
The European Commission is moving forward with rules that could restrict US cloud services from handling sensitive government data, targeting financial records, health data, and judicial information held by public-sector bodies across all 27 member states. This is not a broad ban; private-sector cloud use remains untouched. But for AWS, Microsoft Azure, and Google Cloud, which together command roughly 70% of cloud infrastructure revenues in Europe, even a targeted public-sector restriction represents a significant shift in how the EU does business with American tech.
The proposals are the centrepiece of the long-awaited Tech Sovereignty Package, built around the Cloud and AI Development Act (CADA). Led by Executive Vice-President Henna Virkkunen, the package has faced repeated delays due to intense institutional debate. Following a brief slip past its late-May target, the finalised strategy is set for imminent official presentation. Once unveiled, the package will still require unanimous approval from all 27 member states before taking effect.
What makes this moment fundamentally different from past EU sovereignty rhetoric is that the Commission has already built, tested, and deployed a concrete scoring system for cloud sovereignty. The upcoming legislation will determine exactly how high that statutory bar gets set.
Why US cloud law makes the EU nervous
Under the 2018 US CLOUD Act, American companies can be compelled by domestic law enforcement to hand over user data regardless of where that data is physically stored. A server in Frankfurt provides no legal insulation if the company operating it is headquartered in Seattle. For government-held financial, judicial, and health data, this extraterritorial exposure is the core of the Commission’s concern. Where data lives matters less than who can be legally ordered to produce it.
Thibaut Kleiner, Director for Future Networks at DG CONNECT, previously framed the strategic stakes plainly:
“Unless we get our acts together, we are going to be in the mode of becoming a technological colony of some kind, where we are not able to develop our own products.”
He also acknowledged that the initiative has run into sustained lobbying built around the argument that moving away from US tech is too difficult and too expensive. These tensions sit at the heart of why digital governance is a European imperative, as the continent attempts to assert regulatory control over architectural ecosystems it did not build.
Moving sovereignty from principle to metric
Before the Commission developed its Cloud Sovereignty Framework, there was no standardised way to translate “sovereignty” into procurement criteria. The new framework changed that by measuring providers across eight dimensions—including legal jurisdiction, operational resilience, supply chain transparency, open architecture, and EU law compliance.
These metrics score providers on a five-tier scale called the Sovereignty Effectiveness Assurance Level (SEAL):
- SEAL-0: No digital sovereignty demonstrated.
- SEAL-2 (Data Sovereignty): Achieves baseline compliance with EU laws without requiring additional customer-side technical protections, though material non-EU dependencies may remain.
- SEAL-3 (Technological Autonomy): Demands an open architecture and structural immunity from non-EU supply chain or third-party disruptions.
- SEAL-4 (Full Sovereignty): Requires a completely localised EU supply chain, from physical silicon chips to the software stack.
What the Commission’s own tender revealed
The Commission did not wait for formal legislation to put these criteria to work. It utilised the framework to award a massive six-year, €180 million cloud procurement contract to four European provider groups.
The tender was explicitly designed to encourage the market to develop sovereign digital solutions. However, it also exposed a deep pragmatic compromise. Purely European tech stacks, such as Scaleway, STACKIT, and the Post Telecom/OVHcloud alliance, successfully achieved SEAL-3 status. Meanwhile, the Proximus consortium qualified at SEAL-2 because its framework relies on S3NS, a joint venture utilising US-origin Google Cloud technology under European operational management.
By anchoring the tender’s minimum eligibility baseline at SEAL-2, the Commission proved its own stated position: that non-European tech, when wrapped in strict local operational controls, can meet baseline requirements. It allowed the EU to maintain a diversified, multi-vendor ecosystem and avoid vendor lock-in, but it drew sharp criticism from European cloud CEOs who wanted a total exclusion of foreign-exposed stacks.
What changes for big tech — and what remains open
The upcoming CADA rules will not lock US hyperscalers out of Europe entirely. Instead of a binary system of exclusion, the draft strategy leans toward a risk-based, tiered access model. Member states will be required to conduct formal “sovereignty risk assessments,” defining specific public-sector workloads that must be hosted on verified sovereign capacity.
The unresolved legislative battle comes down to where the law will mandate those thresholds:
- If the final law mandates SEAL-2: The “wrapper” approach survives. European entities can continue using highly automated US tech stacks managed by local partners (like the Proximus-S3NS model).
- If the final law mandates SEAL-3 or higher: Wrapped US infrastructure will fail the test. Highly sensitive public-sector workloads will be legally forced onto fully native European architectures.
The debate highlights how deeply European regulators are scrutinizing the gap between where data is processed and who owns the underlying code. Similar boundary-testing has increasingly surfaced across consumer platforms — such as the ongoing regulatory scrutiny over whether certain cross-border data tracking features violate the GDPR — proving that data residency is no longer a sufficient defense.
Market realities and the blueprint ahead
The scale of the industrial challenge is massive. European cloud providers collectively hold only about 15% of regional cloud infrastructure revenues, compared to the 70% dominated by the US hyperscalers. Yet, momentum is shifting; high-profile migrations, such as France’s Health Data Hub moving workloads to Scaleway, point in the exact direction the Commission wants to go.
The Commission is actively using its purchasing power to shape the market, creating guaranteed demand conditions that European providers can scale into. The €180 million tender is signed, the SEAL framework is active, and the Commission is preparing to push national governments to align their domestic public procurement with this exact methodology.
The final piece of the puzzle is the statutory threshold written into the Cloud and AI Development Act. The SEAL metric remains the critical number to watch: if member states mandate a strict SEAL-3 baseline for sensitive government records, the Commission’s own compromise procurement model will no longer pass its own test.
