A vote scheduled for June 3 in Brussels is poised to reshape how European public sector bodies procure cloud infrastructure. The European Commission’s proposed Cloud and AI Development Act – known by its working acronym CADA – would introduce strict eligibility criteria for cloud providers bidding on “strategically sensitive” government contracts across the EU, with rules that Amazon, Google, and Microsoft may struggle to meet in their current corporate structures.
EU tech commissioner Henna Virkkunen will present the act as part of a broader package of measures aimed at reducing European dependence on US technology infrastructure. The timing is pointed: it comes the same week as Microsoft’s Build 2026 conference and follows months of mounting political pressure from EU member states concerned about the reach of US surveillance legislation.
What the proposed rules would restrict
The draft document, leaked to Reuters and confirmed by multiple European outlets, introduces tiered procurement criteria for cloud services used in what the Commission classifies as highly critical state infrastructure. The targeted sectors are banking, energy, and healthcare – precisely the sectors subject to DORA and NIS2 – though the criteria could extend to other regulated domains through delegated acts.
Under the proposed framework, cloud providers bidding on sensitive government contracts in these sectors would need to demonstrate:
- That they are not subject to laws of non-EU jurisdictions that could compel data disclosure without a European legal process (a provision directly targeting the US Cloud Act)
- That their ownership, management, and data processing chains are sufficiently under EU governance
- That priority is given to software and equipment developed in the EU
Providers that cannot demonstrate these criteria would be excluded from tender eligibility – not banned from the European market generally, but barred from winning the highest-sensitivity public procurement contracts.
Why the US Cloud Act is the trigger
The US Cloud Act of 2018 requires US-based companies to comply with US government demands for data stored on their servers, regardless of where those servers are physically located. For AWS, Azure, and Google Cloud – which together hold approximately 70 percent of European cloud infrastructure – this creates a structural problem for European data sovereignty advocates.
Even with EU data residency options and EU-specific compliance certifications, these providers remain US entities subject to US law. European regulators and national security advisors have long argued that this creates an irresolvable tension: data stored in a Frankfurt AWS data centre is still potentially accessible to US authorities under the Cloud Act, regardless of GDPR commitments.
CADA is the regulatory instrument designed to make that tension an explicit procurement risk rather than a theoretical concern.
The practical effect on European cloud strategy
AWS, Azure, and Google Cloud are not leaving the European market. The proposed restrictions apply specifically to the most sensitive public sector contracts, not to commercial cloud procurement or general government IT. European organisations in the private sector and sub-critical public administration will continue to have full access to all three hyperscalers.
What changes is the competitive landscape for large, sensitive public sector contracts. EU-headquartered providers – OVHcloud, Deutsche Telekom’s Open Telekom Cloud, STACKIT, Ionos, Hetzner, and national sovereign cloud initiatives – would gain a structural advantage in bidding for the contracts most affected by the new criteria.
For private sector European organisations, the signal is worth interpreting even if the rules do not apply directly. The EU’s direction of travel is unmistakable: regulators are building a framework that increasingly differentiates between cloud providers based on their exposure to non-EU legal jurisdiction. Organisations in financial services, healthcare, and energy that have been treating cloud sovereignty as a theoretical concern should now treat it as an active procurement variable.
What sovereignty-compliant alternatives actually look like
European sovereign cloud options have matured considerably. OVHcloud, Scaleway, and STACKIT offer managed Kubernetes, object storage, and managed databases with comparable functionality to hyperscaler equivalents. Several member states have also launched national cloud initiatives under the EU-funded GAIA-X framework.
The practical gaps compared to AWS, Azure, or Google Cloud are real but shrinking: model availability for AI workloads, the breadth of managed database options, and global CDN reach are areas where European alternatives still lag. Hybrid architectures – using European sovereign providers for regulated workloads and hyperscalers for non-regulated functions – represent the most pragmatic path for most organisations today.
What organisations should do before the vote
The June 3 vote is unlikely to produce immediately enforceable rules – EU regulatory packages typically require member state transposition and a transition period. But the direction is now clear enough to begin making architecture decisions.
Classify your workloads by sovereignty risk. Identify which systems process data that would be covered by DORA, NIS2, or national security requirements. Those workloads are the ones where regulatory exposure is highest under the current hyperscaler dependency.
Evaluate EU-origin alternatives. For regulated workloads, begin a formal comparison between your current hyperscaler configuration and the available European sovereign cloud options. Functionality gaps are smaller than they were two years ago, and closing the gap may be less disruptive than you assume.
Review contracts before they renew. Multi-year hyperscaler contracts signed today will extend into the period when these rules are likely to be enforceable. Build flexibility for workload migration into renewal negotiations rather than discovering the constraint when a contract is already locked.
If you want help mapping your infrastructure against EU sovereignty requirements, evaluating European cloud providers for regulated workloads, or designing a hybrid architecture that meets GDPR, DORA, and NIS2 constraints while maintaining the capabilities your team depends on, contact Excello Digital. We help European organisations navigate cloud strategy decisions with a clear view of the regulatory landscape they will operate in.
