How does the EuroCloud Federation support digital sovereignty?

Summary As proposed in the Cloud and AI Development Act (CADA), the EuroCloud Federation would serve as a strategic mechanism to enhance the EU's digital sovereignty by enabling public sector bodies to share trusted, secure cloud and data centre capabilities. By pooling resources from national and European initiatives, the federation aims to reduce the public sector's reliance on non-EU providers for sensitive workloads, ensuring that critical data remains under EU jurisdiction and operational control. This collaborative framework allows Member States to leverage collective infrastructure and buying power, directly supporting the autonomy objectives set out in Title IV of the proposal.

Detail

The Cloud and AI Development Act (CADA) identifies a critical vulnerability in the EU's digital infrastructure: a pronounced dependence on cloud computing services provided by non-European entities. This dependence poses significant risks to data sovereignty, operational continuity, and the preservation of public order. To address this, CADA introduces the EuroCloud Federation as a key instrument for fostering a sovereign, resilient, and interoperable public sector cloud ecosystem.

The Strategic Objective: Pooling Trusted Capabilities

The primary goal of the EuroCloud Federation, as established in Article 34 of the CADA proposal, is to facilitate the sharing of public sector data centre services and cloud computing services. The federation is designed to bring together national and European cloud initiatives that provide highly trusted and secure public-sector cloud capabilities.

As proposed, the EuroCloud Federation would not create a single, monolithic EU cloud provider. Instead, it acts as a federation—a network of existing national and EU-level cloud infrastructures. This structure allows Union entities and public sector bodies to voluntarily participate, connecting their secure cloud environments to a broader European network. By doing so, the federation aims to:

1. Enhance Sovereignty: Ensure that sensitive public sector data is processed and stored within a framework that adheres to EU legal standards and sovereignty requirements, thereby mitigating risks of extraterritorial access.
2. Increase Resilience: Create a diverse pool of cloud resources that can be shared across borders, reducing the risk of single-point failures and vendor lock-in.
3. Optimize Resources: Allow Member States to share idle capacity and specialized resources, improving the overall efficiency and cost-effectiveness of public sector IT infrastructure.

How the Federation Works: Sharing and Interoperability

The operational core of the EuroCloud Federation is defined in Article 35, which outlines the strict conditions for sharing services. A "sharing entity" (a member of the federation) can share its data centre or cloud computing services with a "using entity" (another member).

For this sharing to occur, specific conditions must be met to maintain the integrity and security of the network:

• Ownership and Control: The sharing entity must directly or indirectly own the hardware through which the service is provided. If the hardware is owned by an intermediate legal entity, the sharing entity must exercise control over that entity. This ensures that the ultimate responsibility for the infrastructure remains with a trusted public sector body.
• Security and Resilience: The sharing entity must implement appropriate technical, operational, and organizational measures to ensure the effective, secure, and resilient provision of services. This includes robust risk analysis, access control policies, and incident handling procedures.
• Commission Approval: Before any services are shared within the federation, the sharing entity must demonstrate to the European Commission that it fulfills these conditions. The Commission then assesses the information and allows the sharing entity to participate in the federation.

Financial Model: Cost Recovery, Not Profit

A critical aspect of the EuroCloud Federation's design is its financial structure, which is intended to prevent market distortion and ensure fair competition. According to Article 35(5) and Recital 73, the sharing entity may charge a fee to the using entity. However, this fee is strictly limited to the costs incurred in relation to the sharing of the service.

The proposal explicitly states that these fees do not constitute a pecuniary interest within the meaning of EU public procurement rules. Consequently, the sharing of services within the EuroCloud Federation does not fall under standard public procurement procedures. This exemption is crucial because it lowers administrative barriers, allowing public bodies to share resources quickly and efficiently without undergoing lengthy tender processes for every transaction. The fees are intended solely to cover additional costs such as resource allocation, isolation, access management, and compliance with EU law.

Integration with the Sovereignty Framework

The EuroCloud Federation is closely tied to CADA's broader Union Cloud Computing Sovereignty Framework (Title IV, Chapter I). This framework defines four "Union Assurance Levels" (UAL 1–4) based on criteria such as data location, personnel citizenship, and cybersecurity standards.

Public sector bodies are required to conduct risk assessments (Article 29) to determine the appropriate assurance level for their activities. Activities involving sensitive data or critical public order functions may require higher assurance levels (UAL 2, 3, or 4). The EuroCloud Federation supports this by providing a curated pool of services that have been vetted for security and sovereignty. By participating in the federation, public bodies can more easily access cloud services that meet these high sovereignty standards, thereby reducing the need to rely on non-EU providers that may not offer equivalent guarantees against extraterritorial data access or service disruption.

Governance and Platform

The European Commission is tasked with establishing and maintaining a platform for the EuroCloud Federation (Article 34(3)). This platform will provide:

• A catalogue of available public sector data centre and cloud computing services.
• A service platform for the exchange and orchestration of computing, storage, and network resources.

The costs of administering the federation and maintaining the platform are to be jointly financed by the members through fees levied by the Commission (Article 36). These fees are internal assigned revenues, ensuring the sustainability of the federation without placing an undue burden on the general EU budget.

What this means for you

For public-sector procurement officers and IT directors, the EuroCloud Federation represents a significant shift in how cloud services are acquired and managed.

• Access to Sovereign Cloud: You will have access to a verified pool of cloud services that meet EU sovereignty standards. This simplifies the procurement process for sensitive workloads, as you can rely on the federation's vetting process to ensure compliance with the Union Assurance Levels.
• Cost Efficiency: By sharing resources with other Member States, you can potentially access specialized computing power or storage capacity that would be too expensive to build locally. The cost-recovery model ensures that these shared services are priced fairly, based on actual usage and costs.
• Reduced Vendor Lock-in: The federation encourages a multi-cloud, multi-vendor approach. By participating, you reduce your dependence on any single commercial provider, enhancing your organization's resilience and negotiating power.
• Compliance Support: As CADA mandates that public sector bodies procure cloud services meeting specific assurance levels, the EuroCloud Federation provides a practical pathway to compliance. You can focus on identifying your risk profile and selecting appropriate services from the federation's catalogue, rather than navigating complex international sovereignty assessments for each vendor.

Common misconceptions

• Misconception: The EuroCloud Federation will replace national cloud providers.

  • Reality: The federation is a collaborative network, not a replacement. It builds on existing national and European initiatives. Member States retain control over their infrastructure but gain the ability to share it with others.

• Misconception: Services in the EuroCloud Federation are free.

  • Reality: While not profit-driven, services are not free. Sharing entities can charge fees to cover the costs of resource allocation, management, and compliance. However, these fees are strictly regulated to ensure they do not constitute a commercial profit margin.

• Misconception: Any cloud provider can join the EuroCloud Federation.

  • Reality: Participation is limited to Union entities and public sector bodies. Private companies cannot directly participate as members. The sharing entity must own or control the hardware, ensuring that the infrastructure remains under public sector control.

• Misconception: The EuroCloud Federation is only for large Member States.

  • Reality: The federation is designed to be inclusive, allowing smaller Member States to access resources from larger networks and vice versa. This promotes balanced geographic deployment and reduces disparities in cloud capacity across the EU.

Related

• Why was the EuroCloud Federation created? CADA's public-sector cloud strategy
• Why does CADA separate the EuroCloud Federation from Commission procurement?
• Who runs the EuroCloud Federation under CADA?
• Who pays for running the EuroCloud Federation under CADA?
• Who can join the EuroCloud Federation under CADA?

This is general information about a draft EU regulation, not legal advice.