Table of Contents
- Why is there a need for Technological Sovereignty?
- Understanding the cons of dependence on non-EU providers
- How Does CADA Address this Problem?
- What do these measures mean for people, businesses, AI infrastructure, etc.?
- The Impact of other Initiatives
- Next Steps
- Request sovereign EU proxy access
- Frequently Asked Questions (FAQs)
The start of June saw the European Union announce the European Technological Sovereignty Package. The proposal had been delayed three times before it was finally announced on 3rd June, 2026. In short, the policy aims to bolster the EU's autonomy over its digital future.
The policy was proposed due to escalating geopolitical fragmentation, and the EU's realisation that it is solely dependent on non-European organisations for critical digital infrastructure. This includes cloud providers, AI infrastructure, and semiconductors.
The package consists of four main interconnected initiatives, namely:
- Chips 2.0 Act
- Cloud and AI Development Act (CADA)
- EU Open Source Strategy
- Strategic Roadmap for Digitalisation and AI in Energy
Why is there a need for Technological Sovereignty?
The push for technological sovereignty is a direct reflection of the EU's attempt to curb the power of private non-EU tech companies and prevent their negative impact on the EU's democratic society. To solve such issues, they had to go beyond simply implementing regulations and look deeper into how the foundation of digital infrastructure is built, and who has the rights to govern its access.
Understanding the cons of dependence on non-EU providers
The technological sovereignty initiative falls under the Cloud and AI Development Act (CADA). Currently, more than 70% of the European cloud market is under the control of three major American cloud providers, namely Google Cloud, AWS, and Microsoft Azure.
The EU's major issue with this scenario is that although these companies operate data centers within Europe, the data belongs to European citizens and should fall under local jurisdiction. However, that is not the case, as the infrastructure remains subject to non-EU legal systems. This operational model also presents several other disadvantages:
- Kill switches: A foreign government can easily disrupt the services to a country's critical industries, such as healthcare, finance, public institutions, and energy grids.
- Legal loopholes: Under the US legal system, authorities can compel American cloud providers to turn over data stored in their European data centers. Consequently, European authorities struggle to enforce their own jurisdictional rights over data residing on US infrastructure.
- Vendor Lock-in: As previously explained, the majority of critical public contracts on European soil, such as energy, defence, and health, are all handled by non-EU contractors. The Commission is pushing to make sure that only EU-made software and infrastructure is used, at least for sensitive public tenders.
- Political issues: If the vendor in use has close ties to a foreign government that is hostile to your own, the dependency leads to unnecessary negotiation liability.
How Does CADA Address this Problem?
CADA proposes four levels of assurance. Each of these levels has multiple criteria that help different industries and organisations demonstrate their conformity. CADA is proposing a trust ranking system for cloud and AI providers.
A provider with a higher rank has more to prove in terms of independence, sovereignty, and control.
The four levels are:
- Level 1: Basic compliance
- Level 2: Stronger data protection
- Level 3: Full EU legal and operational control
- Level 4: Maximum sovereignty. At this level, there is almost zero foreign vendor dependency.
Level 1: Data Stays in Europe
At this level, the provider and the relevant subcontractors need to prove that data is stored in Europe. All data processing takes place within the EU, backups are stored in the EU, and GDPR transfer rules are adhered to.
A big disadvantage here is that if the vendor is a non-EU entity, then even though the data residency is in Europe, the company itself is answerable to non-EU legal jurisdiction and outside of the EU's legal control.
Level 2: No easy access to foreign legal systems
At this level, the drill-down on legal exposure starts.
The provider has to commit to customer-controlled encryption, more stringent audit controls, contractual promises around data access, and unambiguous protection against foreign legal requests.
At this level, you start incorporating concepts such as Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK). This means that you manage the encryption key rather than the provider. With this rule in place, even if a foreign legal system requests access, data reading becomes harder.
Providers such as Exoscale or OVHcloud can build services around such a model more easily than foreign hyperscalers.
Level 3: Provider needs to be mandatorily European
A much stricter level, where the EU wants the cloud provider to be operationally independent from foreign control.
At this level, cloud providers need to be headquartered in the EU, infrastructure needs to be operated inside the EU, and operational teams need to be located within Europe. With these rules, no foreign government can forcefully compel access since the provider is not subject to foreign laws such as the US CLOUD Act. Providers with foreign ownership structures could find it difficult to meet these sovereignty requirements.
Level 4: Zero Foreign Dependency
This is the level of full sovereignty. The cloud provider is not under scrutiny; its entire supply chain is. To pass this level, a provider needs to prove it has EU-controlled infrastructure, an EU-operated software stack, and minimal to zero dependencies on non-EU vendors. It should have strong cybersecurity guarantees and uncompromised supply chain transparency.
At this level, the EU starts posing difficult questions such as:
- What is the country of origin for the hardware?
- Who manufactured the chips?
- Are foreign vendors needed for software?
- Is the networking equipment dependent on non-EU suppliers?
- Can issues in another country cause disruption of the supply chain?
The EU is essentially declaring that it wants infrastructure to continue to work even if foreign dependencies are eliminated.
What do these measures mean for people, businesses, AI infrastructure?
Such strict measures mean that European businesses need to start working on producing digital solutions that match the existing needs and standards. This directly increases competitiveness and simplifies scaling a successful business.
Bigger organisations have trust that the digital solutions produced within the EU are secure and compliant, which boosts adoption. Investors enjoy a predictable business environment and can create better opportunities for Europe's growth. Companies operating within regulated industries like finance, health, and defense have more interest, as compliance complexity and legal risk are brought down considerably for them. This also turns the tables on how providers are evaluated. Until now, organisations have used metrics such as scalability, cost, and developer convenience as their top priorities when choosing vendors. Under the new sovereignty framework, there are higher chances for EU-native cloud providers to become highly competitive as organisations prioritise legal jurisdiction, compliance readiness, scalability, and cost. For businesses, selecting the right compliant infrastructure early on helps bring down the risk of a costly migration if regulatory requirements become more rigid later.
People are assured that their data is stored securely and is protected from unnecessary transfers. The technology ecosystem is able to offer and sustain a bigger pool of technical jobs, like engineers, researchers, and infrastructure operators, rather than outsourcing them.
AI infrastructure cannot exist without cloud computing. Training and refining AI models demands enormous volumes of processing power, network capacity, and data storage, all offered by the cloud.
The EU is working towards improving its AI competency by establishing AI factories and gigafactories. Those are hubs with vast data sources, supercomputers, and training data, all necessary to build advanced AI solutions.
With CADA, Europe plans to make sure that it has the cloud capacity to match its AI ambition. With the initiative, the EU can guarantee Europe's success as an AI continent by:
- Building a sustainable data center capacity
- Increasing security and public investment
- Drawing clear plans for cloud and AI leadership
The Impact of other Initiatives
Chips Act 2.0
Currently, Europe is heavily dependent on Chinese manufacturers to meet its semiconductor requirements. The continent by itself produces only 10% of global semiconductors. The Act attempts to strengthen Europe's semiconductor manufacturing industry and supply chain.
EU businesses using semiconductors will be required to declare their supply chain details and will be encouraged to procure from European manufacturers.
EU Open Source Strategy
With Europe spending billions of euros annually on American proprietary IT products, software, and services, the Open Source strategy attempts to reduce that dependency and the loss of investment to EU providers. It proposes software that can be audited, reused, adjusted, and maintained within Europe. This is backed by the Open Source Maintenance Instrument, which aims at securing and maintaining widely used software components while building protocols to reduce dependence on non-EU vendors.
This initiative is focused on fields like cloud infrastructure, workplace software, collaboration tools, secure messaging, and email systems. The core of this strategy is that publicly funded software should remain open, accessible, and available for public use.
Strategic Roadmap for Digitalization and AI in Energy
With this initiative, the EU is connecting technology sovereignty directly to energy infrastructure. This new regulation will implement EU-wide sustainability ratings for data centers. The rationale behind it is quite simple: if critical infrastructure (the systems fueling AI and large-scale compute workloads) relies on non-EU providers, then true digital sovereignty is difficult to achieve.
With sustainability ratings becoming part of the procurement criteria and increased investment in domestic data center capacity, the new generation of EU cloud providers will be more competitive.
Next Steps
Companies affected by the European Technological Sovereignty Package will need to assess how the initiatives impact their European operations, market strategies, and supply chain relationships. Those in semiconductor, health, defense, and other high-critical industries will have to show their compliance with the package.
Additionally, engineering teams have to rethink how they design infrastructure. Earlier, modern systems were based on and relied on American solutions like AWS Lambda, DynamoDB, and Azure. These dependencies also make migration harder later on if sovereignty laws further tighten, and they probably will. Teams now need to start prioritising infrastructure architecture built on the foundation of Kubernetes, open source databases, and containerised workloads, rather than tightly coupling products to non-EU proprietary systems.
The package will now be considered in the European Parliament and Council. There are chances for multiple amendments in the legislative procedure and associated negotiations. Once the package is finalized, a one-year implementation procedure is expected.
Request sovereign EU proxy access
Services like QuotaGuard and Fixie solve the outbound static IP problem, but they depend on infrastructure outside of Europe. For EU businesses, that highlights growing concerns around compliance, jurisdiction, and infrastructure control.
OutboundGateway is the European alternative. It offers dedicated static IPs hosted completely on native EU infrastructure, designed for businesses that want stronger control over sovereignty, compliance, and where their traffic is processed.
Built with ❤️ for EU businesses who care about privacy and sovereignty.
Frequently Asked Questions (FAQs)
What is the European Technological Sovereignty Package?
The European Technological Sovereignty Package is a set of four EU initiatives announced in June 2026, comprising the Chips 2.0 Act, the Cloud and AI Development Act (CADA), the EU Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy. Together they aim to reduce the EU's dependence on non-European providers for critical digital infrastructure such as cloud, AI compute, and semiconductors.
What are the CADA sovereignty levels and which one should a business target?
CADA defines four assurance levels, from Level 1 (data stored in Europe) up to Level 4 (zero foreign dependency across the whole supply chain). Most regulated EU businesses should aim for at least Level 2 or Level 3, where customer-controlled encryption and EU-headquartered, EU-operated infrastructure meaningfully reduce exposure to foreign legal requests such as the US CLOUD Act.
How does the sovereignty package affect how teams choose cloud and proxy infrastructure?
Under the new framework, organisations weigh legal jurisdiction and compliance readiness alongside scalability and cost, which favors EU-native providers. Engineering teams are encouraged to avoid tight coupling to non-EU proprietary services and instead build on open standards like Kubernetes, and to choose infrastructure partners, such as EU-hosted static IP providers, whose entire stack sits inside the EU.
