The European Commission today put cloud sovereignty on the legislative track. As part of a broader Tech Sovereignty Package published on June 3, Brussels proposed a Cloud and AI Development Act that would restrict foreign providers from bidding on state tenders in sensitive sectors, while setting an explicit target to triple EU data center capacity over the next five to seven years. The package frames sovereignty as both an industrial policy and a procurement instrument, and it is the most concrete signal yet that the second Von der Leyen mandate intends to use buying power to reshape the European cloud market.
The political timing is not subtle. The act lands two days after a coordinated open letter from thirteen European technology firms and seven Greens/EFA MEPs, and one day after AWS pre-empted publication with a blog post arguing the rules would hurt European startups. Three audiences are moving at once: Brussels publishing legal text, European challengers asking for enforceable criteria, and the US hyperscalers defending market access in regulated verticals where their European revenue is concentrated. For any team running banking, energy or healthcare workloads on AWS, Azure or Google Cloud, the procurement calculus changes from this week forward, regardless of when the act formally clears Council.
Inside the assessment criteria for sensitive verticals
The headline mechanism is a single EU-wide framework to assess cloud and AI sovereignty. According to the Commission's draft, qualifying providers in sensitive verticals, named today as banking, energy and healthcare, will need to demonstrate that core software and hardware are developed in the EU. Assessment criteria include levels of data protection, the degree of third country control over data and services, and reciprocity in foreign markets. The Commission is keeping the language deliberately broad, with the stated intention of keeping most of the market open to like-minded partners, but the verticals it has chosen cover the bulk of where European public sector cloud spend actually lands.
Crucially, the Commission also proposes acting as a central purchasing body for member states and EU institutions buying cloud and data center capacity. That is the structural change worth tracking, because it shifts negotiating uses from twenty seven fragmented national tenders to a single counterparty in Brussels. The 180 million euro sovereign cloud services contract awarded earlier this spring to four European providers already showed where the procurement winds were blowing, and centralised purchasing would let the Commission repeat that model at much larger scale across health systems, regulators and energy operators.
Thirteen European providers warn against sovereignty washing
The political signal was reinforced by a parallel open letter from thirteen European firms including OVHcloud, Proton, Nextcloud, Mastodon, Ecosia, Clever Cloud and Cloud Temple, co-signed by seven Greens/EFA MEPs led by co-president Terry Reintke. The signatories argue that the current framework is "incomplete in its implementation and insufficient in its effect" and that non-European providers operate at a "structural advantage that exempts them from the standards Europe expects of its own actors."
The most operationally useful line in the declaration is its sixth principle, which warns against "sovereignty washing" and demands that any sovereignty claim be grounded in enforceable criteria: genuine operational control, privacy, transparency, interoperability, and legal independence from non-democratic jurisdictions. That language is almost certainly going to migrate into tender evaluation grids. Procurement officers in Paris, Berlin and Madrid now have a politically endorsed checklist they can paste into the qualification section of a framework agreement, and challenger providers have a vocabulary they can use to file complaints when an incumbent claims sovereignty without meeting those tests.
How AWS, Microsoft and Google are framing the pushback
The US hyperscalers are reading the same signal. AWS pre-empted the publication with a June 2 post titled "Why applying the DMA to cloud would regulate away EU competitiveness and resiliency," arguing that "regulation should be shaped by what companies do, not where they come from." The post warned that increased regulation would slow European access to new AI and cloud capabilities, raise costs for startups, and push infrastructure investment to other regions. Microsoft and Amazon both declined to comment to Reuters on the act itself, and Google has stayed silent, which is a tell in itself. Expect coordinated written submissions during the Council reading rather than press statements over the next two weeks, with the heaviest lobbying focused on narrowing the definition of "sensitive sectors" and on carving out joint ventures with European partners as a route to compliance.
What this means for European procurement teams we advise
For the technology leaders we work with at retailers, banks and energy companies, the question is not whether the act will pass in its current form. Unanimous Council backing plus Parliament approval is a tall order, and we expect at least eighteen months of negotiation before a final text. The more useful question is how procurement officers respond in the meantime, and the answer is already visible in draft frameworks circulating in France and Germany: sovereignty clauses, audit rights and country-of-origin attestations are appearing in tender language now, well before adoption.
Our position on the AWS, Azure and Google Cloud account conversation is direct. We are telling clients to ask, in writing, for an EU sovereignty roadmap with concrete dates against the developed-in-the-EU criteria, and to treat any answer vaguer than a named product SKU and a target quarter as a negative signal worth pricing into renewal. We are also recommending a parallel paid pilot, capped at 250,000 to 500,000 euros over twelve months, with at least one qualifying European provider such as OVHcloud, Scaleway or IONOS. The point is not to migrate. The point is to hold a credible second-supplier option when the 2027 renewal cycle opens, because contracting from zero against a forty percent incumbent premium is a losing negotiation. Retail peers including Carrefour, Ahold Delhaize and Schwarz Group already operate workloads adjacent to regulated finance and energy counterparties, and the integration layer is where inherited sovereignty obligations will bite first.
The Council vote in late 2026 sets the real deadline
The act now goes to Council working groups through the summer, with a first orientation debate expected at the Telecoms Council in late 2026. If that debate produces a qualified majority in favour of the central purchasing body provision, the negotiating position hardens and the hyperscalers will need to commit to EU joint ventures or accept exclusion from the next wave of public banking and health tenders, worth several billion euros annually. If the debate stalls on the unanimity requirement, the Commission falls back on the 180 million euro contracting model and expands it incrementally, which produces the same outcome more slowly. Either path makes a written sovereignty roadmap from each incumbent provider a non-optional artefact for any EU public sector cloud plan dated 2027 or later, and any architecture team that waits for the final legal text will be negotiating from a weaker position than the one available today.
