EU Tech Sovereignty Package: what it means for Cloud in Europe

What the package contains

It groups three legislative proposals.

The Cloud and AI Development Act (CADA) is the centrepiece. It introduces binding sovereignty requirements for cloud and AI services across the EU single market, defines which public-sector workloads must run on sovereign infrastructure, and targets tripling the EU's data centre capacity within five to seven years.

Chips Act 2.0 extends the original EU Chips Act with a focus on European semiconductor production to reduce supply chain exposure to non-European sources.

A new open source strategy sets a framework for open-source procurement and deployment in public-sector technology programmes.

The distinction from GDPR is worth spelling out: the GDPR set rules on how European data must be handled. CADA sets requirements on who controls the infrastructure that handles it.

Why Brussels has acted now

The US CLOUD Act, passed in 2018, authorises American law enforcement to compel any US-incorporated company to hand over data it holds, regardless of where that data is physically stored. Amazon, Microsoft, and Google are all US-incorporated. Their data centres in Frankfurt, Amsterdam, or Dublin do not place their operations beyond the reach of US law.

This creates a direct conflict with the GDPR, which prohibits transfers of personal data to foreign authorities without a valid legal basis. When both obligations apply at once, the cloud provider is caught between two legal systems, and US law has generally prevailed in practice.

What shifted in late 2025 and into 2026 was the political willingness to act on this, driven by transatlantic trade friction, data protection enforcement actions, and evidence that European public bodies were relying on infrastructure that could not guarantee GDPR compliance.

For the full legal breakdown, our earlier analysis covers the specific provisions and enforcement cases.

What CADA actually proposes

CADA is not a blanket ban on American cloud providers. It works through a tiered restriction model tied to the sensitivity of the data and the nature of the organisation handling it.

Public-sector organisations handling healthcare records, financial data, and judicial information will be required to use infrastructure that meets a defined sovereignty standard. AWS, Azure, and Google Cloud do not meet that standard as currently structured. They remain US-incorporated and therefore subject to US legal compulsion, regardless of where their servers sit.

CADA builds on the EU cloud sovereignty framework (published October 2025), which defines sovereignty effectiveness assurance levels, or SEAL:

• SEAL-2 (data sovereignty): operations managed by a European entity, but US-origin technology is permitted under a European operating structure.

• SEAL-3 (digital resilience): full independence from non-EU supply chains at the operational level, including software and control.

• SEAL-4: complete EU supply chain from hardware to software. No commercial provider has reached this yet.

The €180 million sovereign cloud tender awarded in April 2026 was the first live application of this framework. STACKIT, Scaleway, and the Post Telecom consortium (with OVHcloud and CleverCloud) each reached SEAL-3. Proximus, which partners with S3NS using Google-origin technology under European operational control, reached SEAL-2.

CADA also commits the EU to expanding European-operated data centre capacity by 2030, making sovereign alternatives practically available at scale, not just compliant on paper.

The 3 June vote: what it will determine

The package feeds into a vote on revised cloud procurement rules on 3 June 2026, which will determine how member state governments must weigh sovereignty when awarding cloud contracts.

The expected outcome is not a full exclusion of US hyperscalers, but a structural change to procurement criteria that requires contracting authorities to assess sovereignty alongside cost and performance. In practice, this makes it significantly harder for AWS, Azure, and Google Cloud to win contracts for sensitive workloads.

Member states with smaller domestic technology sectors have raised concerns about having adequate alternatives. The June vote will determine how much flexibility individual governments retain, but the direction is fixed by CADA regardless of the outcome.

Data residency is not cloud sovereignty

The key distinction in this debate is the one between data residency and genuine cloud sovereignty. It is also the distinction that American hyperscalers have the strongest commercial incentive to blur.

Data residency means your data is stored on servers physically within the EU. AWS, Azure, and Google all have European data centres. Your data sits there. The company operating those servers remains US-incorporated and subject to US legal process.

Cloud sovereignty means the infrastructure is operated by an entity that is not subject to foreign legal compulsion, controls its own technology stack, and cannot be ordered by a foreign government to disclose your data.

Earlier in 2026, 25 CEOs of European cloud providers wrote to the Commission warning against "sovereignty washing": rebranding US-controlled services with European compliance labels that do not change the underlying legal structure. They called on CADA to include a precise legal definition so that sovereignty cannot function as a marketing claim.

For a detailed look at how to test whether a provider actually meets the sovereignty standard, this analysis works through the specific legal criteria. For the broader regulatory background, our piece on why digital sovereignty can no longer be ignored has the full context.

What this means for your organisation

CADA focuses on the public sector initially. Private companies are not directly covered by the initial restrictions, but the practical reach extends further for three reasons.

Supply chain. If you provide technology services to healthcare organisations, financial institutions, courts, or government departments, sovereignty requirements on your clients will flow into their procurement criteria. A hospital that must use SEAL-3 infrastructure cannot contract a technology partner whose systems run on non-sovereign cloud.

Sectoral regulation. CADA aligns with the direction that the European Banking Authority, the European Health Data Space Regulation, and NIS2 have been moving independently. Organisations subject to DORA, NIS2, or sector-specific financial supervision should treat CADA as confirmation of where sectoral regulation is heading.

The timeline is concrete. The 27 May announcement and the 3 June vote give a defined legislative calendar. The question is no longer whether these requirements are coming, but when they reach your sector.

How Cyso Cloud approaches this

Cyso Cloud is Dutch-owned, European-operated, and not subject to the CLOUD Act. Our infrastructure is built on open source, meaning no proprietary lock-in and no foreign corporate structure above us.

We hold ISO 27001 and NEN 7510 certification. Our private cloud solutions and public cloud services, including Managed Kubernetes and GDPR-compliant object storage, run on open standards. You can review our certifications and security documentation at our Trust Centre.

If you want to understand where your current setup stands against the SEAL framework, or what a migration to CADA-compliant infrastructure would involve, we are happy to work through it with you.

The broader picture

Gartner puts worldwide sovereign cloud spending at $80 billion in 2026, with European spending growing 83 percent year-on-year. This is not demand created by the tech sovereignty package. It is demand that has been building for years, and that the package now formalises with regulatory obligation.

The 27 May announcement is the signal. The 3 June vote will be the mechanism. The requirement will follow.