The European Union is preparing cloud-computing procurement rules for highly critical public-sector contracts that could make it harder for Amazon Web Services, Microsoft Azure and Google Cloud to win sensitive state work, according to draft documents reported by Reuters on June 1, 2026. The measure would sit inside the forthcoming Cloud and AI Development Act, a broader Brussels effort to turn “digital sovereignty” from conference language into buying rules. The immediate target is not the whole cloud market, but the most sensitive slice of it: government data, critical infrastructure, defence-adjacent systems and public services where jurisdiction matters as much as uptime. That distinction is important, because Europe is not trying to unplug from American cloud overnight; it is trying to decide where dependence becomes a security risk.
For years, European officials have talked about digital sovereignty as if it were a destination everyone supported and nobody had to pay for. The cloud proposal changes the argument because procurement is where slogans meet budgets, incumbents and operational risk. If a public authority must evaluate whether a supplier is exposed to foreign legal control, whether it depends on non-European components, and whether its operations can withstand geopolitical pressure, the cloud contract stops being a commodity purchase.
That is why this reported draft matters more than another Brussels white paper. Amazon, Microsoft and Google are not merely vendors in the European cloud market; they are the infrastructure layer beneath public administration, regulated industry, research, healthcare, banking and increasingly AI. They bring scale, security engineering, developer ecosystems and service catalogs that few European competitors can match. They also bring a jurisdictional problem that no amount of branding can entirely erase.
The Commission’s apparent move is therefore not a sudden anti-American lurch. It is the logical next step in a decade of European concern about data protection, strategic autonomy and the mismatch between where data is stored and who may ultimately compel access to it. The EU has already built a dense legal environment around privacy, cybersecurity, platform regulation and data governance. Cloud procurement is where those laws become operational.
The central question is not whether Europe can survive without US hyperscalers. In the near term, it plainly cannot. The harder question is whether the most sensitive parts of government and critical infrastructure should be architected around companies subject to non-EU law, even when those companies operate European regions, hire European staff and wrap their services in sovereign-cloud commitments.
That dominance gives public buyers a practical reason to stick with them. A ministry moving legacy systems to cloud wants proven resilience. A hospital network wants managed databases, identity services and disaster recovery. A defence contractor wants secure collaboration, analytics and access controls. A government AI program wants accelerators, orchestration tools and model-management infrastructure. In each case, the hyperscalers can say they already have the platform, the certifications and the staff.
But usefulness is not neutrality. Once a government builds its workflows around a particular cloud ecosystem, exit becomes expensive. Data formats, identity systems, security tooling, automation scripts, analytics services and AI pipelines all deepen the relationship. A supplier that begins as a cheaper or faster infrastructure provider can become a strategic dependency.
That is the dependency Brussels is trying to price into procurement. Traditional public tenders reward cost, capability, reliability and compliance. The reported approach would add a more political category: whether a provider is sufficiently insulated from non-European legal claims and strategic leverage. For cloud providers, that is an uncomfortable test because it reaches beyond data-center geography into ownership, control and legal exposure.
This is also why the proposal is likely to be fought in the details rather than the headlines. Nobody needs to say “ban Microsoft” for a procurement rule to disadvantage Microsoft. A tender can remain formally open while weighting sovereignty criteria in a way that makes US-controlled providers hard to select for highly critical workloads. In Brussels, the most consequential market-access fights often hide inside scoring matrices.
The hyperscalers have spent years narrowing that gap in commercial terms. They have built European data regions, created sovereign cloud offerings, partnered with local telecoms and integrators, added customer-managed encryption features, and promised more transparency around government requests. Microsoft, AWS and Google all understand that “your data stays in Europe” has become a sales requirement in the public sector.
Yet the draft approach reported by Reuters suggests Brussels may be unconvinced that these measures are enough for the highest-risk contracts. That does not mean every sovereign-cloud product is meaningless. It means the Commission may be preparing to distinguish between operational sovereignty — where the service is run locally, with local controls — and legal sovereignty, where foreign compulsion risk is minimized by ownership and governance.
That distinction is where the debate becomes sharper. A US provider can localize infrastructure, employ European administrators, allow encryption keys to be controlled in Europe and contract through an EU subsidiary. But if the parent company remains subject to US law, critics argue the residual risk remains. The providers counter that practical safeguards, legal challenge processes and technical controls matter more than nationality.
Both claims contain truth. Cloud security is not achieved by passport. A poorly run “European” cloud can be less secure than a well-run American one. But sovereignty is not only a security property; it is a power relationship. Brussels is asking who can ultimately order, interrupt, inspect or influence the systems that governments rely on.
That is the likely evolution here. Europe does not need to nationalize cloud infrastructure to reshape demand. It can tell public buyers that critical contracts must consider sovereignty risks, operational resilience, supply-chain exposure and the use of European-developed technology. Those criteria would push ministries, agencies and regulated sectors toward a different definition of value.
This is the part US tech companies will dislike most. They are accustomed to arguing that they meet or exceed European security and compliance requirements. They can point to certifications, audits, data residency controls, encryption options and vast operational experience. But a sovereignty-weighted tender asks a different question: not “are you secure?” but “are you controllable within Europe’s legal and political order?”
The reported Cloud and AI Development Act appears designed to make that question harder to avoid. If the Commission defines “highly critical” narrowly, the rule may affect only a limited number of sensitive government and infrastructure projects. If it defines the term broadly, the policy could reach far into public-sector IT, regulated industries and AI infrastructure. The fight over definitions may decide whether this becomes a symbolic carve-out or a major market intervention.
This also explains why European cloud providers have been pressing for stronger sovereignty language. They do not merely want fairness in abstract competition. They want procurement rules that recognize what they see as their comparative advantage: European ownership, European jurisdiction and closer alignment with EU law. Their challenge is proving that this advantage can coexist with the performance, reliability, developer tooling and pricing public buyers expect.
But the protectionism charge will not disappear just because the Commission uses security language. A rule that rewards European-developed hardware and software, or penalizes exposure to foreign legal orders, will predictably help European suppliers and hurt US incumbents in sensitive tenders. Washington is unlikely to view that as a neutral technical adjustment if major American firms are effectively pushed out of strategic public contracts.
The EU’s answer will be that the United States does the same thing in its own way. Washington has national-security procurement rules, export controls, foreign investment reviews and restrictions around sensitive technologies. China has built far more explicit technology sovereignty into its state procurement and industrial policy. Europe, by comparison, has often been the market most open to foreign platforms while regulating their behavior after the fact.
The new cloud approach would alter that posture. Instead of merely policing how global technology companies operate inside Europe, the EU would be shaping which companies are appropriate for certain public functions in the first place. That is a more muscular form of digital policy, and it will test whether member states are willing to accept the costs that come with strategic autonomy.
Those costs will not be theoretical. Public buyers may face fewer bidders, higher prices or more complex multi-cloud architectures. Some projects may take longer. Agencies that already run on hyperscaler platforms may need to segregate workloads by sensitivity, move certain datasets, or redesign procurement plans around sovereignty tiers. The political question is whether Europe considers those costs an insurance premium or an avoidable burden.
A broader definition could cover large parts of public administration, healthcare, education, research, energy, transport, banking supervision and AI services used by governments. That would make the policy much more consequential. It would also create more legal and commercial uncertainty, because agencies would need to determine whether ordinary digital transformation projects cross into sovereignty-sensitive territory.
The ambiguity is not accidental. Policymakers often prefer broad language at the proposal stage because it gives them bargaining room. But cloud contracts are long-lived, expensive and technically sticky. If vendors and buyers cannot predict which rules apply, procurement slows down and lawyers become the first cloud architects.
That uncertainty could hurt European providers as well as US ones. Smaller European cloud firms may welcome sovereignty criteria, but they also need predictable demand, clear certification processes and realistic technical requirements. If “highly critical” becomes a moving target, public agencies may delay tenders rather than risk choosing the wrong supplier. Sovereignty policy that cannot be operationalized becomes another compliance fog.
The Commission’s recent work on sovereign-cloud evaluation suggests it understands this problem. A credible framework has to measure more than ownership. It needs to examine legal jurisdiction, operational control, supply-chain dependency, security standards, resilience, environmental requirements and the role of AI systems. That is a complicated scoring model, but without it the policy becomes either performative or arbitrary.
Microsoft has already leaned heavily into European digital sovereignty commitments. Google has developed sovereign-cloud partnerships in Europe. AWS has promoted European sovereign cloud models and regional control mechanisms. These are not cosmetic moves; they reflect real customer demand and real regulatory pressure.
But the more Brussels emphasizes legal and ownership control, the harder it becomes for US hyperscalers to solve the problem without changing their corporate structures. A sovereign cloud operated by a European partner may reduce operational risk, but if core software, updates, support chains or parent-company obligations remain tied to the United States, critics will argue that sovereignty is incomplete. That is why European rivals use the phrase sovereignty washing.
The hyperscalers will respond that Europe risks confusing nationality with capability. They will argue that large-scale cyber resilience, rapid patching, threat intelligence, redundancy and mature security operations are themselves sovereignty-relevant, because a weak cloud is not sovereign in any meaningful sense. They will also warn that excluding global providers could slow AI adoption and raise costs for taxpayers.
That counterargument will land with some member states. Countries with smaller IT budgets, urgent modernization needs or heavy dependence on existing Microsoft and cloud ecosystems may resist hard restrictions. Governments that see Russia, cybercrime and infrastructure sabotage as immediate threats may prioritize proven resilience over industrial-policy purity. Europe’s internal split may be less “pro-US versus anti-US” than “security through autonomy versus security through capability.”
That matters because AI systems are not passive databases. They process sensitive inputs, generate operational recommendations, automate decisions and shape workflows. A government using cloud AI to analyze healthcare records, detect fraud, manage energy systems or support defence logistics is not merely renting servers. It is embedding external infrastructure into state capacity.
This makes sovereignty harder to define. A cloud workload can sometimes be localized. An AI stack may involve model providers, chip supply chains, training data, orchestration services, monitoring tools and cross-border support. Even if the data remains in Europe, the dependencies can extend far beyond a single region.
European policymakers understand this, which is why cloud sovereignty and AI capacity are now joined in the same political file. The EU wants more than compliant hosting. It wants the ability to develop, deploy and govern strategic computing capacity without relying entirely on companies whose investment priorities are set in Seattle, Redmond and Mountain View.
The problem is timing. Europe wants sovereignty in the same decade that AI infrastructure is becoming more capital-intensive. Building competitive cloud and AI capacity requires money, chips, energy, talent, software ecosystems and customers willing to tolerate transition costs. Procurement preferences can create demand, but they cannot instantly create hyperscaler-equivalent platforms.
That could be healthy if done well. Too many cloud migrations have treated legal control, exit planning and supply-chain dependency as secondary issues. A sovereignty lens forces organizations to ask harder questions before they are locked into a platform. Where is the data processed? Who administers the system? Which legal entity controls the service? What happens if a foreign order conflicts with EU obligations? How portable is the workload if policy changes?
It could also become a mess. European public procurement is already slow and complex. Adding sovereignty scoring without clear templates could produce conservative buying, consultant-driven paperwork and uneven implementation across member states. Some agencies may overclassify workloads to avoid risk; others may underclassify them to preserve access to favored tools.
The best version of the policy would create tiers. Ordinary workloads could continue to use a broad range of certified cloud providers. Sensitive workloads would require stronger contractual, technical and operational controls. Highly critical workloads would face the strictest sovereignty requirements, potentially favoring European-controlled providers or tightly governed consortia. That approach would preserve choice while acknowledging that not all government data carries the same risk.
The worst version would blur everything. If nearly all public-sector cloud becomes “critical,” the EU risks creating a procurement bottleneck before European capacity is ready. If almost nothing qualifies, the policy becomes theater. The success of the proposal will depend less on the headline and more on the boring machinery of classification.
There will likely be a middle outcome. US hyperscalers will remain deeply embedded in Europe, especially for commercial customers, ordinary public-sector workloads, developer platforms and AI services where capability dominates procurement. European providers will gain more protected opportunities in sensitive government and critical-infrastructure niches. Hybrid and multi-cloud architectures will become the politically acceptable compromise, even when they are technically and financially awkward.
That compromise may be the point. Brussels does not need to eliminate US providers to reduce dependency. It needs to prevent a world in which every critical European digital function eventually runs through a handful of non-European cloud platforms. Sovereignty policy is partly about creating alternatives before a crisis proves they were needed.
The danger is that Europe underestimates how hard it is to build those alternatives. Cloud is not just data centers. It is automation, APIs, security operations, observability, developer trust, partner ecosystems, procurement muscle and a culture of relentless platform iteration. A protected market can nurture providers, but it can also shelter mediocrity if customers are forced to buy services that lag behind global standards.
That is why the proposed rules should be judged by whether they raise European capability, not merely whether they redirect contracts. If sovereignty becomes a synonym for local incumbency, it will fail. If it creates demand for secure, interoperable, high-performing European infrastructure, it could change the market over time.
Brussels Moves the Sovereignty Debate From Speeches to Purchase Orders
For years, European officials have talked about digital sovereignty as if it were a destination everyone supported and nobody had to pay for. The cloud proposal changes the argument because procurement is where slogans meet budgets, incumbents and operational risk. If a public authority must evaluate whether a supplier is exposed to foreign legal control, whether it depends on non-European components, and whether its operations can withstand geopolitical pressure, the cloud contract stops being a commodity purchase.That is why this reported draft matters more than another Brussels white paper. Amazon, Microsoft and Google are not merely vendors in the European cloud market; they are the infrastructure layer beneath public administration, regulated industry, research, healthcare, banking and increasingly AI. They bring scale, security engineering, developer ecosystems and service catalogs that few European competitors can match. They also bring a jurisdictional problem that no amount of branding can entirely erase.
The Commission’s apparent move is therefore not a sudden anti-American lurch. It is the logical next step in a decade of European concern about data protection, strategic autonomy and the mismatch between where data is stored and who may ultimately compel access to it. The EU has already built a dense legal environment around privacy, cybersecurity, platform regulation and data governance. Cloud procurement is where those laws become operational.
The central question is not whether Europe can survive without US hyperscalers. In the near term, it plainly cannot. The harder question is whether the most sensitive parts of government and critical infrastructure should be architected around companies subject to non-EU law, even when those companies operate European regions, hire European staff and wrap their services in sovereign-cloud commitments.
The Hyperscalers Are Too Useful to Ban and Too Powerful to Ignore
The European cloud market has a structural imbalance that policymakers can describe but not easily reverse. AWS, Microsoft Azure and Google Cloud offer computing scale, global networks, advanced security services, AI infrastructure, developer tools and compliance machinery that took years and staggering capital expenditure to assemble. European providers can be strong in hosting, managed services, private cloud, specialized compliance and local support, but the hyperscalers define the market’s technical baseline.That dominance gives public buyers a practical reason to stick with them. A ministry moving legacy systems to cloud wants proven resilience. A hospital network wants managed databases, identity services and disaster recovery. A defence contractor wants secure collaboration, analytics and access controls. A government AI program wants accelerators, orchestration tools and model-management infrastructure. In each case, the hyperscalers can say they already have the platform, the certifications and the staff.
But usefulness is not neutrality. Once a government builds its workflows around a particular cloud ecosystem, exit becomes expensive. Data formats, identity systems, security tooling, automation scripts, analytics services and AI pipelines all deepen the relationship. A supplier that begins as a cheaper or faster infrastructure provider can become a strategic dependency.
That is the dependency Brussels is trying to price into procurement. Traditional public tenders reward cost, capability, reliability and compliance. The reported approach would add a more political category: whether a provider is sufficiently insulated from non-European legal claims and strategic leverage. For cloud providers, that is an uncomfortable test because it reaches beyond data-center geography into ownership, control and legal exposure.
This is also why the proposal is likely to be fought in the details rather than the headlines. Nobody needs to say “ban Microsoft” for a procurement rule to disadvantage Microsoft. A tender can remain formally open while weighting sovereignty criteria in a way that makes US-controlled providers hard to select for highly critical workloads. In Brussels, the most consequential market-access fights often hide inside scoring matrices.
The CLOUD Act Is the Shadow Over Every Sovereign-Cloud Pitch
The US CLOUD Act is not the only reason Europe is uneasy about American hyperscalers, but it has become the cleanest symbol of the problem. The concern is straightforward: a US-based provider may be subject to legal demands from US authorities even when the data is stored outside the United States, depending on the circumstances. For European policymakers, that creates a gap between data residency and true jurisdictional control.The hyperscalers have spent years narrowing that gap in commercial terms. They have built European data regions, created sovereign cloud offerings, partnered with local telecoms and integrators, added customer-managed encryption features, and promised more transparency around government requests. Microsoft, AWS and Google all understand that “your data stays in Europe” has become a sales requirement in the public sector.
Yet the draft approach reported by Reuters suggests Brussels may be unconvinced that these measures are enough for the highest-risk contracts. That does not mean every sovereign-cloud product is meaningless. It means the Commission may be preparing to distinguish between operational sovereignty — where the service is run locally, with local controls — and legal sovereignty, where foreign compulsion risk is minimized by ownership and governance.
That distinction is where the debate becomes sharper. A US provider can localize infrastructure, employ European administrators, allow encryption keys to be controlled in Europe and contract through an EU subsidiary. But if the parent company remains subject to US law, critics argue the residual risk remains. The providers counter that practical safeguards, legal challenge processes and technical controls matter more than nationality.
Both claims contain truth. Cloud security is not achieved by passport. A poorly run “European” cloud can be less secure than a well-run American one. But sovereignty is not only a security property; it is a power relationship. Brussels is asking who can ultimately order, interrupt, inspect or influence the systems that governments rely on.
Europe’s Cloud Rulebook Is Becoming a Market Instrument
The Commission has already signaled that it wants an EU Cloud Rulebook and guidance on public procurement of data-processing services. On paper, that sounds like bureaucratic harmonization: a single European framework for rules that cloud users and providers can understand. In practice, harmonization can become industrial policy when it determines who qualifies for sensitive work.That is the likely evolution here. Europe does not need to nationalize cloud infrastructure to reshape demand. It can tell public buyers that critical contracts must consider sovereignty risks, operational resilience, supply-chain exposure and the use of European-developed technology. Those criteria would push ministries, agencies and regulated sectors toward a different definition of value.
This is the part US tech companies will dislike most. They are accustomed to arguing that they meet or exceed European security and compliance requirements. They can point to certifications, audits, data residency controls, encryption options and vast operational experience. But a sovereignty-weighted tender asks a different question: not “are you secure?” but “are you controllable within Europe’s legal and political order?”
The reported Cloud and AI Development Act appears designed to make that question harder to avoid. If the Commission defines “highly critical” narrowly, the rule may affect only a limited number of sensitive government and infrastructure projects. If it defines the term broadly, the policy could reach far into public-sector IT, regulated industries and AI infrastructure. The fight over definitions may decide whether this becomes a symbolic carve-out or a major market intervention.
This also explains why European cloud providers have been pressing for stronger sovereignty language. They do not merely want fairness in abstract competition. They want procurement rules that recognize what they see as their comparative advantage: European ownership, European jurisdiction and closer alignment with EU law. Their challenge is proving that this advantage can coexist with the performance, reliability, developer tooling and pricing public buyers expect.
The Commission Is Trying to Avoid Calling Protectionism by Its Name
Brussels will frame the proposal as risk management, not protectionism. That argument is not frivolous. Governments routinely apply special rules to defence procurement, critical infrastructure, classified systems and national-security-sensitive supply chains. If cloud now performs functions once handled by state-owned data centers or tightly controlled contractors, it is reasonable for governments to scrutinize who controls that infrastructure.But the protectionism charge will not disappear just because the Commission uses security language. A rule that rewards European-developed hardware and software, or penalizes exposure to foreign legal orders, will predictably help European suppliers and hurt US incumbents in sensitive tenders. Washington is unlikely to view that as a neutral technical adjustment if major American firms are effectively pushed out of strategic public contracts.
The EU’s answer will be that the United States does the same thing in its own way. Washington has national-security procurement rules, export controls, foreign investment reviews and restrictions around sensitive technologies. China has built far more explicit technology sovereignty into its state procurement and industrial policy. Europe, by comparison, has often been the market most open to foreign platforms while regulating their behavior after the fact.
The new cloud approach would alter that posture. Instead of merely policing how global technology companies operate inside Europe, the EU would be shaping which companies are appropriate for certain public functions in the first place. That is a more muscular form of digital policy, and it will test whether member states are willing to accept the costs that come with strategic autonomy.
Those costs will not be theoretical. Public buyers may face fewer bidders, higher prices or more complex multi-cloud architectures. Some projects may take longer. Agencies that already run on hyperscaler platforms may need to segregate workloads by sensitivity, move certain datasets, or redesign procurement plans around sovereignty tiers. The political question is whether Europe considers those costs an insurance premium or an avoidable burden.
The Real Dispute Is Over Who Gets to Define “Critical”
The phrase “highly critical” will carry enormous weight. A narrow definition could cover classified systems, defence-related workloads, intelligence-adjacent platforms, emergency services, key public registries and certain critical-infrastructure operations. In that version, the proposal is a targeted safeguard, disruptive but defensible.A broader definition could cover large parts of public administration, healthcare, education, research, energy, transport, banking supervision and AI services used by governments. That would make the policy much more consequential. It would also create more legal and commercial uncertainty, because agencies would need to determine whether ordinary digital transformation projects cross into sovereignty-sensitive territory.
The ambiguity is not accidental. Policymakers often prefer broad language at the proposal stage because it gives them bargaining room. But cloud contracts are long-lived, expensive and technically sticky. If vendors and buyers cannot predict which rules apply, procurement slows down and lawyers become the first cloud architects.
That uncertainty could hurt European providers as well as US ones. Smaller European cloud firms may welcome sovereignty criteria, but they also need predictable demand, clear certification processes and realistic technical requirements. If “highly critical” becomes a moving target, public agencies may delay tenders rather than risk choosing the wrong supplier. Sovereignty policy that cannot be operationalized becomes another compliance fog.
The Commission’s recent work on sovereign-cloud evaluation suggests it understands this problem. A credible framework has to measure more than ownership. It needs to examine legal jurisdiction, operational control, supply-chain dependency, security standards, resilience, environmental requirements and the role of AI systems. That is a complicated scoring model, but without it the policy becomes either performative or arbitrary.
US Providers Will Try to Localize the Problem Without Surrendering Control
AWS, Microsoft and Google are unlikely to treat this as a simple lost market. Their strategy will be to prove that European sovereignty can be achieved through architecture, contracts and partnerships rather than exclusion. Expect more local operating models, more EU-based control planes, more encryption-key promises, more partnerships with European telecoms and defence contractors, and more language about customer control.Microsoft has already leaned heavily into European digital sovereignty commitments. Google has developed sovereign-cloud partnerships in Europe. AWS has promoted European sovereign cloud models and regional control mechanisms. These are not cosmetic moves; they reflect real customer demand and real regulatory pressure.
But the more Brussels emphasizes legal and ownership control, the harder it becomes for US hyperscalers to solve the problem without changing their corporate structures. A sovereign cloud operated by a European partner may reduce operational risk, but if core software, updates, support chains or parent-company obligations remain tied to the United States, critics will argue that sovereignty is incomplete. That is why European rivals use the phrase sovereignty washing.
The hyperscalers will respond that Europe risks confusing nationality with capability. They will argue that large-scale cyber resilience, rapid patching, threat intelligence, redundancy and mature security operations are themselves sovereignty-relevant, because a weak cloud is not sovereign in any meaningful sense. They will also warn that excluding global providers could slow AI adoption and raise costs for taxpayers.
That counterargument will land with some member states. Countries with smaller IT budgets, urgent modernization needs or heavy dependence on existing Microsoft and cloud ecosystems may resist hard restrictions. Governments that see Russia, cybercrime and infrastructure sabotage as immediate threats may prioritize proven resilience over industrial-policy purity. Europe’s internal split may be less “pro-US versus anti-US” than “security through autonomy versus security through capability.”
AI Raises the Stakes Because Cloud Is No Longer Just Storage
The Cloud and AI Development Act links two infrastructure questions that can no longer be separated. Modern AI depends on cloud-scale compute, specialized chips, vast data pipelines, model hosting, identity systems and developer platforms. If Europe is dependent on US cloud for sensitive public workloads, it may also become dependent on US infrastructure for public-sector AI.That matters because AI systems are not passive databases. They process sensitive inputs, generate operational recommendations, automate decisions and shape workflows. A government using cloud AI to analyze healthcare records, detect fraud, manage energy systems or support defence logistics is not merely renting servers. It is embedding external infrastructure into state capacity.
This makes sovereignty harder to define. A cloud workload can sometimes be localized. An AI stack may involve model providers, chip supply chains, training data, orchestration services, monitoring tools and cross-border support. Even if the data remains in Europe, the dependencies can extend far beyond a single region.
European policymakers understand this, which is why cloud sovereignty and AI capacity are now joined in the same political file. The EU wants more than compliant hosting. It wants the ability to develop, deploy and govern strategic computing capacity without relying entirely on companies whose investment priorities are set in Seattle, Redmond and Mountain View.
The problem is timing. Europe wants sovereignty in the same decade that AI infrastructure is becoming more capital-intensive. Building competitive cloud and AI capacity requires money, chips, energy, talent, software ecosystems and customers willing to tolerate transition costs. Procurement preferences can create demand, but they cannot instantly create hyperscaler-equivalent platforms.
Public Buyers Will Be Forced to Think Like Geopolitical Risk Managers
For IT departments, the most immediate impact may be procedural rather than ideological. Procurement teams will need to classify workloads more carefully. Architects will need to distinguish ordinary productivity systems from critical data-processing environments. Security officers will need to document jurisdictional exposure alongside more familiar controls such as encryption, identity management and incident response.That could be healthy if done well. Too many cloud migrations have treated legal control, exit planning and supply-chain dependency as secondary issues. A sovereignty lens forces organizations to ask harder questions before they are locked into a platform. Where is the data processed? Who administers the system? Which legal entity controls the service? What happens if a foreign order conflicts with EU obligations? How portable is the workload if policy changes?
It could also become a mess. European public procurement is already slow and complex. Adding sovereignty scoring without clear templates could produce conservative buying, consultant-driven paperwork and uneven implementation across member states. Some agencies may overclassify workloads to avoid risk; others may underclassify them to preserve access to favored tools.
The best version of the policy would create tiers. Ordinary workloads could continue to use a broad range of certified cloud providers. Sensitive workloads would require stronger contractual, technical and operational controls. Highly critical workloads would face the strictest sovereignty requirements, potentially favoring European-controlled providers or tightly governed consortia. That approach would preserve choice while acknowledging that not all government data carries the same risk.
The worst version would blur everything. If nearly all public-sector cloud becomes “critical,” the EU risks creating a procurement bottleneck before European capacity is ready. If almost nothing qualifies, the policy becomes theater. The success of the proposal will depend less on the headline and more on the boring machinery of classification.
Europe’s Cloud Gamble Will Be Measured in Migrations, Not Press Releases
The most concrete test will come when agencies start awarding contracts under the new rules. If European providers win sensitive workloads and deliver them reliably, Brussels will claim proof that sovereignty policy can build market capacity. If projects become more expensive, delayed or technically constrained, critics will argue that the EU sacrificed performance for symbolism.There will likely be a middle outcome. US hyperscalers will remain deeply embedded in Europe, especially for commercial customers, ordinary public-sector workloads, developer platforms and AI services where capability dominates procurement. European providers will gain more protected opportunities in sensitive government and critical-infrastructure niches. Hybrid and multi-cloud architectures will become the politically acceptable compromise, even when they are technically and financially awkward.
That compromise may be the point. Brussels does not need to eliminate US providers to reduce dependency. It needs to prevent a world in which every critical European digital function eventually runs through a handful of non-European cloud platforms. Sovereignty policy is partly about creating alternatives before a crisis proves they were needed.
The danger is that Europe underestimates how hard it is to build those alternatives. Cloud is not just data centers. It is automation, APIs, security operations, observability, developer trust, partner ecosystems, procurement muscle and a culture of relentless platform iteration. A protected market can nurture providers, but it can also shelter mediocrity if customers are forced to buy services that lag behind global standards.
That is why the proposed rules should be judged by whether they raise European capability, not merely whether they redirect contracts. If sovereignty becomes a synonym for local incumbency, it will fail. If it creates demand for secure, interoperable, high-performing European infrastructure, it could change the market over time.
The Contract Fine Print Is Where Digital Sovereignty Becomes Real
The near-term lesson for WindowsForum readers is practical: cloud strategy is becoming regulatory strategy. Administrators and IT leaders in Europe, and vendors selling into Europe, should assume that public-sector cloud decisions will increasingly be reviewed through sovereignty, resilience and jurisdictional-control lenses.- Public-sector buyers should begin mapping which workloads are ordinary, sensitive and highly critical before new procurement rules force the exercise under deadline pressure.
- Organizations using US hyperscalers for sensitive European workloads should review data flows, support access, encryption-key control, subcontractors and exit plans.
- European cloud providers have a policy opening, but they will need to prove they can meet government expectations for scale, reliability, security and price.
- US cloud providers will likely respond with deeper European operating models, but those models may not satisfy regulators if ownership and legal control remain the decisive tests.
- The biggest fight will be over definitions, because the meaning of “highly critical” will determine whether this is a narrow safeguard or a broad market shift.
- AI infrastructure will make the issue harder, because sensitive public-sector computing increasingly depends on cloud platforms, accelerators and model services that cross traditional procurement categories.
References
- Primary source: EU Today
Published: 2026-06-02T08:30:10.228494
EU Cloud Rules Could Restrict US Big Tech Access to Sensitive State Contracts - https://eutoday.net
According to a Reuters report based on draft documents, the European Commission plans to introduce strict criteria for “highly critical” state tenders under
eutoday.net
- Related coverage: digital-strategy.ec.europa.eu
Cloud computing
The European Commission aims to provide European businesses and public authorities with access to secure, sustainable and interoperable cloud infrastructures and services.digital-strategy.ec.europa.eu
- Related coverage: commission.europa.eu
Commission launches a new procurement process for Cloud Services
DG Digital Services (DIGIT) of the European Commission launches CLOUD III DPS, a new dynamic purchasing system (DPS) for multi-tenant IaaS/PaaS cloud services.commission.europa.eu
- Related coverage: edps.europa.eu
Guidelines on the use of cloud computing services by the European institutions and bodies
The EU institutions, bodies and agencies (“the EU institutions”) have been considering the use of cloud computing services because of advantages such as costs savings and flexibility gains. They are nevertheless faced with the specific risks that the cloud computing paradigm involves and remain...www.edps.europa.eu
- Related coverage: competition-policy.ec.europa.eu
Cloud
Approved IPCEI Next Generation Cloud Infrastructure and Servicescompetition-policy.ec.europa.eu
- Related coverage: marketscreener.com
EU cloud rules to curb Amazon, Google access to strategic tenders, draft document shows
Europe plans to propose strict criteria for cloud computing services in highly critical state tenders that could exclude Amazon, Microsoft and Google from such projects, according to documents seen by...www.marketscreener.com
- Related coverage: data.europa.eu
Cloud computing in the Digital Decade: Building Europe’s digital future | data.europa.eu
Cloud computing is the delivery of digital services, such as data storage, processing and software, over the internet rather than through local servers or personal devices. It allows users to access powerful computing resources on demand, enabling faster innovation, better scalability and more...data.europa.eu
- Related coverage: techradar.com
Dozens of European cloud CEOs call for real tech sovereignty ahead of Cloud and AI Development Act | TechRadar
CISPE warns of "sovereignty washing"www.techradar.com - Related coverage: itpro.com
European Commission awards digital sovereignty contracts, backs Google Cloud involvement
The Commission has picked four providers to offer services for EU bodies, but one consortium includes Google Cloud
www.itpro.com
- Related coverage: tomshardware.com
Google, Microsoft, Meta, and Amazon capex spending to hit $725 billion in 2026, up 77% from last year — analyst says bear thesis is 'garbage'
Microsoft's CFO attributed $25 billion of its record capex budget to rising memory chip prices.www.tomshardware.com
- Related coverage: futurium.ec.europa.eu
- Related coverage: eulisa.europa.eu
