The European Commission is preparing to introduce a technological sovereignty package later this month that could limit companies like microsoft, Amazonand Google of the processing of certain sensitive data for public sector organizations in Europe.
The restrictions are expected to cover financial, judicial and health-related data, according to two anonymous Commission officials cited by CNBC. A Commission spokesperson described the initiative as “a goal for Europe to wake up and act together.”
What the EU technological sovereignty package would cover
The restrictions, as described by Commission sources, are expected to specifically target public organisations. Private companies will remain free to select any cloud platform they prefer to handle their proprietary data. The main focus appears to be on US-based cloud providers, which currently dominate European public sector cloud workloads.
The Commission sees the package as a way to support European cloud providers and boost sovereign cloud options. One commissioner said the goal is to create opportunities for EU-based companies to grow and reach institutional users who currently rely on US cloud platforms.
Additionally, plans include reforming public procurement to offer more diverse AI and cloud service options for European public bodies.
How it fits into Europe’s broader regulatory push
The Technology Sovereignty Package is being developed alongside two other major regulatory initiatives: the Cloud and AI Development Act and the Chip Act 2.0. These efforts are part of a broader European effort to reduce dependence on US-based technology infrastructure.
European authorities have been working for years to create a sovereign cloud market. The proposed restrictions on US suppliers mark a more significant intervention than previous voluntary frameworks and could impact Microsoft Azure, Amazon Web Services and Google Cloud’s existing contracts with European public sector bodies.
What is unclear about the EU technological sovereignty package
The Technological Sovereignty Package has not yet been formally presented. Commission members are still reviewing specific provisions before the package is released. Details such as the scope of the restrictions, the categories of data involved, the implementation schedule and any transition provisions for existing public sector contracts have not been finalized.
The EU has not made any comments on how these restrictions might interact with existing data protection frameworks or with US companies offering EU-based data residency services designed to comply with GDPR and related regulations.
