The European Commission has set out a new Tech Sovereignty Package aimed at reducing Europe’s dependence on foreign digital infrastructure across semiconductors, artificial intelligence, cloud, data centres and open source technology.

The package includes proposals for Chips Act 2.0 and a Cloud and AI Development Act, alongside an Open Source Strategy and a roadmap for digitalisation and AI in energy. It comes as the Commission says the EU relies on non-EU countries for more than 80% of key digital products, services, infrastructure and intellectual property.

Cloud is one of the most exposed areas. Regulated data, AI workloads and business-critical systems increasingly sit inside global cloud platforms, raising practical questions for CIOs over which systems process sensitive data, where they are hosted, who controls the infrastructure, and what it would cost to move them.

Nick Reed, chief strategy officer at Bizzdesign, an enterprise transformation software provider, said many organisations need a clearer picture of their technology estate before they can make meaningful sovereignty decisions.

“CIOs need visibility into application dependencies, data flows and classifications, third-party suppliers, business criticality, migration costs and timelines, and potential customer and operational impacts before any decision is made,” Reed said.

“Without that, organisations risk either overspending on unnecessary migration programmes or underestimating their regulatory and operational exposure.”

Sovereign cloud demand is rising

The Commission’s Cloud and AI Development Act is intended to support cloud and data centre capacity in Europe, accelerate cloud and AI adoption in strategic sectors, and introduce a single EU-wide sovereignty framework for cloud and AI.

The wider sovereignty debate is also moving beyond policymakers. Enfuce research, based on a survey of 3,000 consumers and 500 senior executives at payment providers across Europe, found that 60% of consumers agreed the EU and UK should move away from US-owned technologies where possible. Among payment providers, 72% agreed that the UK and EU should reduce reliance on US-owned technologies in general, while 57% said they had already started to do so.

The same research found that 62% of consumers and 75% of payment providers were concerned that geopolitical tensions could lead foreign-controlled payment networks to restrict or stop payments in their market. But the report also points to a commercial limit: only one in five consumers said local ownership would be a primary reason to choose a new payment system.

According to Reed, sovereign cloud demand is already visible, with the European market projected to reach €100 billion by 2031. But he warned against assuming that demand will flow straight to European providers.

“The demand is there, but it won’t necessarily flow automatically or exclusively to European providers,” Reed said.

He suggests geopolitical uncertainty is increasing demand for cloud services that offer stronger assurances around data control and risk. The EU Cloud Sovereignty Framework, published by the European Commission in October 2025 as a procurement methodology, reflects that direction. It groups assessment criteria into eight sovereignty objectives: strategic, legal and jurisdictional, data and AI, operational, supply chain, technological, security and compliance, and environmental sustainability.

Reed said the Commission’s own procurement activity shows how those assessments may work. In April 2026, the Commission used a formal tender worth €180 million to establish four “EU-sovereign” cloud providers. Of those, he said, only one incorporated US cloud infrastructure, through a consortium integrating Google Cloud infrastructure via the Thales joint venture S3NS.

“It won on the basis of the framework’s technical and operational assessment rather than corporate origin, a result that has not gone unnoticed,” Reed said.

AWS and Microsoft have also set up independent European legal entities and EU-resident operations to compete in this market.

Reed said European providers may have an advantage in open architecture and data portability, particularly where hyperscaler environments create switching costs. At the same time, US cloud providers still have large R&D budgets and advanced AI capabilities.

“The market will reward whoever can demonstrate the precise technical controls required for a given workload,” Reed said. “That’s good news for European providers who meet that bar, but it’s not a guaranteed shift in their favour.”

Compliance, resilience and innovation

Sovereignty requirements are arriving alongside existing rules on operational resilience, technology risk and supplier oversight.

In financial services, the EU’s Digital Operational Resilience Act has increased scrutiny of ICT supplier risk, resilience testing, incident support and auditability. NIS2 applies more broadly across key sectors and places stronger expectations on supply chain risk management.

Reed said enterprises need to balance the speed needed for innovation with the control required for compliance and resilience.

“Innovation needs speed and openness, and collaboration with partners who can move at the same pace,” Reed said. “Compliance and resilience pull in the other direction because what you need there is confidence and control, and those things don’t always sit naturally together.”

The balance will vary by jurisdiction. Reed said the EU has specific regulations in this area, while the UK and other jurisdictions rely on a more flexible, principles-based model focused on business service survival.

“Increasingly, regulators and boards are asking whether organisations can continuously demonstrate control over critical business services,” Reed said.

He added that standard enterprises have “virtually zero leverage” to demand bespoke audit rights from global technology giants and must work within standard vendor agreements.

“Attempting to reach the maximum level of control everywhere results in overinvestment, and possibly operational paralysis,” Reed said.

Reed said organisations need a business value-led view of how important services rely on applications, data, technology and third parties. That can help firms manage risk investment in line with organisational value, rather than creating separate programmes for each compliance standard.

“Resilience needs to follow the same logic, treated as a business-led continuous operational capability rather than siloed checklist-based exercises,” he said.

Migration decisions need workload-level evidence

The Tech Sovereignty Package is likely to renew debate around cloud repatriation, European hosting and alternative providers. Reed said enterprises should begin by understanding which workloads require stronger sovereignty controls.

“The starting point is understanding how much sovereignty you need, and across which dimensions,” Reed said.

The EU Cloud Sovereignty Framework scores cloud services using Sovereignty Effectiveness Assurance Levels, or SEAL, from SEAL-0 for no sovereignty to SEAL-4 for full digital sovereignty. Reed said the legal and jurisdictional dimension deserves particular attention.

“The legal and jurisdictional dimension is worth paying particular attention to because if the laws are in place but you can’t enforce them, you’re not protected,” Reed said.

Scoring each workload can help CIOs identify regulatory gaps. But Reed said that is only part of the decision, because cloud repatriation can be expensive and enterprise IT environments are often deeply connected through applications, data flows, suppliers and business processes.

“Cloud repatriation is complex and expensive, and enterprise IT environments are deeply interconnected in ways that mean dependencies rarely sit within neat boundaries,” Reed said.

He pushes for a workload-by-workload assessment that balances sovereignty requirements against the full cost of migration, based on a connected view of the supply chain.

“It all comes back to a workload-by-workload assessment that balances sovereignty requirements against the true total cost of migration, grounded in a connected view of what the supply chain looks like rather than a broad, all-or-nothing mandate,” Reed said.

As Europe pushes for greater digital autonomy, enterprises will face more questions about their cloud exposure, supplier dependency and data control. Many will need to start by mapping what they already rely on.