Brussels mulls tech sovereignty package

Cloud policy is the part of tech politics that usually sounds boring — until governments start deciding who may hold court records, hospital files, and tax data. That is where Brussels seems to be heading now. The European Commission is preparing a broader Tech Sovereignty Package for May 27, and one live piece of it could restrict how U.S. cloud companies like Microsoft, Amazon, and Google handle sensitive public-sector data inside the EU. The point is not to kick American firms out of Europe altogether. The point is to draw a harder line around the state’s most sensitive systems. ### What is the package actually about? Basically, this is Brussels trying to turn “digital sovereignty” from a slogan into operating rules. The package due later this month is expected to bundle several measures — including the Cloud and AI Development Act, a follow-on Chips Act, and an open-source strategy — all meant to reduce dependence on foreign technology in critical areas. The Commission’s own framing is blunt: tech sovereignty means being able to act independently by controlling key technologies, data, and infrastructure. (cnbc.com) ### What changed this week? What changed is that the cloud piece stopped being abstract. Officials familiar with the talks say the Commission is discussing rules that would limit the use of non-EU cloud platforms for sensitive government workloads. The sectors named are financial, judicial, and health data processed by governments and public bodies. That is much more specific than a generic “buy European” message — it points at the exact workloads Brussels thinks should sit on sovereign infrastructure. (euractiv.com) ### Is this a ban on AWS, Azure, and Google Cloud? Not exactly. The current discussion is narrower than that. Overseas cloud providers would not be shut out of all government contracts, but they could face restrictions when the data is sensitive enough. Private companies are also not the target here. The talks described so far apply to governments and public-sector organizations, not to ordinary businesses choosing a cloud vendor. (cnbc.com) ### What does “sovereign cloud” mean here? This is the load-bearing term. Brussels has already built a Cloud Sovereignty Framework that scores cloud services across legal, strategic, operational, and technological dimensions. In other words, the fight is not just over where a server sits. It is also about who controls the company, what laws can reach the data, how the supply chain works, and whether Europe can keep operating if geopolitics turns ugly. (cnbc.com) ### Why are U.S. providers the problem case? Because they dominate the market Europe wants to de-risk from. The Commission says the EU relies on non-EU countries for more than 80% of key digital products, services, infrastructure, and intellectual property. Officials have also started talking in openly political terms — warning that Europe could become a “technological colony” if it keeps building critical systems on tech it does not control. That is stronger language than last year’s usual competition-and-compliance talk. (interoperable-europe.ec.europa.eu) ### Is Brussels already putting money behind this? Yes — and that matters. The Commission recently launched a €180 million sovereign-cloud procurement for EU institutions and agencies. So this is not just a philosophical debate about autonomy. Brussels is already creating a scoring system, defining assurance levels, and using procurement to reward services that meet its sovereignty tests. The package would extend that logic from Commission purchasing into wider public-sector rules. (digital-strategy.ec.europa.eu) ### What is the catch? The catch is that Europe wants both openness and insulation. U.S. hyperscalers are deeply embedded, technically mature, and often cheaper at scale. So any tougher rule will force tradeoffs — speed versus control, convenience versus jurisdictional risk, and maybe lower short-term efficiency in exchange for more local capacity later. Even Commission officials have hinted the package has faced heavy lobbying and repeated delays before landing on the current May 27 target. (ec.europa.eu) ### So what should readers watch next? Watch the final legal definitions. If the package says certain public-sector workloads must run on “European cloud capacity,” that is a real market intervention. If it settles for softer procurement preferences, the effect will be slower and smaller. Either way, Brussels is moving cloud from a cost-and-features decision into a sovereignty decision — and that is the real shift. (cnbc.com) (euractiv.com)