Summary

Concentration risk in the cloud market refers to the strategic and operational vulnerability arising from the EU's heavy reliance on a limited number of non-European hyperscalers. As proposed in the Cloud and AI Development Act (CADA), this dependence creates systemic risks regarding data sovereignty, operational continuity, and exposure to extraterritorial laws. The legislative proposal explicitly states that "three non-EU hyperscalers control over 70% of the European cloud market," a concentration that has driven EU provider market share down to 15%. To mitigate this, CADA introduces a four-tier "Union cloud computing sovereignty framework" under Article 16, requiring public sector bodies to procure cloud services based on strict assurance levels, thereby driving demand for diverse, European-owned alternatives.

Detail

Concentration risk is not merely a commercial concern about pricing power or vendor lock-in; under the proposed Cloud and AI Development Act, it is framed as a critical threat to the Union's economic security, sovereignty, and resilience. The legislative proposal explicitly identifies the lack of diversity in the cloud provider landscape as a primary driver for regulatory intervention, moving beyond general competition policy to address specific geopolitical and operational vulnerabilities.

The Current Landscape of Dependence

The explanatory memorandum for CADA highlights a stark reality regarding the structure of the European cloud market. It notes that the market is "characterised by a pronounced dependence on a limited pool of third-country providers." Specifically, the memorandum states that "three non-EU hyperscalers control over 70% of the European cloud market." This high degree of concentration has led to a significant decline in the market share of EU providers, which dropped from 29% in 2017 to 15% in 2022, a figure that has since stagnated.

This concentration creates several interlinked risks that the proposal seeks to address:

  1. Extraterritorial Legal Exposure: Large market incumbents are often subject to third-country jurisdictions where "laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks." This creates a legal environment where EU data protection standards can be undermined by foreign statutes.
  2. Operational Discontinuity: Dependence on a few providers exposes European users to risks of operational disruption. The memorandum states that this dependence "exposes European users to the risks related to operational discontinuity, particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision."
  3. Strategic Vulnerability: The proposal argues that computing infrastructures are no longer mere technical assets but have become "strategic resources critical to the Union's economic security, sovereignty, resilience, and competitiveness." When these resources are concentrated in the hands of a few external actors, the Union loses the ability to act autonomously.

Systemic Risk Framing in the Proposal

The proposal frames concentration risk as a component of broader "systemic digital infrastructure risk." The explanatory memorandum emphasizes that the current landscape "poses a significant threat to its ability to benefit from the digital transformation and adopt AI-driven solutions."

Recital 46 of the proposal explicitly details the nature of this systemic risk, stating: "The Union still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries. This exposes the Union to critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality and resilience of cloud computing services, reduced control and oversight over personal and non-personal data and infrastructure, and the risk of undue economic or political influence being exercised through the control by third countries or legal entities established in third-countries of cloud computing services."

This framing elevates the issue from a market inefficiency to a matter of public order and security. The memorandum notes that the "current landscape of cloud and AI is characterised by a pronounced dependence on a limited pool of third-country providers," which creates a single point of failure for the entire digital ecosystem.

CADA's Response: The Sovereignty Framework

To address concentration risk, CADA moves beyond general competition policy to establish a specific "Union cloud computing sovereignty framework." This framework is designed to reduce reliance on third-country providers by creating a harmonized, auditable set of criteria for trusted cloud services.

Article 16 of the proposal establishes this framework, comprising four "Union assurance levels." These levels define the criteria cloud computing service providers must meet to offer services to Union entities and public sector bodies. The criteria escalate in strictness, addressing:

  • Establishment and Control: Whether the provider is established in the Union and free from third-country control.
  • Data Localization: Ensuring customer data remains exclusively within the Union.
  • Personnel and Infrastructure: Requirements for Union-based personnel and infrastructure, including Union citizenship for staff handling sensitive data at higher assurance levels.
  • Cybersecurity and Supply Chain: Adherence to high cybersecurity standards and transparency in software supply chains to prevent remote tampering or disruption.

By mandating that public sector bodies procure services aligned with these assurance levels (particularly for activities contributing to public order), CADA aims to create a stable demand signal for European providers. This is intended to stimulate investment in homegrown cloud capabilities, thereby diversifying the market and reducing concentration risk.

The proposal also includes mechanisms to support this transition, such as the designation of "data centre acceleration zones" to increase capacity and the establishment of a "European public sector cloud federation" to facilitate the sharing of sovereign capacity.

Link to Systemic Risk and Public Order

The proposal explicitly links concentration risk to the preservation of public order. Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities "contribute to the preservation of public order." If an activity is deemed to contribute to public order, Article 30(3) mandates that contracting authorities "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

This creates a direct regulatory lever to force a shift away from the concentrated market dominated by the three non-EU hyperscalers. By restricting public procurement to services that meet strict sovereignty criteria, CADA aims to break the cycle of dependence and foster a more resilient, diverse cloud ecosystem.

What this means for you

For CTOs, architects, and SMEs, the proposed CADA regulations mean a shift in how cloud services are evaluated, procured, and integrated into your architecture. The era of selecting cloud providers based solely on price and feature sets is ending; sovereignty and supply chain resilience are becoming primary decision factors.

1. Procurement Criteria Will Change

Public sector bodies and certain private entities (particularly those in critical sectors under NIS2) will be required to conduct risk assessments to determine the appropriate Union assurance level for their cloud services. As an architect or CTO, you will need to demonstrate that your chosen cloud provider meets these specific assurance levels. This means moving beyond standard SLAs to provide evidence of:

  • Legal Independence: Proof that the provider is not subject to third-country control that could compromise data or service continuity.
  • Data Residency: Technical guarantees that data processing and storage occur exclusively within the EU.
  • Supply Chain Transparency: Documentation of software components and dependencies to ensure no remote features can be used to tamper with or disrupt services.

2. Multi-Cloud and Sovereign Strategies

To mitigate concentration risk, the proposal encourages a multi-vendor or multi-cloud strategy. Article 29(9) requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate in their risk assessments. For SMEs and enterprises, this means designing architectures that are not locked into a single hyperscaler. It also implies a growing market for European cloud providers who can offer recognized Union assurance levels.

3. Compliance Burden and Opportunities

For cloud providers, achieving recognition at Union assurance levels 2, 3, or 4 requires independent third-party audits (Article 20). For users, this provides a standardized way to assess provider trustworthiness. However, it also means that not all current cloud offerings may qualify for critical public sector workloads. SMEs developing cloud-native applications should consider compatibility with sovereign cloud stacks from the outset to access these lucrative public sector contracts.

4. Long-Term Strategic Planning

The proposal aims to triple EU data centre capacity and reduce dependence on non-European providers by 2035. This suggests a long-term transition period. Organizations should begin mapping their current cloud dependencies against the proposed assurance levels to identify potential gaps in sovereignty and continuity. Early adoption of sovereign-compliant architectures will position organizations to benefit from the growing European cloud ecosystem.

Common misconceptions

Misconception 1: CADA is a ban on non-EU cloud providers. CADA does not ban non-EU providers. Instead, it creates a tiered system where access to certain public sector contracts depends on meeting specific sovereignty criteria. A non-EU provider could theoretically meet these criteria if they are established in the EU, have EU-based infrastructure and personnel, and are not subject to third-country control that compromises data or service continuity. However, in practice, this will favor EU-established and controlled providers.

Misconception 2: Concentration risk is only about price. While price is a factor, CADA frames concentration risk primarily in terms of security, sovereignty, and continuity. The focus is on the risk of data access by foreign governments, service disruption, and loss of strategic autonomy, not just commercial pricing power.

Misconception 3: Only large enterprises are affected. While the procurement rules directly target public sector bodies and critical private entities, the ripple effects will impact the entire market. As public sector demand shifts toward sovereign providers, the market landscape will change, affecting all cloud users. Additionally, SMEs that are subcontractors to these entities will need to comply with related supply chain and data handling requirements.

Misconception 4: Sovereignty and cybersecurity are the same. CADA explicitly distinguishes between cybersecurity and sovereignty. While cybersecurity standards (like EUCS) are part of the assurance levels, sovereignty goes further to address legal and operational control. A service can be secure but still subject to third-country laws that allow data access or service disruption, which is the core concern of the sovereignty framework.

This is general information about a draft EU regulation, not legal advice.