CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

EU Prepares Path for Shutting Out US Cloud Providers

Data Breach Today Archived Jun 04, 2026 ✓ Full text saved

Commission Proposes That Sensitive Public Data Should Be Kept Local The European Union's executive arm singled a strong dislike for U.S. cloud service provider participation in public-sector procurements in a long-delayed legislative package meant to bolster continental self-sufficiency. The proposal called for sensitive public data to be stored locally.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Cloud Security , Geo-Specific , Security Operations EU Prepares Path for Shutting Out US Cloud Providers Commission Proposes That Sensitive Public Data Should Be Kept Local David Meyer • June 4, 2026     Credit Eligible Get Permission Clouds over Paris. (Image: Shutterstock) The European Union's executive arm singled a strong dislike for U.S. cloud service provider participation in public-sector procurements in a long-delayed legislative package meant to bolster continental self-sufficiency. See Also: OnDemand | Cybersecurity for Cloud: Challenges and Strategies for Securing Your Enterprise Cloud A key element of the tech sovereignty package is a proposal for a Cloud and AI Development Act, which aims to boost cloud ecosystems in Europe. Much of the bill is concerned with things like supporting research and making it easier to deploy data centers, but it also introduces an EU-wide framework for assessing cloud and artificial intelligence sovereignty. This framework includes four assurance levels. Countries would get to choose for themselves which assurance levels are needed for which systems, but when it comes to Levels 3 and 4, the requirements demand that the provider is "not subject to the control of a third country or a legal entity established in a third country." Level 3 comes with the possibility of an exemption from this condition, but only if the provider can demonstrate that the third country - meaning a country outside the EU - cannot access customer data. That represents a massive complication for U.S. providers, as that country's Cloud Act demands just that of American cloud firms, regardless of where they store customer data, as long as a warrant has been issued by a U.S. court (see: US Takeover of Dutch Cloud ID Provider Blocked by Government). "With the USA, with the Cloud Act, it is difficult for their companies to reach Level 3," Henna Virkkunen, the commission's senior tech policy executive, said during a Wednesday press conference. "There are powers in this Cloud Act which are not in line with our rules here." Virkkunen added that it was important to ensure that sensitive European public-sector services aren't vulnerable to a "kill switch" - a commonly-invoked threat in European policy circles these days, regarding technology from the United States and China. The reaction from Big Tech's advocates was swift to arrive, with the Computer and Communications Industry Association decrying "discriminatory measures that directly undermine the EU's own digitalization goals." "The Cloud and AI Development Act is a direct recipe for fragmented discrimination across Europe in 27 different ways, not only in public procurement but potentially also across thousands of private critical entities, from banks to energy companies," said Daniel Friedlaender, senior vice president and head of office at CCIA Europe. "By pairing a strict mandate with unrealistic standards that the EU itself cannot meet, the commission is effectively giving national capitals carte blanche to shut out trusted global vendors from every major technology-producing nation outside the Union." The proposed assurance framework leans heavily on cybersecurity. Even Level 1 requires compliance with "state-of-the-art" standards. Higher levels all call for certificates under a European cloud cybersecurity certification scheme - denoting "substantial" security for Levels 2 and 3, and "high" for Level 4. The EU cybersecurity certification scheme is not up and running yet - it's been in the works for years, but implementation remains stalled due to disagreements between countries over sovereignty-related issues. Recognizing that fact, Wednesday's proposal says that, in the absence of such an EU-wide framework, cloud service providers will need to get certification from national authorities, if indeed they have such frameworks of their own. Experts from the Center for European Policy said Wednesday that the commission risks repeating the failure of the EU Cloud Cybersecurity Certification Scheme. "The EUCS failed because the most contested choices were delegated to a technical body without the mandate or legitimacy to make them," wrote CEP expert Philipp Eckhardt. "CADA needs a clear legislative framework for any sovereignty requirements it introduces, one that distinguishes between truly sensitive systems of public sector entities and critical infrastructure operators, and the vast majority of cloud use cases where the priority should be competition, portability and price." Cybersecurity also plays a significant role in the EU Open Source Strategy that the commission unveiled as part of the sovereignty package - though this element is merely a communication rather than a legislative proposal, meaning it doesn't need to be thrashed out between the commission, the European Parliament and EU countries over the coming months and perhaps years. In its Wednesday communication, the commission said open source can contribute to cybersecurity by allowing "wide public inspection" of source code and pledged to further promote the development of "open-source cyber threat intelligence frameworks, tooling for vulnerability coordination and disclosure, assurance and verification tools to strengthen the security of widely used open-source components, and support compliance with the Cyber Resilience Act" (see: Europe Girds for Looming IoT Security Regulations). Apart from CADA and the EU Open Source Strategy, the tech sovereignty package also includes a strategic road map for digitalization and AI in the energy sector - which is partly concerned with managing the soaring energy requirements of data centers - and a "Chips Act 2.0" that aims to secure a local supply of mainstream and advanced AI chips. "We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure," European Commission President Ursula von der Leyen said. "This is about protecting our citizens, defending our interests and making our own choices." In related news, Politico reported Wednesday that the European Parliament was about to ditch Google as the default search tool on its computers, opting instead for France's Qwant over digital sovereignty and data-protection concerns.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗