EU rethinks dependence on US tech

European officials are turning a long-running debate about digital sovereignty into a procurement question after the controversy over International Criminal Court prosecutor Karim Khan’s Microsoft email account. Microsoft said in June 2025 that it had not stopped or suspended services to the ICC, but the episode intensified concern in Brussels and other European capitals about how much leverage U.S. technology companies hold over critical institutions. The European Commission has already moved part of that debate into public purchasing, awarding a sovereign cloud tender in April. Officials are now discussing wider limits on the use of non-EU cloud providers for sensitive government data. ### How did Karim Khan’s email become part of Europe’s tech debate? Karim Khan’s email access became a political issue after reporting in May 2025 said his Microsoft-linked account had been disconnected following U.S. sanctions targeting him personally over the ICC’s work on Israel. Politico reported on June 4, 2025 that Microsoft President Brad Smith said the company “did not in any way involve the cessation of services to the ICC,” while a spokesperson said Microsoft had stayed in contact with the court throughout the process that disconnected the sanctioned official from Microsoft services. Donald Trump’s February 2025 executive order, as described by Politico, targeted Khan directly after the court’s move against Israeli Prime Minister Benjamin Netanyahu. Even with Microsoft disputing that it had cut off the court itself, the case fed European concern that U.S. sanctions or political pressure could affect access to digital infrastructure used by international bodies and public institutions. (politico.eu) ### What has the European Commission already done? The European Commission said on April 17, 2026 that it had awarded a sovereign cloud tender worth up to 180 million euros over six years for EU institutions, bodies, offices and agencies. The Commission said the tender was launched in October 2025 to strengthen the “digital sovereignty posture” of Union entities and to encourage providers that comply with EU laws and values. (politico.eu) Four groups won contracts: a Post Telecom-led partnership with OVHcloud and CleverCloud, Germany’s STACKIT, France’s Scaleway, and a Proximus-led partnership using services from S3NS, Clarence and Mistral. The Commission said it designed a Cloud Sovereignty Framework to translate digital sovereignty into “objective, measurable procurement criteria.” (commission.europa.eu) ### What does “sovereignty” mean in this procurement model? The Commission said its framework measures providers across eight objectives, including legal, operational, security and supply-chain factors, and grades them through “Sovereignty Effectiveness Assurance Levels,” or SEAL. To qualify, providers had to reach at least SEAL-2, which the Commission described as a data-sovereignty level under which providers abide by EU law without extra technical protection from customers. (commission.europa.eu) Most of the awarded providers reached SEAL-3, which the Commission said means their service, technology or operations are immune from supply-chain disruption from non-EU third parties. The Commission said those providers mostly use European technologies and “cannot be blocked by a non-EU third party.” ### Are broader restrictions on U.S. cloud providers now under discussion? (commission.europa.eu) CNBC reported on May 7, 2026 that the European Commission was considering rules that would restrict governments’ use of U.S. cloud platforms for sensitive data. The report said officials were discussing proposals under a planned “Tech Sovereignty Package” expected on May 27. The discussions described by CNBC would not bar overseas providers from public contracts entirely, but could limit their use in handling sensitive workloads. (commission.europa.eu) The sectors under discussion included financial, judicial and health data processed by governments and public-sector organizations, according to the report. ### Why does procurement matter more than rhetoric here? April 17, 2026 is the date the Commission moved from broad digital-sovereignty language to a live purchasing framework with named suppliers, contract values and eligibility thresholds. (cnbc.com) That matters because the Commission’s own description says sovereignty criteria are now built into how EU institutions buy cloud services, not just how they talk about them. May 27 is the next date to watch. CNBC reported that the Commission is expected to present its Tech Sovereignty Package then, and officials told the outlet that cloud restrictions for sensitive government data were still under discussion as of early May. (cnbc.com) (commission.europa.eu)