What the EU Is Actually Proposing
The framing of “banning US clouds” is a simplification that obscures what the European Commission is actually doing. The May 27 package is targeted and sector-specific — it does not propose removing AWS, Azure, or Google Cloud from all European public procurement. It proposes that three specific categories of public-sector data — financial records, judicial information, and health data — must be hosted on European sovereign cloud infrastructure.
According to Computerworld’s reporting on the package, the Tech Sovereignty Package includes the Cloud and AI Development Act (CADA), Chips 2.0, and a Cloud Sovereignty Framework with eight criteria (strategic, legal, operational, environmental) for qualifying public contracts. The Commission explicitly restricts the scope to public administrations — “in the private sector, there is currently nothing that can compel a company to choose European technology.”
The underlying rationale is the US Cloud Act. US law grants American authorities the right to demand data held by US companies, including data stored in European data centers. The GDPR provides some protection — the EU’s Schrems II jurisprudence has repeatedly challenged EU-US data transfer mechanisms — but the Cloud Act operates at the company level, not the data location level. A file stored in an AWS Frankfurt data center is potentially accessible to US authorities via AWS’s US corporate structure. European policymakers regard that as an unresolvable tension with data sovereignty for sensitive government records.
A concrete early signal: the HDH French public interest group switched from AWS to Scaleway for health data infrastructure, citing this regulatory trajectory. Deutsche Telekom’s T-Systems, Stack IT, and Proximus are among the European providers positioned to receive redirected procurement contracts. GCTi Cloud’s analysis confirms the April 2026 allocation of €180 million to four sovereign cloud projects as the first materialisation of this commitment.
The Market and Timeline Context
The Commission has already put money into this transition. In April 2026, it awarded €180 million over six years to four sovereign cloud projects. European spending on sovereign cloud services is expected to nearly double in 2026. The May 27 announcement will formalise the policy framework around what is already a moving commercial reality.
GCTi Cloud’s analysis of the proposed restrictions puts a sobering timeline on the transition: Commission officials have estimated 15+ years to fully reduce dependence on US technologies. The CADA regulation, like all EU regulations, will go through a legislative process — Council and Parliament — before becoming binding law. The May 27 package is a proposal, not an enacted regulation. Enterprises have time, but not unlimited time — and procurement frameworks aligned with the regulation’s direction now will be more resilient than those built in reactive mode after enactment.
The ghacks.net analysis notes that the scope question remains open: whether restrictions extend to cloud services that use European data centers but are operated by US companies (AWS Europe, Microsoft Azure Europe) or only to European-headquartered providers is a critical implementation detail that the package has not resolved.
Advertisement
What Enterprise Procurement Leaders Should Do Now
The uncertainty in the regulatory timeline is not a reason to wait — it is a reason to act in ways that are useful regardless of the exact outcome. A procurement strategy that is resilient to the CADA scenario will also be a better strategy under current GDPR requirements.
1. Map your public-sector contract data flows against the three sensitive categories
The three restricted categories — financial, judicial, health — are the starting point for the compliance assessment. Any enterprise with public-sector contracts in EU member states should map which data flows in those contracts touch these categories, which cloud services process them, and which provider operates those services. This mapping is needed for GDPR data processing documentation anyway. Done now, it becomes the baseline for CADA compliance readiness without additional cost.
2. Build contractual flexibility into upcoming cloud renewals
Cloud contracts signed in 2026 and 2027 that lock in a US provider for three to five years without migration-out provisions will be problematic if CADA enactment creates a compliance obligation mid-contract. Enterprises renewing AWS, Azure, or Google Cloud agreements for public-sector use cases should negotiate: a data portability clause guaranteeing export of data in open formats within 30 days of notice, a most-favoured-nation clause if the provider launches a European legal entity structure that qualifies under CADA criteria, and a regulatory change provision that allows termination or restructuring if applicable law changes. These are standard enterprise cloud contract terms that many legal teams fail to negotiate.
3. Evaluate European sovereign cloud providers as a second-source, not just an alternative
The typical enterprise reaction to a regulatory change is to seek a single alternative provider. That approach will create dependency on whichever European sovereign cloud provider wins public procurement tenders, replicating the concentration risk the regulation is designed to address. A more resilient architecture runs sensitive public-sector workloads on a European sovereign provider (T-Systems, OVHcloud, Scaleway, or national alternatives) while retaining US provider relationships for workloads not covered by the restriction. The eight-criteria Cloud Sovereignty Framework gives procurement teams an objective rubric for evaluating candidates.
4. Monitor the CADA legislative track as a leading indicator for private-sector extension
The package currently exempts private companies. But EU regulatory patterns suggest that public-sector restrictions often propagate to private sectors over 3–5 year cycles — GDPR, NIS2, and DORA all followed this trajectory. Enterprise risk teams should treat the CADA public-sector restriction as a leading indicator and begin scenario planning for a private-sector extension that could affect financial services, healthcare, and legal services companies regardless of public contract exposure.
The Antitrust Question
The Tech Sovereignty Package will not escape an antitrust challenge. AWS, Microsoft, and Google have each invested billions in European infrastructure — Azure alone operates data centers in 18 EU regions. Their legal teams will argue that a procurement restriction based on corporate nationality rather than technical or security criteria violates EU single-market principles and WTO non-discrimination rules.
The Commission’s counter-argument is that the Cloud Act creates a specific security externality that justifies the restriction under the same logic as the bloc’s defence procurement carve-outs. Whether that argument holds depends on how the CADA’s criteria are written — if the criteria are objective and performance-based (encryption standards, audit rights, jurisdiction of law) rather than nationality-based, the legal challenge is harder. The Commission’s allocation of €180 million to specifically European cloud projects suggests the political intent is to support European champions, but the legal text will need to be nationality-neutral to survive challenge.
For enterprise procurement teams, the antitrust uncertainty is a reason to follow the legislative track closely, not a reason to ignore the direction of travel. The EU has enacted landmark technology regulations (GDPR, DSA, DMA, AI Act, DORA) over sustained political opposition from US technology companies in every case. European sovereign cloud spending is expected to nearly double in 2026 — confirming that the market is already moving in the regulation’s direction ahead of formal enactment. The probability that the cloud sovereignty direction is abandoned is lower than the probability that it is enacted in some form.
Frequently Asked Questions
Will the EU Tech Sovereignty Package ban AWS and Azure completely in Europe?
No. The May 27, 2026 package targets only three specific data categories — financial, judicial, and health data — within public-sector contracts. Private companies retain freedom of provider choice. AWS, Azure, and Google Cloud continue operating across Europe and will remain dominant for the vast majority of enterprise workloads not covered by the public-sector restriction.
What is the US Cloud Act and why does the EU consider it a data sovereignty risk?
The US Cloud Act (2018) allows US law enforcement to compel US cloud providers to produce data stored anywhere in the world, including European data centers, under certain legal conditions. This creates a conflict with GDPR’s data protection principles because a file stored in an AWS Frankfurt facility is potentially accessible to US authorities via AWS’s US corporate structure — regardless of where the data physically sits. The EU views this as an unresolvable structural risk for sensitive government data.
Which European cloud providers are positioned to benefit from the CADA restrictions?
The Commission specifically funded four sovereign cloud projects in April 2026, with Deutsche Telekom’s T-Systems, Scaleway, Stack IT, and Proximus named. OVHcloud (France) and Ionos (Germany) are also positioned. These providers have built Cloud Sovereignty Framework certifications and have existing public-sector procurement relationships that the CADA framework would formally validate and prioritise.
—
Sources & Further Reading
🔗 Related Intelligence
EU Cloud and AI Development Act: How Europe’s Sovereign Cloud Rules Redraw Global Procurement
Sovereign Cloud Wars: Data Localization Mandates Collide with the US CLOUD Act
EU AI Factories: Compute Is Becoming Industrial Policy
