TL;DR
The European Commission has proposed a tech sovereignty package that restricts US cloud providers from processing sensitive government data and launches Chips Act 2.0 to build advanced semiconductor capacity in Europe. The Cloud and AI Development Act creates four sovereignty tiers for public-sector cloud use.
When the Trump administration sanctioned the International Criminal Court’s top prosecutor earlier this year, Microsoft cancelled his email account. The incident was brief and bureaucratic. It was also, for European policymakers, clarifying. If a single American company could cut off a senior international official’s communications at the stroke of a pen, what else could be switched off?
On Wednesday, the European Commission answered that question with legislation. Its tech sovereignty package, the most comprehensive attempt yet to reduce the bloc’s dependence on foreign technology, targets cloud computing, artificial intelligence, semiconductors, and open-source software in a single coordinated push.
“We want to be sure nobody has a kill switch,” Commission Executive Vice-President Henna Virkkunen told CNBC.
The cloud crackdown #
The centrepiece is the Cloud and AI Development Act, or CADA, which creates an EU-wide framework defining four tiers of cloud “sovereignty.” Public authorities will be required to assess how much of their infrastructure depends on non-EU firms and match their workloads to the appropriate tier.
The practical effect is significant. At the highest levels, providers must demonstrate ownership and control from within the EU, employ EU-national personnel, and prove independence from third-country legal jurisdictions. That last requirement is a direct shot at the US Cloud Act, which allows American law enforcement to request user data from US companies regardless of where it is stored. Meeting these criteria would be difficult, if not impossible, for Amazon Web Services, Microsoft Azure, and Google Cloud as they are currently structured.
The restrictions apply to sensitive public-sector workloads in healthcare, finance, and judicial systems. Private-sector cloud use is not affected.
Chips Act 2.0 #
The package also includes a successor to the EU’s original Chips Act, which entered into force in 2023. Chips Act 2.0 shifts emphasis from simply building fabrication plants to stimulating demand for European-made semiconductors and securing the design capabilities that currently sit almost entirely outside Europe.
The Commission said it would “prioritise” building a foundry for advanced semiconductor manufacturing within the bloc. Reports indicate a €30 billion facility capable of producing chips at the cutting-edge 3nm node is under discussion, with funding split between the Commission, member states, and private enterprises.
The revised strategy targets €120 billion in total investment by 2035. Whether that figure is achievable depends on political will that has historically wavered when it comes to the sustained, decade-long commitments semiconductor manufacturing demands.
Tripling data centre capacity #
CADA also sets an infrastructure target: tripling the EU’s data centre capacity within five to seven years, with the goal of fully meeting the needs of European businesses and public administrations by 2035. The Commission estimates this will require approximately €200 billion in mostly private investment.
To accelerate deployment, the Act will streamline permitting processes and identify suitable sites for new facilities. The ambition is to ensure that European organisations can run AI workloads on European infrastructure, rather than routing them through US hyperscaler data centres governed by US law.
The question is whether GPU-as-a-service arrangements and other intermediary structures will count as genuinely sovereign, or whether the Commission will require end-to-end European control of the hardware stack.
The gap between ambition and execution #
Europe has announced digital sovereignty initiatives before. The original Chips Act promised €43 billion to double the EU’s global semiconductor market share to 20% by 2030, a target that most analysts now consider unattainable. The €180 million sovereign cloud contract awarded earlier this year was a fraction of what US hyperscalers spend in a single quarter.
What makes this package different is its regulatory teeth. CADA does not merely encourage European alternatives. It restricts the use of non-EU providers for specific categories of government data, creating a compliance obligation that cannot be met by simply hosting American cloud services on European soil. The sovereignty tiers require structural independence, not just data residency.
The geopolitical logic is clear enough. As the Commission’s own framing puts it: “As geopolitical fragmentation deepens and supply chains are increasingly weaponised, technological dependencies are becoming strategic liabilities.” Whether Europe can build the industrial capacity to match that language is the question it has been asking itself for a decade. This time, at least, it has given itself a legal framework to try.