On 3 June, the European Commission adopted its Tech Sovereignty Package, and at its centre sits the proposed Cloud and AI Development Act, CADA. The Act would introduce an EU Cloud Sovereignty Framework built around four Union Assurance Levels, and its top tiers are designed, deliberately, to be difficult or impossible for Amazon Web Services, Microsoft Azure, and Google Cloud to meet. For any organisation running regulated workloads in Europe, this is the clearest signal yet that cloud vendor selection is becoming a compliance decision, not just a technical one.
Four tiers, and a ceiling for US hyperscalers
Level 1, the baseline, requires EU establishment, data localisation within the EU, and transparency around subcontracting and data flows. Nearly every cloud provider wanting any public sector business at all will need to clear this bar. Intermediate levels add independent verification, enhanced cybersecurity controls, and supply chain transparency requirements such as software bills of materials. The higher tiers are where the framework bites: they impose strict criteria on ownership, operational control, and exposure to third-country legal regimes, a direct reference to the reach of US law, including the CLOUD Act, over American providers regardless of where their EU data centres physically sit.
Member states and EU institutions will each be required to run sovereignty risk assessments, using a template the Commission will provide, to decide which assurance level applies to a given contract. Defence and national security use cases sit at the top by default. Banking, energy, healthcare, and other sectors the Commission considers essential to public order may also be pushed into the higher tiers following a national risk assessment, though the framework leaves real room for member states to apply it differently from one another.
The market gap this is meant to close
European cloud providers currently hold roughly 15 percent of the EU cloud market, against a combined 70 percent held by AWS, Azure, and Google Cloud. CADA’s other headline goal, alongside the sovereignty framework, is to triple EU data centre capacity over the next five to seven years, so that there is capacity available to fill that gap. That is a direct opening for European and EU-based providers, including Hetzner and other regional players, that already meet data localisation and ownership criteria most hyperscaler regions cannot.
American industry groups have already characterised the upper assurance tiers as closed-market thresholds dressed up as risk management. The Commission’s position is that governments have always treated defence, intelligence, and critical infrastructure differently from ordinary commercial procurement, and that applying the same logic to cloud dependency is not protectionism but a matter of catching policy up with where workloads actually run.
Timeline: slower than the headlines, but the direction will not reverse
The Commission is aiming for trilogue negotiations between the Council and Parliament to conclude by the fourth quarter of 2026, with rules taking effect roughly 18 months later. Complex EU digital legislation has historically taken 12 to 36 months to negotiate, and the cloud sovereignty framework is expected to be one of the most contested pieces of this package, so a finalisation date in 2027 or later would not be a surprise. What is unlikely to change between now and then is the underlying policy direction. Sovereign cloud spending in Europe is already growing 83 percent year on year, and procurement teams in regulated sectors are not waiting for the ink to dry before starting architecture reviews.
What this means for European organisations right now
Waiting for CADA to be finalised before acting is the wrong instinct. Contracts signed today in banking, energy, healthcare, and public-adjacent sectors will still be running when the higher assurance tiers take effect, and re-platforming a production workload off a hyperscaler under contract-renewal time pressure is a far worse position than starting the assessment now, on your own timeline.
- Map your current cloud estate against the four proposed assurance levels to understand which workloads would need to move, and which already qualify
- Identify which workloads genuinely require the highest sovereignty tiers, rather than assuming every regulated system does, since over-classifying adds unnecessary cost and complexity
- Evaluate EU-based and multi-cloud architectures for workloads likely to fall into the higher tiers, including where European providers can meet requirements a hyperscaler region cannot
- Build contract flexibility into any cloud agreement signed this year, so a future sovereignty risk assessment does not force an emergency migration
- Track the CADA trilogue process directly rather than relying on vendor messaging, since both hyperscalers and European challengers have strong incentives to frame the outcome favourably
If your organisation needs help mapping its cloud estate against the EU’s coming sovereignty framework, assessing which workloads should move to European infrastructure, or designing a multi-cloud architecture that stays compliant regardless of how the CADA trilogue lands, contact Excello Digital. We help European organisations make cloud decisions that hold up under regulatory change, not just under today’s pricing.
