Brussels stands at a crossroads. The European Commission plans to present its Tech Sovereignty Package on May 27. That package could bar U.S. cloud providers from handling the most sensitive public sector information across the bloc.
Discussions inside the Commission focus on financial records, judicial documents and health data held by governments. Two officials told CNBC that the rules would limit exposure of such material to platforms run by companies outside the EU. They spoke anonymously because the talks remain private.
The proposals stop short of a total ban. Overseas firms could still win government contracts for less critical workloads. Yet the shift targets exactly those areas where control matters most. One official put it plainly. “The core idea is defining sectors that have to be hosted on European cloud capacity.”
This move builds on years of mounting worry. The 2018 U.S. CLOUD Act lets American authorities demand data from U.S. companies no matter where it sits. European leaders see that as a direct threat to their autonomy. Transatlantic tensions, sharpened under the current U.S. administration, have only accelerated the push.
Market realities make the change painful. American providers dominate. Amazon, Microsoft and Google together control roughly 70 percent of European cloud capacity, according to studies cited in recent coverage. Between 80 and 90 percent of sensitive workloads already run on their infrastructure. Switching won’t come cheap or fast.
But the Commission shows determination. A spokesperson described the package as “about Europe waking up and getting its act together.” It will include the Cloud and AI Development Act along with Chips Act 2.0. Both aim to nurture homegrown options through procurement and market support. The full package still needs approval from all 27 member states. Consensus looks far from guaranteed.
France offers a glimpse of what’s possible. Paris plans to replace Microsoft Teams and Zoom with its own Visio tool by 2027 for all state services. The government developed the platform internally. Officials there argue the most sensitive data demands providers free from foreign legal reach. Germany, the Netherlands and Italy have joined similar efforts to build shared digital infrastructure.
European cloud firms welcome the direction but fear half measures. They warn that loopholes could render the rules meaningless. Frank Karlitschek, CEO of German provider Nextcloud, spoke at a POLITICO event in early May. He predicted the law would include “a little nice exception at the end” allowing U.S. providers when local alternatives fall short. He called it a “back door” for an industry that already holds overwhelming share.
His concern echoes across the sector. Francisco Mingorance, secretary-general of the European cloud lobby CISPE, criticized a recent €180 million Commission tender. One winning project paired French firm Thales with Google Cloud. “They have labeled Google proprietary technology as a sovereign alternative,” Mingorance said in POLITICO. “This is an open door for Microsoft, Amazon — everybody.”
Joel Åberg, spokesperson for Sweden’s Evroc, went further. “When it comes to sensitive government data and workloads, partial sovereignty is not sovereignty.” He argued that definitions allowing foreign software on European hardware create false confidence while real risks remain.
The Commission has tested its approach. In April it awarded contracts for sovereign cloud services to supply EU institutions. Four projects won funding. The benchmark used eight criteria, from legal exposure to component origins. Yet the inclusion of U.S. partnerships has European executives on edge. They see survival at stake if their innovations still depend on technology they cannot fully control.
U.S. providers haven’t stood idle. Microsoft offers a Sovereign Cloud in partnership with local European firms. Amazon runs its European Sovereign Cloud. Google provides air-gapped options. These offerings try to address jurisdictional worries. Critics counter that parent companies remain subject to U.S. law. Data stored with them carries inherent legal risk.
Recent reporting adds urgency. A TechRadar article from May 12 noted the rules could disproportionately hit the three American hyperscalers that command about two-thirds of the global market between them. Smaller European players would gain breathing room. Implementation details remain fluid. Member state buy-in will shape the final form.
Broader context reveals contradictions. The EU pushes hard for control over government data. At the same time it requires Google or Apple accounts for upcoming digital ID and age verification systems on Android and iOS devices. Commenters on technology forums have pointed out the irony. One OSNews discussion thread highlighted how such mandates lock citizens into the very ecosystems Brussels seeks to limit in public administration.
History shows this isn’t new. European “data nativity” rules date back roughly a decade. Early efforts with Microsoft involved third-party operators for Azure regions to limit U.S. jurisdiction. Results proved mixed. Quality, cost and features often lagged. The current push aims higher. It seeks not just storage in Europe but genuine operational independence.
Industry voices on X echoed the debate this month. Posts highlighted the Tech Sovereignty Package as a direct response to CLOUD Act exposure. Some analysts predicted discomfort for organizations built around single hyperscalers. Multicloud strategies may become standard for public sector bids.
Thibaut Kleiner, the Commission’s director for future networks, framed the stakes at a May event. The law, he said, will ensure Europe does not become a technology “colony.” His words captured the mood in Brussels. Years of strategic dependence now look like vulnerabilities that could be exploited.
Yet practical hurdles loom. Building competitive European alternatives takes time, talent and capital. Procurement rules that overemphasize geography risk shutting out superior security or resilience offerings from non-EU firms, warned Guido Lobrano of the tech lobby ITI. French and German officials have signaled openness to criteria based on European control and added value rather than simple nationality.
The coming weeks will clarify intent. When the Commission releases its proposal, markets will watch how strictly it draws lines around sensitive categories. Cloud contracts already in place may receive grandfathering. New tenders could shift dramatically toward local capacity.
Private companies face no direct changes. The package leaves their cloud choices untouched. That distinction matters. It shields the broader economy from immediate disruption while focusing protection on state secrets and citizen data.
Success or failure will shape Europe’s digital future. Get the definitions right and homegrown providers could scale. Miss the mark with generous exceptions and the effort risks becoming another symbolic gesture. Either way, the conversation has moved past debate. Concrete rules are coming. American cloud leaders are on notice.
EU Prepares to Wall Off Sensitive Government Data From American Cloud Giants first appeared on Web and IT News.