Summary

The EU relies heavily on non-European cloud providers because it lacks enough competitive domestic capacity: three non-EU hyperscalers control over 70% of the European cloud market, and EU providers' share fell from 29% in 2017 to 15% in 2022. As proposed, the Cloud and AI Development Act (CADA) treats this as a strategic risk — these incumbents are subject to third-country laws with extraterritorial effect that may conflict with EU fundamental rights, and dependence exposes European users to operational discontinuity if third-country actors disrupt services. CADA's answer is to build domestic capacity and create a sovereignty framework so public bodies can procure services that match the sensitivity of their activities. CADA is still a proposal.

Detail

The dependence has commercial, legal and operational dimensions, all set out in CADA's explanatory memorandum and recitals.

Market concentration and the capacity gap

The root cause is a lack of sufficient, competitive domestic capacity. The memorandum records that, although the EU cloud market is growing significantly, the market share of EU providers decreased from 29% in 2017 to 15% in 2022 and has remained stagnant since. Meanwhile, three non-EU hyperscalers control over 70% of the European cloud market.

This sits alongside a physical shortfall: the Union's limited data centre capacity, the memorandum says, poses a significant threat to its ability to benefit from digital transformation, especially for AI workloads that need low-latency compute. With insufficient domestic capacity, European enterprises and public bodies route critical workloads through foreign infrastructure, and the EU becomes a less attractive destination for tech investment than regions with more abundant, lower-cost compute.

Extraterritorial legal risk

The legal concern is central. The memorandum states that large market incumbents are subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data-protection frameworks. In other words, a provider can be fully compliant with EU data-protection law and still be exposed to a foreign legal order that can reach the data or the service.

Operational discontinuity and public order

Beyond legal conflict, the memorandum points to the risk of operational discontinuity — scenarios in which unilateral decisions by third-country actors could disrupt service provision. The proposal frames the ability of the Union and its Member States to retain control over critical digital infrastructure as a policy imperative, because loss of control can undermine the continuity of essential services, particularly in the public sector.

How CADA responds

Under Article 1, CADA would establish a framework for strengthening the cloud and AI ecosystem at Union level. The parts aimed squarely at dependence are:

  1. A sovereignty framework. As proposed, Article 16 would create four Union assurance levels with criteria set out in Annex II, against which cloud services can be assessed and formally recognised. This lets public authorities procure services whose control and data-handling characteristics match the sensitivity of the activity.
  2. Capacity expansion. The proposal aims to triple EU data centre capacity in the next five to seven years and to reach the needed capacity by 2035, supported by acceleration zones and streamlined permitting.
  3. Demand-side procurement rules. Member States and Union entities would carry out risk assessments to identify which activities have public-order relevance (Article 29), and contracting authorities would procure at the matching assurance level — level 1 as a baseline, levels 2 to 4 where the risk assessment requires it (Article 30).

What this means for you

For public bodies and the businesses that supply them, dependence on non-EU providers stops being purely a procurement-and-price question and becomes a question of resilience and control.

  • Know where your data and control actually sit. A service can meet data-protection rules and still be subject to a third country's reach. CADA's assurance levels are designed to surface exactly that distinction.
  • Expect risk-based classification. If adopted, public bodies would assess which activities have public-order relevance and procure at the corresponding assurance level. Most routine services would sit at level 1.
  • Check recognition before you buy. Public buyers would look to the central repository of recognised services (Article 22) and procure at the appropriate level rather than treating all providers alike.
  • Plan ahead, but expect no special grace period. Beyond the one-year window before the rules apply (Article 48), the proposal as drafted does not give buyers or providers an extra migration period — so mapping current dependencies early is worthwhile.

Common misconceptions

"The EU is banning non-EU cloud providers." No. CADA creates a tiered assurance system, not a ban. Non-EU providers can operate, though they may struggle to meet the criteria for the higher levels because of third-country control and extraterritorial-law concerns.

"GDPR compliance already guarantees sovereignty." No. GDPR protects personal data but does not address operational autonomy or the risk that a third country's laws compel access to data or the service. That gap is precisely what the assurance levels target.

"Sovereign cloud is only for national security." No. The highest levels (3 and 4) are aimed at the most critical activities, but the framework applies broadly: even routine public-sector activities would require at least level 1.

"This is only about market share." No. The proposal frames dependence as a combination of commercial concentration, extraterritorial legal exposure and operational-continuity risk — not just a competition statistic.

This is general information about a draft EU regulation, not legal advice.