EU’s Cloud Sovereignty Push Leaves Room for US Hyperscalers

The EU’s latest tech‑sovereignty package centers on the Cloud and AI Development Act (CADA), a legislative framework that seeks to triple data‑center capacity across member states within the next five to seven years. By defining four assurance levels for public‑sector cloud contracts, the Commission aims to standardise what constitutes a "sovereign" service. Level 1 focuses on data residency, while Level 4 imposes strict controls over software supply chains and bans third‑country access, a move that could redirect roughly €264 billion (about $288 billion) of public‑sector IT spend toward compliant providers.

For the three U.S. hyperscalers—AWS, Google Cloud and Microsoft Azure—that currently command roughly 70% of the European cloud market, CADA represents both a regulatory hurdle and a strategic inflection point. Analysts stress that full‑scale migrations to European‑run clouds are expensive and can span several years, meaning the market will evolve incrementally through "sovereign enclaves" for high‑sensitivity workloads. Nonetheless, the new rules turn sovereignty into a competitive differentiator; providers that can demonstrably meet Level 3 or Level 4 criteria may capture a larger slice of public‑sector contracts, while those relying on centralized, non‑EU control could see reduced opportunities.

Enterprises and public bodies stand to gain clearer procurement guidelines, reducing the risk of "sovereignty washing" where vendors claim compliance without substantive controls. The emphasis on open‑source solutions and joint ventures with European cloud firms encourages a more diversified supply chain, potentially spurring investment in regional data‑center infrastructure. While U.S. providers are not barred outright, their future success in Europe will hinge on aligning product roadmaps with EU data‑jurisdiction requirements, reshaping the competitive landscape for cloud services over the coming decade.