The new rules being prepared by the European Commission regarding cloud services have raised alarms among major tech companies and industry associations, who fear that a restrictive definition of digital sovereignty could end up excluding non-European providers, especially those from the U.S. This concern was evident in the responses submitted to the public consultation on the future regulatory framework for cloud and artificial intelligence, part of the ambitious AI Continent Action Plan.
The consultation, which concludes this week, has gathered more than 130 contributions, mostly from Germany, Spain, and Belgium. According to the Commission’s text, the goal is to address the current lack of large-scale cloud offerings originating from Europe, capable of covering critical use cases with high security requirements, both in the public and private sectors. Currently, the reliance on giants like Google, Microsoft, and AWS is almost structural for many European companies.
Brussels is pushing for enhanced infrastructure, data access, skills, and the development of AI tools as key elements to reposition Europe as a relevant industrial player in this new technological era. However, the approach is generating debate.
A Digital Sovereignty That Doesn’t Close Doors
The German digital association Bitkom advocates that the concept of sovereignty should not impose barriers but rather reinforce freedom of choice, resilience, and diversification. Microsoft, for its part, asserts that imposing restrictive policies would be counterproductive. In its statement, the multinational argues that the European Union should focus on diversifying supply chains and establishing objective criteria based on security, transparency, and performance.
The international organization BSA, which groups software companies, warns that overly strict regulations could severely limit the ability of European customers to choose the services that best meet their needs. According to BSA, many EU companies currently turn to non-European providers for technical, cost, or functionality reasons that they cannot find with local players.
In response to these positions, David Carrero, co-founder of Stackscale (Grupo Aire)—a Spanish company specializing in cloud infrastructure, private cloud, PrivateGPT, and bare-metal servers with data centers in Spain and the Netherlands—believes that the debate should not focus on exclusion but rather on prioritizing real technological sovereignty. He asserts, “Digital sovereignty should not just be an aspiration, but a concrete strategy. It’s not about shutting the market to foreign providers, but ensuring that critical data, especially from the public administration and strategic sectors, always resides on European soil and, preferably, is managed by European companies.”
Carrero advocates for hybrid models that combine the best of both worlds: “Hybrid solutions allow for flexibility and competitiveness, but sensitive data must be protected under European jurisdiction. Only then can we ensure true digital sovereignty against extraterritorial legislations like the U.S. Cloud Act.” In his view, resilience cannot be divorced from localization and real control over the systems managing Europe’s strategic information.
In the same vein, the German internet industry group Eco believes that measures should be applied transparently and proportionally, with geographic location not being a default exclusion factor.
Microsoft and Data Protection in Uncertain Times
In parallel with the regulatory debate, Microsoft has reaffirmed its commitment to protecting European data. At an event in Brussels, Brad Smith, the company’s president, stated that Microsoft is willing to take any government attempts to access data from European public or business sector clients to court, provided there is a legal basis for opposing such actions.
Smith noted that this contractual protection comes with a compensation clause for customers in the event of a leak contrary to community law, although he considered such a situation to be "very unlikely." The tech giant has previously sued the administrations of Obama and Trump over similar issues and is now closely watching the direction of the new Republican presidency in the U.S.
The German Ministry of the Interior, for example, has expressed concern about the possibility that Donald Trump might review or repeal key agreements regarding data transfer between the EU and the U.S. In that context, Microsoft’s promise becomes a political and commercial signal.
Geopolitics Takes the Stage
The trade tension between the EU and the U.S. is also beginning to impact digital services. The president of the Commission, Ursula von der Leyen, has hinted that the bloc could impose tariffs on U.S. services if trade negotiations fail, which would add pressure to an already heavily regulated sector. A scenario that companies like Microsoft prefer to face as “a voice of reason,” in Smith’s words.
If digital services become embroiled in a trade war, Smith assured that the company would work to help its clients “manage whatever comes next.”
The EU has 90 days to find a negotiated solution, while a general 10% tariff from the U.S. remains in effect.
In this complex landscape, the European strategy to boost its own cloud and AI ecosystem must balance the need for technological sovereignty with openness, international collaboration, and real competitiveness. Because the risk, as companies warn, is that in the name of autonomy, innovation and access to essential services could be restricted at a critical time for Europe’s digital future.