The European Commission is preparing a new regulatory framework for cloud and AI services that could significantly advance EU cloud sovereignty and reshape how sensitive public-sector data is stored and governed across Europe.
According to an internal draft of the planned “EU Cloud and AI Development Act”, cited by Handelsblatt, military and healthcare data would in future be required to remain within European-controlled cloud environments.
The official presentation of the initiative is expected next week.
Four-tier sovereignty model to control data access
At the center of the proposal is a four-level sovereignty framework designed to classify cloud services based on control and risk. The assessment would take into account who operates the service, how supply chains and data processing are structured, where infrastructure is physically located, and how cybersecurity is ensured.
For highly sensitive sectors such as defense and healthcare, the draft sets strict requirements: data must be stored exclusively in cloud environments that are not accessible to foreign governments. These systems must also remain available and operational even in the event of geopolitical tensions, including sanctions or trade conflicts.
EU member states would be responsible for conducting their own sovereignty risk assessments and defining the required security levels for public-sector applications. The European Commission would provide overarching guidelines. In parallel, the EU plans to strengthen support for European semiconductor manufacturing as part of a broader strategy to reduce technological dependency.
AWS, Azure, Google Cloud: US hyperscalers remain part of the landscape
Despite its sovereignty push, the draft does not call for a general exclusion of major US cloud providers — a point likely to spark political debate. Providers such as Amazon Web Services, Microsoft Azure, and Google Cloud would remain available for public-sector workloads outside the highest protection categories.
The draft’s rationale is pragmatic: due to their dominant global market position, these hyperscalers are considered effectively irreplaceable for European administrations and businesses in the foreseeable future. Below the highest security tiers, AWS, Azure, and Google Cloud will therefore remain available as standard options for European public authorities. Against the backdrop of ongoing geopolitical tensions, however, legal frameworks such as the US Cloud Act, which can compel US companies to hand over data to US authorities even when it is stored in Europe, continue to raise concerns.