Europe's Tech Sovereignty Package: why "where is your cloud" just became a contract question

On 3 June 2026, the European Commission published its Tech Sovereignty Package. One Commission official called it "Tech Liberation Day". Ursula von der Leyen put it more soberly: Europe cannot afford to depend on others for the technologies that keep its hospitals running, its energy grids stable and its services secure.

Strip away the politics and something very practical happened. Cloud sovereignty stopped being a policy debate and became a compliance standard. And compliance standards end up in contracts, which is where I come in, and probably where you do too.

What is in the Tech Sovereignty Package?

Four components. Two are legislative proposals: the Cloud and AI Development Act, known as CADA, and Chips Act 2.0. Two are strategies: the EU Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.

CADA is the one that will touch your contracts. The Commission's stated problem is stark. EU providers' share of the European cloud market fell from around 29% in 2017 to roughly 15% by 2022, and three non-EU hyperscalers now control over 70% of it. The Commission's legal worry is equally specific: the US CLOUD Act allows American authorities to compel access to data held by US providers wherever it sits, and unilateral sanctions could in theory cut services to European users. The Commission's Executive Vice President was blunt about the aim. Nobody should hold a kill switch over Europe's critical systems.

What does CADA actually do?

Three things worth a founder's or GC's attention.

  1. It creates a cloud sovereignty framework with four assurance levels. Any provider wanting to serve the EU public sector will need to meet Level 1, which requires EU-based data processing. The levels climb from there through independence from third-country control and software supply chain transparency, up to Level 4, which demands full EU ownership and control with no third-country interference. Providers get recognised under the framework after an audit. For sensitive workloads, member states will decide which level a contract requires.

  2. It puts an "EU added value" criterion into public procurement for cloud and AI services. Authorities will have to weigh how much a bidder strengthens the EU's technology supply chain, not just price.

  3. This is the part I keep pointing clients to, CADA reaches beyond the public sector. The proposal allows the Commission to require private companies regulated as essential entities under NIS2 to run similar sovereignty risk assessments on their cloud providers. Energy, transport, health, financial market infrastructure, digital infrastructure. If your customers sit in those sectors, their sovereignty questions become your sovereignty questions, one flow-down clause at a time.

Is this law yet?

No. CADA is a proposal, and the sovereignty framework is expected to be one of the central battlegrounds in trilogue between Council and Parliament. Industry has already argued that the top assurance levels amount to origin-based market restrictions dressed as technical safeguards. Some member states will push back. The timeline to adoption is likely years, not months.

So why write about it now? Because procurement behaviour moves faster than legislation. I am already seeing sovereignty-flavoured questions in supplier due diligence questionnaires: where is our data processed, who owns our sub-processors, can a non-EU government compel access to customer data. Those questions do not wait for the Official Journal. They arrive in an RFP on a Tuesday.

What should SaaS and AI companies do about CADA?

Four things, none of them expensive.

Know your own stack. If a customer asked you tomorrow which country your data sits in, which entities control your sub-processors, and what your exposure to the US CLOUD Act looks like through your hosting chain, could you answer in a page? Most scale-ups cannot. Building that map now costs a few hours. Building it under deadline pressure during an enterprise procurement costs deals.

Read your sub-processor list like a buyer would. Your Article 28 DPA already discloses your chain. Sovereignty due diligence is going to read that list with new eyes. If everything routes through one non-EU hyperscaler, decide whether that is a risk you can explain or a dependency you should hedge, for example by confirming your provider's EU sovereign cloud options.

Watch the flow-down. If you sell to banks, insurers, energy companies or healthcare, expect sovereignty assessment clauses to start appearing in their paper. Do not sign a clause that lets a customer terminate for "insufficient sovereignty assurance" without a definition, a cure period and a cost allocation. I have already redlined one of these. There will be more.

And keep perspective. The vast majority of the market stays open. The Commission has said as much, and full EU cloud autonomy is not realistic within five years given data centre, energy and semiconductor constraints. CADA is not a reason to re-platform. It is a reason to be able to answer questions about your platform crisply.

The bigger picture

Chips Act 2.0, the open source strategy and the energy roadmap matter less to my clients day to day, though the "open source first" principle for public sector software procurement is one to watch if you sell to government, and the promise of 12-month capped permitting for data centres will interest anyone building AI infrastructure in Europe.

The through-line is this. The EU has decided that digital dependency is a strategic weakness, and it is converting that view into procurement criteria, audit frameworks and contract terms. Whatever survives trilogue, the direction of travel is set. The companies that win from this are not the ones with the most European stack. They are the ones who can document and explain their stack before the buyer asks.


FAQ

Previous
Previous

The Fine Print Brief: what actually matters this week (14 July 2026)

Next
Next

The EU AI Act on 2 August 2026: what actually applies, what moved, and what I'd do this month