The EU Cloud and AI Development Act

Inside the European Union’s latest bid to achieve technological sovereignty.

On June 3, the European Commission published its long-gestating European Technological Sovereignty Package, a sprawling and ambitious compendium of measures intended to strengthen Europe’s capacity in semiconductors, artificial intelligence (AI), cloud services, and open-source software. “We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable, and our services secure,” a press statement from Commission President Ursula von der Leyen asserted. A senior commission official who worked on the package jubilantly declared that its launch represented “Tech Liberation Day!”

The proposed Cloud and AI Development Act (CADA) is the centerpiece of the package. It also is the most important piece of legislation from the perspective of transatlantic relations, since it is squarely aimed at U.S. cloud service companies’ oligopolistic position in the European market. Indeed, as a leading European tech policy observer commented, “CADA represents a significant change in tone for the Commission, which has maintained its ‘open market’ credentials long after the U.S. and China abandoned them.”

The commission’s Explanatory Memorandum accompanying the legislation delicately acknowledges that “the current landscape of cloud and AI is characterized by a pronounced dependence on a limited pool of third-country providers.” The market share of EU providers has diminished steadily in the past decade to about 15 percent.  Even worse, as outlined by the commission in the memorandum, is that three U.S. cloud service providers—Microsoft, Amazon Web Services, and Google—currently control more than 70 percent of the European cloud market.

According to the memorandum, the commission sees two potential legal risks from this situation. First, these providers are subject to the U.S. CLOUD Act, which enables unilateral U.S. government access to European data for law enforcement purposes. And second, unilateral U.S. sanctions measures could result in the disruption of services to European users (the so-called kill switch).

Europe’s Path Toward Tech Sovereignty

Europe’s turn to tech sovereignty has been building for some time. More than five years ago, France began urging industrial policy solutions to address the lack of European champions in cloud services. France’s ambitions, however, were stymied at the EU level by northern European countries committed to the free market, such as Germany, the Netherlands, and Denmark. Former European Central Bank President Mario Draghi’s 2024 report detailing Europe’s failure to develop an innovative tech sector jump-started a wide-ranging debate over competitiveness. By 2026, most of the former tech sovereignty skeptic countries of northern Europe had joined France in seeking ways to bolster Europe’s home-grown tech sector.

The EU’s objection to the CLOUD Act dates back to the enactment of the U.S. law in 2018. In fact, negotiations between Washington and Brussels have been ongoing fitfully since 2019 to create a consensual means for law enforcement authorities to directly obtain access to foreign-located information needed for criminal investigations and prosecutions. These conversations, however, have stalled under the second Trump administration. Meanwhile, unilateral U.S. authority to demand European data pursuant to the CLOUD Act continues to loom large in Europe’s consciousness. For instance, the Dutch government just blocked an intended U.S. corporate acquisition of the Dutch company operating the country’s national ID system, citing the CLOUD Act in its investment screening decision.

Europe’s concern about the U.S. “kill switch” is of more recent vintage.  In February 2025, the Trump administration imposed sanctions against European senior officials of the International Criminal Court (ICC), which had issued an arrest warrant for Israeli Prime Minister Benjamin Netanyahu over alleged war crimes in Gaza. The U.S. measures caused practical difficulties for the Hague-based ICC officials, cutting them off from payments systems such as Visa and Mastercard and from consumer online marketplaces including Amazon, Airbnb, and Booking.com.

The ICC sanctions quickly became emblematic for many in Europe not only of the Trump administration’s attack on the multilateral legal order but also, as one commentator put it, of “the unpredictability, the threats, the willingness to weaponize” Europe’s dependence on U.S. companies. If Trump’s ambition to acquire Greenland has accelerated the strategic estrangement between the United States and Europe, then the administration’s ICC sanctions have played a similar, deeply divisive role in bringing Europe to conclude that it can no longer rely with confidence on U.S. cloud services companies.

CADA’s Promotion of European Cloud Services

Article 16 of CADA would establish a single, EU-wide framework for determining the degree of sovereignty demanded for cloud service procurements by member state and EU authorities, primarily those with responsibilities for public order, national security, internal security, external border management, defense, and justice or law enforcement. Much discretion is left to member states to determine which procurement contracts require which level of sovereignty assurance, but with intricate European Commission oversight and powers of intervention.

The scheme has four assurance levels that providers must meet in order to qualify for contracts in these areas. In general, the more sensitive the public data involved, the higher the level of assurance required. The requirements are detailed in an annex to the proposed legislation.  In ascending order of severity:

  • Level 1 – An EU entity, including EU-based subsidiaries of U.S. companies, must host the data on servers located within EU territory; in addition, a provider subject to the control of a third country must guarantee that there are no laws or practices in that country requiring it to report information on software vulnerabilities to third country authorities prior to those vulnerabilities being exploited.
  • Level 2 – In addition to the Level 1 requirements, a provider must demonstrate that third countries cannot access the hosted data or flip a “kill switch” to turn off service.
  • Level 3 – In addition to the Level 2 requirements, a provider may not be subject to the control of a third country or a legal entity there. 
  • Level 4 – In addition to the Level 3 requirements, a hosting provider must demonstrate that its components and products are not subject to third-country control and must meet the highest level of European cybersecurity certification.

The legislation also contains two important derogation authorities. One, which is general in nature, permits contracting authorities exceptionally to turn to companies not meeting the requisite level of assurance where “no adequate or reasonable alternative or comparable cloud computing service exists” (Article 30).  If current procurement practice in EU member states is any guide, this exception could leave the door open to the major U.S. cloud service providers. For example, even France’s data protection authority and its courts concluded in 2023 that only Microsoft had the technical and operational capabilities to operate the country’s Health Data Hub, which is a repository for French residents’ health data.  (France, however, recently has decided to shift in the future to a French provider for the Health Data Hub.)

Article 18 provides a second derogation from the Level 3 requirements, available to cloud providers from “associated third countries” that meet three conditions: The country has received an EU adequacy decision under the General Data Protection Regulation; it does not require providers to grant governmental access to non-personal data protected under Article 32 of the EU Data Act; and it does not compel providers to degrade or disrupt service continuity, including through sanctions measures. The United States has received an adequacy decision for commercial personal data transfers from EU territory under the EU-U.S. Data Privacy Framework. However, the anti-kill switch requirement could still block U.S. companies from qualifying for this derogation power—even with adequacy status in hand.

Further, the European Commission has taken pains to signal publicly that the CADA requirements may not be as onerous as they first appear. The large majority of European public data contracts—about 70 percent—fall under Level 1, it says. Since EU-based subsidiaries of U.S. companies already offer services that localize European data in Europe, they would appear to meet most of the Level 1 requirements. The commission estimates that 20 percent of contracts likely would fall under Level 2, less than 10 percent under Level 3, and roughly 1 percent of contracts, mainly in defense-related areas, would require Level 4 sovereignty.

Nonetheless, if Level 3 and 4 requirements effectively exclude foreign providers, the commission will have created a preserve for European providers who eventually could approach the scale needed to compete with the U.S. Big Three.  One of the aspirant European cloud services companies, France’s OVHcloud, has estimated that it needs 15 percent of the continent’s public-sector procurement walled off from foreign competition in order to reach the necessary competitive scale.

Potential U.S. Government Reactions

Beyond the commission’s public efforts to downplay the exclusionary effect of the sovereignty assurance scheme, it seemingly has designed the system of sovereignty assurances to head off potential U.S. government objections. The EU’s tiered approach to assurance levels bears a resemblance to FedRAMP, the U.S. government’s own standardized framework for assessing the security of cloud services and authorizing which companies may bid to supply the federal government in sensitive sectors. (One important difference, however, is that foreign companies can qualify for FedRAMP’s highest level of security.)

The general derogation power offers U.S. providers some prospect that the superiority of their cloud service offerings will keep portions of the European public procurement market open to them that might otherwise be closed. Similarly, the provision on associated third countries appears designed to acknowledge the commission’s adequacy finding for data transfers to the United States, even as it simultaneously creates uncertainty over its potential applicability given other conditions.

Further, it is noteworthy that the second Trump administration has not yet resorted to trade retaliation on behalf of U.S. tech companies, though U.S. Ambassador to the European Union Andrew Puzder has repeatedly criticized the Digital Markets Act (DMA) and Digital Services Act (DSA) as unfairly targeting them. The Office of the U.S. Trade Representative (USTR), in its annual National Trade Estimate Report, tracks enforcement actions brought against U.S. companies under both laws—including a €200 million fine levied against Meta and €500 million against Apple under the DMA, and a €120 million fine against X under the DSA. Ongoing DMA investigations of U.S. companies may yield fines later this year. USTR has yet to act against either law.

These elements tentatively suggest that CADA may not become another chapter in the tumultuous saga of U.S.-EU trade relations in the Trump era. But industry associations representing technology companies from the United States, Canada, Japan, and Australia have already written to EU member state governments urging the revision of CADA “in a manner that remains consistent with the principles of non-discrimination, proportionality, and openness to key trade partners.” Affected U.S. cloud providers already have privately expressed concerns about CADA to the U.S. Commerce Department, which has quietly begun engaging with European counterparts.

Obstacles for U.S. Cloud Service Companies

The assurance level system will require foreign cloud service providers seeking the most sensitive European government procurement contracts to clear a daunting bar proving their independence from foreign law. In several parts of CADA, the European Commission appears to have consciously sought to counteract foreign law in ways that inevitably will create difficulties for U.S. cloud companies.

Even Level 1 requirements, for example, may conflict with U.S. laws requiring that unexploited software vulnerabilities be reported to the U.S. government, such as the law governing cyber incidents. Other countries, including China, maintain similar reporting requirements. 

The requirements for Level 2 or higher assurances intentionally put U.S. providers in a difficult position with respect to two separate U.S. laws: the CLOUD Act and U.S. sanctions law as applied to mandate service interruptions. A cloud company that receives a unilateral CLOUD Act request to make data available to U.S. law enforcement is in principle bound to comply, even if the data is located outside the United States. The ICC episode likewise illustrated that companies can be compelled by U.S. law to cut off services in Europe to sanctioned officials.

Commission Executive Vice President for Technological Sovereignty Henna Virkkunen highlighted the commission’s ambition to short-circuit any future episode triggered by foreign sanctions law, telling the press that “[w]e want to make sure that nobody has a so-called kill switch possibility there.” And while the commission’s objection to the unilateral extraterritorial reach of the CLOUD Act is not new, CADA raises the stakes by inserting the issue directly into procurement decisions.

Ironically, some European governments enjoy powers similar to those they find objectionable in foreign hands.  A number of member states—including Belgium, Denmark, France, Ireland, and Spain—can compel production of foreign-located evidence. Canadian prosecutors have ordered French cloud service provider OVH to supply data in a Canadian criminal case, and OVH has publicly acknowledged that it complies with the CLOUD Act and analogous foreign laws. EU sanctions have themselves, on at least one occasion, led a U.S. cloud service provider to suspend service to a sanctioned entity outside EU territory. It cannot be ruled out that even European companies doing business in the United States could run afoul of CADA’s requirements.

*     *     *

The EU’s proposed sovereignty assurance scheme aims to achieve several goals at once. It seeks to harmonize security-related requirements for the cloud service providers hosting sensitive public-sector data across Europe, while leaving open the possibility of extending the assurance level system to private-sector contracts in critical areas. CADA also would advance the interests of European companies by reserving a significant portion of this market to them. And it would assert the primacy of EU law over foreign laws that reach into its territory in ways that create incompatibilities for providers seeking to satisfy all the legal regimes to which they are subject.

This is not the first time the EU has sought to push back against the long reach of U.S. law. It maintains a blocking statute that can be utilized to counteract the effects of a third country’s sanctions regime—a law activated in 2018 against U.S. Iran sanctions. The EU Data Act similarly bars the transfer of non-personal data in response to a unilateral third-country law enforcement request. Neither measure has proved notably effective in practice.

There is thus reason to wonder whether the conflicts of law CADA contemplates will prove as troublesome as they first appear. But the likelihood that they will be incorporated into EU law is itself a testament to the current low ebb in transatlantic relations.

– Kenneth Propp is senior fellow at the Europe Center of the Atlantic Council, senior fellow at the Cross-Border Data Forum, and adjunct professor of European Union Law at Georgetown Law. He also advises companies on transatlantic digital policy. From 2011-2015 he served as Legal Counselor at the U.S. Mission to the European Union in Brussels, Belgium. Published courtesy of Lawfare
