The EU Aims to Rewrite the Rules of Cloud Sourcing

The European Commission has taken a step toward strengthening the European Union’s own digital sovereignty after years of policy buildup. In April 2026, it awarded a sovereign cloud tender worth up to €180 million over six years. The deal is structured as four parallel contracts, deliberately reducing dependence on any single provider. The European Commission’s approach prioritises diversification and systemic resilience while strengthening strategic autonomy.

This move reinforces the European Commission’s broader push to deepen its own digital sovereignty. It aims to strengthen strategic control over critical technologies, ensuring a secure, compliant, and sovereign infrastructure. The deals span core EU institutions, including the European Parliament, European Council, and European External Action Service, as well as around 70 agencies.

PAC’s Take

The EU is Trying to Emancipate Itself Digitally

Sovereignty, security, and trust are now foundational requirements for European institutions across cloud, data, AI, and edge. Engagements with enterprises, especially in the public sector, confirm accelerating momentum to strengthen digital sovereignty. The aim is to reduce reliance on US providers amid rising concerns about extraterritorial access under the CLOUD Act. 

In this context, the EU’s Cloud III Dynamic Purchasing System tender reflects a structured, competitive procurement model that brings clarity, scalability, and consistency to Europe’s sovereign cloud ambitions and delivers clear benefits, because:

• It represents an attempt to digitally emancipate Europe. The European Commission aims to rebalance its dependence on US-dominated cloud providers by actively cultivating a more autonomous European ecosystem. Its selection criteria, covering strategic alignment, legal sovereignty, operational resilience, sustainability, transparency, openness, and security, set a new benchmark for European countries. By requiring strong assurance levels and limiting non-EU influence, the initiative hopes to boost trust, control, and long-term digital independence across Europe.
• The selected providers are aligned with the Cloud Sovereignty Framework. The Framework establishes standards for data residency, operational control, and legal jurisdiction. The goal is to protect against extraterritorial access. By prioritising EU-based infrastructure, transparent governance, and security-by-design, the EU announcement supports a foundation for its critical workloads. The selected consortium, including Post Telecom (with CleverCloud and OVHcloud), STACKIT, Scaleway, and Proximus (partnering with S3NS, Clarence, and Mistral AI), demonstrates Europe’s growing capability to deliver secure, sovereign, and innovative cloud solutions.
• It establishes a new benchmark for what sovereign cloud entails. Boosting digital sovereignty across EU institutions for compute capacity is central to this European Commission initiative. The solution enables sovereign hybrid architectures that ensure secure access under European governance and control. And the announcement sets a clear benchmark for organisations beyond EU bodies. It creates a reference model for public authorities across Europe, many of which are converging around these European-level requirements. Moreover, it encourages organisations in Europe to adopt EU-aligned standards when procuring critical cloud services.
• Buying from local providers might boost Europe’s digital economy. According to the CEO of Scaleway, every Euro spent with Scaleway generates a three times higher local economic impact compared to international hyperscalers. Even if this ratio is too optimistic, it highlights that strengthening European sovereign cloud solutions could reinforce Europe’s digital autonomy. Moreover, a more focused approach on European sovereign cloud providers could stimulate regional ecosystems, accelerate innovation, and build sustainable local capabilities across Europe.
• Technology and providers represent distinct layers in sovereign cloud design. The EU initiative addresses both. It expands the ecosystem by enabling a more diverse mix of European cloud and AI providers. This enhances competition and architectural flexibility. At the same time, it embraces a pragmatic hybrid model: it demonstrates that with the right governance, even non-European technologies can meet sovereignty requirements. However, the flip side is also true: for instance, US providers like IBM are advancing sovereignty solutions, including with NATO.

There is no Such Thing as Full Sovereignty

The EU deal announcement appears focused on the infrastructure layer. Most European sovereignty offerings from ISVs like SAP, ServiceNow, and Google still rely on US software stacks and hyperscalers, despite extending to the application layer. Despite the positive signals of the announcement for EU institutions and vendors, PAC remains sceptical about the extent to which European organisations can truly benefit from designing, deploying, and operating European sovereign cloud environments, because:

• Many EU initiatives remain small and appear to be lip service. Distributing just €180 million across four providers over six years results in limited funding per vendor, undermining the impact. Compared to the multi-billion-euro contracts routinely secured by hyperscalers like AWS and Azure, the scale of this announcement appears late, sub-scale, and strategically insufficient – especially when compared to US compute initiatives. Moreover, uncertainty remains about pricing and whether these EU deals imply premium costs or are supported by European subsidies.
• Sourcing for sovereign solutions is complex and time-consuming. Despite the headline announcement, the European Commission is still finalising the Cloud Sovereignty Framework. This means that some definitions and assessment criteria remain unsettled. This uncertainty risks delaying the implementation of sovereign cloud infrastructure. Moreover, updates to the European Chips Act and the proposed Cloud and AI Development Act add further complexity. Also, even if organisations wanted to change their sourcing approach, their procurement strategy might not be aligned.
• European vendors are still struggling to boost digital sovereignty offerings. While the announcement suggests viable European alternatives exist, it also underscores their fragmentation and inability to compete individually. The reliance on combined offerings spanning sovereignty, security, and AI highlights the need to pool capabilities just to remain relevant. For those vendors not selected, the signal is clear: without greater scale, coordination, and proactive engagement in European initiatives, they risk marginalisation in the fast-moving digital infrastructure marketplace.
• European cybersecurity remains intertwined with US tech infrastructure. Most European countries rely on US technology for national defence solutions, either directly or via European intermediaries dependent on US infrastructure. Even sovereign or air-gapped models, such as offerings from AWS and Delos Cloud, are built on US software stacks. Oversight mechanisms aim to mitigate risks under laws like the CLOUD Act. However, ongoing reliance on updates and patches ultimately exposes persistent structural dependence. This undermines claims of true operational sovereignty in Europe.