Europe's approach to artificial intelligence regulation is entering a critical new phase. The European Parliament and Council have reached a provisional agreement on the Digital Omnibus on AI Regulation, marking a significant step forward in translating the EU AI Act from policy framework into enforceable rules. Simultaneously, the European Commission has proposed the Cloud and AI Development Act, which introduces a new sovereignty framework for cloud services that could reshape how organizations across Europe access computing power and manage data.

What Is the Digital Omnibus and Why Does It Matter?

The Digital Omnibus represents a consolidation of multiple EU digital policy initiatives into a single regulatory package. The provisional agreement signals that lawmakers have found common ground on how to implement AI governance across the continent. This comes as the EU continues to enforce existing digital regulations, including the Digital Services Act (DSA), which has already resulted in significant fines against major platforms.

The timing is crucial. While the EU AI Act established the foundational principles for AI regulation, the Digital Omnibus and Cloud and AI Development Act are designed to operationalize those principles. They address not just the models and algorithms themselves, but the infrastructure, data governance, and trust mechanisms that organizations need to deploy AI responsibly at scale.

How Is Europe Approaching Cloud Sovereignty and AI Infrastructure?

The Cloud and AI Development Act introduces a four-level assurance framework for cloud services, providing a standardized way for European organizations to evaluate the sovereignty characteristics of the platforms they use. This is a departure from previous EU digital legislation, which focused primarily on content moderation and competition. The new framework places operational autonomy and strategic resilience at the center of Europe's digital strategy.

The framework recognizes a fundamental reality: AI adoption at scale depends on trusted digital ecosystems. Organizations must be able to discover data and services, verify the characteristics of digital assets, establish trust with partners, and exchange information securely while maintaining control over their assets. Without interoperability, ecosystems remain fragmented. Without governance, digital sovereignty remains a political ambition rather than an operational reality.

Steps Organizations Can Take to Prepare for New EU AI Regulations

• Assess Data Governance Practices: Review how your organization collects, stores, and shares data. The new regulations emphasize data governance, confidentiality, and consent as core priorities. Ensure your systems can demonstrate compliance with these requirements and that you have clear audit trails for data usage.
• Evaluate Cloud Service Sovereignty: Audit your current cloud infrastructure against the four assurance levels being introduced by the Cloud and AI Development Act. Identify which services meet which sovereignty levels and plan migrations if necessary to align with your organization's risk profile and regulatory obligations.
• Document AI System Reliability: If your organization uses AI tools, prioritize documentation of accuracy, reliability, and explainability. Research from the European Medicines Agency shows that "accuracy and reliability of AI tools" is the highest regulatory priority across all stakeholder groups, so demonstrating these characteristics will be essential for compliance.

What Are Regulators Prioritizing in AI Oversight?

The European Medicines Agency (EMA) recently published research on regulatory priorities for AI across the medicine lifecycle, surveying 273 people including regulators, industry professionals, patients, academics, and healthcare professionals. The findings reveal what European regulators consider most important when evaluating AI systems.

"Accuracy and reliability of AI tools" emerged as the highest priority "by a substantial margin," according to the researchers. Respondents were most concerned with how AI-generated outputs can be trusted when they inform evidence generation and regulatory decisions. The next highest priorities were data governance, confidentiality, and consent, followed by ethics, fairness, and bias prevention.

Based on these findings, the EMA identified 10 priority research areas. The top three all relate to accuracy and reliability, with researchers wanting to understand how AI systems can remain robust when data changes over time and when it is important for models to be explainable. This research agenda reflects a broader European regulatory philosophy: AI systems must be trustworthy, transparent, and demonstrably safe before they can be widely deployed.

How Are Existing EU Digital Regulations Being Enforced?

The EU is not waiting for new legislation to take effect before enforcing digital rules. The European Commission fined Temu 200 million euros under the Digital Services Act for failing to adequately assess systemic risks related to illegal products on its platform. The Commission found that the platform's risk assessment relied on general sector-level data rather than platform-specific analysis.

Temu must submit an action plan by the end of August 2026, which will be reviewed by the European Board for Digital Services and the Commission, with possible further measures in case of non-compliance. This enforcement action demonstrates that the EU is serious about holding platforms accountable for their governance practices, even as new regulations are being finalized.

What Role Will Existing Frameworks Play in Implementation?

The Gaia-X initiative, a federated framework for trusted digital collaboration, is positioned as a natural precursor to the Cloud and AI Development Act's sovereignty framework. Gaia-X has already transformed its governance and trust principles into operational reality, with over 200 member organizations across Europe and beyond, including cloud providers, industrial leaders, SMEs, public administrations, research institutions, and technology companies.

The Gaia-X Label scheme, launched in operational form at the Gaia-X Summit 2025, provides a three-level sovereignty assurance framework for cloud services. Labels are verified against defined criteria covering trust, data sovereignty, transparency, and compliance. Cloud service providers including OVHcloud, 3DS OUTSCALE, T-Systems, Docaposte, and Orange Business have already achieved Gaia-X compliance and are listed in a catalogue that allows users to search and compare services by sovereignty levels.

The Commission's Cloud Sovereignty Framework explicitly references Gaia-X policy rules as one of its foundational inputs. The Cloud and AI Development Act's four assurance levels and Gaia-X's three-level Label scheme share the same underlying logic: structured, verifiable, graduated sovereignty assurance that gives buyers a clear and comparable basis for procurement decisions. This alignment suggests that organizations already working with Gaia-X-certified services will have a smoother transition to the new regulatory framework.

The success of the Cloud and AI Development Act's assurance framework will depend on implementation rigor. For the four levels to serve as a meaningful signal to buyers, the criteria at each level must be clear, auditable, and consistently enforced. Ambiguity in the lower assurance levels risks creating conditions for "sovereignty washing," where services are presented as compliant without meaningfully addressing the strategic dependencies and operational autonomy concerns that the Act is designed to resolve.

What Happens Next in the EU AI Regulatory Timeline?

The provisional agreement on the Digital Omnibus represents progress, but the regulatory process is not yet complete. The agreement must still be formally adopted by the European Parliament and Council. Meanwhile, the Cloud and AI Development Act is moving through the legislative process, with implementation details still being finalized.

For organizations operating in Europe or serving European customers, the message is clear: AI governance is no longer a future concern. It is happening now, through enforcement of existing rules like the Digital Services Act, through research that informs regulatory priorities, and through new frameworks that are being operationalized by industry leaders. The combination of the Digital Omnibus, the Cloud and AI Development Act, and initiatives like Gaia-X suggests that Europe is building a comprehensive ecosystem for trustworthy, sovereign AI development and deployment.