As the European Union sharpens its digital agenda for next year, cloud sovereignty is at the centre of Brussels’ policy priorities. The bloc remains heavily dependent on US hyperscalers for critical digital infrastructure; EU institutions are now trying to rebalance through regulatory and industrial measures. It all comes together in the EU Cloud and AI Development Act.
“No US company can guarantee that the US government will never access your data”, says Christoph Strnadl, Chief Technology Officer of Gaia-X, a European initiative launched in 2019 to support the EU goals of cloud autonomy. He pointed to repeated acknowledgements by US tech firms themselves. “For critical data, you will never, ever use a US company. Sovereignty means having strategic options — not doing everything yourself.”
Enter the legislation. Marked in the calendar for the first quarter of 2026, the EU Cloud and AI Development Act refers to a framework aimed at strengthening Europe’s autonomy over cloud infrastructure and data. Its core objectives are to reduce strategic dependency on non-EU providers, give users more control over their data, and ensure that critical services can operate under EU laws. As Executive Vice-President Henna Virkkunen puts it, it will “improve cloud services and upscale our high-performance computing capacity in an energy-efficient way”.
Cloud sovereignty as a privacy guarantee
Today, most cloud infrastructure used by European businesses and public administrations is controlled by a small number of US firms. Estimates show that Amazon Web Services, Microsoft Azure and Google Cloud together control more than 70% of the European cloud market, while European providers account for only a small share of revenues.
This dominance raises legal, economic and political questions. In particular, as EU data protection rules, such as GDPR, clash with the US CLOUD Act, which allows American authorities to compel US-based companies to provide access to data, even when it is stored in Europe.
You might be interested
US dependence
Cloud computing is a necessary part of the modern economy. Banks, hospitals, energy grids and manufacturing plants rely on cloud services for data storage, software delivery and increasingly complex analytics. When these services run on infrastructure governed by non-European law, questions arise over jurisdiction, data protection and resilience in the event of political or technical disruption.
Beyond legal exposure, geopolitical risk also plays a role. Strnadl warns that Europe’s dependence on a small number of foreign providers leaves it vulnerable to decisions taken outside the EU. “If tomorrow a US administration decided to stop service delivery to Europe, everyone would be out of business,” he says. “Email, public administration, political communication — for critical services, we need alternatives.”
If tomorrow a US administration decided to stop service delivery to Europe, everyone would be out of business – Christoph Strnadl, CTO at Gaia-X
Recent disruptions have underlined those risks. In November, a major outage at Cloudflare disrupted access to millions of websites and online services across Europe. Canva, ChatGPT, Signal and others went offline. This real-life example highlighted the dependence of platforms on a small number of infrastructure providers.
Sovereign, not lonely
Defining sovereignty in the digital field is a long debate, and accomplishing it takes time. “Sovereignty does not mean you have to do everything yourself”, says Strnadl. “Sovereignty means that for critical things, you have strategic options.”
Sovereignty does not mean you have to do everything yourself – Christoph Strnadl
Brussels is not seeking to cut Europe off from global cloud services, nor to ban non-EU providers. Instead, the goal is to ensure that for sensitive services, European can rely on infrastructure governed under EU law. “For normal data, it doesn’t matter,” Strnadl says. “But for critical services — email, public administration, political communication — you need alternatives.”
EU Cloud priorities for 2026
For Mr Strnadl, the EU’s cloud priorities for 2026 are not about new frameworks, but applying existing ones. “The framework, the software and the criteria are all there,” he stated. “The challenge now is adoption.”
The CTO stressed that this transition cannot be imposed from the top down. “Technology adoption that involves a mind shift does not happen in two years”. He compares cloud governance to earlier shifts such as service-oriented architecture or the Internet of Things. In his view, the challenge is even greater now, as cloud ecosystems require multiple independent companies to coordinate. “Cooperation needs trust,” Strnadl says. “And trust needs a trust framework. Without trust, ecosystems will not survive.”
