What’s unfolding in Brussels is not a minor regulatory update. This is a fundamental reshaping of how Europe wants to control its digital future.
Four Pillars, One Goal: Digital Independence
The Technology Sovereignty package comprises four distinct proposals working in concert. There’s the updated Chips Act 2.0 to build semiconductor capacity. The pivotal CADA to secure cloud and AI infrastructure. A new Open Source Strategy to strengthen the public commons. And a Strategic Roadmap for Digitalisation and AI in Energy to decarbonize while maintaining sovereignty.
Together, they signal a shift from importing digital solutions to building European alternatives. The underlying message is clear: Europe cannot afford to depend on non-European cloud providers for critical data and AI capabilities.
Two Decades of Sovereignty Efforts Converge Here
The push for digital sovereignty in the EU is not new. Efforts dating back two decades include early attempts at building a European cloud for research and more recent initiatives like Gaia X. What’s different now is the level of consensus. CADA represents an unprecedented alignment on what cloud sovereignty truly means for the bloc.
This timing reflects genuine anxiety. Geopolitical tensions are rising. Transatlantic relations are shifting. European policymakers worry about data control and potential “kill-switch” scenarios where non-EU service providers could cut access to critical infrastructure. The proposal is their answer to that vulnerability.
How CADA Changes the Cloud Game
The proposal doesn’t just set aspirations. It mandates specific assurance levels for public sector cloud contracting and outlines sovereignty criteria for each level. Here’s what that means in practice:
Public agencies will face new requirements when purchasing cloud services. Vendors will undergo stricter screening. Data transfers to countries outside the EU face new restrictions. Cloud and AI providers may be prohibited from training models on data generated from their services. Personnel screening and EU nationality requirements could come into play.
These aren’t theoretical constraints. They’re operational hurdles that will reshape vendor relationships across the continent.
The Real Test: Negotiation and Implementation
The package now enters a critical negotiation phase in Brussels where its content will evolve. Member states are already squaring up around three core questions:
What exactly is an assurance level? The proposal defines them at a high level, but the details matter enormously for compliance. Which criteria matter most? How will they be enforced?
How does this interact with existing law? Clarifying the relationship between “commercially sensitive data” and the GDPR will determine the real scope of the regulation.
Who decides what changes? The proposal gives the Commission significant power to update assurance criteria over time. Member states are unlikely to accept that without guardrails.
One more wildcard: Article 31 suggests that private sector companies could voluntarily adopt this framework. If that provision survives negotiations, the reach of CADA expands dramatically across the entire European economy, not just public procurement.
What This Means for Tech Companies and Member States
For European tech firms: CADA creates both protection and opportunity. Homegrown cloud and AI providers get a level playing field in public procurement. But they also inherit compliance obligations that international competitors may not face.
For international vendors: Contracts with EU public bodies will require reassessing. Data handling practices may need restructuring. Some service models may simply become incompatible with the rules.
For member states: The negotiation is really about control. How much authority does Brussels get to reshape their digital markets? How much do individual countries retain over their own infrastructure?
What Happens Next
The proposal moves into formal legislative processes now. Amendments will be tabled. Compromises will be struck. The final version could look quite different from what the Commission proposed. But the underlying objective is locked in: Europe wants sovereign control of its cloud and AI infrastructure.
EVP Henna Virkkunen signaled this priority in her mission letter months ago. This package is the delivery on that promise. Whether it succeeds depends on how Brussels handles the countless technical and political details ahead.
Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates
