The EU's CADA: Europe Declares Cloud Sovereignty War on AWS, Azure, and Google Cloud

On June 3, 2026, the European Commission published one of the most consequential technology regulations of the year: the proposed Cloud and AI Development Act, or CADA. Buried within its 40,000 words of legislative text is a direct challenge to three of the world’s most powerful technology companies — Amazon Web Services, Microsoft Azure, and Google Cloud — and a blueprint for how Europe intends to reclaim sovereignty over its own digital infrastructure.

The Commission framed the proposal as the centerpiece of its Tech Sovereignty Package, but the plain language of the regulation is less diplomatic: Europe’s cloud market has been quietly colonized, and Brussels intends to change that.

The Problem Brussels Is Trying to Solve

The data cited in the CADA proposal tells a stark story. EU-based cloud providers’ collective market share has fallen from approximately 29% in 2017 to around 15% by 2022, a collapse that has happened quietly, transaction by transaction, as European enterprises and governments chose AWS, Azure, and Google Cloud over domestic alternatives. The trend has continued since; by 2026, the three US hyperscalers are estimated to control more than 70% of European cloud revenue.

The regulation is driven by two interlocking anxieties. The first is capacity: Europe lacks sufficient AI-ready data center infrastructure to support its ambitions for sovereign AI development. The second is dependency: European public sector entities — hospitals, tax agencies, defense ministries, police forces — are running critical workloads on infrastructure owned, operated, and ultimately governed by US law, including the CLOUD Act, which allows US authorities to compel data disclosure even from EU-based data centers.

CADA’s stated goal is to triple EU data center capacity within five to seven years. The mechanism it uses to get there is a cloud sovereignty framework built around public procurement.

The Four Union Assurance Levels

The regulation’s most technically detailed — and most commercially disruptive — element is a graduated framework of Union assurance levels that public sector bodies must apply when procuring cloud services.

Level 1 (Baseline) requires cloud providers serving public bodies to establish infrastructure and customer data within EU borders. Non-EU controlled providers must additionally guarantee they cannot be compelled to disclose system vulnerabilities to foreign authorities — a direct response to CLOUD Act exposure.

Level 2 (Enhanced) goes significantly further. All personnel, infrastructure, and assets involved in delivering the service must be EU-based. Providers must hold EU cloud certification and demonstrate technical measures preventing third-country access to customer data, including protection against sanctions-driven data disclosure.

Level 3 (Strict) adds an ownership requirement. Control of the provider must be EU-based, with limited derogations for countries holding EU adequacy decisions that maintain reciprocally open markets to European providers. This level would be applied to providers deemed to “contribute to the preservation of public order” — a deliberately broad category.

Level 4 (Strictest) demands EU ownership without any derogations, highest-level European cybersecurity certification, and demonstrated third-country independence over both software design and ongoing maintenance. At this level, the regulation effectively mandates European-built software stacks, not merely European data residency.

What This Means for US Hyperscalers

The commercial implications for AWS, Microsoft Azure, and Google Cloud are significant.

At Level 1 and 2, the hyperscalers can likely comply through existing or expanded EU data center footprints. All three already operate EU-based regions, and all three have existing GDPR compliance machinery. The additional burden would be contractual — restructuring agreements to eliminate foreign-authority disclosure obligations — and operational, with staff localization requirements adding cost.

Level 3 is where it becomes genuinely disruptive. The EU ownership requirement cannot be satisfied by simply opening more European data centers. AWS is owned by Amazon, a US corporation. Azure is a Microsoft division. Google Cloud is a Google division. Meeting Level 3 would require the creation of separately owned EU entities — structures analogous to the EU-based joint ventures that some US defense contractors use to participate in European government procurement. Whether the US hyperscalers would create such structures, and whether the Commission would accept them as genuinely independent, is a central question the regulation leaves unresolved.

Level 4 effectively defines a market that US-headquartered providers cannot enter as currently structured. The winners at Level 4 would be European-owned, European-built providers — a category that today includes a thin roster of companies: OVHcloud, Hetzner, Deutsche Telekom’s T-Systems, and a handful of other national champions with modest market share.

The “Union Added Value” Lever

Beyond the assurance levels, CADA introduces a procurement criterion that has been relatively underreported: Union added value. Public authorities evaluating cloud and AI service bids must assign a weighting — up to 15 points — to the degree to which a provider:

• Contributes to strengthening the EU’s digital technology supply chain
• Integrates technologies developed in the EU
• Conducts R&D and innovation within EU borders
• Delivers services using hardware components designed or manufactured in the EU

This criterion does not exclude non-EU providers from winning contracts. But it explicitly tilts the procurement field toward domestic champions — particularly at the application and AI layer, where European providers are increasingly competitive with US alternatives.

Data Center Acceleration Zones

The regulation also introduces a structural mechanism to address Europe’s data center capacity deficit: data center acceleration zones in which member states are required to complete permitting processes within 12 months. This is a direct response to the current landscape, where large-scale data center approvals in Germany, the Netherlands, and other major EU markets routinely take three to five years.

Alongside this, CADA creates a strategic project designation pathway for critical data center infrastructure, enabling preferential access to public funding, expedited grid connections, and planning priority. The mechanism borrows from the EU’s existing Critical Raw Materials Act strategic project framework, which has successfully accelerated lithium and cobalt processing capacity in Europe.

The Open Source Mandate

A provision that has attracted less attention than the sovereignty framework but may prove equally consequential: CADA establishes an “open source first” principle for public sector technology adoption. Public bodies procuring cloud and AI services must demonstrate they have considered open source alternatives before choosing proprietary software. This principle, if enforced, would create systematic procurement pressure toward EU-developed open source tools — a tailwind for European AI companies building on open foundations like Mistral’s models or EU-funded research infrastructure.

What Happens Next

What the European Commission adopted on June 3 is the opening move in a legislative process that requires agreement from both the European Parliament and the Council of the EU before any provision becomes binding. That process — known as trilogue — typically takes 12 to 36 months for complex digital legislation.

The CADA proposal is particularly contentious, and US technology industry associations have already signaled strong opposition, framing the assurance levels as de facto protectionism in violation of WTO commitments. The US government, which has watched EU digital regulation evolve from a standards-setting exercise to a geopolitical tool, is expected to raise the legislation formally in trade discussions.

Within Europe, the debate will likely center on whether the regulation is calibrated correctly. Some member states — particularly those with strong US tech investment relationships, like Ireland — have reason to seek softer assurance level requirements. Others, particularly France and Germany, are expected to push for more aggressive enforcement timelines.

For enterprises operating across Europe, the practical advice is clear: the CADA’s assurance level framework will shape public sector contract eligibility for a generation. Cloud strategy decisions made now will determine whether organizations are positioned as compliant suppliers or excluded parties when the regulation eventually takes effect.

GDPR took years to fully enforce. Its legacy is permanent. CADA appears to be aiming for the same long arc.