# The Cloud Security Act Explained: What It Means for ASML and Europe > Source: > Published: 2026-06-30 10:12:48+00:00 Here is the loophole in plain terms. American rules block China from buying the most advanced AI chips outright. They have far less to say about a Chinese company simply renting time on those same chips through a US cloud provider, with the hardware sitting safely in a data centre somewhere outside China. Same computing power, no physical chip ever changing hands, and until now, very little stopping it. On 26 June 2026, Reps. **Josh Gottheimer** (D-NJ) and **John Moolenaar** (R-MI), who chairs the House Select Committee on China, [introduced](https://gottheimer.house.gov/posts/release-gottheimer-moolenaar-introduce-bipartisan-bill-to-close-loophole-in-advanced-ai-chip-export-controls) the** Cloud Security Act** to deal with exactly this. Gottheimer explained that: *“We can’t let our adversaries – especially China – dodge our export controls by simply renting what they can’t buy.”* ## What Is the Cloud Security Act? The Cloud Security Act is a bipartisan US bill that [targets](https://www.axios.com/2026/06/26/gottheimer-moolenaar-ai-cloud-security-bill) a specific weakness in existing chip rules: the gap between buying a chip and using one. Current export controls focus on the sale of advanced semiconductors. They were written for a world where getting your hands on computing power meant taking physical delivery of hardware. That world is gone. Today you can train a large AI model on chips you never see, never own, and never import, by renting capacity from a cloud provider. The bill is short and pointed. It doesn’t ban anything new or add fresh licensing paperwork. Instead, it changes what cloud providers are allowed to do when they spot something suspicious. ## How Does the Cloud Security Act Work? When a US cloud provider like **Amazon Web Services**, **Microsoft Azure** or **Google Cloud** suspects a foreign customer is misusing advanced AI compute, it currently has a strong reason to stay quiet. The **Stored Communications Act **[generally](https://www.webpronews.com/bipartisan-push-targets-cloud-loophole-in-ai-chip-controls/) bars companies from voluntarily handing customer records over to the government, which means a provider that reports suspicious activity could be exposing itself to legal risk. So, there is a perverse situation today. A cloud company might strongly suspect that a shell entity is renting compute to train models for a sanctioned customer, and yet reporting that suspicion could land the provider in legal trouble. Therefore, the safe move is silence. The Cloud Security Act removes that disincentive. It gives providers a legal safe harbour to flag suspected foreign misuse to the **Department of Commerce**, without fear of liability. Crucially, it does not force them to report. It simply makes it safe to do so when they choose to. The bet is that, given cover, most major US providers would rather cooperate than look the other way. ## Why Does the Cloud Loophole Matter? Because renting is nearly as good as owning when what you actually want is the computation, not the silicon. An advanced AI model is trained by running enormous calculations across thousands of high-end chips for weeks or months. Whether those chips sit in your own building or in a rented data centre on another continent, the model that comes out the other end is the same. For a country shut out of buying the hardware, cloud access is not a workaround at the margins. It is a complete substitute for the thing the export controls were meant to deny. That is why Washington has started treating cloud access as a national-security question in its own right, rather than an afterthought to the hardware rules. ## How Does the Cloud Security Act Fit With the MATCH Act? This is the part worth slowing down on, because the bill makes far more sense once you see what it sits next to. Washington has been quietly assembling a stack of measures, each covering a different layer of the AI supply chain. The [MATCH Act](https://mrkt30.com/match-act-explained-the-us-ban-on-asmls-china-chip-tools/) goes after the tools that make chips, which is why it landed so hard on **ASML’s** DUV equipment business. The** Remote Access Security Act**, which has already [passed](https://www.lw.com/en/insights/what-the-remote-access-security-act-means-for-export-controls-compliance-programs) the House, treats remote or cloud access to controlled chips as a regulated export in its own right. The Cloud Security Act fills the space between them by focusing on who gets to use the compute once it exists. Stacked together, the direction is very clear. Washington is moving away from reactive entity-list sanctions and towards proactive, ecosystem-wide control of the whole compute stack: the manufacturing tools, the chips themselves, and now cloud access to them. Ongoing **Bureau of Industry and Security enforcement**, which keeps tightening licence rules for Chinese-headquartered firms operating abroad, points the same way. The era of plugging single leaks is giving way to controlling the entire system. ## What Does the Cloud Security Act Mean for ASML and Europe? ASML is the obvious pressure point. It is already caught between US demands to limit its China sales and the simple fact that China remains a major customer. Every new layer of US control narrows its room to manoeuvre, and the Cloud Security Act signals that the frontier is still moving. The message to European firms is that this is no longer only about what hardware you can sell. It is increasingly about who is allowed to touch the infrastructure that hardware powers. You can read how this squeeze has built up in our coverage of [ASML’s role in European tech sovereignty](https://mrkt30.com/european-tech-sovereignty-asmls-crown-jewel-in-the-ai-race-2026/) and the [disputed EUV machine in China](https://mrkt30.com/us-claims-asml-euv-machine-in-china-asml-says-impossible/). There is a second, quieter problem for European cloud users. If Washington keeps treating cloud access to controlled chips as a form of export, as the Remote Access Security Act already does, then European companies running AI workloads through US-owned infrastructure may find themselves inside the reach of US export law whether they planned to be or not. Most of Europe’s AI compute still runs on American big tech. That dependence has always been a sovereignty talking point. Bills like this one turn it into a concrete operational question. Brussels has its own tools, the [EU ](https://mrkt30.com/eu-ai-act-august-2026-deadline-what-startups-need-to-know/)[AI Act](https://mrkt30.com/eu-ai-act-august-2026-deadline-what-startups-need-to-know/) and the Digital Markets Act among them, but the pace of US tightening is currently outrunning the EU’s ability to negotiate alignment. That gap is exactly where Europe’s tech champions are most exposed. ## What Happens Next? There are three things worth watching: **ASML’s next earnings call**. Any fresh US guidance on equipment or cloud-access rules tends to surface quickly in how ASML talks to investors, which makes its communications a reliable early signal of where the regulatory line is heading. **The European Commission’s response**. Brussels has stayed notably quiet on what the MATCH Act means for European exporters. If cloud access becomes a regulated export under US law, that silence gets harder to maintain. **BIS enforcement**. The Bureau of Industry and Security has been steadily tightening conditions on Chinese-headquartered firms with overseas arms. The cases to watch are the ones that test how broadly “cloud access” actually gets interpreted. For now, the Cloud Security Act still has to pass. But its direction of travel is unmistakable. The AI chip war has moved off the factory floor and into the cloud, and Europe is standing right in the middle of it. **See Also:** [European Tech Sovereignty: ASML’s Crown Jewel in the AI Race 2026](https://mrkt30.com/european-tech-sovereignty-asmls-crown-jewel-in-the-ai-race-2026/) [US Claims ASML EUV Machine in China: ASML Says Impossible](https://mrkt30.com/us-claims-asml-euv-machine-in-china-asml-says-impossible/) [MATCH Act Explained: The US Ban on ASML’s China Chip Tools](https://mrkt30.com/match-act-explained-the-us-ban-on-asmls-china-chip-tools/) ## Frequently Asked Questions **When was the Cloud Security Act introduced?** On 26 June 2026, by Reps. Josh Gottheimer (D-NJ) and John Moolenaar (R-MI). **Does the Cloud Security Act ban anything?** No. It gives US cloud providers legal cover to voluntarily report suspected foreign misuse of AI compute. It does not create a new ban or a mandatory reporting duty. **How is it different from the MATCH Act?** The MATCH Act restricts the export of chipmaking equipment, hitting ASML’s DUV tools. The Cloud Security Act targets access to the finished compute through the cloud. Different layers of the same supply chain. **Why does it matter for Europe?** It adds regulatory pressure on ASML and raises questions for European companies that run AI workloads on US-owned cloud infrastructure, which could be drawn into US export rules.