Summary

The EU's dependence on US hyperscalers stems from two structural problems: a shrinking market share for European cloud providers, which fell from 29% in 2017 to 15% in 2022, and a shortage of domestic data centre capacity. According to the explanatory memorandum, three non-EU hyperscalers control over 70% of the European cloud market. As proposed, the Cloud and AI Development Act (CADA) would address this through a sovereignty framework (Article 16) so that public-sector procurement can prioritise trusted, autonomous services, alongside measures to accelerate domestic infrastructure. CADA is a proposal and not yet in force.

Detail

The European Union's reliance on non-European cloud providers is not merely a commercial preference; the proposal frames it as a structural vulnerability affecting economic security, data sovereignty and operational resilience. The proposed Cloud and AI Development Act (CADA) explicitly identifies this dependence as a primary driver for legislative intervention. Three interconnected factors explain it: market concentration, a physical capacity gap, and the resulting strategic risks.

Market concentration and the decline of European providers

The most immediate reason is the market dominance of a few non-European providers. The CADA explanatory memorandum states that "three non-EU hyperscalers control over 70% of the European cloud market." This means a large share of European businesses, public administrations and critical infrastructure rely on infrastructure owned and operated by entities subject to third-country jurisdictions.

This dominance has come at the expense of European providers. The memorandum records that the market share of EU providers "decreased from 29% in 2017 to 15% in 2022 and has remained stagnant since then." Even as the European cloud market grew, the benefits accrued disproportionately to non-European incumbents. The lack of a competitive European supply base reinforces a dependency that is hard to reverse without targeted policy support.

The data centre capacity gap

Beyond market share, there is a physical infrastructure deficit. The memorandum notes that "the Union's limited data centre capacity poses a significant threat to its ability to benefit from the digital transformation and adopt AI-driven solutions," particularly the high-performance compute needed for modern AI workloads.

Because domestic capacity is insufficient to meet demand driven by AI and digitalisation, European enterprises and public bodies are pushed to "route critical workloads through foreign hyperscaler infrastructure." Data centres are capital-intensive and slow to build, so this gap cannot close quickly. As proposed, CADA aims to "triple EU capacity in the next five-to-seven years," but until that capacity is realised, reliance on existing infrastructure would remain acute.

Strategic risks and sovereignty

The dependence is not only economic; the proposal treats it as a sovereignty and security concern. The memorandum warns that large market incumbents are "subject to third-country jurisdictions where laws with an extraterritorial effect apply," including laws "mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks."

This extraterritorial reach is associated with several specific risks:

  1. Data access: third-country authorities may compel providers to hand over data stored in the EU, in tension with EU legal safeguards.
  2. Operational discontinuity: the memorandum points to "operational discontinuity, particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision."
  3. Vendor lock-in: heavy reliance on a small group of providers reduces the ability of public authorities to switch or to negotiate fair terms.

To mitigate these, CADA would establish a "Union cloud computing sovereignty framework" in Article 16, introducing four "Union assurance levels" that categorise cloud services by their trustworthiness and autonomy, with criteria set out in Annex II. The aim is a harmonised set of criteria that let public-sector bodies identify and procure services that minimise these sovereignty risks.

What this means for you

For public-sector procurement officers, CADA as proposed would add a new dimension to cloud procurement: sovereignty assurance. You would no longer evaluate only price, performance and security, but also the strategic autonomy of the provider.

1. Risk assessments would be mandatory. Under Article 29 of the proposal, Member States and Union entities would carry out risk assessments to determine which public-sector activities require higher assurance. These assessments would weigh, among other things, the sensitivity, criticality and magnitude of the data; the risk and impact of unlawful third-country access; and the risk of service disruption (Article 29(2)).

2. Procurement requirements would follow the assurance level. Article 30 sets procurement obligations based on the risk assessment:

  • Union assurance level 1: for public-sector activities that do not contribute to the preservation of public order, you would use services recognised as at least level 1 — the baseline.
  • Union assurance levels 2, 3 or 4: for activities identified as contributing to public order in the sectors named in Article 30(3) (national security, internal security, external border management, defence, justice or law enforcement, and the sectors in Annex I or II of the NIS2 Directive), you would only procure services recognised at level 2, 3 or 4.

3. Understand the assurance levels (Article 16 and Annex II).

  • Level 1: the provider is established in the Union, with infrastructure and customer data remaining within the Union unless the public body explicitly requires otherwise; transparency on subcontractors; limited non-EU subcontracting only with strict governance safeguards.
  • Level 2: adds independent audit, optional personnel screening where the public body requires it, European cybersecurity certification at "substantial" level (where a scheme exists), a ban on using service data to train or fine-tune third-country-operated AI systems, and support performed within the Union.
  • Level 3: requires personnel involved in the service to be Union citizens; in principle no third-country control, with a narrow derogation only where the Commission has designated an associated third country by implementing act (Article 18).
  • Level 4: the highest level; no derogation for third-country control, and the provider must show that no third country holds effective control over the software supply chain.

4. Plan for transition. Where a risk assessment requires migration to another service, it would have to happen within a reasonable transition period not exceeding 12 months (Article 29(6)). Review existing contracts early and involve IT and legal teams in the required assessments.

Common misconceptions

"GDPR is enough to protect EU data." The memorandum states that while the EU-US Data Privacy Framework addresses transatlantic data transfers, it "does not remove sovereignty concerns about dependence on third-country providers." Sovereignty here extends beyond transfers to operational autonomy, service-continuity risk and the influence of third-country laws.

"CADA would ban US cloud providers." It would not. It would create a tiered framework. A US provider could qualify for level 1 if it meets the criteria, but reaching the higher levels — especially 3 and 4 — would be far harder for providers subject to third-country control, absent a designation by the Commission under Article 18.

"All public-sector cloud use requires the highest level." The framework is risk-based. Article 30 distinguishes general activities (level 1) from public-order activities (levels 2, 3 or 4), as determined by national risk assessments.

"European providers are automatically sovereign." Establishment in the EU is not sufficient. Providers would still need to meet criteria on data location, personnel, cybersecurity certification and supply-chain transparency, and an EU provider controlled by a third-country entity would face additional scrutiny at levels 3 and 4.

This is general information about a draft EU regulation, not legal advice.