I have lost count of the headlines this month telling me Europe just voted to lock American cloud companies out of its most sensitive data. Two things in that sentence are wrong, and the two things are the whole story. Nobody voted, and almost nothing got locked out.
Here is what actually happened. On June 3 the European Commission published a proposal called the Cloud and AI Development Act, part of a wider tech sovereignty package. A proposal is not a law. It now goes into negotiation with the European Parliament and the member states in the Council, where it passes or fails on a qualified majority rather than a unanimous vote, and is not expected to be adopted until late 2027 at the earliest. There was no vote to lock anyone out. There was a first draft.
The draft sets up four sovereignty levels for public-sector data, graded by how sensitive the data is. Level 1 just asks that the data be processed and stored on infrastructure inside the EU, which the big American providers already do through their European data centers. Level 2 adds that the provider prove it is independent of any foreign government and come clean about its software supply chain. Level 3 requires that the provider be owned and controlled from inside the EU, down to a rule that the people working on the service, subcontractors included, be EU citizens. Level 4 demands full control of the supply chain with no third-country interference at all.
Now the part the headlines skipped. By the Commission's own impact assessment, as Computerworld reported, about 70 percent of public-sector workloads sit at Level 1, roughly 20 percent at Level 2, about 9 percent at Level 3, and only around 1 percent at Level 4. The tier that effectively shuts out a foreign company is that last 1 percent, the genuinely sovereign end: national security, defense, the data you would not want a foreign court reading. Level 3, the next 9 percent, leans toward EU-owned providers too, though not as an outright bar. The hyperscalers, the giant cloud companies (Amazon Web Services, Microsoft Azure, Google Cloud), keep the vast majority of it.
So why can an American company not just promise to reach Level 4 and be done with it? Because of a law passed not in Brussels but in Washington. The US CLOUD Act, on the books since March 2018, compels any company incorporated in the United States to hand over data it controls to US law enforcement, wherever in the world that data physically sits. A server in Frankfurt gives you no legal cover if the company running it is headquartered in Seattle. That is the real mechanism, and it is worth being precise about it: this is not a punishment for anything the companies did. It is a straightforward conflict of laws. Europe cannot honestly call its most sensitive data sovereign while the company holding it can be served a valid US warrant.
The Commission's tech chief, Executive Vice President Henna Virkkunen, put the fear plainly at the June 3 launch, in remarks CNBC reported: "We want to be sure nobody has a kill switch," she said, adding that in critical fields the EU wants to be sure it can always control the services and the data itself.
Predictably, the industry hated it. CCIA Europe, the trade group for big US tech, called the plan "a dangerous recipe for progressive market shutdown" and said Levels 3 and 4 are "closed-market requirements dressed up as policy thresholds." Its Daniel Friedlaender called the act "a direct recipe for fragmented discrimination across Europe in 27 different ways." What is funnier is that Europe's own cloud providers, through the group CISPE, are not thrilled either: they liked the strict Level 3 and 4 definitions but called Levels 1 and 2 "confusing and non-sensical," because a US hyperscaler can meet them and still get called sovereign. And there is already a side door: an American firm can reach Level 3 through a joint venture with a European partner, the way Google works through S3NS, a Thales-controlled venture.
I am, for what it is worth, sympathetic to the goal. I keep my own data on machines I can open, for exactly the reason Virkkunen named. But the honest version of this story is smaller and harder than the headline. The proposal does not conjure a European cloud into existence, and the bottleneck for the data centers it wants to triple within about 5 to 7 years is more likely electricity than paperwork. Europe's own providers have slid from about 29 percent of their home market in 2017 to roughly 15 percent by 2022, where Synergy Research Group says the share has held since, while Amazon, Microsoft, and Google hold about 70 percent of the European cloud market between them. A sovereignty label on a contract does not reverse that.
If you run anything you care about, do not read the headline and relax or panic. Ask the one question the whole fight turns on, the one that has nothing to do with where the server is: where is the company that holds your data incorporated, and whose courts can reach it there.






