EU Tech Sovereignty Package

CADA's defining mechanism is not a tariff or a ban - it is a hierarchy. The act creates a single EU-wide framework sorting cloud providers into four tiers of 'sovereignty', with the upper tiers effectively reserved for providers that can guarantee critical workloads are insulated from non-EU legal reach ^[7]. The lever sits in public procurement: governments, hospitals, courts and parts of the financial system that handle sensitive workloads will be steered toward higher tiers, while lower tiers remain available for less sensitive use. That choice of design is what makes the package operationally serious. Brussels did not try to outlaw Amazon, Microsoft or Google directly; it built a graded scale and let the buyers do the work.

The explicit justification is the 'kill switch' problem. The Commission and reporting on the package frame it as ensuring that providers of critical workloads do not hold a kill switch over European data, covering systems as concrete as hospital infrastructure and fighter jets ^[3][7]. That is a direct reference to extraterritorial US laws - principally the Cloud Act - which can compel US-headquartered providers to hand over data regardless of where it is stored. The tiering converts that legal exposure into a procurement constraint: if a workload is sovereignty-critical, only providers immune to such reach qualify.

Gartner analyst Lydia Clougherty Jones notes that even at proposal stage the impact 'is far reaching', with 'Government procurement processes... increasing reliance on EU entities, deprioritizing reliance on non-EU entities' ^[4]. That is the tell. Discriminatory effects do not require the final text to pass; once buyers know the directionality, RFPs start shifting. The four-tier ladder is, in effect, a market-segmentation tool dressed as a technical taxonomy - and it gives Brussels a lever that scales with each new procurement cycle rather than a single binary moment of legislation.

Strip away the rhetoric and the numbers are uncomfortable. The original Chips Act delivered only about EUR 13.75 billion in approved state aid by early 2026, compared with roughly $33.7 billion in grants plus $5.5 billion in loans disbursed under the US CHIPS Act by January 2025 ^[12]. Chips Act 2.0 now talks about mobilising on the order of EUR 120 billion ($140 billion) in semiconductor investment by 2035 ^[13], but that headline relies heavily on private capital following the policy signal rather than fresh treasury commitments. The EU still produces under 10% of the world's chips and remains almost entirely dependent on US and Asian fabs for advanced sub-5nm devices ^[7].

The cloud math is bleaker still. The package's own framing acknowledges that over 80% of EU digital products, services, infrastructure and IP are sourced from non-EU countries ^[1], and the three US hyperscalers control roughly 70-80% of the EU cloud market ^[8]. Against that, the Open Source Strategy carries a EUR 2 billion seven-year envelope - while EU proprietary IT spending sits at roughly EUR 264 billion per year ^[11]. The ratio is not subtle: open source is funded as a symbolic counterweight, not a like-for-like substitute.

This is what makes Chips Act 2.0's pivot revealing. The draft 'shifts the emphasis from building factories to building demand for European-made chips' ^[12], particularly sub-10nm devices used in AI, HPC, defense and automotive applications. That is, in effect, an admission that Chips 1.0's supply-side bet underdelivered: pouring money into fabs without guaranteed offtake produced fewer plants than promised. Demand-side pull - sovereign cloud, defense procurement, automotive mandates - is cheaper than fabs and faster to legislate. But it also means Brussels is now competing for capital flows it cannot match dollar-for-dollar, hoping that a guaranteed market and a sovereignty premium will close the gap that subsidies could not.

The most underrated signal in the package is that the targets have already started capitulating. Amazon, Microsoft and Google have each rolled out 'sovereign' product lines in anticipation of exactly this kind of regime: AWS European Sovereign Cloud, Microsoft's partnerships with Bleu in France and Delos in Germany, and the Google-Thales joint venture S3NS ^[6][8]. Each is structured to put governance, operations and ideally encryption keys inside an EU corporate shell, ring-fencing workloads from US legal reach. CADA's four-tier ladder turns that architecture into a product roadmap: hit a higher tier, win the high-margin sovereign workload.

That is why CCIA Europe's Daniel Friedlaender is fighting the framing rather than the goal. His warning that CADA is 'a direct recipe for fragmented discrimination across Europe in 27 different ways, not only in public procurement but potentially also across thousands of private critical entities, from banks to energy companies' ^[10]matters because the regulation explicitly intends to spill from public to private sovereignty-critical sectors. Synergy Research's John Dinsdale notes the broader structural reality: hyperscalers are projected to own 67% of global data-centre capacity by 2031 ^[4]. Even if Europe triples its own data-centre capacity in 5-7 years as CADA targets ^[2], displacing that gravitational pull requires either captive demand or operator-of-record arrangements - exactly what sovereign SKUs deliver.

The domestic winner is narrower than the policy suggests. ASML, Infineon, STMicroelectronics and NXP gain a more captive demand base for European silicon, and in AI the political framing keeps returning to a single name: Mistral AI is treated as Europe's sole cutting-edge AI competitor against OpenAI, Anthropic and DeepSeek ^[8]. That is a remarkably thin bench. Bart Groothuis's complaint that 'you cannot train an LLM in the EU that complies with all existing rules' ^[9]exposes the contradiction at the heart of the package: the same regulatory perimeter being used to exclude foreign frontier models also constrains the few domestic ones the policy is supposed to favour. Sovereign cloud capacity without sovereign training data and sovereign compute is a hollow win.

The package's biggest risk is procedural. Every measure requires approval from all 27 EU member states ^[5], which means countries with deep US cloud dependencies, big TSMC investments or simply different threat models can each extract concessions or stall. The Commission's own past track record is the warning: Bruegel's verdict on the original Chips Act - 'underdelivered' with only EUR 13.75B in approved state aid by early 2026 ^[12]- is precisely what happens when an ambitious supply-side plan meets fragmented national execution. The political appetite has shifted toward demand-side levers in part because they require fewer national checks to bite.

The contrarian view, sharply argued by CCIA, is that sovereignty regulation will produce the opposite of a single market. Friedlaender's '27 different ways' line is not rhetoric; it is a forecast that each member state will operationalise the sovereignty tiers differently, applying its own definitions of 'critical' entities to banks, energy companies and other private operators. CCIA policy manager Mitchell Rutledge captures the strategic tension directly: 'The EU's ambition to triple data centre capacity is the right one. But the way to achieve that goal is by attracting investment, not shutting it out' ^[10]. The implication is that the same act designed to fix fragmentation in EU cloud could lock it in for a generation.

The political class is split in a revealing way. Renew Europe's framing - 'a step when we needed a leap' - flags the package as foundationally correct but timid ^[9], while German MEP Matthias Ecke's blunter line that 'Europe cannot regulate its way out of technological dependency' ^[8]captures the structural worry: rules without fabs, models and compute are theatre. Sentiment in European communities online tracks this ambivalence - the most engaged voices on X and Reddit lean toward 'too little, too late' rather than outright opposition, treating Cloud Act exposure as a real risk while questioning whether Brussels can execute. The actual test arrives not in Brussels but in the next round of national defence, health and financial-sector procurement calendars, where the four-tier ladder either reshapes RFPs - or quietly does not.