EU considers restricting U.S. cloud

Cloud infrastructure is the boring layer that runs governments — records, case files, internal apps, procurement systems, all of it. That is why Brussels’ latest move matters. The European Commission is preparing a tech package for May 27 that could restrict when EU governments can use U.S. cloud providers for sensitive public-sector data. The point is not just privacy. It is leverage, dependence, and who ultimately sits under the law when something goes wrong. (cnbc.com) ### What is Brussels actually considering? The Commission is working on a broader “Tech Sovereignty Package,” and one piece under discussion would steer sensitive government workloads away from U.S. cloud platforms and toward services Brussels considers sovereign or trusted. The reporting so far points to limits tied to the sensitivity of the data, not a bla(cnbc.com)not appear to be the main target here — this is about public-sector data first. (cnbc.com) ### Why does the nationality of a cloud provider matter? Because in cloud, the legal wrapper matters almost as much as the server. Even if data sits in Europe, a provider headquartered in the U.S. can still face U.S. legal demands under the CLOUD Act. That is the core European fear — not that every request will happen, but that the possibility itself means t(cnbc.com)ignty” means reducing that outside reach. (cms.law) ### Didn’t Europe already start doing this? Yes — quietly. On April 17, the Commission announced a sovereign cloud tender worth up to €180 million over six years for EU institutions and agencies. It awarded contracts to four provider groups: Post Telecom with OVHcloud and CleverCloud, STACKIT, Scaleway, and a Proximus-led partnership that uses S3NS, Clarence, and Mistral. That was not rhetoric. It was Brussels moving budget. (commission.europa.eu) ### What is this SEAL thing? The Commission built its own Cloud Sovereignty Framework to score providers against eight criteria, including legal, operational, supply-chain, and compliance factors. It uses “Sovereignty Effectiveness Assurance Levels,” or SEAL, from 0 to 4. Providers needed(commission.europa.eu)elves. Most winners hit SEAL-3, which is about resilience against disruption from non-EU third parties. Basically, Brussels is turning sovereignty from a slogan into a procurement checklist. (commission.europa.eu) ### Why is this a big deal for U.S. hyperscalers? Because Europe’s public sector is not a side market. If the Commission turns “trusted cloud” into a formal rule for sensitive workloads, it could redirect a lot of government demand away from the three dominant U.S. players. And those comp(commission.europa.eu)t moving elsewhere. (cnbc.com) ### Is this really about security, or industrial policy? Both. The security case is the clean public argument. But the industrial-policy angle is obvious too. Brussels wants European cloud capacity to exist, scale, and stop being permanently dependent on foreign platforms. One Commission official framed the wider package in terms of avoiding Europe becoming a “technological colony.” That is blunt language, but it captures the mood. (politico.eu) ### What happens next? The key date is May 27, 2026, when the Commission is expected to present the package after earlier delays. The text could still change, and any eventual rules would face the usual EU legislative grind. But the direction is already clear. Europe is no longer just regulating Big Tech from the outside — it is starting to rewire its own purchasing from the inside. (cnbc.com) ### Bottom line This is a cloud story, but really it is a power story. Brussels is saying that for the most sensitive state data, technical capability is no longer enough. Jurisdiction now counts too. (commission.europa.eu)