Brussels has finally given digital sovereignty a legal definition. The European Commission’s Technology Sovereignty Package, published on 3 June 2026 after three delays, covers cloud infrastructure, semiconductors, artificial intelligence, and open-source software.
Text by Martti Asikainen, 10.6.2026 | Photo by Adobe Stock Photos
In May 2025, Karim Khan, Chief Prosecutor of the International Criminal Court (ICC), lost access to his Microsoft email account. His bank accounts were frozen. Executive orders issued by US President Donald Trump had made it legally hazardous for American technology companies to provide him with their services (Quell, 2025).
Whether Microsoft acted directly or simply stepped back as compliance pressures mounted remains an open question. The outcome, however, was the same. The concept of a “kill switch” soon found its way into the heart of European political debate — and has not left it since.
Published after three delays, the Technology Sovereignty Package represents the European Commission’s most coherent response to date to this kind of vulnerability. The figures are stark. By the Commission’s own estimates, more than 80 per cent of the EU’s critical digital products, services, and intellectual property are in the hands of actors based outside Europe (European Commission, 2026).
Europe’s dependence on external actors raises legitimate concerns, but the package addresses them only in part. Whether the remedy will prove effective at all remains very much an open question.
The Technology Sovereignty Package consists of four main elements: a revised Chips Act designed to strengthen local semiconductor capacity; a new Cloud and AI Development Act (CADA), which establishes a tiered sovereignty framework for cloud procurement; a non-binding open-source strategy; and a roadmap for AI and the digitalisation of energy (European Commission, 2026).
Of these, CADA is by far the most significant — and the legislative centrepiece of the whole package. It divides cloud services into four tiers according to the sensitivity of the data they handle. In the most sensitive tier — covering banks, healthcare, and public administration — providers must meet European supply-chain requirements. In practice, this means that American cloud services cannot be used for the most confidential data.
The logic is fairly straightforward. Data held within European infrastructure is beyond the reach of any foreign government’s sanctions. The package also requires systematic assessment of sovereignty risks, replacing the current ad hoc approach with a structural one. This represents a genuine step in the right direction.
The practical effects are already making themselves felt in researchers’ daily working lives, even before the legislation comes into force. Several European governments have been actively moving away from US technology providers. France, for instance, has announced it will stop using products from non-European companies for sensitive government functions. Some universities are following their governments’ lead, though not always without reluctance (Kwon, 2026).
Research communities have built their working practices around shared cloud storage, project management platforms, and international data infrastructure. They are now beginning to find that the geopolitics of infrastructure increasingly determines what is practically possible.
The package cannot be assessed in isolation from its context. It was published in the same week as another significant EU legislative package: the Digital Omnibus, comprising two proposed regulations that together weaken both the phased implementation of the EU AI Act and the General Data Protection Regulation (GDPR) in the name of simplification. This is a contradiction that cannot be brushed aside.
The EU’s earlier achievements in digital regulation rested on a particular understanding of sovereignty: that citizens and democratic institutions have the right to shape the systems that affect them. The Technology Sovereignty Package shifts the emphasis away from this, towards competitiveness and strategic security.
Critics have spoken of sovereignty-washing — where regulation is rolled back in the name of strategic autonomy, whilst in reality, citizens’ protections are weakened even as businesses are shielded from competition. In their view, the legal safeguards embedded in European legislation are being eroded, even as the overall package is presented to citizens as a sovereignty victory. It is a choice.
The Centre for European Policy has warned that sovereignty built on protected domestic markets tends to produce complacent incumbents rather than competitive technology companies, and that a Europe which wins its digital future by excluding others from competition has not solved its technology problems but merely deferred them (CEP, 2026).
The EU has stated its ambition to compete on quality, but the package’s structural incentives point, according to critics, in precisely the opposite direction. Europe’s deeper structural challenges — fragmented capital markets, high energy costs, and a skills deficit — will not be resolved through procurement preferences alone (Sterling, 2026). In the worst case, preferential policies end up shielding incumbents from precisely the competitive pressure that growth would require.
There is a well-documented phenomenon in regulatory studies known as the “Brussels Effect” — the process by which European regulations become global benchmarks, adopted or adapted by countries that had no seat at the drafting table (Bradford, 2012). Its force has historically depended not only on the EU’s market power but also on the perceived legitimacy of European regulation (Blauberger & Schmidt, 2023).
GDPR, for example, has been replicated across dozens of jurisdictions, and the AI Act is already being consulted by policymakers from Brazil to India to Kenya. The Technology Sovereignty Package may well follow the same path — but taken as a whole, it may prove more problematic in character than its predecessors. The CADA sovereignty-tier framework rests on EU definitions of what counts as “trusted” infrastructure.
These definitions are transmitted into practice through technical assistance programmes and the digital infrastructure frameworks carried along by European-funded projects, including in the Global South. Countries in the early stages of digital development, where the influence of funders on infrastructure choices is already considerable, may find themselves in a situation where European supply-chain preferences function as de facto standards — without ever having been consulted (Schoemaker, 2026).
This dynamic echoes what Couldry and Mejias (2019) describe with the concept of data colonialism: the extension of asymmetric power relations through the governance of digital infrastructures and the extraction of data. Research on digital infrastructure financing in Africa demonstrates that the source of investment shapes the governance models that are practically available to governments (Schoemaker, 2026).
Adding European sovereignty conditions to this landscape does not open up policy space for partner countries; it merely redirects an existing constraint in a new direction. The Commission’s digital sovereignty package asks who owns the cloud — but not how it is governed, or who bears responsibility. These are different questions, and they are decisive for people living beyond the EU’s borders.
None of the above, however, constitutes an argument for leaving the EU’s digital infrastructure in its current state of dependency. The kill-switch scenario described at the outset is as real as the Commission’s estimated 80 per cent reliance on external actors. Reducing structural vulnerability is therefore, above all, a sensible — and under current geopolitical circumstances, a near-unavoidable — objective.
Several elements of the package also represent genuine improvements on the status quo: sovereignty-risk assessment, the promotion of open-source procurement, and the lowering of barriers to civil society participation in standardisation bodies. The concern lies not in these goals themselves but in the conception of sovereignty with which they are pursued.
Scholars have long observed that digital sovereignty is not a unified concept but a cluster of competing visions — from state control to technological autonomy, from collective self-governance to individual citizens’ agency (Couture & Toupin, 2019). The nationality of infrastructure is a necessary condition for digital autonomy, but it is rarely sufficient.
A layered understanding of digital sovereignty reveals that control over infrastructure does not in itself guarantee control over standards, applications, data, or users’ rights (Sheikh, 2022). A European cloud tier that processes citizens’ data in the shadow of a weakened AI Act and an eroded GDPR does not make citizens any more sovereign — it simply names a new actor who will mine their data.
In practical work on AI governance, the key question is seldom who runs the server. The primary question is who sets the rules and who enforces them. Storing data in a European data centre is a different matter from ensuring that the system processing that data is accountable, auditable, and respectful of individual rights.
The Technology Sovereignty Package places greater emphasis on the former than the latter — even though the nationality of the provider is the wrong question. What matters more is the governance model embedded within the service, who can audit it, and what legal remedies are available when something goes wrong.
Sovereignty without accountability is just another form of dependency.
Blauberger, M. & Schmidt, S. K. (2023). The Brussels Effect, European Regulatory Power and Political Capital: Evidence for Mutually Reinforcing Internal and External Dimensions of the Brussels Effect from the European Digital Policy Debate. Digital Society, 2(5). https://doi.org/10.1007/s44206-022-00031-1
Bradford, A. (2012). The Brussels Effect. Northwestern University Law Review, 107(1). Columbia Law and Economics Working Paper No. 533. https://ssrn.com/abstract=2770634
Centre for European Policy Network. (2026, June 3). EU Tech Sovereignty Package: Sovereignty as a prerequisite of openness in times of geopolitical shift. https://www.cep.eu/eu-topics/details/eu-tech-sovereignty-package.html
Couture, S. & Toupin, S. (2019). What does the notion of “sovereignty” mean when referring to the digital? New Media & Society, 21(10), 2305–2322. https://doi.org/10.1177/1461444819865984
European Commission. (2026, June 3). Commission proposes tech sovereignty package to strengthen Europe’s digital autonomy and resilience. IP/26/1187. https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1187
Kwon, D. (2026, June 5). Europe is ditching US tech — what does this mean for researchers? Nature. https://doi.org/10.1038/d41586-026-01610-9
Quell, M. (2025, May 15). Trump’s sanctions on ICC prosecutor have halted tribunal’s work. Associated Press. https://apnews.com/article/icc-trump-sanctions-karim-khan-court-a4b4c02751ab84c09718b1b95cbd5db3
Schoemaker, E. (2026, June 8). Europe’s new rules, everyone else’s problem. Global Policy Journal. https://www.globalpolicyjournal.com/blog/08/06/2026/europes-new-rules-everyone-elses-problem
Sheikh, H. (2022). European Digital Sovereignty: A Layered Approach. Digital Society, 1(25). https://doi.org/10.1007/s44206-022-00025-z
Sterling, T. (2026, June 4). Europe’s tech ‘liberation day’? Computer says not yet. Reuters. https://www.reuters.com/legal/litigation/europes-tech-liberation-day-computer-says-not-yet-2026-06-04/