Europe Means Business on Cloud and AI Sovereignty

On 3 June, the European Commission presented its European Technological Sovereignty Package, a highly anticipated set of measures billed as a generational effort to address Europe’s reliance on foreign technology. The package answers the 2024 Draghi Report which called for a reduction in foreign dependence and increased competitiveness to achieve European prosperity and security in a digital age.

The Commission’s tech sovereignty package consists of four instruments: two pieces of legislation – the Cloud and AI Development Act (CADA) and the Chips Act 2.0 – and two strategic documents, the Open Source Strategy and Strategic Roadmap for Digitalisation and AI in Energy. Altogether, an ambitious set of proposals.

If enacted, the package will reshape how Europe builds, buys and trusts its digital infrastructure. How far it goes will be decided in the negotiations ahead, at the European Parliament and among member states. Drawing on RUSI’s ongoing research on Cloud Sovereignty, this article focuses on the CADA: its aims, priorities and methods, and the fault lines likely to emerge as it is debated in Brussels.

Why Now?

European officials are not short on problems. The bloc faces febrile economic growth, aging populations, rising costs of living, slowing birth rates and insurgent populist parties. Beyond the EU’s borders, Russia’s continued war in Ukraine demands time and resources from Brussels, the US-Iran-Israel conflict has created a global energy shock, and an ever-looming climate crisis requires rapid electrification and decarbonisation.

Against this backdrop, the Commission is targeting simplification of regulations to promote growth and supporting rearmament through initiatives such as SAFE. Simplification and rearmament both bet significantly on technology, whether to boost productivity or improve battlefield readiness. Aiming for sovereignty where technology is critical is worthy, but it will come with trade-offs. Pursuing it nonetheless shows that Brussels has decided the cost of dependency now exceeds the cost of action.

Calls for European tech sovereignty are not new. Concerns about a ‘kill switch’ in critical technologies have been heard before, the Chips Act 2.0 is a product of its predecessor falling short, and ambitions for European alternatives to American hyperscale cloud have been around for a decade or more, from GAIA-X to the EuroStack project. What has changed is the calculus. Europe’s reliance on foreign countries for over 80% of digital products, services and infrastructure is now viewed as a direct risk to its resilience, exacerbated by turbulent relations with Washington and Beijing and the weaponisation of rare earths and chips. Meanwhile, the productivity gains associated with AI adoption are now presented as existential – scalable and secure compute is fundamental to strategic competition. The risks of not taking decisive action have come to outweigh the difficulty of doing so.

What Will CADA Do?

The CADA rests on three pillars: improving research and innovation in cloud and AI, faster deployment of data centres in Europe, and strategic autonomy in the most critical capabilities.

On the first, the CADA wants Europe’s innovation environment to disrupt dominant computing paradigms, either opening new market segments or increasing the efficiency of existing technologies. Within this, improvements to compute energy efficiency are complementary with the accompanying energy strategy and are seen as a priority. The Commission is under pressure to ensure CADA does not compromise its climate commitments and is aware that Europe’s expensive and unstable energy prices put it at a disadvantage relative to the US and China.

On the second, the Commission has set an objective to triple Europe’s data centre capacity over five to seven years, aligning with the Apply AI Strategy and other measures to promote adoption. To support this ambition, the CADA proposes to harmonise and accelerate data centre permitting across member states, and improve access to energy, land, water and financing – an effort expected to require approximately €200 billion of mostly private investment. As the Commission and Draghi acknowledge, passing the CADA is insufficient to ensure the success of this pillar. Tying European capital markets together, reducing the cost of energy and member-states implementing provisions remains necessary.

The third pillar aims to ensure that sovereign solutions exist and are chosen for the most critical use-cases. The CADA proposes to do this primarily through an EU-wide Union cloud computing sovereignty framework comprising four assurance levels:

• Level 1: Localisation of data.
• Level 2: Auditing and mitigations of foreign control.
• Level 3: Exclusion of foreign control and EU personnel requirements.
• Level 4: Full European development and control alongside other provisions.

The framework would apply by default in the public sector. Member-states would determine the sensitivity of their workloads, assess providers against the appropriate level and enforce the terms. This will require many member-states to stand-up audit and assessment capacities for cloud which are sorely needed, particularly as, if a provider is audited and found in breach, there is then a requirement to migrate to a compliant service. Furthermore, the Commission can designate third countries whose providers can be audited up to level 3. The third pillar also floats a cross-Union procurement mechanism allowing the Commission to negotiate contracts on behalf of multiple member-states.

Fault Lines Exist and will Widen as the CADA Moves Forward

As the CADA is digested, areas of disagreement will begin to come into focus. One fault line will be access to capabilities. Critics will argue that sovereignty requirements restricting European defence and national security customers from accessing the most advanced cloud and AI services will damage the resilience and security that the act aims to protect. The counterargument is that an inferior or absent capability may be preferable to one that is untrustworthy. By presenting sovereignty as a continuum and allowing governments to self-select the sensitivity of their workloads, the Commission is putting the ball in member-states’ courts and trying to avoid the argument. But will a government be able to politically defend not placing every national security workload in the highest assurance level? As the allianceEurope increases its readiness, further obstacles to digitally enabled cohesion will set preparations back.

A second fracture will be cost and competitiveness. Sovereign options are characterised as costly and with stretched budgets, member states may baulk at paying a premium. Insulated from global competition, the companies providing these localised services may become uncompetitive even if they achieve the scale within European markets that the CADA envisages. However, European providers contest that they are not cost competitive in like-for-like pricing with fair competition. European companies say they are cost competitive and US hyperscale cloud argues their sovereign options mean they are compliant anyway. Measures under CADA are also not without equivalents, China and the US tightly control public sector digital capability use, the latter with the FedRAMP scheme – albeit based primarily on security.

Third is Washington. The Trump administration has criticised EU tech policies it sees as unfairly disadvantaging US companies and has shown willingness to leverage American tech advantage to impose costs in international disputes. The EU Commission has been careful to soften messaging on the Tech Sovereignty Package, for example by committing to join the Pax Silica – a US-led partnership on AI, semiconductors, critical minerals, export controls and tech standards – in the same week. The US has yet to react publicly to the Commission’s sovereignty package, but there it is a clear it will likely further strain Euro-Atlantic relations.

Finally, the inter-state politics of the Act and its enforcement will be complex. The Commission is trying to reshape European digital sovereignty without itself being a sovereign entity – it must rely on member states to also prioritise strategic autonomy and accept trade-offs. That reliance will either be a strength or vulnerability. The stalled EU cybersecurity certification scheme (EUCS) offers a cautionary tale: technical consensus led to deadlock when sovereignty requirements met national interests. And member-states have precedent going their own way. Germany, Denmark, the Netherlands and others have moved away from foreign digital service providers, but France’s domestic intelligence agency in December 2025 extended its partnership with Palantir, even as Paris championed European alternatives. There is a gap between sovereignty rhetoric and what is procured in practice. Success beyond highly sensitive public sector uses will also depend on subsequent, promised measures coming to pass: integrated capital markets, cheaper energy, expanded skills. While the CADA is impressive, it does little to address that three non-European companies hold roughly 70% of Europe’s cloud markets.

The digital sovereignty package is the clearest signal to date that Europe views cloud and AI as strategically necessary and worth incurring costs. Whether it amounts to a generational shift or an ambitious initiative that loses momentum in implementation will depend on whether Brussels and twenty-seven capitals hold their nerve when faced with trade-offs.

© RUSI, 2026.

The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.