EU's Tech Protectionism Exposes the Cost of Cloud Sovereignty
The EU's new cloud sovereignty framework will bar U.S. providers from sensitive contracts despite European alternatives lacking the scale to compete, risking market fragmentation and strengthening China's position.
Europe's bid for technology independence arrived with a built-in contradiction: The European Commission unveiled a cloud sovereignty framework June 3 that will lock out U.S. providers from sensitive government work, even as its own analysis confirms European companies cannot deliver the scale or capability required.
The Cloud and AI Development Act establishes a four-tier system designed to restrict American hyperscalers while European providers struggle to compete. The Commission's own assessment reveals the uncomfortable reality that the bloc depends on the very technology it now seeks to exclude.
This retreat from open markets will fragment the single market across 27 member states, harm European competitiveness, and ultimately strengthen China's position in advanced technology.
Three American companies control more than 70 percent of Europe's cloud infrastructure. The EU spends €264 billion annually on U.S. proprietary IT products and services, while European providers have seen their market share fall from 29 percent in 2017 to 15 percent in 2022, where it remains stagnant.
The legislation disguises origin-based market restrictions as technical safeguards.
The four-tier framework escalates in severity. Level 1 covers 70 percent of contracts, mandating EU data localization and self-assessment for vulnerability reporting. Level 2 applies to 20 percent of contracts, demanding complete EU-based operations and source code audits of third-country software components. Level 3 requires EU ownership with no third-country control for less than 10 percent of contracts.
Level 4, covering roughly 1 percent of defense applications, adds an absolute ban with no associated-country derogation and the highest European cybersecurity certification.
Executive Vice President Henna Virkkunen pointed to the U.S. CLOUD Act as making it "difficult to reach" stricter requirements, warning about "kill switch" risk. The 2025 ICC sanctions incident, which disrupted European officials' access to American payment systems and consumer platforms, became emblematic of what the Commission calls American "unpredictability."
Dutch MEP Bart Groothuis admitted to a "huge flip-flop" from his earlier opposition to moving away from American technology. "It was a clear indication that our great ally was going to colonize us," he said.
Behind the scenes, political pressures accelerated the framework's adoption. An anonymous Danish official revealed to Politico that their country had previously fought to keep the cloud market open but adapted its stance as global conditions shifted.
"We used to be one of the member states fighting the most to keep the cloud market open," the official said. "We still are, but the world has unfortunately changed, and we have adapted our position accordingly. The Greenland situation certainly sped things up."
The market reality defies the policy's ambitions. SAP and Deutsche Telekom, Europe's largest cloud providers, each hold only about 2 percent of the market.
John Dinsdale, chief analyst at Synergy Research Group, stated: "It will be incredibly difficult for European cloud providers to meaningfully reverse the market share trend. This is a game of scale."
Industry groups warn the framework will fracture Europe's single market along national lines. Daniel Friedlaender, CCIA Europe senior vice president, said the legislation is "a direct recipe for fragmented discrimination across Europe in 27 different ways."
"By pairing a strict mandate with unrealistic standards that the EU itself cannot meet, the Commission is effectively giving national capitals carte blanche to shut out trusted global vendors from every major technology-producing nation outside the Union," Friedlaender said.
Mitchell Rutledge, CCIA Europe policy manager, noted the contradiction between the EU's goals and its methods. "The EU's ambition to triple data centre capacity is the right one," he said. "But the way to achieve that goal is by attracting investment, not shutting it out."
Commission estimates show migration to sovereign services could cost up to €86 billion. An additional €120 billion in combined public and private investment is needed for the semiconductor sector by 2035, while €200 billion is required for cloud and AI data centre capacity by 2036.
The EU produces less than 10 percent of global semiconductors. U.S. AI investments reached $286 billion in 2024, compared to Europe's $21 billion and China's $12 billion.
Keegan McBride of the Tony Blair Institute for Global Change stated: "But a full retreat into a Europe-first tech approach will leave the continent weaker. Great powers don't just use technology at home — they must also have the global ambition to build, deploy, and export their technology to the world. Right now, Europe isn't doing this."
The framework's implementation faces fundamental contradictions. CISPE Secretary General Francisco Mingorance called the inclusion of S3NS, which uses Google Cloud infrastructure through a governance layer, in the Commission's €180 million sovereign cloud tender "clearly an own goal" that "threatens to institutionalize sovereignty washing at the highest levels."
The EU Cybersecurity Certification Scheme that CADA depends on has been stalled since December 2020. Only 2,257 edge nodes were deployed across the EU in 2024, against a Digital Decade target of 10,000 by 2030.
The Information Technology and Innovation Foundation assessed that "the only winner of European protectionism is China."
As Beijing wages a state-orchestrated campaign to dominate advanced industries with hundreds of billions in investment, every euro Europe spends building alternatives to American technology is a euro not invested in competing with China. Article 31 of CADA allows the Commission to extend sovereignty assessments to private-sector critical entities, meaning the protectionism could spread far beyond public procurement.
The EU is simultaneously proposing to join Pax Silica, a U.S.-led partnership on AI and semiconductors, in the same week as unveiling the sovereignty package. The contradiction underscores the policy's incoherence.