EU Weighs Restricting 3 US Cloud Giants on Data Sovereignty Fears

The European Union is preparing to unveil a "Technology Sovereignty Package" on May 27 that could restrict its governments from using U.S. cloud providers for sensitive public-sector data, according to Commission officials. The proposal targets the processing of financial, judicial, and health data, aiming to bolster the bloc's strategic autonomy from American technology giants.

"The package is about Europe waking up and getting its act together," a Commission spokesperson told CNBC. It would "improve opportunities for sovereign cloud offerings, including through public procurement, and support the entry into the market of a more diverse set of cloud and AI service providers."

The move comes as transatlantic tensions highlight Europe's dependency on U.S. hyperscalers. Under the 2018 CLOUD Act, U.S. law enforcement can compel American tech companies to provide user data, regardless of where it is stored globally. This has fueled concerns in the EU about data sovereignty and potential foreign surveillance, particularly for critical government information.

At stake is a significant share of the European public-sector cloud market, where Amazon Web Services, Microsoft Azure, and Google Cloud are dominant. The proposed rules would not be an outright ban but would limit the use of non-EU cloud platforms based on data sensitivity, potentially shifting lucrative government contracts toward homegrown European providers.

Sovereignty Package Aims to Boost Homegrown Cloud

The core of the proposal, which must be approved by all 27 member states, is to define specific sectors that must host their data on European cloud infrastructure. The "Tech Sovereignty Package" includes two key legislative pillars: the Cloud and AI Development Act (CADA) and the Chips Act 2.0. Both are designed to encourage the development and procurement of sovereign European technology solutions.

This legislative push reflects a growing political will to reduce digital dependency. Several European governments have already begun exploring alternatives to U.S. technology. France, for example, announced in January it would roll out a government-developed video conferencing tool, Visio, as an alternative to Microsoft Teams and Zoom by 2027. In a sign of the shifting procurement landscape, the EU recently awarded a 180 million euro tender to four European sovereign cloud projects.

US CLOUD Act Underpins European Concerns

The primary driver for the EU's action is the legal reach of the United States government. The U.S. CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) create a potential conflict for U.S.-based cloud providers operating in Europe. These laws can compel them to provide "technical assistance" to U.S. authorities to access data, even if it belongs to foreign citizens and is stored on foreign soil.

This creates what experts call a "sovereignty paradox." Hyperscale clouds from companies like Amazon, Microsoft, and Google achieve economies of scale through their global, interconnected nature. However, as U.S. entities, they are subject to U.S. court orders that can override local data protection promises. According to a Computer Weekly investigation, even with measures like customer-held keys and encryption, data can be vulnerable during processing or through court-ordered software updates.

The dependency is stark. In the UK public sector alone, 95% of central and local government bodies spent money on U.S. hyperscale cloud services in the 2023-2024 financial year, highlighting the deep integration that the EU's new rules seek to address.

This article is for informational purposes only and does not constitute investment advice.