The European Union is beginning to face an uncomfortable reality: regulating artificial intelligence, protecting personal data, or discussing strategic autonomy are not enough if critical infrastructure still depends on Amazon, Microsoft, and Google. The cloud has become the nervous system of government agencies, banks, hospitals, energy, defense, industry, and digital services. Those who control this layer not only host servers; they control computing capacity, AI tools, identity management, networks, observability, automation, and operational continuity.
The new front opening in Brussels points precisely there. According to documents seen by Reuters, the European Commission is working on stricter criteria for cloud services used in highly critical public tenders. The proposal, linked to the upcoming Cloud and AI Development Act, could disadvantage or even exclude major U.S. providers from certain strategic contracts if they do not meet sovereignty, legal control, data protection, and supply chain requirements.
The debate is late, but it’s happening. For years, Europe accepted that its digital infrastructure was in the hands of U.S.-based platforms while focusing political energy on regulating the effects of this dependence. Now, artificial intelligence has changed the calculus. Without cloud infrastructure, data centers, chips, energy, software, and operational talent, there is no sovereign AI. And without sovereign AI, Europe risks regulating a market it doesn’t control.
Sovereignty is no longer just rhetoric; it’s a matter of procurement
The novelty is not just that Brussels talks about digital sovereignty; that has been happening for years. What’s significant is that the Commission aims to introduce mandatory, non-price criteria in sensitive public procurement. In other words, agencies shouldn’t only choose based on cost or technical prowess but also evaluate who controls the infrastructure, under what laws they operate, which providers are involved, where the data is stored, and how dependent they are on third countries.
This shift could reshape the market. AWS, Microsoft Azure, and Google Cloud dominate much of the European public cloud. The European Parliament has warned in various analyses about the high concentration of the cloud market in U.S. companies, while European providers hold a much smaller share. Additionally, there’s a recurring legal concern: the U.S. CLOUD Act allows U.S. authorities to demand data from providers, even if it is stored outside the U.S.
Hyper-scalers have understood the commercial risk and moved swiftly. AWS already markets its European Sovereign Cloud, with separate infrastructure in Germany and an announced €7.8 billion investment. Microsoft emphasizes its Sovereign Cloud, EU Data Boundary, and partnerships with local companies like Bleu (controlled by Orange and Capgemini) or Delos Cloud (SAP’s Azure-based subsidiary). Google has formed alliances such as S3NS with Thales and agreements with European players to remain eligible for sensitive contracts.
The question is whether that’s enough. A cloud can be hosted in Europe, operated by European personnel, offer strong encryption, comply with GDPR, and still maintain technical, legal, or update dependencies on a non-European provider. It can be secure, useful, and even reasonable for many workloads. But full sovereignty is something else entirely.
The risk of “sovereignty washing”
Europe risks creating an intermediate, comfortable category: “sufficiently sovereign” clouds that don’t offend major providers but aren’t independent enough to truly reduce strategic dependency. This is the same problem seen in other tech areas: frameworks are established, levels are assigned, exceptions are accepted, and ultimately the market ends up calling “sovereign” what’s just a more controlled version of previous dependence.
The Commission itself has begun measuring sovereignty through its Cloud Sovereignty Framework and SEAL levels. The model distinguishes between data sovereignty, digital resilience, and higher levels of autonomy. On paper, it’s progress: it sets criteria, requires documentation of controls, and allows comparison of providers. But it also introduces a gray area. In April 2026, the Commission awarded a tender worth up to €180 million for sovereign cloud services to four European providers or consortia. Among them is a consortium led by Proximus using S3NS, the joint venture of Thales and Google Cloud. The Commission has also argued that non-European technologies can meet minimum sovereignty levels if operated within a strict framework.
That’s the dilemma. If Europe accepts a cloud based on U.S. technology as sovereign because the contractual and operational framework is European, it may alleviate short-term problems but also perpetuate them. Conversely, demanding full sovereignty immediately risks leaving Europe without sufficient capacity, advanced AI services, and elasticity, and incurring higher costs in some projects.
The solution isn’t to deny the power of hyper-scalers. AWS, Microsoft, and Google offer extraordinary technology, particularly in AI, managed services, databases, observability, security, and global deployment. Many European companies can’t replace them overnight without losing capabilities. But it’s also unwise to blindly accept the argument that a European commercial layer automatically grants sovereignty to a platform still dependent on external technical decisions, licensing, updates, IP, and jurisdiction.
Europe needs homegrown providers, not just stricter rules
The upcoming Cloud and AI Development Act could be a significant step if used to create genuine demand for European providers. Stackscale (Aire), OVHcloud, Scaleway, StackIT, Clever Cloud, T-Systems, Orange Business, Aruba, IONOS, SAP, Proximus, regional operators, and private infrastructure companies like Stackscale have opportunities if Europe commits to purchasing coherently. It’s not enough to preach sovereignty and then award the most critical contracts to the same old dependency chains.
However, limits must be acknowledged. Europe does not currently have an equivalent to AWS, Azure, or Google Cloud across all layers. It has good infrastructure providers—private cloud, bare-metal, colocation, Kubernetes, managed services, and sovereign platforms—but lacks a comprehensive continental offering with the same depth in AI, chips, foundational models, PaaS software, analytics, and global services. Additionally, much of the critical hardware comes from Asian or U.S. supply chains. Saying all hardware must be European sounds ideal in procurement but is difficult to enforce strictly today.
Therefore, policies should be smart and gradual. The most critical workloads—public health, justice, defense, digital identity, energy, systemic banking, or sensitive government data—should have stricter European control, portability, reversibility, encryption, local operation, and no critical dependency on third countries. For less sensitive workloads, hybrid clouds where hyper-scalers still play a role—provided the client retains real control over data, keys, outputs, and architecture—may make sense.
The mistake would be turning sovereignty into a premium label that’s purchased from the usual provider chain at extra cost and with longer contracts. Sovereignty should not be just an option in the catalog but a design condition: who operates, manages, accesses, updates, audits, and responds in crises, and how to exit if the provider no longer fits.
Europe faces an uncomfortable choice. It can buy wrapped digital sovereignty from U.S. companies and declare the problem resolved, or it can leverage public procurement power to build real European capacity—even if harder, slower, and less glamorous commercially. The former eases short-term tensions; the latter builds independence.
Digital sovereignty isn’t achieved by banning American logos or raising barriers without alternatives. It’s achieved through investment, conscious purchasing that favors Europe when the workload demands it, demanding portability, reinforcing European private and public cloud, supporting open-source software, creating stable public demand, and not confusing compliance with control. If Europe fails to make that distinction, it will pay more for sovereignty that it will never fully attain.
Frequently Asked Questions
What does the European Union want to change in cloud tenders?
Brussels is working on stricter criteria for highly critical public contracts. The aim is to consider not only price but also sovereignty, data protection, jurisdiction, supply chain, and operational control.
Could U.S. providers like AWS, Microsoft, and Google be excluded?
They could be excluded or disadvantaged in some strategic contracts if final requirements demand strong European control and low exposure to non-EU jurisdictions. The proposal may still change and will need political support.
Is a cloud hosted by AWS, Microsoft, or Google in Europe truly sovereign?
It can improve data residency, compliance, and operational controls, but that does not guarantee full sovereignty. The key is who controls the technology, operations, keys, updates, admin plane, and exit procedures.
What should Europe do to reduce dependence on hyper-scalers?
Leverage public procurement to foster steady demand for European cloud, strengthen local providers, require portability, invest in data centers, software, talent, chips, and open models, and reserve critical workloads for infrastructure under verifiable European control.

