Summary
The market share of EU-based cloud computing providers fell from 29% in 2017 to 15% in 2022 and has remained stagnant since, leaving the bloc dependent on a small number of non-EU hyperscalers. As the proposed Cloud and AI Development Act (CADA) frames it, this concentration creates strategic dependencies and risks to operational continuity, control over data, and the Union's autonomy. To respond, CADA would establish a four-tier sovereignty framework (Article 16) and oblige public bodies to procure recognised services by assurance level (Articles 29–30) — using public demand to stimulate trusted European supply.
Detail
The decline in EU cloud market share
The Explanatory Memorandum to the proposed CADA reports that the market share of EU cloud computing service providers decreased from 29% in 2017 to 15% in 2022 and has remained stagnant since. It states that three non-EU hyperscalers currently control over 70% of the European cloud market. As proposed, this is not treated as a mere commercial statistic but as a structural vulnerability: the Memorandum notes that dependence on a limited pool of third-country providers exposes European users to risks of operational discontinuity, "particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision." It also observes that large market incumbents are subject to third-country jurisdictions where laws with extraterritorial effect apply, including laws mandating data access and transfer that "may conflict with EU fundamental rights and data protection frameworks."
Why this matters: concentration risk and strategic autonomy
The proposal links this market dynamic to public-order concerns. Recital 46 states that the Union "remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries," exposing it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws," potential service disruptions, reduced control over data and infrastructure, and the risk of "undue economic or political influence." It concludes that retaining control over infrastructure, data, assets and technology systems under Union and national jurisdiction "has become an imperative policy objective."
The proposal is explicit that existing law is not enough on its own. Recital 47 acknowledges that Union law already covers cybersecurity, data protection, interoperability and portability, but says "there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service" for mitigating these risks — and that fragmented national approaches risk splintering the internal market. Cybersecurity certification can address technical criteria, but as proposed it is not, by itself, treated as sufficient for sovereignty concerns such as service disruption or access to data by foreign authorities.
CADA's response: a sovereignty framework plus demand-side rules
As proposed in Article 16, CADA would establish a Union cloud computing sovereignty framework comprising four Union assurance levels, with criteria set out in Annex II, that providers must meet in order to provide cloud services to Union entities and public sector bodies. The criteria escalate from level to level:
- Union assurance level 1 (Annex II, Section 1) requires, among other things, that the provider is established in the Union; that infrastructure and assets are located in the Union unless the public sector body requires otherwise; and that customer data, including metadata and telemetry, remain exclusively within the Union unless the body explicitly requires otherwise. It permits outsourcing technical and operational support outside the Union only where measures ensure traceability, security and governance and do not compromise operational autonomy.
- Levels 2, 3 and 4 add progressively stricter requirements, including independent third-party audits, Union citizenship for personnel involved in the service at levels 3 and 4, European cybersecurity certification at level 3, and — at levels 3 and 4 — that the provider and its subcontractors are not subject to the control of a third country (with a narrow derogation at level 3 for associated third countries under Article 18).
Crucially, the proposal does not stop at defining standards; it would mandate their use. Under Article 29, Member States and Union entities would carry out risk assessments to identify public-sector activities that contribute to the preservation of public order and to determine the appropriate assurance level. Under Article 30, contracting authorities whose activities have been identified as contributing to public order must procure only services recognised at levels 2, 3 or 4, while bodies whose activities have not been so identified must use services recognised at level 1. By tying public procurement to recognised levels, CADA aims to create reliable demand for trusted European providers and reverse the stagnation in EU market share.
What this means for you
If you are a public-sector procurement officer, the proposed CADA would change how you evaluate and select cloud services — shifting from price and performance alone to a documented, risk-based sovereignty assessment.
- Conduct mandatory risk assessments. Under Article 29, your authority would carry out risk assessments to identify activities contributing to the preservation of public order — covering sectors under the NIS2 Directive (Directive (EU) 2022/2555) and the areas of national security, internal security, external border management, defence, justice and law enforcement — and determine the appropriate assurance level.
- Align procurement with assurance levels. Under Article 30, if your assessment identifies an activity as contributing to public order, you would procure only services recognised at levels 2, 3 or 4; otherwise you would use level 1 services.
- Verify recognition. For level 1, providers would issue an EU statement of conformity (with automatic, Union-wide recognition for SMEs under Article 17(3)); for levels 2–4, they would need a positive audit opinion from an independent auditor (Article 20). You would check the central repository the Commission would maintain under Article 22.
- Support European supply. Procuring recognised services would directly contribute to building resilient European infrastructure and reducing concentration risk.
Common misconceptions
- Misconception: CADA bans non-EU cloud providers.
- Reality: As proposed, CADA would not ban non-EU providers. It creates a tiered system; non-EU providers can still operate, though they may face hurdles meeting the strictest criteria for public-sector contracts at levels 2–4. Article 18 allows the Commission to recognise certain "associated third countries" as eligible to be audited for level 3, subject to strict cumulative criteria including a relevant GDPR adequacy decision and safeguards against unauthorised access or service disruption.
- Misconception: Cybersecurity certification is enough.
- Reality: Higher assurance levels would require European cybersecurity certification, but the proposal treats certification as necessary, not sufficient. A service can be secure yet still subject to foreign legal jurisdiction; CADA's framework also addresses operational autonomy and third-country control.
- Misconception: This only affects large national bodies.
- Reality: The procurement obligations apply to contracting authorities generally, including regional and local bodies. The Article 29 risk-assessment duty falls on Member States and Union entities.
This is general information about a draft EU regulation, not legal advice.