The European Union wants governments to assess whether their cloud providers pose sovereignty risks and, if so, switch providers within 12 months. The urgency behind the proposal is stark: EU cloud providers’ share of their own market collapsed from 29% in 2017 to just 15% in 2022 and has stagnated since, leaving three non-EU hyperscalers controlling over 70% of European cloud infrastructure.
Under a proposed Cloud and AI Development Act released on June 3, the European Commission would create a four-tier cloud sovereignty framework, require public authorities to conduct risk assessments, and tie government procurement to EU-defined assurance levels. The proposal also introduces new conditions for foreign cloud providers and measures promoting open-source software and a European public-sector cloud ecosystem.
Sovereignty tiers for cloud providers: The proposal establishes a Union cloud computing sovereignty framework comprising four assurance levels. Providers seeking recognition must apply to a national competent authority, and recognition would be valid across the EU.
The framework creates four classifications:
- Union Assurance Level 1: Entry-level recognition based on a provider’s self-assessment and an EU statement of conformity.
- Union Assurance Level 2: Requires an independent third-party audit and compliance with additional sovereignty requirements.
- Union Assurance Level 3: Requires stricter sovereignty safeguards and independent auditing.
- Union Assurance Level 4: Highest assurance level intended for the most sensitive public-sector activities.
The proposal adopts a cumulative approach. Providers seeking recognition at a higher level must satisfy all requirements applicable to lower levels. The compliance process differs across the tiers:
- Level 1 relies on self-certification.
- Levels 2, 3, and 4 require independent audits.
- Providers must submit evidence supporting compliance.
- Regulators can reassess recognised services.
- The Commission will maintain a central repository of recognised cloud services.
Government risk assessments: The proposal requires Member States and EU institutions to conduct risk assessments to determine which assurance level is appropriate for different public-sector activities. Those assessments must consider:
- The sensitivity and criticality of data.
- Risks arising from third-country access to data.
- Risks to public order.
- Potential service disruption.
- Risks to the rights and freedoms of individuals.
Governments must also consider whether a multi-cloud or multi-vendor strategy is appropriate.
The Commission may review the outcome of those assessments. If it concludes that the selected assurance level does not adequately address public-order concerns, it may specify a different assurance level through implementing acts.
Migration and foreign service providers: The proposal also includes migration requirements. Where a risk assessment requires a public authority to move to another cloud service, the transition period cannot exceed 12 months, subject to technical feasibility and continuity requirements.
The proposal separately establishes conditions under which providers linked to third countries can qualify for Union Assurance Level 3.
The third country must:
- Have a GDPR adequacy decision.
- Not have measures that conflict with EU lawful-access requirements.
- Not have powers that can compel service disruption or degradation.
- Maintain an open market for EU cloud providers.
- The third country must have no measures in place to impede the provision of state-of-the-art technologies and services by the cloud provider.
- Grant equivalent access to public procurement procedures.
The Commission may amend, suspend, or repeal that recognition if those conditions are no longer met.
Sovereignty levels become procurement requirements: Public authorities whose activities are not considered relevant to public order must use cloud services recognised at Union Assurance Level 1 at a minimum.
Where risk assessments identify public-order concerns, authorities may be required to procure services recognised at Levels 2, 3 or 4. The proposal also requires member states to:
- Apply “Union added value” criteria when procuring cloud services and AI systems.
- Monitor procurement of cloud and AI systems.
- Report on procurement outcomes.
- Develop national cloud and AI strategies aligned with the regulation.
EuroCloud Federation and open-source obligations: The proposal establishes a European public sector cloud federation, known as the EuroCloud Federation. The federation is intended to support cooperation between public authorities using cloud services across the EU and facilitate the sharing of cloud resources and capabilities.
The proposal also contains measures promoting open-source software. Member States and Union entities are encouraged to support the use, development, and sharing of open-source solutions. The proposal provides for:
- An EU-wide Open Source Solutions Catalogue.
- Reuse of software developed with public funds.
- Cooperation between public-sector Open Source Programme Offices.
- Measures supporting open-source adoption across public administration.
Also read:
- Google Cloud outage after Delhi facility fire raises questions about India’s digital resilience
- Full Interview: Douglas Kramer, chief legal officer at Cloudflare, on overblocking, piracy orders and AI crawlers
- Reliance partners with Meta to build a 168 MW data center in Gujarat
For You
- Read Reasoned by Nikhil Pahwa: How AI is changing our world
- Sign up for MediaNama's Daily Newsletter to receive regular updates
- Sponsor a MediaNama Event
























