The European Commission on Wednesday proposed the Cloud and AI Development Act, the centerpiece of a wider tech sovereignty package meant to reduce the bloc's dependence on American cloud providers. The measure would let Brussels sort cloud vendors into sovereignty tiers, steer public money toward European products, and speed up data center construction across the 27 member states.
What the act actually does
The Commission's press release describes a single EU-wide framework with four assurance levels for cloud and AI sovereignty. Public bodies pick a level based on a risk assessment, and providers get audited and recognized by member states before they can serve sensitive workloads. There's also a procurement angle: tenders in areas like banking, energy and healthcare would weigh more than price, with criteria nudging toward EU-developed software and hardware.
So the practical effect lands on a narrow slice of government work, not the whole public sector. The original reporting around this framed it as touching roughly 1% of state services, which sounds about right for "most sensitive" workloads, though the Commission hasn't put a clean number on it that I could verify.
The Cloud Act problem nobody can engineer around
Here's where it gets pointed. Executive Vice-President Henna Virkkunen told reporters that American firms will struggle to reach the top sovereignty tiers, and the reason isn't European protectionism dressed up in compliance language. It's a US law. The Cloud Act lets American law enforcement compel US companies to hand over data stored on any server, anywhere on earth.
"We want to make sure that our most critical sensitive data is stored in Europe," Virkkunen said, which is the polite version of saying a US-headquartered provider can't promise that no American court will ever reach into its European servers.
That structural conflict is the whole story. You can build all the sovereign cloud regions you want, and Microsoft and Amazon already have, but the legal exposure follows the company's home jurisdiction. Commission President Ursula von der Leyen framed it bluntly, saying Europe cannot depend on others for the technologies keeping hospitals running and energy grids stable. Virkkunen elsewhere reached for the phrase everyone latched onto: making sure nobody has a "kill switch."
How dependent is Europe, really
The dependency numbers are real but worth reading closely. Amazon, Microsoft and Google control roughly 70% of the European cloud market, per a European Parliament study, with European providers collectively under 15%. The often-cited €264 billion a year that flows to foreign cloud and software vendors comes from outside research, not the Commission's own accounting, and it covers software broadly, not just cloud. Treat it as directional, not precise.
European cloud companies, predictably, love this. A coalition including France's OVHcloud, Germany's Nextcloud and Switzerland's Proton had already endorsed the procurement push before the package dropped. They stand to gain the most if Brussels actually codifies preferences into binding rules. That "if" is doing heavy lifting.
What happens next
The package, which also bundles a revised Chips Act 2.0 and an Open Source Strategy, now heads into negotiations with the 27 member states and the European Parliament. All 27 governments have to sign off. Given how procurement rules tend to get watered down once national interests start pulling in different directions, the version that emerges from trilogue could look meaningfully softer than Wednesday's proposal. The thing to watch is whether the funding and the binding language survive that process, or whether this stays a statement of intent.




