Europe’s new tech-sovereignty plan doesn’t ban U.S. cloud giants — it sets four levels of “sovereignty” for sensitive government data, and an American law makes the top levels nearly impossible for them to reach

On June 3, 2026, the European Commission proposed a set of rules that would change how European governments buy cloud computing for their most sensitive data. The headline reaction framed it as Europe pulling a “kill switch” on American tech. The actual proposal is narrower and more specific: a single EU-wide framework that sorts cloud providers into four levels of “sovereignty,” meant to be applied by public bodies according to how sensitive the data is.

It is not a ban on Amazon, Microsoft, or Google. But the Commission’s own technology chief has been clear that the two highest levels would be difficult for U.S. companies to reach, for reasons written into American law rather than European preference. And the whole thing is a proposal, not a rule yet: it still has to be negotiated and approved by the EU’s member states before it binds.

What the Cloud and AI Development Act actually proposes

The cloud rules sit inside the European Technological Sovereignty Package, which the Commission adopted on June 3. The package bundles two draft laws, the Cloud and AI Development Act and the Chips Act 2.0, with an open-source strategy and an energy-and-AI roadmap. The stated reason is dependency: by a figure the Commission cites, the EU relies on non-EU countries for more than 80% of its key digital products, services, infrastructure, and intellectual property.

The Cloud and AI Development Act, or CADA, is organized around three areas the Commission labels research, development and innovation; capacity; and autonomy. The capacity goal is concrete: at least tripling the EU’s data-center capacity within five to seven years. The autonomy area is where the sovereignty grading lives.

CADA defines cloud and AI sovereignty across four assurance levels, to be used by public-sector bodies based on their own risk assessments. Providers can be recognized under the framework by member states after an audit. As the Commission describes them:

• Level 1: data is processed and stored in infrastructure located in the Union.
• Level 2: providers must show independence from third countries and transparency over their software supply chain.
• Level 3: providers must be owned and controlled from within the EU and meet additional criteria, such as the citizenship of personnel; the Commission can recognize third-country providers.
• Level 4: providers have full transparency and control over their software supply chain and no interference from a third country.

Crucially, the framework is a measuring stick for public buyers, not a blanket prohibition. The Commission has said it wants “the vast majority of the market” to remain open to international partners, and CADA also proposes a common EU procurement framework so public administrations can pool their purchasing power.

The “kill switch” and the law that makes the top tiers hard to reach

The sharpest line came from Executive Vice-President Henna Virkkunen. The Commission’s aim, she told reporters, is to make sure that providers handling critical workloads cannot hold a “kill switch” over them: the scenario in which a foreign company or government could freeze, cut off, or reach into Europe’s digital infrastructure. “We want to make sure that our most critical sensitive data is stored in Europe,” she said.

Virkkunen also named the obstacle directly. It would be hard for U.S. companies to reach the highest sovereignty levels, she said, because of the U.S. CLOUD Act, which lets American law enforcement request data held by U.S. companies regardless of where in the world that data is stored. A provider subject to that law cannot easily promise “no interference from a third country,” which is the Level 4 test.

That is what makes the proposal more than a relabeling of existing data-residency rules. Catherine di Lorenzo, a partner at the law firm A&O Shearman, told CNBC that the “direction of travel already goes well beyond data residency and includes ownership structures, immunity from extraterritorial laws, operational control, and supply-chain transparency.” Where data sits is a Level 1 question. Who ultimately controls the company, and whose laws it must obey, are the higher tiers.

The other half: Chips Act 2.0

The second draft law, the Chips Act 2.0, targets the hardware underneath. The Commission credits the original Chips Act with mobilizing more than €52 billion in public and private investment and helping create an estimated 46,000 direct and indirect jobs, while acknowledging that Europe still depends on other countries for advanced chip manufacturing and design.

The sequel leans on demand and speed rather than dependency alone. It would cap permitting for chip projects at a maximum of 12 months, set up “Demand Accelerators” to align new products with what industry actually needs, introduce “Grand Challenges” aimed at strategically important chips such as those for AI, and open State aid to “First-of-a-Kind” facilities not yet present in the Union. As CNBC reported, the Commission said it would “prioritize” building a foundry for advanced manufacturing inside the bloc. The framing is competitive as much as defensive: the Commission expects the global semiconductor market to reach €1.37 trillion by 2030, with AI-related components driving roughly 70% of that growth.

What is settled, and what is not

The most important caveat is the one easiest to lose in the “kill switch” coverage: this is a proposal. Both acts must be negotiated and approved by EU member states, all 27 of them, before anything binds, and the Commission’s published materials describe a sovereignty framework that public bodies may apply by risk level, not an order to remove U.S. providers. Reporting that the rules would simply bar American cloud companies from government work overstates what the text says.

It is also worth being precise about what the documents do and do not contain. The Commission’s own pages describe faster permitting, funding tools, and the sovereignty grading. Some secondary summaries have added claims, such as emergency powers letting Brussels override existing commercial chip contracts, that do not appear in the Commission’s primary descriptions of the package and are not treated as established here.

Whether the plan works is a separate question from whether it passes. Keegan McBride, who directs science and technology work at the Tony Blair Institute for Global Change, told CNBC that the package is “an important step” in an era when computing power and infrastructure will help decide which countries prosper, but warned that “a full retreat into a Europe-first tech approach will leave the continent weaker,” because great powers export their technology rather than only using it at home.

On the merits, the sovereignty framework looks more likely to strengthen Europe’s hand than to weaken it. The reason is the asymmetry the Commission identified: as long as a foreign statute can reach into infrastructure that European governments depend on, “sovereignty” is a word, not a condition. Writing down what the word actually requires, in tiers, forces both buyers and suppliers to be specific in ways that procurement rhetoric has not been. Costs will rise in the short term, and the choice set for public buyers will narrow before it widens; those are real risks, not rhetorical ones. But a public sector that cannot define the cloud it can trust is in a worse position than one that has defined it and now has to build toward it.

What Europe has produced, in the end, is a definition. It has written down, in four tiers, what it means by a cloud it can trust, and made plain that the most demanding of those tiers were drawn in a place its largest current suppliers may not be able to follow. The work that matters now is whether the member states hold the line on the definition once the lobbying begins.