On 3 June 2026, the European Commission published its Tech Sovereignty Package: a set of legislative proposals and strategic documents designed to reduce European dependence on non-EU digital infrastructure. The package contains four components. Two are legislative – the Cloud and AI Development Act (CADA) and Chips Act 2.0 – and two are strategic: an EU Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.
The Commission’s framing is direct. The EU currently relies on non-European sources for more than 80% of key digital products, services, infrastructure, and intellectual property. Three US-based hyperscalers collectively hold more than 70% of the European cloud market. Europe produces less than 10% of global semiconductors. The package addresses each of these dependencies explicitly.
The Cloud and AI Development Act
CADA is the component most immediately relevant to organisations running cloud workloads in Europe.
The act introduces a four-tier EU Cloud Sovereignty Framework that assigns cloud services to assurance levels based on criteria including where infrastructure is physically located, the legal jurisdiction governing the service provider, the degree to which the supply chain is European-controlled, and the cybersecurity standards applied. The four levels are expected to range from basic commercial services through to fully EU-controlled infrastructure meeting the requirements of the most sensitive public sector and critical infrastructure workloads.
The practical consequence is that public sector procurement rules across EU member states will increasingly require cloud services to meet a specified assurance level. For organisations supplying services to governments, hospitals, energy operators, or financial regulators, the tier of cloud service they run on will become a contractual and regulatory variable, not just an architectural one.
CADA also includes a commitment to triple EU data centre capacity over the next five to seven years, targeting sufficient infrastructure to be in place by 2035. Streamlining permitting for data centre construction is part of the proposal, addressing a bottleneck that has slowed European hyperscaler alternatives from scaling as fast as demand.
Chips Act 2.0
The original Chips Act aimed to restore Europe’s share of global semiconductor production to 20% by 2030. Chips Act 2.0 refocuses on the specific technologies that matter for AI workloads: advanced nodes at 3 nanometres and below.
The proposal includes support for an EU-based open foundry capable of manufacturing AI chips at leading-edge node sizes, with pilot production targeted between 2030 and 2033. It also strengthens crisis preparedness mechanisms for semiconductor supply disruptions, a direct response to the chip shortages that affected automotive, medical, and technology manufacturing between 2020 and 2023.
The Open Source Strategic Turn
The Open Source Strategy frames open-source software not primarily as a development methodology but as an industrial policy instrument. The Commission argues that increasing European adoption of and contribution to open-source infrastructure reduces licence dependency on foreign technology vendors, lowers costs, and accelerates the development of European AI and cloud capabilities.
This is a meaningful shift in how EU institutions have talked about open source. Previous strategies have promoted open source in the public sector primarily on procurement efficiency grounds. The new framing positions it as a sovereignty tool – a way to reduce the leverage that US platform vendors can exercise through proprietary licensing terms.
What This Means for European Organisations
For organisations making cloud architecture decisions today, the Tech Sovereignty Package sets a direction even before legislation is enacted. Several trends are already under way.
The movement of sensitive workloads from US hyperscalers to European providers is accelerating. France moved its national Health Data Hub from Microsoft Azure to Scaleway earlier in 2026. The Commission’s own procurement shifted €180 million of cloud spend to STACKIT, Scaleway, Post Telecom, and Proximus. Both decisions preceded the CADA proposal and will not be reversed by it.
The four-tier sovereignty framework, once legislated and implemented, will create categories of workload for which using a US-headquartered cloud provider is simply not an option, regardless of where that provider’s data centres are physically located. Organisations that use AWS, Azure, or Google Cloud for workloads that will fall into the upper tiers of the framework should begin assessing their architecture options now, before a compliance deadline forces a migration under time pressure.
At the same time, the proposal does not amount to a blanket preference for European providers. The Commission has been careful to frame the package as strengthening European capability rather than excluding non-European services. Lower-tier workloads, those with no public sector or critical infrastructure nexus, will continue to run on hyperscaler infrastructure for many organisations, and the commercial advantages of those platforms in AI tooling, managed services, and global reach are real.
The question for most European organisations is not whether to engage with this shift, but when and how selectively to apply it. The organisations that build that analysis into their cloud strategy now will be better positioned than those who approach it reactively when procurement rules change.
If you need help assessing how the Cloud and AI Development Act’s sovereignty tiers apply to your current workloads, evaluating European cloud alternatives for specific use cases, or designing a migration approach that keeps critical data under EU legal jurisdiction without sacrificing the managed services your teams depend on, contact Excello Digital. We help European organisations make cloud decisions that hold up as the regulatory landscape changes.