjudicators as well as the rules. The fix is to write these safeguards into statute, so that they no longer depend on the discretion of a single administration. Because a statute is far harder to undo than an order, this would also bring more stability to transatlantic data flows, which Schrems II has left on uncertain ground. Collection outside Section 702 raises related issues but is beyond the scope of this piece.
Using the AAEP as a Vehicle for American Commitments
The American AI Exports Program (AAEP) is a potential vehicle to pilot these commitments. It is designed to back priority export packages with diplomatic and financial support, which makes it a natural place to set the first terms. Most allies, including Europe, run on American cloud and AI through ordinary commercial channels and should keep doing so. But the terms of the program—once tested—could become the template for a commitment that binds Washington across American providers, not only the consortia participating in the AAEP. And though the vast majority of European projects should run through standard commercial channels, a small set aimed at the CADA’s higher levels could become the program’s European pilot—transactions in which the U.S. government offers terms that address the act’s concerns directly. The act threatens to shut American providers out of its middle levels because of the U.S. government’s power over them, but it also leaves the European Commission room to certify non-European providers. Rules on cutoff and access, included in AAEP transactions aimed at CADA-oriented projects, would give the commission grounds to do exactly that.
Each deal should bind both the government and the provider with the limits described above. Washington should write its own limits on the switch and the long arm into the deal, rather than leaving them to internal policy. The companies should have to build in the features that protect a partner—portability, customer-held keys, confidential computing, access logs, continuity plans, and exit paths. They already sell most of these, so the deal asks for nothing new. It changes three things. The features become commitments that a company cannot withdraw at will. Every vendor in a package must offer them. And Washington goes on record that these protections are the standard.
And if American services operating under binding U.S. assurances still could not qualify, the levels would not be measuring sovereignty; they would be industrial policy, and it would become clear that the sovereignty package and similar EU policies have less to do with trust than with a desire to compete with American providers through indigenous cloud and AI stacks.
Making It Last
Over time, the terms—if they function properly—should move into law. The power to cut off an ally or take its data sits mainly in permanent laws like the CLOUD Act, and the sanctions and export control statutes that only Congress can repeal. A promise to use that power sparingly isn’t equally permanent if it exists only in a program or an executive order, since any administration can erase it overnight while keeping the underlying power intact. That’s an asymmetry—permanent power, temporary restraint—and a key reason the restraint has to be set in a form as hard to undo as the power it checks.
Until then, the restraint included in vehicles such as the AAEP can still be revoked, but doing so is not a costless transaction when a commitment has been made publicly and repeatedly. For example, reversing the “ironclad” commitment to the UAE without compelling justification would carry a price that the U.S. government might not otherwise pay. That is one way that restraint can become lasting, even without becoming law.
The Choice
The American policy community is of at least two minds about European sovereignty measures. It dismisses some as disguised protectionism—and some are. At the same time, through the AAEP, it has started to embrace “sovereignty” as a selling point, offering partners the American AI stack as a way to achieve it. But neither stance answers the trust problem, because both leave the underlying powers untouched. Concerns about disablement and access can be addressed only by making both powers predictable, visible, and contestable.
Refusing to constrain these powers does not keep partners dependent; allies will build out their digital infrastructure regardless. If the United States binds its switch-and-arm powers, that buildout can happen in partnership with American technology. If it does not, every visible cutoff and every compelled disclosure gives partners one more reason to replace American technology, most concerning when the motivation is simply to escape U.S. government powers rather than to compete with services of their own. Not every ally will build its own stack; some will eventually turn to the Chinese AI stack instead.
Limiting the powers protects Washington as well. It curbs the reflex to reach for the switch or for data simply because it can, without weighing the cost. Overused, that leverage loses its value and makes exit more likely. Europe was already building Galileo before Washington made its strongest commitment to keep GPS open, and that assurance, when it came, did not bring Europe back. Europe will pursue some of that buildout regardless, for its own industry’s sake, and no assurance from Washington changes that. But much remains undecided: The EU’s rules are still being written, and the biggest investments are still only plans. An assurance offered now can shape those choices but if offered later would change little.
For Washington, constraining its own powers means giving up discretion it currently holds. Still, that may be the only serious answer it can give to allies’ and partners’ concerns about the kill switch and the long arm.
