The European Union has now published a set of measures aimed at boosting Europe’s tech industry to help reduce reliance on US and Chinese suppliers for AI, cloud, and semiconductors. The proposals include rules to restrict the use of US hyperscalers for certain public sector procurement purposes, but stop short of banning them outright.
“Technological sovereignty does not mean protectionism. Europe remains grounded in openness, partnership, and fair competition,” Henna Virkkunen, executive vice president for Tech Sovereignty, Security and Democracy, said in a statement Wednesday. “At the same time, Europe wants to be in the position to make its own choices, avoiding dependence on single dominant suppliers, especially from non-like-minded countries.”
The European Technological Sovereignty Package — released after several delays — includes two legislative proposals: the Cloud and AI Development Act and Chips Act (CAIDA) 2.0 and the Open Source Strategy and Strategic Roadmap for Digitalization and AI in Energy.
CAIDA aims to triple data center capacity in the next five to seven years by easing restrictions for deployments across the EU. It also includes rules that, if enacted, would require EU public bodies to meet certain sovereignty criteria for cloud service procurement related to certain sensitive workloads.
Amid ongoing trans-Atlantic tensions and a long-time deep reliance on US tech providers, European organizations have become increasingly wary of a “kill switch” that would cut off access to digital services. There are also concerns that US hyperscalers could be compelled to share data with US government under the CLOUD Act and Foreign Intelligence Services Act (FISA), even when data centers are located in Europe.
The CAIDA proposals include four levels of criteria for suppliers; the most basic includes data center infrastructure located and operated in the region – something many US cloud suppliers already provide – with stricter rules around supplier ownership, full control over the software stack, and more stringent cybersecurity certification.
The majority of existing EU public sector workloads (70%) fall under the first level, with 20% at level 2, and 9% at level 3. Only a small proportion (1%) of the most sensitive workloads would require level 4.
Other proposals include the Chips Act 2.0, a follow-up to the 2023 legislation that sought to improve semiconductor production capabilities; the updated version now aims to boost research and spur demand for domestically produced processors.
The legislative proposals must be negotiated by the European Parliament and Council of the European Union before adoption.