The European Commission is moving toward formal EU cloud procurement rules that could significantly reshape how public administrations award cloud contracts, potentially disadvantaging US hyperscalers in critical tenders. Rather than relying on open market competition, the EU is building a policy framework designed to strengthen Europe’s digital sovereignty and favor homegrown cloud providers.
Key Takeaways
- The EU Cloud and AI Development Act, proposed in 2026, aims to triple EU data centre capacity within 5-7 years
- New procurement guidance will recommend consistent national policies and essential criteria for public-sector cloud tenders
- The EUCS cybersecurity certification scheme will provide assurance for cloud services across the EU
- The Data Act targets vendor lock-in by making cloud provider switching fast, free, and technologically fluid
- Combined rules favour European cloud providers in critical infrastructure and sensitive-data workloads
The EU’s Digital Sovereignty Strategy Takes Shape
Europe’s cloud policy is no longer just rhetoric—it is becoming law. The European Commission plans an EU Cloud Rulebook and formal guidance on public procurement of data processing services as part of a coordinated sovereignty push. The strategy links three critical elements: cloud infrastructure capacity, AI development, and cybersecurity certification. By 2035, the EU wants to meet the data-processing needs of EU businesses and public administrations using infrastructure built to European standards and located within European jurisdiction. This is not a ban on US providers, but a structural shift that makes European alternatives more attractive for government contracts.
The Cloud and AI Development Act, set to be proposed in 2026, is the legislative backbone of this strategy. Its explicit goal is to foster the growth of European cloud providers while ensuring highly secure cloud capacity for highly critical use cases. Public procurement—where governments buy cloud services for defense, healthcare, finance, and other sensitive sectors—becomes the lever. If procurement guidance recommends that tenders prioritize providers with certain certifications, data residency, or ownership structures, US hyperscalers will face a structural disadvantage regardless of technical merit.
Certification and Vendor Lock-in: The Real Teeth
The EU Cloud Rulebook establishes a single European framework with binding and non-binding rules for cloud service users and providers. But the real enforcement mechanism is the European Cybersecurity Certification Scheme for cloud services (EUCS), being developed by ENISA under the Cybersecurity Act. This scheme is designed to provide increased assurance that data are secure wherever they are stored or processed. In practice, it means that cloud providers seeking to bid on critical EU public tenders may need EUCS certification—a credential that European providers can more easily obtain than US-based competitors operating under US legal jurisdiction.
Alongside this sits the Data Act, which tackles vendor lock-in by making it fast, free, and technologically fluid to switch cloud providers. On the surface, this sounds pro-competition. In reality, it reduces switching costs for customers moving between European providers while making it harder for locked-in customers of US hyperscalers to migrate away. The EU’s Regulation on the free flow of non-personal data reinforces this by ensuring all data can move freely within the EU, increasing legal certainty for cloud users. For US providers storing data in US data centres or subject to US law, this creates friction.
What This Means for Public Procurement
The procurement guidance will recommend consistent national policies plus essential criteria for public-sector tenders for data processing services. This is the critical detail. When a European government issues a tender for cloud services—say, for a national health system or defence ministry—the guidance will suggest evaluation criteria that favour European providers. These criteria might include data residency within the EU, EUCS certification, independence from non-EU legal systems, or ownership by EU entities. A US hyperscaler could still bid, but it would start from a disadvantage.
The timeline matters. The Commission will propose the Cloud and AI Development Act in 2026, with the goal of tripling EU data centre capacity within 5 to 7 years. This is not a distant future scenario. Governments are already planning infrastructure investments. Procurement guidance could influence contracts awarded in 2026 and 2027. US hyperscalers have months to prepare for a fundamentally different competitive landscape in their largest market outside North America.
How This Compares to Current Market Dynamics
Today, AWS, Microsoft Azure, and Google Cloud dominate European public procurement because they offer mature, reliable, feature-rich services at competitive prices. European alternatives like IONOS or OVHcloud exist but lack the scale and global footprint. The EU’s strategy is to change the rules so that scale and global footprint become liabilities rather than assets. A provider subject to US law and operating globally is now a risk factor in critical tenders. A provider with data centres only in Europe and no US parent company becomes an asset.
This is not protectionism in the crude sense—the EU is not banning US providers outright. It is structural protectionism: redefining the rules so that European providers win on criteria that have nothing to do with technical performance and everything to do with sovereignty and legal jurisdiction. US hyperscalers will adapt by building more European capacity and creating European legal entities, but they will never fully escape the fact that they are ultimately answerable to US law.
Why This Matters Now
The EU cloud rules matter because they signal a permanent shift in how Europe views cloud infrastructure. It is no longer a commodity service to be bought from the cheapest, most capable provider. It is strategic infrastructure, like electricity grids or telecommunications networks. Once that mindset takes hold in procurement policy, it spreads. If critical tenders start favouring European providers, private companies will follow, because they will assume that EU-approved providers are safer choices. The EU’s digital sovereignty agenda, once considered aspirational, is becoming regulatory reality.
Can US hyperscalers compete under the new rules?
Yes, but with constraints. AWS, Microsoft, and Google can establish European subsidiaries, build European data centres, and pursue EUCS certification. However, they remain ultimately subject to the CLOUD Act, which allows US law enforcement to compel data access regardless of where it is stored. This jurisdictional reality cannot be engineered away, and it will remain a competitive disadvantage in tenders for truly critical workloads.
When will the EU cloud procurement rules take effect?
The Cloud and AI Development Act is proposed in 2026. Procurement guidance could follow within months. However, implementation timelines vary by member state. Some countries may adopt the guidance quickly; others may take years. The real impact will be visible in tenders issued from 2026 onward, particularly in defence, healthcare, and financial services.
What is the goal of the EU Cloud Rulebook?
The EU Cloud Rulebook is designed to provide a single European framework with binding and non-binding rules for cloud service users and providers. Its purpose is to standardize cloud practices across the EU, reduce fragmentation, strengthen security through EUCS certification, and ensure that critical infrastructure and sensitive data are protected under a consistent set of European standards rather than subject to divergent national rules or US legal oversight.
The EU’s cloud strategy is not just about infrastructure or technology. It is about power. By linking cloud capacity, AI development, cybersecurity certification, and public procurement into one coherent policy, the Commission is reshaping the competitive landscape in Europe’s favour. US hyperscalers will remain powerful players, but they will no longer be the default choice for critical tenders. That shift alone is enough to reshape the cloud market for the next decade.
Edited by the All Things Geek team.
Source: TechRadar
