EU Sovereignty Package: Ambitious, important—outcome uncertain

Written By Sebastian Deck
June 17, 2026

On June 3, 2026, the European Commission presented the European Technological Sovereignty Package. What CADA actually means, why “sovereignty washing” is the biggest risk—and what companies should be looking into now.

The European Commission has unveiled its European Technological Sovereignty Package. The central instrument is the Cloud and AI Development Act (CADA)—supplemented by a revised Chips Act 2.0, an open-source strategy, and a roadmap for the digitalization of energy infrastructure. The stated goal: to structurally reduce Europe’s dependence on non-European providers for semiconductors, artificial intelligence (AI), cloud infrastructure, and fundamental software components.

This is long overdue. But it is not enough.

What’s in the EU Sovereignty Package

The Cloud and AI Development Act (CADA) is the centerpiece of the package. It introduces, for the first time, a uniform EU-wide assessment system for cloud and AI sovereignty: four sovereignty levels that public bodies are to use to guide their procurement decisions. Any entity wishing to be considered for public contracts must undergo an audit and be recognized by a member state.

In parallel, CADA lays the groundwork for so-called “Cloud and AI Leadership Initiatives”—funding programs designed to strengthen research and infrastructure capacity. The investment target: approximately 320 billion euros by 2036, divided into 120 billion for the semiconductor ecosystem and 200 billion for data center capacity. Part of this is planned as private investment; it is not a pure subsidy program.

Chips Act 2.0 is intended to support Europe in building production capacity for next-generation semiconductors. The European Commission points to the structural starting point: According to the Draghi Report, the EU sources over 80 percent of its digital products, services, infrastructure, and intellectual property rights from non-European providers.

The package is politically sound—but must still be read critically

Europe’s structural dependence on U.S. tech companies is not an abstract phenomenon confined to strategy papers. It is tangible in practice: The U.S. CLOUD Act requires U.S. providers to hand over data over which they have “possession, custody, or control”—regardless of the physical location of storage (Congressional Research Service, Cross-Border Data Sharing Under the CLOUD Act, R45173). Having a data center in Frankfurt does not change this if the operator is based in Seattle. A report commissioned by the Federal Ministry of the Interior (BMI) and prepared by the University of Cologne documented this again in writing in 2025.

Added to this is the so-called “kill switch” risk: If political decisions lead a U.S. provider to restrict or block services, an organization loses its IT operations—not despite, but because of its cloud dependency. The International Criminal Court (ICC) experienced this in 2025, when the then-Chief Prosecutor temporarily lost access to his Microsoft emails. The ICC’s response: a complete switch to openDesk, the open-source suite from the Center for Digital Sovereignty in Public Administration (ZenDiS) (SecureCloud Blog, EU Resolution Promotes Digital Sovereignty: https://blog.securecloud.de/eu-resolution-f%C3%B6rdert-digitale-souver%C3%A4nit%C3%A4t).

The CADA package responds to this reality. The crucial question is: does it go far enough?

The Problem with Sovereignty Washing

The criticism from European cloud providers, united in the Cloud Infrastructure Service Providers in Europe (CISPE) association, is direct: The current CADA framework risks legalizing sovereignty washing instead of preventing it. The lower tiers of the assessment framework are designed in such a way that U.S. hyperscalers can meet them—and thus officially identify themselves as “sovereign,” even though they remain subject to the U.S. CLOUD Act.

CISPE succinctly summarizes the issue: The current framework risks causing confusion rather than providing clarity because it is developing a “sovereignty score” that conflates the impossible with the irrelevant. In practice, European providers could fare worse under this system than non-European hyperscalers—under the guise of an official EU sovereignty label.

This criticism is not lobbying. It identifies a structural problem: If sovereignty becomes a protectable marketing term, the entire regulatory project loses its operational effectiveness. What matters is not the label, but control—over jurisdiction, keys, operations, and exit.

With the C3A (Criteria enabling Cloud Computing Autonomy), published in April 2026, the Federal Office for Information Security (BSI) has already presented a more practical evaluation approach, one that is based more on verifiable evidence than on self-declarations.

The two risks that must not be conflated

In public debate, two structurally distinct risks are often lumped together. This leads to unclear protection requirements and misguided measures.

Data access risk (CLOUD Act / FISA Section 702): U.S. authorities can compel U.S. providers to hand over data located outside the U.S. This affects confidentiality and data sovereignty. Article 48 of the General Data Protection Regulation (GDPR) is intended to limit this on the EU side—the European Data Protection Board (EDPB) clarified this in 2025 in guidelines on Article 48 of the GDPR (EDPB, Guidelines 02/2024 on Article 48 GDPR). The conflict between U.S. access requirements and EU data protection principles is structural and unresolved.

Operational risk (kill switch): License suspensions, export control measures, or politically motivated service shutdowns can completely paralyze an organization’s IT operations—regardless of whether any data access has ever taken place. This risk affects operational capability, not primarily compliance.

Both risks are real. Both require different responses. A cloud provider that addresses the first risk through technical isolation does not necessarily resolve the second—and vice versa. CADA addresses both dimensions to some extent; the question is whether the defined levels are sufficient to actually provide protection.

What companies and government agencies should specifically examine now

The European Technological Sovereignty Package is a legislative proposal, not applicable law. Years will pass before its final adoption and implementation. For companies and government agencies that are already working with sensitive data today, the current legal and risk framework matters—not the future one.

Four key questions help distinguish between illusory sovereignty and genuine control:

- Jurisdiction: Is the provider subject exclusively to European law—or also to the laws of third countries, such as the U.S. CLOUD Act?

- Key control: Who actually holds control over encryption keys? “Encrypted” alone means nothing if the provider can technically access the content.

- Operations: Are all admin accesses, support processes, updates, and incident response handled exclusively in Europe—without access from the U.S. parent company?

- Exit capability: Are data migration, portability, and recovery scenarios documented, planned, and tested?

These questions are not a theoretical exercise. Schleswig-Holstein implemented a complete overhaul of its email system—over 40,000 mailboxes, more than 100 million migrated emails and calendar entries—in six months and, according to its own figures, has already saved over 15 million euros in licensing costs.

Digital sovereignty is an infrastructure decision

The European Technological Sovereignty Package sets the right political direction. The crucial implementation question is whether CADA will codify a definition of sovereignty based on actual control—or one that allows hyperscalers to retain the label without changing the substance.

Regardless of this, the following applies to companies and government agencies: Those who take digital sovereignty seriously as a strategic requirement do not wait for the EU legislator. They are examining today which providers in their IT landscape are actually controllable—and where structural dependencies exist that could lead to an inability to act in an emergency.

SecureCloud operates its entire infrastructure on its own hardware at noris network AG in Nuremberg—exclusively in Germany, without a U.S. parent company, without third-country access, and certified according to the BSI C5 criteria catalog and ISO 27001. What the CADA package aims to achieve from a regulatory perspective is already structurally realized in this model.

Sebastian Deck

Sebastian Deck is Chief Marketing Officer (CMO) at SecureCloud and is responsible for brand strategy, communications and marketing. He has many years of experience in building and leading international marketing teams in consulting, fintech and technology companies. At SecureCloud, he drives brand positioning, thought leadership and lead generation. He also manages go-to-market initiatives and campaigns to position SecureCloud as a leading provider of cyber security and secure cloud services.
