The EU's tech sovereignty initiative limits US cloud services and introduces Chips Act 2.0.

      The European Commission has introduced a tech sovereignty package aimed at limiting US cloud providers from handling sensitive government data and has initiated Chips Act 2.0 to enhance advanced semiconductor production in Europe. The Cloud and AI Development Act establishes four tiers of sovereignty for public-sector cloud applications.

      Following the Trump administration's sanctions against the chief prosecutor of the International Criminal Court, Microsoft suspended his email account. This incident, although brief and administrative, served as a wake-up call for European policymakers. If one American company could sever a senior international official's communication so easily, what else could be affected?

      On Wednesday, the European Commission addressed that concern with new legislation. Its tech sovereignty package, the most extensive effort to diminish the bloc's reliance on foreign technology, focuses on cloud computing, artificial intelligence, semiconductors, and open-source software as part of a unified strategy.

      “We want to be sure nobody has a kill switch,” said Commission Executive Vice-President Henna Virkkunen to CNBC.

      The key component is the Cloud and AI Development Act (CADA), which establishes a framework for cloud “sovereignty” across the EU, defining four levels. Public authorities must evaluate their infrastructure's dependency on non-EU companies and assign their workloads to the appropriate tier.

      This will have a substantial impact. At the highest tiers, providers are required to demonstrate EU ownership and control, employ personnel from the EU, and prove independence from foreign legal jurisdictions. This last requirement directly challenges the US Cloud Act, which permits American law enforcement to access user data from US companies regardless of its location. Complying with these standards would be challenging for Amazon Web Services, Microsoft Azure, and Google Cloud in their current forms.

      The restrictions are focused on sensitive workloads within the public sector, including healthcare, finance, and judicial systems. However, private-sector cloud operations will remain unaffected.

      The package also includes a follow-up to the EU’s initial Chips Act, which was enacted in 2023. Chips Act 2.0 shifts focus from merely constructing fabrication plants to promoting demand for semiconductors manufactured in Europe and enhancing design capabilities that are predominantly situated outside the continent.

      The Commission stated it would “prioritize” establishing a foundry for advanced semiconductor production within the EU. There are discussions about a €30 billion facility that could produce chips at the advanced 3nm node, with funding coming from the Commission, member states, and private companies.

      The updated strategy aims for a total investment of €120 billion by 2035, but achieving that target hinges on political commitment that has historically fluctuated regarding the long-term investment needed for semiconductor manufacturing.

      CADA also sets an infrastructure goal: to triple the EU’s data center capacity within five to seven years, aiming to meet the needs of European enterprises and public administrations by 2035. The Commission estimates around €200 billion in mainly private investment will be needed.

      To speed up deployment, the Act will simplify permitting processes and pinpoint suitable locations for new facilities. The aim is to ensure European organizations can conduct AI operations on European infrastructure, rather than relying on US hyperscaler data centers regulated by US law.

      The key question is whether GPU-as-a-service and other intermediary models will qualify as genuinely sovereign, or if the Commission will insist on complete European control over the hardware stack.

      Europe has made digital sovereignty announcements before. The original Chips Act pledged €43 billion to increase the EU’s global semiconductor market share to 20% by 2030, a goal that most experts now view as unrealistic. Additionally, the €180 million sovereign cloud contract granted earlier this year was only a small fraction of what US hyperscalers invest in a single quarter.

      What distinguishes this package is its regulatory strength. CADA does not merely promote European alternatives; it limits the use of non-EU providers for certain categories of government data, imposing compliance obligations that cannot simply be met by hosting American cloud services within Europe. The sovereignty tiers demand structural autonomy, not just data residency.

      The geopolitical reasoning is evident. As stated in the Commission’s own framing: “As geopolitical fragmentation increases and supply chains become more weaponized, technological dependencies are turning into strategic risks.” The real question is whether Europe can develop the industrial capacity to align with that assessment, and this time it has provided itself a legal framework to attempt to do so.