Responding to the new EU Tech Sovereignty Package – implications for cloud and AI

At a glance

  • Designed to strengthen Europe’s capacity in semiconductors, AI, cloud and Open Source, the EU’s new Tech Sovereignty Package comes at a time when the intersection between technology and geopolitics is more pronounced than ever.
  • One of the most eagerly awaited elements of the four-part package is the proposed new EU-wide framework to assess sovereignty requirements for cloud service procurement by public bodies, while, in the European Commission’s own words, “keeping most of our market open to like-minded partners”.
  • The framework contains an approach to assessing cloud sovereignty based on a range of detailed criteria, including location of company establishment, infrastructure and data, as well as third country control.
  • Primarily affected parties – namely cloud computing service providers and public sector bodies – will need to determine their strategies relevant to the proposed requirements.
  • Companies in sectors of high criticality such as telecoms, banking and energy should also have this on their radar, given the potential for this framework to be applied to their procurement of cloud computing services in the future.
  • The regulatory proposal will now be negotiated by the European Parliament and the Council of the European Union, meaning that further amendments are still to be expected.
  • Nonetheless, with significant detail now on the table, affected organisations should prepare their strategic response, identifying potential risks and opportunities relevant to the specifics of their operating model going forward.

Introduction

At a time of geopolitical uncertainty and change, EU policymakers are increasingly concerned about dependencies on critical technologies from third countries, and the impact that this might have on the EU’s digital economy and resilience.

Indeed, this concern is starkly evidenced by a statistic included in the European Commission’s new Tech Sovereignty Package – that despite the EU market for cloud computing services growing significantly, the market share of EU providers decreased from 29% in 2017 to 15% in 2022 and “has remained stagnant since then”.

The Commission is also concerned that even though there are numerous cloud computing services in the EU marketed with sovereignty in mind, these services “do not address the core sovereignty issues allowing for the extra-territorial reach of third-country laws and the possible degradation or disruption of the service”.

The new package of measures has therefore been eagerly awaited, with many expecting it would provide a definitive view of the most pressing (and challenging) questions that are being raised in the market, such as:

  • What does tech sovereignty mean in practice?
  • How realistic is it for policymakers to restrict service provision from companies headquartered in non-EU countries, given current market dependencies?
  • What technologies, and sectors, will any restrictions apply to?

Whether the proposed new measures are perceived as going too far, or not far enough, will likely depend on the market position, and nationality, of the organisation in question. The proposed new rules will have particular relevance to the following:

  • Cloud computing service providers seeking to provide services to public bodies in the EU, who will now need to demonstrate which level of sovereignty assurance they are able to meet.
  • Public sector bodies in the EU who will need to carry out a sovereignty risk assessment, based on the scope of their remit, to understand what level of cloud sovereignty they are required to procure.
  • Companies in sectors of high criticality such as telecoms, banking, energy or transport, who may be required to procure cloud computing services consistent with this sovereignty framework in the future.

Taken as a whole, the proposed new sovereignty framework represents vital reading for the companies and public sector bodies who may be affected, either directly or indirectly, by its contents.

What does the new Tech Sovereignty Package contain?

The new package is multifaceted, containing two new legislative proposals, a strategic roadmap (essentially, how the Commission plans to achieve a political and industrial goal) and a Communication (essentially, a non-binding policy paper).

The four distinct elements of the new package are set out in Figure 1 below.

Figure 1: Overview of the new Tech Sovereignty Package

What does tech sovereignty mean in the context of the new package?

The European Commission is performing something of a balancing act with the new package, as illustrated by the Tech Sovereignty Communication that forms part of it.

It is clear from the new communication that tech sovereignty is a two-sided coin.

On one side, it represents “Europe’s ability to develop, control and scale the critical technologies, infrastructure, services and data, including digital ecosystems, that underpin its economy, security and society, while derisking and diversifying supply chains and technological exposure to reduce strategic dependencies and resist foreign interference”.

On the other, it is “grounded in openness, partnership and fair competition. It does not mean isolation, protectionism, or tech decoupling.”

There is no single, succinct regulatory definition of tech sovereignty contained in the new package. Instead, it proposes a new EU-wide sovereignty framework. This is what we will now focus on for the remainder of this article.

Overview of the new tech sovereignty framework

The proposed sovereignty framework is included as part of the new Cloud and AI Development Act (‘CADA’). It contains four different levels of assurance, with numerous criteria in respect of each which can be used to demonstrate conformity.

The framework applies to the provision of a cloud computing service, consistent with the definition in the previous NIS2 Directive, i.e. “a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations”. The recitals to the CADA are clear that this includes on-demand access to AI systems (as defined in the AI Act). Therefore, only the delivery and making available of the AI System forms part of this cloud computing service (i.e. the AI system itself and its underlying model are not within scope).

From a customer perspective, it is important to note that the immediate focus of the new sovereignty framework is on cloud computing services procured by public sector bodies. However, the CADA highlights the possibility of applying it to cloud service procurement by private sector companies in sectors of high criticality in the future.

Another notable element of the new framework is that it contains provisions which enable third country regimes to be found to provide comparable levels of protection to that which exists in the EU. Broadly speaking, the Commission may determine (via secondary regulation) third countries whose regimes are seen as being compatible with assurance level 3. To be determined as such, a series of cumulative tests need to be met, one of which is that the country’s regime is subject to a relevant adequacy decision under the GDPR. Other tests include that the third country has no measures in place to compel the cloud computing service provider to degrade or disrupt service continuity or provision, and that it maintains an open market to EU cloud computing services.

An overview of the new framework is set out in Figure 2 below. This outlines the four levels of cloud sovereignty that have been proposed in the CADA, illustrating each level by reference to one of the key criteria relevant to a conformity assessment (in this case, third-country control over provider and subcontractors).

Figure 2: Overview of the new cloud sovereignty framework

Implications of the new sovereignty framework

The new framework has material implications and/or potential implications for three distinct entities, namely cloud computing service providers, public sector bodies and private sector companies in sectors of high criticality.

Cloud providers

It is envisaged that cloud computing providers seeking to provide services to public sector bodies in the EU will review their activities against the specific criteria associated with each assurance level. The criteria become more stringent the higher the level of assurance (taking just one example, self-assessment is acceptable for assurance level 1, whereas an independent audit is required to demonstrate compliance with assurance levels 2, 3 and 4). Member States are required to designate national authorities responsible for recognising the auditing procedure and framework and for the supervision of cloud providers going forward.

Public sector bodies

Public sector entities in the EU should carry out risk assessments (one year after entry into force of the CADA, and every two years, or whenever necessary, after that) to determine which assurance level is required for their activities (with the Commission expected to provide guidance in this area). The public body is also expected to consider whether a multi-vendor or multi-cloud strategy is appropriate, based on any relevant operational, regulatory or resilience-related circumstances.

Private sector companies in sectors of high criticality

The CADA is also clear that private sector entities in critical sectors (as identified in Annex I of the NIS2 Directive) may voluntarily carry out similar assessments in relation to their procurement of cloud computing services, and that if required, the Commission may adopt delegated acts specifying the need for such assessments in the future. Therefore, companies in sectors such as energy, transport, banking, financial services infrastructures, health and digital infrastructures should also have this on their radar.

In Figure 3 below, we set out three high-level examples of how the new sovereignty framework would apply and/or potentially apply to each of these three different entities.

Figure 3: How cloud computing service providers, public sector bodies and private sector companies in sectors of high criticality are affected by the new sovereignty framework

How affected organisations can respond to the new sovereignty framework

The new sovereignty framework underscores the importance of affected organisations pro-actively responding to the evolving EU sovereignty landscape. The different organisations affected by it will obviously need to respond to it in different ways.

For cloud service providers, there are five key steps that can be taken, as follows:

  • Step 1 - Establish position with respect to the four levels of sovereignty assurance – the most obvious starting point is for cloud service providers to review their activities against the sovereignty framework that has now been proposed, reaching a view on the level of sovereignty assurance they are able to provide.
  • Step 2 - Map sovereignty risks and/or opportunities – based on the findings of the review at step 1, incorporating relevant internal (e.g. commercial, strategic) and external (e.g. political and regulatory) factors.
  • Step 3 - Prioritise the greatest risks and/or opportunities – prioritising the most material findings will provide a firm basis on which to proceed.
  • Step 4 - Develop a target-state activity/service view mapping – to ensure that the company has an optimal sovereignty strategy that is complementary to its business strategy.
  • Step 5 - Develop a business roadmap to be reviewed on an ongoing basis – this remains a fast-moving area, with dependencies changing in light of the evolving external political landscape. Ensuring that a business roadmap is in place, with check-in points enabling review on an ongoing basis, will therefore be essential. This will help guide future investment, legal entity and governance structures, and activity/service offering decisions.

For public sector bodies, there are a number of initial steps that can be taken, in anticipation of further guidance being provided:

  • As an initial step, public sector organisations should map the current cloud providers that they use and under which sovereignty category they may fall.
  • These organisations will also need to establish the likely level of cloud sovereignty that will be required based on their particular remit. There is obviously a wide range of considerations that will be relevant here, given the specific requirements of certain Ministries, such as defence.
  • The text of the CADA is clear that assurance levels should provide for a “proportionate framework”, observing that most public services would not require the highest levels of assurance, and that in some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order.
  • Going forward, attention will focus on the risk assessment to be performed by Member States and Union entities, to be informed by the European Commission’s future guidance.

For private sector companies in sectors of high criticality as identified in the NIS2 Directive, although any binding obligations appear still some way off, this should also feature on the corporate agenda:

  • The CADA is clear that there is nothing to stop such companies carrying out their own voluntary risk assessments, noting that cloud sovereignty assurance requirements in the public sector “tend to be mirrored by private-sector entities operating in regulated industries”.
  • In addition, CADA also provides for the Commission to mandate such measures where it considers they are required given the criticality of the sector in question.
  • Therefore, companies in the sectors identified in the NIS2 Directive, particularly in regulated sectors such as telecoms, financial services or energy, should also be planning their cloud computing procurement strategies in this respect.
  • This should be based on an assessment of both their internal activities and how these are being affected by the external geopolitical environment.

Conclusion and next steps

The text will now be negotiated by the European Parliament and the Council of the European Union, meaning that further amendments are still to be expected. Once finalised, a one-year implementation period will follow.

In the meantime, organisations that effectively map their activities against this emerging, more detailed definition of sovereignty, and respond in an agile way to developments in the external environment, will be well placed to stay ahead of the curve.