The European Commission has introduced the Cloud and AI Development Act, a proposal designed to protect cloud sovereignty by establishing a tiered framework that dictates which cloud service providers public authorities can use, tying procurement to risk assessments and assurance levels.
- Four-tier cloud sovereignty framework to regulate government cloud use
- Public authorities must assess risks and may face provider migration within 12 months
- Introduces cooperation via EuroCloud Federation and promotes open-source software
What happened
On June 3, 2026, the European Commission unveiled the Cloud and AI Development Act, proposing a comprehensive cloud sovereignty legal framework for public sector cloud usage across the EU. This initiative responds to the significant erosion of European cloud providers’ market share, which dropped from 29% in 2017 to 15% in 2022, while non-EU hyperscalers now control over 70% of EU cloud infrastructure.
The proposal introduces a four-tier system requiring cloud providers to obtain recognition by meeting progressively strict assurance levels. Public authorities must conduct detailed risk assessments to determine appropriate cloud service levels for their activities. If providers pose unacceptable sovereignty risks, authorities will be compelled to switch providers within a year. The act also mandates conditions on foreign providers tied to third countries and supports EU-wide cooperation through the creation of a EuroCloud Federation.
Why it matters
This legislation marks a crucial step toward reclaiming digital sovereignty for the European Union, ensuring sensitive government data and operations are hosted within compliant cloud environments that meet specifically defined EU standards. The framework addresses growing concerns over dependency on foreign cloud providers and potential security or public order risks that arise from that dependence.
By linking procurement policies to assurance levels and risk assessments, the EU aims to stimulate growth and trust in European cloud providers, potentially reversing years of market share decline. Further, the act’s emphasis on open-source technologies and federated cloud capabilities aligns with broader EU goals of transparency, interoperability, and digital resilience in government IT infrastructures.
What to watch next
Implementation details and timelines will be critical to watch as EU member states begin applying risk assessments and migrating to compliant providers where required. The 12-month migration window places an immediate operational challenge on public authorities and cloud vendors alike, demanding infrastructure adaptability and transition planning.
Also, the criteria and ongoing oversight for foreign provider eligibility under Level 3 assurance will be closely scrutinized, especially in the context of geopolitical influences. Additionally, tracking the development and impact of the EuroCloud Federation and the uptake of open-source software initiatives within public sector cloud usage will illuminate the longer-term strategic effects of the legislation.