EU Sovereignty Act Cuts US Cloud From State AI Data

Brussels just told Amazon, Microsoft, and Google that European hospitals, banks, and courts may soon be barred from running their most sensitive data on American clouds. The European Commission's new technological sovereignty package, unveiled on June 3, is built around a single anxiety that one official stated bluntly: the fear that a foreign provider could one day flip a kill switch. After fifteen years of writing rules for an internet it does not own, Europe is finally trying to legislate its way to control of the physical and digital stack underneath artificial intelligence.

What Actually Happened

On June 3, the European Commission proposed the European technological sovereignty package, a bundle of measures spanning semiconductors, cloud, AI, and open source. It contains four main pieces: a revised Chips Act billed as Chips Act 2.0, the Cloud and AI Development Act known as CADA, a Strategy for an EU Open Digital Ecosystem, and a Strategic Roadmap for Digitalisation and AI in Energy. The unifying goal is to cut Europe's structural dependence on foreign technology providers, a dependence the Draghi report quantified starkly: the EU relies on non European suppliers for more than 80 percent of its digital products, services, infrastructure, and intellectual property.

The most consequential component is CADA. It sets an explicit target to triple EU data center capacity over roughly five to seven years, streamlines permitting for new builds, and introduces sovereignty risk assessments for government procurement of cloud and AI services in sensitive sectors. The Act defines four assurance levels for cloud and AI sovereignty that public bodies must apply based on their own risk profile. On current drafts, the practical effect would restrict EU member states from using US cloud providers to process sensitive public sector data in healthcare, finance, and judicial systems. Private sector use, for now, is left untouched, a deliberate limit that keeps the proposal politically survivable.

Chips Act 2.0 marks a quieter but telling pivot. Where the original 2023 Chips Act poured subsidies into building fabrication plants, the revision shifts the emphasis to building demand for European made chips. It proposes the first EU open foundry for sub 3 nanometer manufacturing, with pilot production targeted for 2030 to 2033, and introduces Demand Accelerators that link chip producers to buyers through offtake agreements. The admission embedded in that pivot is important: simply funding factories did not create a market, so Brussels is now trying to manufacture the customers as well as the silicon. The package is, in effect, Europe conceding that its first industrial policy attempt fell short and trying again with sharper tools.

Why This Matters More Than People Think

The easy headline is that Europe wants to regulate American cloud giants again. The deeper shift is that sovereignty has moved from a talking point to a procurement mandate with teeth. For a decade European data rules, from GDPR to the Data Act, governed how information was handled but rarely dictated whose infrastructure it ran on. CADA crosses that line. By tying assurance levels to where and by whom sensitive public data is processed, Brussels is converting a vague desire for autonomy into binding purchasing criteria that could redirect billions of euros in government cloud spending away from AWS, Azure, and Google Cloud toward European providers.

The timing is not accidental. The package lands amid open European anxiety about American reliability under a transactional US administration, where access to critical technology feels increasingly contingent on political alignment. When a senior official frames the goal as ensuring nobody holds a kill switch, the subtext is a fear that cloud access, chip supply, or AI model availability could be weaponized in a future dispute. That fear is no longer theoretical for European leaders who watched export controls and tariffs become routine instruments of policy. Sovereignty, in this framing, is not protectionism dressed up in principle. It is insurance against a dependency that suddenly looks like a vulnerability.

The energy dimension of the package is the piece most observers overlooked, and it may prove the most strategic. The Strategic Roadmap for Digitalisation and AI in Energy ties the sovereignty push directly to the power crunch that AI is creating across Europe. Tripling data center capacity is impossible without a parallel surge in generation and grid investment, and Brussels appears to grasp that compute sovereignty and energy sovereignty are now the same problem. A continent that imports its chips, its models, and its electricity has no autonomy at all. By bundling energy planning into a tech package, the Commission is signaling that the AI buildout will be treated as critical national infrastructure, with the permitting speed and capital priority that designation implies, rather than as a private commercial matter left to whichever hyperscaler moves fastest.

For the hyperscalers, the financial exposure is real but bounded, and that boundary is the point of friction. Government and regulated industry workloads in healthcare, finance, and justice are among the most lucrative and sticky cloud contracts in Europe. Losing the most sensitive tier of that business would dent revenue and, more painfully, hand European competitors a protected market in which to build scale. The American response will likely be to expand sovereign cloud offerings, local data residency, and European operated subsidiaries, which they have already begun. The question is whether Brussels accepts a US provider wrapped in European governance, or whether assurance levels are written tightly enough to require genuinely European ownership.

The Competitive Landscape

The immediate European beneficiaries are the sovereign cloud contenders who have spent years arguing that data residency requires European ownership, not just European data centers. France's OVHcloud, Germany's Schwarz Digits and its StackIT platform, and the Franco German Gaia X project have all positioned for exactly this moment. Mistral, France's frontier model champion, stands to gain if sovereignty rules push European institutions toward European models for sensitive workloads. SAP, Europe's largest software company, has its own sovereign cloud ambitions. For all of them, CADA is the regulatory tailwind they have lobbied for, a chance to compete against American incumbents on terms that partly neutralize the Americans' scale advantage.

The historical parallel is Europe's Airbus strategy of the 1970s, when the continent decided it could not depend on American aerospace dominance and built a heavily subsidized champion to compete with Boeing. That bet took two decades and enormous public money before Airbus reached parity, and it succeeded only because governments guaranteed demand through national carriers in the early years. The Demand Accelerators in Chips Act 2.0 and the procurement mandates in CADA are the cloud and silicon versions of that playbook: use the state's buying power to give domestic players a guaranteed early market they could never win on open competition alone. Whether it produces an Airbus or an expensive failure depends entirely on execution.

The American incumbents are not standing still, and history suggests regulation often entrenches the very giants it targets. When GDPR raised compliance costs, the burden fell hardest on small competitors while Google and Meta absorbed it and consolidated share. Critics argue CADA could repeat that pattern: AWS, Microsoft, and Google have the capital to build European subsidiaries, hire local staff, and clear assurance audits, while genuinely European challengers lack the scale to serve a continent. The risk is that sovereignty rules become a checklist the incumbents simply satisfy, leaving Europe with the appearance of independence and the reality of the same three providers wearing local badges. Regulation aimed at the powerful has a long habit of calcifying their power.

Hidden Insight: Europe Is Buying Compute, Not Capability

The non obvious flaw in the entire package is that it confuses owning infrastructure with owning capability. Tripling data center capacity and building a sub 3 nanometer foundry addresses the physical layer, the gigawatts and the silicon. But the value in the AI stack increasingly sits in the models, the tooling, and the talent, and on those layers Europe remains thin. A continent can host every server and still depend entirely on American and Chinese model weights, American developer ecosystems, and American chip designs from Nvidia and AMD even if the wafers are etched in Europe. Sovereignty over the building is not sovereignty over what happens inside it.

This is the same trap that snared SoftBank's French data center buildout and every European cloud initiative before it. Europe is very good at attracting and regulating the capital intensive, low margin physical layer, the data centers, the fabs, the power. It is structurally weak at the high margin intelligence layer, the frontier labs and the platform ecosystems where the rents actually accumulate. CADA pours public will into the layer Europe can control while doing comparatively little about the layer that matters most. The risk is a continent that owns the world's most regulated, most sovereign, and least valuable slice of the AI economy, hosting everyone else's intelligence on impeccably compliant European soil.

There is a sharper second order danger in the open foundry timeline. Pilot production for sub 3 nanometer chips is targeted for 2030 to 2033, which in semiconductor terms is a generation behind. TSMC and Samsung will be deep into 1 nanometer class processes by then, and Nvidia's roadmap will have moved several generations beyond whatever the EU foundry first yields. Building a domestic foundry that arrives perpetually one or two nodes behind the leading edge produces sovereignty in the most expensive and least useful form: a strategic asset that cannot actually serve the cutting edge AI workloads it was meant to liberate Europe from depending on. The bear case is a 20 billion euro fab that is obsolete the day it opens.

The uncomfortable truth the package dances around is that genuine technological sovereignty may simply be unaffordable for a continent that already spends less on AI than a handful of American firms do individually. Matching the combined capital expenditure of Microsoft, Google, Amazon, and Meta, which together commit hundreds of billions of dollars a year, would require a level of coordinated European investment that the bloc's fragmented budgets and 27 national vetoes make almost impossible. Brussels is attempting to legislate an outcome that ultimately requires capital and unity it does not have. The package may succeed in raising the floor of European capability while quietly failing at its stated goal of independence, which is a meaningful outcome but not the one the press release promises.

What to Watch Next

Over the next 30 to 90 days, watch the lobbying war over how tightly the four CADA assurance levels are defined. The entire impact hinges on whether the top tier requires genuinely European ownership or merely European data residency, a distinction worth billions to AWS, Azure, and Google Cloud. Expect intense pressure from both the hyperscalers and from member states like Ireland and the Netherlands, whose economies benefit from hosting American cloud operations and who have historically resisted rules that threaten that arrangement. The first draft text of the assurance criteria will reveal whether this package has teeth or is sovereignty theater.

Across 180 days and into 2027, track the legislative passage through the European Parliament and Council, where 27 member states with divergent interests must agree. Watch whether the Demand Accelerators in Chips Act 2.0 attract real offtake commitments from European chip buyers, because without guaranteed demand the open foundry is a subsidy in search of a customer. Watch also for the American diplomatic and trade response, since restricting US cloud providers from public contracts could trigger retaliation in a tense transatlantic trade environment. The clearest signal of seriousness will be the first major national government, likely France or Germany, that actually moves a sensitive workload off a US cloud onto a European one.

The mental model for judging this is to ask whether each measure builds demand or merely supply. Europe's past industrial policy failures, including the original Chips Act, poured money into supply, the factories and capacity, while ignoring whether anyone would buy the output. The smartest parts of this package, the Demand Accelerators and the procurement mandates, finally use the state as a guaranteed customer, which is how Airbus and early Silicon Valley defense contracts actually worked. If the final law preserves those demand side tools, Europe has a real shot at building viable champions. If they are watered down to placate trade partners and budget hawks, the package becomes another expensive monument to the gap between European ambition and European capability.

Europe can legislate sovereignty over every server on the continent and still rent its intelligence from California, because owning the building was never the same as owning what thinks inside it.

---