The European Union is preparing cloud-computing rules that could make it harder for Amazon, Microsoft and Google to win sensitive public-sector contracts, in a move that would test Brussels’ effort to reduce dependence on foreign technology without provoking a wider transatlantic dispute.
According to a Reuters report based on draft documents, the European Commission plans to introduce strict criteria for “highly critical” state tenders under its forthcoming Cloud and AI Development Act. The proposed rules could require public buyers to consider data protection, sovereignty risks, operational resilience and the use of European-developed software and hardware when awarding cloud contracts.
The legislation is expected to be presented by EU technology chief Henna Virkkunen as part of a broader package aimed at strengthening Europe’s digital capacity. The European Parliament’s legislative train schedule identifies the Cloud and AI Development Act as a Commission initiative intended to support Europe’s cloud and artificial intelligence infrastructure.
The political issue behind the proposal is not simply procurement. Cloud services are now part of the basic infrastructure of government, banking, healthcare, energy, defence-related industry and public administration. Decisions over who hosts, processes and controls sensitive data have therefore become questions of economic security and regulatory sovereignty.
US companies remain dominant in cloud computing. Amazon Web Services, Microsoft Azure and Google Cloud have the scale, capital and technical capacity that many European public and private-sector customers rely on. For Brussels, that dominance creates a strategic dilemma. Excluding major providers too aggressively could raise costs and reduce options for public buyers. Leaving the market unchanged could deepen Europe’s dependence on companies subject to non-EU law and commercial priorities.
One concern frequently raised in Europe is the reach of US legislation, including the Cloud Act, which can allow American authorities to seek access to data held by US-based providers, including data stored outside the United States in certain circumstances. US companies have tried to address such concerns through sovereign-cloud products, local partnerships and European data-residency offers. The draft EU approach suggests that Brussels may not regard those measures as sufficient for the most sensitive categories of public procurement.
The Commission’s own cloud policy already points in this direction. Its cloud-computing policy page says the EU plans to compile an EU Cloud Rulebook and guidance on public procurement of data-processing services. That framework is intended to create a single European approach to binding and non-binding rules for cloud users and providers.
The draft reported by Reuters would go further by turning sovereignty criteria into a practical procurement filter. If adopted, public authorities could be required to weigh not only price and performance, but also whether a cloud supplier is sufficiently insulated from foreign legal control and whether critical components are European.
That would have direct commercial consequences. Large US cloud providers could still compete for many European contracts, but they could face barriers in the most sensitive tenders. European providers, including firms that have long argued for stronger sovereignty requirements, would gain a clearer policy advantage. The question is whether they can offer comparable capacity, reliability and price at the scale required by governments and critical sectors.
The proposal may also create friction with Washington. The United States has previously objected to EU measures that it views as targeting American technology companies. If the new rules are seen as effectively excluding US firms from strategic public contracts, they could become another point of dispute in an already strained trade and technology relationship.
Brussels will argue that the measure is not protectionism but risk management. The Commission has increasingly framed technology dependence as a security issue, particularly after disruptions linked to energy, semiconductors, telecommunications and defence supply chains. Cloud infrastructure now sits within that broader debate.
The plan still faces negotiation with EU member states and the European Parliament. Some governments are likely to support a stronger European preference, particularly where state data or critical infrastructure is involved. Others may be wary of higher costs, reduced competition or retaliation from the United States. Public-sector buyers may also resist rules that complicate procurement or restrict access to established providers.
The test for the Commission will be whether it can define “highly critical” services clearly enough to avoid legal uncertainty. A narrow definition would limit the impact to sensitive government and critical-infrastructure systems. A broad definition could affect a much larger share of public-sector technology procurement and invite stronger opposition from industry and trading partners.
The proposal marks a shift in EU digital policy. Brussels is not only regulating foreign technology platforms after they enter the European market. It is now considering whether strategic public contracts should actively favour providers that meet European sovereignty standards. That makes the Cloud and AI Development Act a market-access issue as much as a technology-policy file.
For Europe, the decision will show how far the EU is prepared to go in turning digital sovereignty from a political slogan into binding procurement rules. For US technology groups, it may become one of the most consequential tests yet of whether their European operations can satisfy Brussels’ growing demand for control over critical digital infrastructure.
