The European Commission has adopted an ambitious new strategy to strengthen Europe's independence in cloud computing and artificial intelligence, moving beyond regulatory oversight to actively build competing infrastructure and capabilities. On June 3, 2026, the Commission unveiled the Cloud and AI Development Act (CADA), a comprehensive package designed to reduce the continent's dependence on American technology providers like Microsoft, Google, and Amazon, which currently dominate Europe's cloud services market.

The initiative reflects growing concerns that Europe's reliance on foreign technology creates strategic vulnerabilities. According to the Commission, EU countries spend approximately 264 billion euros annually on American tech, with three U.S. giants controlling the cloud services infrastructure that underpins everything from hospital operations to energy grid management. The package represents a shift from simply regulating AI to actively building European alternatives that can eventually compete with established U.S. players.

What Does the Cloud and AI Development Act Actually Do?

Rather than attempting to decouple Europe from American technology, the CADA takes a longer-term approach focused on strengthening European companies and infrastructure. Commission President Ursula von der Leyen explained the rationale: "We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure. This is about protecting our citizens, defending our interests and making our own choices".

The legislation targets three main areas to achieve this goal:

• Research and Innovation: Supporting the development of next-generation cloud and AI technologies, including frontier AI, industrial AI, and physical AI through "grand challenges" to drive future research efforts.
• Infrastructure Expansion: Tripling the EU's data center capacity within five to seven years by simplifying permitting procedures, improving access to energy and land, and increasing financing availability for digital infrastructure projects.
• Sovereignty Framework: Introducing a single EU-wide assessment system for evaluating cloud and AI providers based on their independence from third countries and their control over software supply chains.

The package also directs public money toward products that strengthen Europe's economy and independence, cuts regulatory red tape for data centers, and requires EU governments to develop national strategies for adopting cutting-edge technology. Additionally, the Commission plans to revise a 2023 chips law to increase Europe's demand for advanced semiconductors, addressing industry criticism about insufficient computing capacity.

How Does Europe's New Sovereignty Framework Work?

At the heart of the CADA is a four-level sovereignty assurance system that allows public sector organizations to choose cloud and AI providers based on their risk tolerance and the sensitivity of their operations. The framework represents a nuanced approach rather than an outright ban on American technology.

• Level 1 Sovereignty: Data is processed and stored in infrastructure located within the European Union, but providers may have foreign ownership or control.
• Level 2 Sovereignty: Providers must demonstrate independence from third countries and provide transparency over their software supply chain, including the origins of code and dependencies.
• Level 3 Sovereignty: Providers must be owned and controlled from within the EU and meet additional criteria such as personnel citizenship requirements, though the Commission can recognize third-country providers at this level.
• Level 4 Sovereignty: Providers must have full transparency and control over their software supply chain with no interference from any third country, representing the strictest protection level.

EU tech chief Henna Virkkunen explained the rationale for these escalating requirements: "We have defined here four levels of sovereignty. When we are coming higher in the levels, the requirements are very strict. We want to make sure that nobody has a so-called kill switch possibility there". She noted that the existing U.S. Cloud Act, which compels American companies to hand over data hosted on their services, makes it "difficult to reach" the stricter requirements.

Henna Virkkunen

Within one year of the legislation's adoption, EU governments will be required to conduct a "sovereignty risk assessment" for every digital service they rely on, measuring foreign control, potential access to sensitive data, and the risk of operational disruption. However, the Commission estimates that only about one percent of Europe's public services are sensitive enough to require the strictest Level 4 protection, meaning the vast majority of the market will remain open to international providers.

Why Is This Different From Previous EU AI Regulation?

The CADA represents a departure from the EU's earlier regulatory approach, exemplified by the AI Act, which focused on setting rules and restrictions for AI systems. Instead, the new package combines regulation with industrial policy, actively investing in European capabilities rather than simply constraining foreign ones. This reflects lessons learned from Europe's previous struggles to build competitive technology companies that could challenge American giants.

The package complements other recent EU initiatives, including the Chips Act 2.0 and the EU Open Source Strategy, creating a comprehensive ecosystem designed to support European innovation and reduce strategic dependencies in critical digital infrastructure. The Commission is also establishing "Experience and Acceleration Centres for AI" to drive adoption of cloud and AI technologies in strategic industrial and public sectors.

The political context matters significantly. The Commission has been careful to stress that the CADA is not aimed at picking a fight with American firms, particularly as the European Parliament finalizes a controversial trade deal with the United States. The U.S. could still retain high-level access to the European market through existing data privacy agreements and safeguards that major American companies have implemented.

What Happens Next?

The Commission's proposals will now move to national governments and the European Parliament for negotiations on the final version of the legislation. The outcome will depend not only on the formal text but also on how member states and the Commission choose to implement the sovereignty framework in practice. Some EU governments have already warned that it is neither realistic nor desirable to completely decouple the continent from U.S. technology, suggesting that implementation could be contentious.

The CADA represents Europe's most ambitious attempt yet to build technological independence while remaining pragmatic about the realities of global technology markets. By focusing on building European alternatives rather than simply restricting foreign access, the EU is betting on a long-term strategy to develop homegrown champions capable of competing with established American players. Whether this approach succeeds will likely shape European technology policy for the next decade.