Commission’s sovereign cloud plan doesn’t push US hyperscalers out

The Commission’s long anticipated digital infrastructure law – the Cloud and AI Development Act (CAIDA), proposed on Wednesday as part of a wider tech sovereignty package – would ensure US cloud providers aren’t ousted from the European market.

The original impetus for CAIDA was to insulate critical EU data from Chinese and US extraterritorial laws and foreign government overreach – including the prospect of a digital “kill switch” being triggered by a hostile power, rendering vital online services unavailable.

The proposal revealed on Wednesday requires EU countries to assess risks to the accessibility and availability of their public administrations and draw up national plans to migrate their data to cloud services certified under four EU-harmonised “assurance levels”.

The first requires data to remain stored in Europe, a tier that effectively keeps the door open to US hyperscalers such as Google, Amazon, and Microsoft, all of whom already operate data centres located in the EU.

The second level requires that no foreign state can access the public-sector data, which is presented as a safeguard against “kill switch” risks. However, a senior EU official confirmed that US companies can still qualify, akin to how US-backed European entities were among those awarded a Commission tender in April.

The third is framed as requiring EU ownership and control – but the Commission can still recognise non-EU providers as “equivalent” through data adequacy-style arrangements.

This could potentially include US firms, given the Commission’s track record of not revoking EU-US data protection adequacy frameworks, despite major compliance doubts.

The fourth level requires full control of the entire technology stack – from hardware to software – a level of sovereignty that’s not currently met by any European provider.

The Commission estimates that around 70% of EU public data will fall under level 1; 20% under level 2; 9% under level 3; and roughly 1% – mainly defence-related data – under level 4.

Such a breakdown would leave US companies free to service all EU private-sector data and between 70%–99% – the vast majority – of public-sector data, depending on future political and organisational choices.

However, if 15% of public-sector data is ring-fenced for European providers, EU cloud alternatives could reach sufficient scale to compete with US hyperscalers, France’s OVHcloud CEO Octave Kalba told Euractiv in January.

While CAIDA risk assessments are mandatory, the implementation of national cloud migration plans is left to individual EU countries, potentially weakening incentives to ditch US providers.

A senior Commission official also said CAIDA aims to drive Europe’s data-centre energy demand to 60GW by 2035 – about 5x current installed capacity.

(nl)