EU Sovereign Cloud Rules Set to Bar AWS, Google, Microsoft from Strategic Government Contracts
Draft legislation would mandate European-developed infrastructure for defense, energy, and healthcare tenders—escalating digital sovereignty from voluntary frameworks to binding procurement restrictions.
The European Commission will announce binding cloud sovereignty rules on June 3 that would restrict Amazon Web Services, Microsoft Azure, and Google Cloud from bidding on government contracts in defense, energy, healthcare, and critical infrastructure—the first legally enforceable challenge to US hyperscaler dominance in the €56 billion European sovereign cloud market.
The Cloud and AI Development Act (CADA), to be unveiled by EU tech chief Henna Virkkunen, introduces mandatory non-price procurement criteria requiring software and hardware developed within the EU for strategic sectors, according to Reuters. The draft represents a watershed shift from soft governance models like Gaia-X—which allowed US provider participation—to hard law under Article 114 of the Treaty on the Functioning of the European Union, making compliance obligatory across all 27 member states.
€69.4B
28%
From Voluntary Framework to Legal Mandate
The Commission has already demonstrated the viability of European alternatives. In April 2026, it awarded a €180 million sovereign cloud contract to four European providers—OVHcloud, STACKIT, Scaleway, and Proximus—over six years. Three of the four vendors achieved SEAL-3 (Digital Resilience) certification, the highest sovereignty level under the EU’s Cloud Sovereignty Framework, which evaluates operational autonomy, data protection, and immunity from extraterritorial jurisdiction.
That procurement served as proof of concept. CADA now seeks to institutionalize those standards across government IT spending in sensitive sectors. The legislation targets areas where exposure to US law—particularly the CLOUD Act, which grants US authorities access to data held by American companies regardless of storage location—poses security risks European policymakers increasingly view as unacceptable.
“A company subject to the extraterritorial laws of the United States cannot be considered sovereign for Europe. That simply doesn’t work.”
— Cristina Caffarra, Competition Expert and Eurostack Advocate
The Commission described the rules as “crucial for strengthening Europe’s own technological capacities, for Europe’s competitiveness and security,” per Reuters. The timing is deliberate: Europe faces a €1 trillion digital infrastructure investment gap relative to the United States, and policymakers view procurement policy as a lever to close that divide while reducing strategic dependency.
Market Redistribution and Industrial Policy
The hyperscalers’ combined 63% share of the global cloud market—AWS at 28%, Azure at 21%, Google Cloud at 14% as of Q1 2026, according to Statista—makes them the primary targets. In Europe specifically, American providers control roughly 90% of cloud infrastructure, a concentration that has shifted political will from concern to action.
European sovereign cloud spending is projected to reach €69.38 billion in 2026, up from €56.27 billion in 2025—a 23.3% increase driven by geopolitical tensions, regulatory pressure, and recent service disruptions that exposed single-vendor risk. France alone has allocated €1.8 billion to cloud sovereignty under its France Relance recovery plan, with €600 million earmarked for OVHcloud, Thales, and Orange.
| Level | Requirements | Providers |
|---|---|---|
| SEAL-1 | Basic data residency and GDPR compliance | Most EU cloud vendors |
| SEAL-2 | Operational autonomy, EU-based support | OVHcloud, STACKIT, Scaleway, Proximus |
| SEAL-3 | Digital resilience, immunity from extraterritorial law | OVHcloud, STACKIT, Scaleway (3 of 4 April 2026 winners) |
The legislation marks a departure from Gaia-X, the 2020 cloud federation initiative that failed to gain traction after allowing AWS and Microsoft participation—a decision critics viewed as “sovereignty-washing.” CADA, by contrast, is a binding legislative proposal under Article 114 TFEU (internal market harmonization), not a voluntary framework, according to analysis by Julien Simon, an AI expert and former AWS principal technical evangelist.
Precedent for Global Digital Protectionism
The EU’s move echoes the GDPR and Digital Markets Act playbook: establish extraterritorial regulatory standards that force global compliance while creating competitive advantages for domestic players. If CADA succeeds, expect copycat legislation in regions where Digital Sovereignty concerns are rising—ASEAN nations wary of both US and Chinese cloud dominance, Latin American countries prioritizing data localization, and jurisdictions where recent geopolitical tensions have exposed vendor concentration risk.
The regulatory signal extends beyond procurement. By institutionalizing sovereignty criteria, the EU is establishing a precedent for antitrust enforcement against hyperscaler duopolies. The Commission’s April tender explicitly evaluated providers on eight sovereignty objectives, including protection from extraterritorial jurisdiction, operational autonomy, and resilience to supply chain disruption—criteria that structurally favor European vendors over subsidiaries of US corporations subject to the CLOUD Act.
- Government IT market redistribution favoring OVHcloud, STACKIT, Scaleway, and SEAL-certified European providers in strategic sectors
- Precedent for global digital protectionism—potential copycat rules in ASEAN, Latin America, and other jurisdictions prioritizing sovereignty
- Enterprise cloud diversification pressure as regulatory risk escalates for organizations operating in sensitive sectors
- M&A catalyst for European cloud champions seeking scale to compete with hyperscalers in commercial markets
- Transatlantic trade tension escalation if US views procurement restrictions as discriminatory barriers
For hyperscalers, the impact depends on how aggressively member states implement the rules. AWS, Microsoft, and Google could pursue legal challenges on World Trade Organization grounds, arguing that the procurement criteria constitute discriminatory trade barriers. They could also structure regional subsidiaries designed to meet sovereignty requirements—though legal experts like Caffarra argue that corporate restructuring cannot overcome extraterritorial jurisdiction exposure.
What to Watch
Monitor the final legislative text on June 3 for language distinguishing “preference” from “requirement”—the former suggests EU providers receive scoring advantages in procurement evaluations, while the latter would constitute an outright ban on non-EU vendors in strategic sectors. The binding versus advisory distinction will determine actual market impact.
Track OVHcloud’s restructuring, announced in May 2026 and effective September 1, which prioritizes defense and sovereign cloud verticals. Revenue guidance and contract pipeline disclosures in Q3 2026 earnings will indicate whether CADA translates into material deal flow.
Watch for US government response. If the Office of the United States Trade Representative escalates this to a formal trade dispute, the EU may face pressure to soften procurement restrictions or offer carve-outs for specific use cases. Conversely, if Washington remains silent, expect other jurisdictions to interpret that as tacit acceptance of sovereignty-based market access restrictions—accelerating the fragmentation of the global cloud market along geopolitical lines.