Thought Leadership
Health, judicial, and financial data held by public authorities is set to be hosted on European infrastructure. A blanket ban on AWS, Azure, and others is not on the table.
Brussels is tightening its grip on cloud usage in the public sector. According to a CNBC report citing two unnamed European Commission officials, the body is currently weighing how to shield particularly sensitive administrative data from access by non-European providers. At stake is health, judicial, and financial information processed by authorities and public-sector bodies in the member states.
Sovereign infrastructure instead of hyperscalers
Rather than imposing a blanket exclusion of foreign providers, the Commission is reportedly opting for a tiered approach. Depending on how sensitive the data in question is classified, varying requirements would apply to the cloud environment used. Providers from third countries, including the dominant US corporations, would not be ruled out of public contracts altogether. In certain sectors, however, they would effectively no longer play a role.
One official described the underlying idea to CNBC as defining specific areas in which European capacity simply has to be used. The deliberations are not yet final, however. Private companies will explicitly not be subject to the rules, the sources said.
Part of a wider package
The plans are embedded in the Tech Sovereignty Package, which the Commission has scheduled for 27 May 2026. It includes, among other things, the Cloud and AI Development Act (CADA) and the Chips Act 2.0. Both initiatives aim to promote European in-house development in data centres, cloud services, and semiconductors. Before any of this enters into force, all 27 member states would need to give their approval.
A Commission spokesperson declined to confirm the specific plans when asked by CNBC. She did indicate, however, that the goal is to enable more competition in the cloud and AI services market and to strengthen sovereign offerings, including through public procurement.
Cloud Act as a sore point
Political pressure has grown noticeably in recent months. As long as US providers remain subject to the 2018 Cloud Act, American law enforcement agencies can in principle access data stored with these companies. That holds true even when the servers themselves are located in a European data centre. With tensions running high between the EU and the second Trump administration, this arrangement has become untenable for many capitals.
Several governments have already started to break free from this dependency. France, for instance, unveiled its own video conferencing solution called Visio in January, which is set to replace Microsoft Teams and Zoom across the entire administration by 2027. Back in February, European governments confirmed to CNBC that they were ramping up their budgets for digital sovereignty and increasingly looking for open-source or homegrown alternatives.
Tenders are already under way
The Commission itself awarded a framework contract worth 180 million euros to four providers in April, tasked with supplying EU institutions with sovereign cloud services. One detail stands out: one of the selected consortia is a joint venture between French group Thales and Google Cloud. The arrangement illustrates how hard Europe finds it to replace US technology outright in the short term, at least without embedding it in a European legal structure.
Whether CADA and the sovereignty package can resolve this tension is unlikely to become clear before 27 May, and even then only after the usual rounds of negotiations with the Council and Parliament.
