25 heads of European cloud companies have had enough of hollow promises. In an open letter to the EU Commission, they demand: The planned Cloud and AI Development Act (CADA) must define real sovereignty - and not legitimize the fig leaf of US hyperscalers.
The letter dated March 17, 2026 is addressed to Henna Virkkunen, who, as Executive Vice-President for Technological Sovereignty in the EU Commission, is responsible for CADA. The letter was signed by the CEOs of the companies organized in the industry association CISPE (Cloud Infrastructure Service Providers in Europe). Their accusation: AWS, Microsoft Azure and Google Cloud dominate the European cloud market with a market share of around 70 percent - and sell themselves as "sovereign", although they are subject to the US CLOUD Act and therefore have to grant US authorities access to European data in case of doubt.
CISPEcalls this by its name: "sovereignty washing".
Five demands against sham sovereignty
The five principles that CISPE wants to see included in the CADA are clearly formulated:
Firstly, sovereignty must be defined by actual control - not by the mere location of a data center in the EU. Who operates the infrastructure, who owns the company and which jurisdiction it is subject to must be decisive.
Secondly, where full sovereignty cannot be implemented immediately, resilience must be ensured - through customer-controlled encryption, data portability and technical reversibility. Specifically, this means ensuring protection against extraterritorial access such as the US CLOUD Act.
Thirdly, the signatories are calling for reserved procurement shares for European providers - in line with the "Buy European - Ensure Resilience - or Explain" principle. Large framework agreements that effectively exclude European providers should be prevented.
Fourthly, competition and interoperability should be strengthened, the anti-competitive bundling of AI and cloud services should be prevented and the role of open source software should be recognized.
Fifth: Tax-funded investments in cloud and AI infrastructure should primarily benefit the European ecosystem.
Why the timing is no coincidence
CADA is the first EU law to explicitly address cloud services and artificial intelligence. The EU Commission had announced the draft for the first quarter of 2026. The fear of European providers: If the definition of sovereignty in the law is too soft, Brussels will legitimize exactly what the industry criticizes as "sovereignty washing" - and cement the dominance of US hyperscalers instead of breaking it up.
CISPE Secretary General Francisco Mingorance puts it in a nutshell: CADA is a "unique opportunity to bring Europe back to the forefront of the digital economy". This should not be squandered by legitimizing sovereignty-washing.
Microsoft in front of the French Senate: "No, I can't guarantee that"
Microsoft itself has confirmed that the criticism of the hyperscalers' promises of sovereignty is not out of thin air. In June 2025, Anton Carniaux, Chief Legal Officer of Microsoft France, was asked under oath before the French Senate whether he could guarantee that French citizens' data would never be passed on to US authorities without the consent of French authorities. His answer was unequivocal: He could not guarantee that.
This admission does not only apply to Microsoft. Every US provider is subject to the CLOUD Act - and thus to the same structural weakness. No matter how many "EU Data Boundaries", "Sovereign Clouds" or "Data Guardian" programs they set up: As long as the parent company is based in the USA, access by US authorities remains legally possible.
Washington exerts pressure: US government opposes Europe's sovereignty initiatives
Anyone who dismisses the CISPE letter as pure industry policy is overlooking the geopolitical context. The US government has made it unmistakably clear that it views European regulation in the digital sector as an attack on American companies - and is prepared to take action against it.
On February 21, 2025, President Trump signed a memorandum entitled "Defending American Companies and Innovators from Overseas Extortion and Unfair Fines and Penalties". It openly describes European digital regulation as "extortion" and "unfair punishment" of American companies. The memorandum authorizes the US Trade Representative to consider retaliatory tariffs against countries whose tax or regulatory structure has a "discriminatory" or "disproportionate" effect on US companies.France, Italy and Spain are among the countries mentioned by name.
The text is not only aimed at digital taxes: it is also explicitly directed against regulations that "undermine the global competitiveness or intended operations of US companies". The EU Institute for Security Studies (EUISS) classifies the memorandum as an open attempt to influence European legislation - and as a signal that digital issues are no longer the subject of transatlantic cooperation, but are instead becoming a lever in an escalating economic conflict.
At the end of 2025, Washington further escalated the tone: during a visit to Brussels, US Secretary of Commerce Howard Lutnick directly linked the dismantling of European digital regulation with possible tariff relief. And the Trump administration imposed visa sanctions against five European citizens, including former EU Commissioner Thierry Breton - on the grounds of "extraterritorial censorship".
The irony is obvious: a US government that describes European data protection laws and sovereignty initiatives as "blackmail" simultaneously expects European companies and authorities to entrust their most sensitive data to US providers without hesitation - who are subject to the same CLOUD Act that the EU has identified as a structural legal conflict. Anyone who still talks about "partnership at eye level" in this constellation has not understood the seriousness of the situation.
Study: 83% consider cloud shutdown to be realistic
Parallel to the CISPE letter, a recent study by Lünendonk & Hossenfelder provides alarming figures: 83% of the companies surveyed in the DACH region consider a so-called "kill switch scenario" to be realistic - i.e. the possibility of a cloud provider unilaterally restricting or switching off access to critical IT services. At the same time, only 57 percent have an exit strategy. Almost half have no plan B.
Particularly revealing: 96% of the companies surveyed expect digital sovereignty to become even more important over the next three years - even if the geopolitical situation eases.
The hour of the European providers
Local cloud providers currently hold a market share of around 15 percent. With CADA, they could make up ground, particularly in public contracts and in the handling of sensitive data. The fact that European investment in sovereign cloud infrastructure is set to rise from 6.9 billion dollars (2025) to 23.1 billion dollars (2027) according to Gartner underlines the momentum.
In January 2026, the EU Parliament adopted a resolution on "European technological sovereignty and digital infrastructure" by a large majority - the clearest political step to date towards reducing Europe's dependencies in critical areas. The Bundestag is also discussing a comprehensive restructuring of its IT away from Microsoft and towards European solutions.
What real sovereignty means in practice
CISPE compares the dilution of the concept of sovereignty with the phenomenon of greenwashing: a cloud service is either sovereign or it is not. There is no such thing as "75 percent sovereignty" - just as there is no such thing as "75 percent organic".
Four test questions help to distinguish pseudo-sovereignty from genuine sovereignty:
Jurisdiction: is the provider subject exclusively to EU law - or also to the law of third countries?
Key control: Who really holds the encryption keys? "Encrypted" is not enough if the provider controls the keys.
Portability: Are there standards, exit plans and tested migration paths?
Operation: Are all admin access, support processes, updates and incident response in Europe?
Why SecureCloud makes no compromises when it comes to sovereignty
SecureCloud is one of the European cloud providers that benefit directly from a consistent definition of sovereignty in CADA - because they already meet the requirements today. Our entire infrastructure is located exclusively in Germany: our own hardware, operated in colocation at noris network in Nuremberg. No US parent company, no third country dependencies, no vulnerability to the US CLOUD Act or the Patriot Act.
SecureCloud is BSI C5-tested, ISO 27001-certified and GDPR-compliant. The platform includes SecureShare for encrypted data exchange, SecureWork for collaborative work with traceable rights and versions, SecureSign for legally binding digital signatures and SecureMail for secure email communication.
For organizations in highly regulated sectors in particular - law firms, hospitals, financial service providers, public authorities, the manufacturing industry - this means true data sovereignty without compromises. And the switch is easier and quicker than most people think.
Conclusion: CADA must not become a fraudulent label
The demands of the 25 European cloud CEOs are justified and overdue. If the Cloud and AI Development Act defines sovereignty for what it is - control, not location - Europe could finally have an effective tool against structural dependence on US technology. If not, CADA will become the next example of regulation that is well-intentioned but misses the mark.
For companies with sensitive data, the message is clear: don't wait for regulation. Check now how sovereign your cloud stack really is - and whether your data will really remain under your control in an emergency.
If you want to know what a switch to a fully sovereign cloud infrastructure looks like in practice, get in touch with us - or try SecureCloud for free.