EU cloud rules to curb Amazon, Google access to 70% of market

The European Commission will propose strict procurement criteria Wednesday that could exclude Amazon, Microsoft and Google from sensitive government cloud contracts across all 27 member states.

The European Commission will propose strict procurement criteria Wednesday that could exclude Amazon, Microsoft and Google from sensitive government cloud contracts across all 27 member states, according to a draft document seen by Reuters.

"Technological sovereignty means that Europe has the capacity to freely design, understand, choose from different home-grown sources, build, operate and effectively regulate the digital systems on which its society and economy rely," a group of 13 European cloud providers and lawmakers said in an open letter seen by Reuters.

The proposal, part of the Commission's Cloud and AI Development Act, introduces mandatory non-price award criteria including requirements for software and hardware developed within the EU. The restrictions target public-sector workloads handling financial, judicial and healthcare data — the most sensitive categories of government information. Private-sector companies are explicitly excluded from the rules.

The push, driven by fears of US surveillance under the 2018 CLOUD Act, threatens the roughly 70% of Europe's cloud market controlled by AWS, Microsoft Azure and Google Cloud. The legislation requires backing from EU member states and the European Parliament in the coming months, with internal divisions already emerging between the Nordics and Ireland — where US cloud companies have significant operations — and countries pushing for stricter sovereignty requirements.

The CLOUD Act, passed by the US Congress in March 2018, resolved a long-running legal dispute by establishing that American-incorporated companies must comply with US government data requests regardless of where their servers are located. No contractual data-residency clause can override that statutory obligation, according to legal experts. The EU's Schrems II ruling in 2020 by the Court of Justice of the European Union established that contracts cannot override foreign government access laws, creating the legal foundation for the sovereignty push.

The timing of the Commission's announcement amplifies the argument. Ten days before the package was presented, a contractor for the US Cybersecurity and Infrastructure Security Agency left administrative credentials for three AWS GovCloud accounts on a public GitHub repository for six months. The repository contained 844 megabytes of data including plaintext passwords for dozens of internal CISA systems. CISA said it found no evidence of data compromise, but the incident illustrated the procedural risks inherent in reliance on US-controlled infrastructure.

Dutch Precedent Sets Investment-Screening Standard

One day before the Commission's package, the Dutch government issued its first-ever acquisition prohibition under the national Investment Screening Bureau. State Secretary Willemijn Aerdts blocked IBM spinoff Kyndryl from acquiring Solvinity, the Dutch cloud company that hosts DigiD — the national digital identity system used by millions of Dutch citizens to access government services, healthcare records and tax filings. The BTI concluded that bringing Solvinity under Kyndryl's ownership would subject the identity data to potential compelled disclosure under the CLOUD Act.

The Commission's proposal now faces a legislative path through all 27 member states. Worldwide sovereign cloud spending is forecast to reach $80 billion in 2026, with European spending growing 83% year-over-year from a base of $6.9 billion in 2025, according to Gartner. Local European cloud providers hold roughly 15% of the market, leaving a significant capacity gap that the Commission's compromise — allowing non-European technologies within strict governance frameworks — is designed to bridge.

The Commission awarded a €180 million sovereign cloud tender in April to four European provider groups, including a consortium led by Belgian telecom Proximus using infrastructure from S3NS, a joint venture where French defense company Thales holds a controlling stake and Google Cloud provides the underlying technology. The inclusion drew criticism from European cloud trade association CISPE, whose secretary general Francisco Mingorance called recognizing S3NS as sovereign "clearly an own goal" that "threatens to institutionalize sovereignty washing at the highest levels."

This article is for informational purposes only and does not constitute investment advice.