How Trump 2.0 could affect the IT industry in Europe

The shifting political landscape in the United States may significantly impact the global IT industry, especially in Europe. This blog post explores three aspects of how Trump 2.0 could impact the IT sector in Europe, offering insights into the near future and potential developments ahead.

Data Transfer to the US

The foundation for the legal transfer of European personal data to the United States is established by the EU-US Data Privacy Framework. The adequacy decision of the European Union is based on Executive Order 14086, issued by former US President Joe Biden.

Following the inauguration of the Trump administration, all Executive Orders from the Biden administration were reviewed within the first 45 days. The processes following the review may result in the revocation of Executive Order 14086, on which the adequacy decision of the European Union is based.

Executive Order 14086 makes reference to the Privacy and Civil Liberties Oversight Board (PCLOB), which is an independent entity in the United States. Besides other oversight tasks, the PCLOB is responsible for ensuring complaints from European customers are addressed appropriately and in a timely manner. The independent PCLOB was one of the central pillars for the adequacy decision of the European Union.

The PCLOB is composed of five members; however, the fifth position was vacant. On January 27, 2025, the three Democratic members of the PCLOB were dismissed by the White House, sparking debates in the European Union about whether the adequacy of data protection measures can still be assumed.

The dismissal of the Democratic members of the PCLOB, which renders the board incapable of acting with just one member left, led on the European side to a parliamentary question on February 5, 2025, regarding the consequences. This question raises significant concerns about the safeguarding of European personal data.

On February 6, 2025, the “Committee on Civil Liberties, Justice and Home Affairs” (LIBE) of the European Parliament sent a letter to the EU Commission requesting an evaluation of whether US data protection remains adequate.

The outcome of this evaluation and its implications remain unclear at this time. The EU-US Data Privacy Framework could face termination, which would consequently eliminate the existing legal foundation for data transfers between the EU and the US. To ensure compliance with legal regulations, European companies would either have to stop all data transfers to the US or accept the potential risks of being fined by regulatory authorities for continuing to transfer data to the United States. A potential alternative could involve utilizing standard contractual clauses. This approach may require considerable effort from the affected organization to determine if the US-based company can legally comply with these clauses.

Vulnerability Tracking & Security Standardization

Most vulnerability management practices today rely heavily on CVE databases. These databases publish information on publicly known vulnerabilities and offer supplementary data related to them.

CVE-IDs are assigned to publicly known vulnerabilities by MITRE, a US-based non-profit organization. The National Institute of Standards and Technology (NIST) oversees the publicly accessible National Vulnerability Database (NVD). This database is built upon the CVEs assigned by MITRE and enhances them with additional information, such as CPE names, which are utilized by many vulnerability management tools. Furthermore, the NVD assesses the severity of vulnerabilities by assigning a Common Vulnerability Scoring System (CVSS) score.

In addition to overseeing the NVD, NIST plays a crucial role in the development of cybersecurity standards and best practices. A prominent example among many is NIST SP 800-53, which delineates Security and Privacy Controls for Information Systems and Organizations. These invaluable resources are accessible to the public globally at no cost.

At NIST, which employs a total of 3400 individuals, approximately 500 employees might be facing layoffs. The substantial reduction in workforce could have detrimental effects on both the cybersecurity standardization initiatives at NIST and the continuous upkeep of the NVD.

What consequences might arise? At a minimum, the global visibility of software vulnerabilities would worsen. Many vulnerability management tools use the analyses conducted by NIST in the NVD. Reducing the workforce at NIST could potentially exacerbate the existing backlog of unaddressed vulnerabilities awaiting analysis.

The potential influence of political factors on the global availability of the NVD and publicly funded cybersecurity standards remains unclear. In the worst-case scenario, researchers outside the U.S. may find the NVD and standards inaccessible or no longer available free of charge. This situation could be affected by the policies of the Trump administration, which emphasizes that U.S. taxpayers’ money should be utilized in a way that primarily benefits U.S. citizens.

Increasing prices for US-based services

The future may further see tariffs imposed on US-based services such as hyperscalers, for example to counter US tariffs on Europe. Price increases might also come in the form of a digital services tax. Tariffs or additional taxes on US-based hyperscalers would raise cloud service prices for European companies. In the short term, this may result in higher prices for customers. In the long term, a shift towards European-based hyperscalers is to be expected. However, this transition will take time, as European hyperscalers need to catch up to the capabilities of their US counterparts.

Further down the road: Availability of the Newest Technology for Europe

Facing the current political situation, European companies are looking for ways to advance towards digital sovereignty. Improving the competitiveness of European companies in strategic fields such as AI may increasingly be viewed as an economic threat to the US. Preparing for potential restrictions on technology availability from US hyperscalers and hardware manufacturers may be necessary.

In January 2025, Trump signed an Executive Order titled “America First Trade Policy”, which includes an evaluation of the current export controls. Europe should prepare for significant impacts from US policy on technology availability, in light of the Executive Orders signed and the overall direction of the Trump administration’s policies. Currently, 18 allies of the US are considered so-called Tier 1 countries with nearly unlimited access to AI-relevant chips. With the growing digital sovereignty of Europe, there are no guarantees that this policy will not be changed. Such a policy change would primarily impact the availability of the latest-generation chips, particularly GPUs used for AI, and may also affect the rental of these GPUs through hyperscalers like Azure, AWS, or Google Cloud.

Conclusion

As the political landscape shifts, the IT industry in Europe must stay vigilant. Donald Trump’s second presidency is introducing new challenges. Europe can improve its position by proactively addressing relevant issues amid these changes. The future of the IT industry in Europe hinges on its ability to navigate this situation effectively. Significant investment in digital sovereignty is essential for Europe to remain a key player in global competition in the field of IT and digitalization.