The European Commission published its tech sovereignty package last week, including the clearest signal yet of its intention to strengthen European cloud sovereignty and reduce its dependence on US hyperscalers.
It’s a response to growing concerns among European organizations and regulators about the reliance on US tech firms and legislation such as the US CLOUD Act, which could give US officials access to data — even if it is stored in Europe.
But any shift toward local, sovereign cloud providers will necessarily be gradual, analysts, said as the Cloud and AI Development Act (CADA) proposals leave plenty of room for US providers to continue supplying cloud computing services to European public sector customers.
“The direction is right. The execution will be slow,” said Fernando Pereiro, senior director analyst at Gartner.
While the Commission has correctly identified areas where the EU is most dependent on foreign providers, delivering on its ambitions is another challenge, he said. Scaling alternatives to US suppliers “takes time, capital, and coordination at a level that is difficult to sustain in Europe.”
Dario Maisto, senior analyst at Forrester, played down the prospect of a major short-term shift towards European cloud providers as a result of the CADA proposals, even after recent interest in local European vendors for mission-critical workloads and highly sensitive data.
“I do not expect an immediate impact on the cloud infrastructure market,” Maisto said. “Full-blown migrations are costly and take several years. They are not going to happen in the near future.”
Instead, Pereiro expects the gradual emergence of “sovereign enclaves” or controlled environments for sensitive workloads, particularly in government and regulated sectors. “Outside of those areas, the market will remain global, but increasingly shaped by European rules,” he said.
Nevertheless, the three US hyperscalers that account for around 70% of the European cloud market – Amazon Web Services (AWS), Google, and Microsoft — will likely see a more competitive environment.
“The real shift is symbolic and structural: hyperscalers move from being the default choice to one option among others, and their competitiveness will increasingly depend on how well they align with European control requirements, not just on technology or price,” said Pereiro.
What is CADA and what could it mean for Europe’s cloud market?
CADA is part of a range of policy and legislative proposals — known as the Tech Sovereignty Package — published by the Commission, alongside Chips Act 2.0, the Open Source Strategy, and Strategic Roadmap for Digitalization and AI in Energy.
CADA includes measures to boost European tech sovereignty. Among other things, it aims to triple data center capacity in the next five to seven years by easing restrictions on new infrastructure projects across the EU, as well as efforts to support research and development of cloud and AI technologies.
It also includes a sovereignty framework that, if enacted, would require EU public bodies to assess sovereignty risks and procure cloud services that meet four assurance levels.
The various levels portray “a political vision with many open questions,” said Maisto. In more detail:
- Level 1 requirements are achievable by hyperscalers, Maisto said, with requirements focused mostly on data residency.
- Level 2 is “more controversial,” he said, as it includes requirements around third-country access to data and disruption of services.
- Level 3 leaves room for US providers to win procurement contracts — particularly where they enter a joint venture with a European cloud provider such as S3NS, a Thales subsidiary that has partnered with Google.
- Level 4 applies to only a small proportion (1%) of the most sensitive workloads.
The first two levels could be open to US hyperscalers, said Maisto, with 70% of existing EU public sector workloads falling under Level 1 and 20% at Level 2, according to Commission’s own impact assessment. Just 9% of the workloads would require Level 3.
The most stringent Level 4 would require cloud providers that “have full transparency and control over their software supply chain and no interference from a third country,” the Commission said.
For public sector organizations, the CADA rules could create more clarity around procurement, said Pereiro. “Today, the concept of ‘sovereign cloud’ is often vague and inconsistently applied in providers’ marketing and messaging,” he said. “This package standardizes what sovereignty must look like in practice, effectively ending the era of ‘sovereign washing.’”
The proposals give public sector organizations a “stronger set of requirements with which to assess risk, especially around jurisdiction and access to data,” he said.
“For enterprises, it’s less about regulation and more about leverage,” said Pereiro. “They gain clearer benchmarks and more viable alternatives, particularly through open source and emerging European providers.”
European cloud industry sees ‘a step in the right direction’
The Cloud Infrastructure Services Providers in Europe (CISPE) — a nonprofit trade group — welcomed the “strong definitions” of Levels 3 and 4, and said that, if implemented well, the proposed rules could “help to challenge the commercial dominance of established foreign cloud and AI vendors.”
However CISPE also called the current Level 1 and 2 criteria “confusing and non-sensical,” and said they should not be designated as “sovereign” since US hyperscalers can meet the requirements. “This will continue to confuse the market, both public and private customers, and encourage more sovereignty washing attempts,” CISPE said in a blog post Thursday.
CISPE also said the proposals fail to require public authorities to check whether a European service exists before opting for a foreign supplier. “We see a significant risk that assessments become a ‘rubber-stamp’ exercise that allow IT departments to continue to buy non-sovereign services out of convenience,” the organization said.
French firm OVHcloud — one of the leading European cloud computing and web hosting companies — welcomed the proposals, though it said any rules must be carefully scoped to ensure they are effective.
“This text is a step in the right direction and represents an opportunity to strengthen European strategic autonomy — something unthinkable just a few years ago,” an OVHcloud spokesperson said. “It provides a useful framework, but one that must not leave too much room for exceptions and workarounds.
“Europe must and can move much faster, with very clear rules and a genuine European preference. Beyond this text, the Commission has demonstrated with its sovereign procurement call that it is possible to act right now to reduce critical dependencies. The time for waiting is over. We must accelerate. We must clarify. We must own it.
“Europe has the players and the expertise,” the spokesperson said. “It is time to turn political ambition into European industrial capability.”
The overall tech sovereignty package “marks the overdue shift from diagnosis to treatment,” said a spokesperson at Ionos, a German cloud and hosting company. Ionos pointed to the EC’s claims that more than 80% of digital products, services and infrastructures in the EU originate from non-European providers, while 264 billion euros flow from EU organizations into predominantly US-based IT products.
“This is a strategic failure that must now be corrected,” the spokesperson said. While the company applauded the Commission’s focus on “secure and sovereign cloud and AI infrastructure for highly critical use cases,” it argued the CADA proposals fall short. “The central weakness of the package: the approach remains predominantly supply-side. The decisive lever — the demand side – is missing. Public procurement is the most powerful instrument for digital sovereignty. The public sector as anchor customer is critical for scaling sovereign cloud and AI solutions.
“Europe will remain dependent on Nvidia and AMD for GPU computing, the spokesperson said. “What matters is not whether to cooperate, but on what terms: data under European law, operations by European providers, no extraterritorial access. …If EU funding earmarked for ‘sovereign cloud’ ends up with the European subsidiaries of US hyperscalers, the package will have failed its objective.”
The real impact on hyperscalers
The proposed rules could require hyperscalers to change tactics to cater to European customers, or to at least ramp up existing sovereign cloud strategies. “For vendors, this is essentially a shift in what ‘competitive’ means,” said Pereiro. “For the last decade, scale and hyperscaler alignment were enough. That’s no longer the case.”
Cloud providers will need to demonstrate real control over data, infrastructure, and operations, he said, and not just label solutions as “sovereign.”
“The bar has been raised, and some existing offerings simply won’t clear it,” he said.
While the CADA rules are designed to favor European providers in some cases, the proposals stop short of barring US providers from public sector contracts. “It doesn’t shut them out,” said Pereiro, “but it changes competitive conditions substantially.”
The proposed procurement requirements make sovereignty a “gating factor” for sensitive workloads, said Pereiro, and “create real friction for providers whose operating models depend on centralized control or non-EU jurisdiction.”
US tech firms tout support
US hyperscalers publicly welcomed the proposals, and indicated plans to work with policy makers and ensure the importance of customer choice in cloud service procurement.
“We look forward to reviewing the proposed rules and continuing to work alongside our partners to ensure European organizations have the power of choice and sovereign control,” a Google spokesperson said.
An AWS spokesperson said the company has invested ”tens of billions of euros” in European cloud infrastructure, which it claims has “already advanced the continent’s competitiveness, helped organizations innovate and grow, and supported the development and resilience of both public and private services that Europeans now rely on every day.
“European organizations deserve access to the best technology available from trusted providers, chosen on the basis of security, performance, verifiable controls, and value,” the AWS spokesperson said. “We look forward to working with policymakers to ensure the Cloud and AI Development Act promotes technology choice and rewards long-term investment in Europe’s digital future.”
A Microsoft spokesperson said the company shares the EU’s “ambition to strengthen technological sovereignty and global competitiveness in AI, grounded in openness, partnership and fair competition.
“Achieving this will depend on access to world-class infrastructure and technologies at scale,” the Microsoft spokesperson said. “That means enabling European companies and public administrations to make procurement choices based on a broad, risk-based assessment in an open and competitive market.
“Microsoft offers secure and sovereign cloud solutions that put customers in control, and we stand ready to help build a strong, resilient and globally connected AI ecosystem in Europe.”
While the proposals present potential hurdles for US hyperscalers, those that adapt to the new regulatory direction — and concerns of European organizations — will benefit, said Pereiro. “If your offering aligns with sovereignty requirements, your company will be likely to see more opportunities, not fewer,” he said.