CImages31f53638-cb0f-4d2a-b854-e4e4bd8f8f10

The European Union’s Cloud Computing Landscape: Navigating Fragmentation, Digital Sovereignty, and Regulatory Ambition

Many thanks to our sponsor Panxora who helped us prepare this research report.

Abstract

The European Union (EU) is at a pivotal juncture in its digital transformation, where cloud computing serves as an indispensable foundation for economic prosperity, technological innovation, and global competitive positioning. Despite its strategic importance, the EU’s approach to cloud policy has been notably fragmented, leading to a profound and disproportionate reliance on non-European cloud service providers, particularly those originating from the United States. This entrenched dependency gives rise to a spectrum of critical concerns spanning data sovereignty, cybersecurity resilience, and the potential erosion of Europe’s inherent digital autonomy. This comprehensive research report undertakes an in-depth examination of the multifaceted economic ramifications stemming from the EU’s current fragmented cloud policy. It further scrutinizes the profound strategic necessity for achieving digital sovereignty, rigorously evaluates the persistent challenges encountered in the development and scaling of viable European cloud alternatives, such as the ambitious GAIA-X initiative, and meticulously analyzes the evolving regulatory frameworks, including the landmark Data Act and Artificial Intelligence (AI) Act, meticulously designed to fundamentally reshape and reorient Europe’s cloud landscape. By synthesizing a broad array of contemporary academic literature, official policy documents, and incisive industry analyses, this report aims to furnish a holistic and nuanced understanding of the intricate challenges and significant opportunities that characterize and define Europe’s complex cloud policy landscape.

Many thanks to our sponsor Panxora who helped us prepare this research report.

1. Introduction

The advent and pervasive adoption of cloud computing have profoundly revolutionized the global digital economy, offering unparalleled scalability of computational resources, vigorously fostering innovation across sectors, and empowering businesses to operate with unprecedented levels of agility and responsiveness. For the European Union, the comprehensive embrace of cloud technology transcends mere technological advancement; it represents a strategic imperative of the highest order, critical for bolstering its economic standing, enhancing its global competitiveness, and securing its digital future. However, the EU’s cloud policy landscape remains persistently fragmented, characterized by a discernible lack of cohesive strategic direction and an alarming overreliance on non-European providers. This fragmentation is not merely an administrative inconvenience; it actively poses significant risks to the fundamental principles of data sovereignty, compromises cybersecurity integrity, and threatens the EU’s long-term digital autonomy. The implications extend far beyond the immediate economic sphere, impacting national security, the protection of fundamental rights, and the very fabric of European values in the digital age.

This report delves into these intricate issues with considerable depth, aiming to provide a nuanced understanding of the current state of Europe’s cloud policy and to critically assess its future prospects. It will dissect the economic consequences of market dominance by a few non-European hyperscalers, explore the multifaceted concept of digital sovereignty in practical terms, and critically evaluate the progress and pitfalls of key European initiatives. Furthermore, it will analyze the transformative potential of recent legislative efforts, such as the Data Act and the AI Act, in shaping a more resilient and self-determined European cloud ecosystem. The overarching objective is to identify pathways towards a more robust, secure, and competitive European cloud environment that genuinely serves the interests and values of its citizens and businesses.

Many thanks to our sponsor Panxora who helped us prepare this research report.

2. Economic Implications of Fragmented Cloud Policy

The EU’s fragmented and often reactive approach to cloud computing has inadvertently created a fertile ground for the entrenchment of non-European cloud service providers, particularly U.S.-based technology conglomerates. This entrenched dominance carries significant and multifaceted economic implications, extending far beyond simple market share statistics to impact capital flows, innovation capacity, and the long-term competitiveness of European enterprises. The fragmentation arises from a confluence of factors, including differing national regulatory interpretations, varied investment priorities across member states, and a historical lack of a unified European digital single market for cloud services. This complex interplay has inhibited the emergence of large-scale, competitive European cloud players capable of challenging the incumbents.

2.1. Market Dynamics and Economic Impact

The global cloud computing market is overwhelmingly dominated by a handful of hyperscale providers, namely Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These providers, often collectively referred to as the ‘Big Three,’ command an estimated 70-80% of the worldwide cloud infrastructure services market, with their dominance being particularly pronounced within the European Union. This market concentration is a direct outcome of their colossal investment capabilities in data centre infrastructure, global network backbones, and extensive research and development in advanced cloud services and artificial intelligence capabilities. Their ability to offer highly competitive pricing, a vast array of integrated services (PaaS, SaaS, FaaS), and global reach makes them exceptionally attractive to businesses of all sizes, from nascent startups to multinational corporations.

However, this dominance comes at a substantial economic cost to the EU. A notable analysis, highlighted by the Financial Times, warned that the EU risks foregoing a staggering €1.2 trillion in economic gains if it fails to fundamentally reform its fragmented digital cloud policy [Financial Times, 2025]. This figure encompasses not just direct revenue losses but also the stifling of local innovation, the missed opportunities for job creation within the European cloud sector, and the substantial outflow of capital in the form of subscription fees, professional services, and data processing costs remitted to non-European entities. This financial drain directly impacts the EU’s gross domestic product (GDP) and limits its capacity for reinvestment in critical digital infrastructure and skills development.

Moreover, the concept of ‘vendor lock-in’ becomes a palpable economic threat. Once an organization commits substantial resources to a particular cloud provider’s ecosystem – migrating data, developing applications, and training personnel on proprietary services – the costs and complexities of switching to an alternative provider can become prohibitively high. This lock-in reduces competition, diminishes customer bargaining power, and can stifle innovation by limiting an enterprise’s agility to adopt best-of-breed services from diverse providers. For the EU, this means that even if competitive European alternatives emerge, the inertia and switching costs associated with migrating away from established non-European hyperscalers present significant barriers to their adoption, perpetuating the existing market imbalance.

The economic implications also extend to the development of a robust European digital ecosystem. The lack of indigenous hyperscale cloud providers means that much of the foundational digital infrastructure and the high-value data analytics and AI capabilities built upon it are controlled by foreign entities. This dependence can hinder the growth of European tech startups, limit the development of specialized cloud skills within the EU, and ultimately impede the continent’s overall digital competitiveness on the global stage.

2.2. Impact on European Businesses

The pervasive dominance of non-European cloud providers imposes distinct challenges on European businesses, particularly small and medium-sized enterprises (SMEs), which form the backbone of the European economy. While cloud services offer undeniable benefits in terms of agility and cost-efficiency, their adoption by European firms is frequently complicated by a confluence of factors.

Firstly, compliance with the EU’s stringent data protection regulations, most notably the General Data Protection Regulation (GDPR), poses a significant hurdle. Many non-European cloud providers, while offering robust services, may operate under legal jurisdictions (e.g., the U.S. CLOUD Act) that conflict with EU data sovereignty principles. This creates a complex compliance burden for European businesses, necessitating costly legal advice, customized contractual clauses, and often a compromise on optimal cloud architecture to ensure data residency and processing within the EU, or at least under robust contractual safeguards deemed equivalent to EU standards. The ongoing uncertainties following the Schrems II ruling, which invalidated the EU-U.S. Privacy Shield, continue to cast a shadow over transatlantic data transfers, forcing businesses to re-evaluate their cloud strategies and incurring additional operational and legal costs.

Secondly, the physical location of data centers and the latency associated with data transfer can impact performance-sensitive applications, particularly for businesses operating in sectors requiring real-time processing or low-latency access to data. While major non-European providers have established data regions within Europe, the fundamental control and ultimate legal jurisdiction over these facilities remain outside the EU, leading to sovereignty concerns. The lack of a strong, widely available network of truly European-controlled data centres can limit the ability of European firms to fully leverage cloud technologies for critical national infrastructure or highly sensitive data applications.

Thirdly, the competitive landscape for European businesses is distorted. U.S. counterparts often benefit from leveraging the advanced, often AI-driven, services natively integrated into the hyperscale cloud platforms, which may not be readily available, or as economically viable, for European businesses needing to ensure EU data residency or specific compliance. This can lead to a competitive disadvantage in areas like advanced analytics, machine learning, and scalable digital services, hampering the growth potential of European businesses and limiting their capacity to innovate and compete effectively on a global scale. European SMEs, in particular, may lack the resources and expertise to navigate the complex compliance requirements or to design hybrid cloud solutions that mitigate some of these risks, often leading them to adopt less optimal or less innovative cloud strategies.

Finally, the absence of a thriving European cloud ecosystem means fewer tailored solutions are developed specifically for European market needs and regulatory nuances. This gap forces European businesses to adapt their operations to global cloud offerings rather than having cloud services adapt to their unique requirements, potentially leading to inefficiencies or missed opportunities for sector-specific digital transformation.

Many thanks to our sponsor Panxora who helped us prepare this research report.

3. Strategic Imperative of Digital Sovereignty

Digital sovereignty, at its core, represents a nation’s or region’s inherent capacity to control its digital infrastructure, govern its data, and manage its technologies without undue external influence or interference. For the European Union, achieving genuine digital sovereignty transcends a mere technical aspiration; it is a profound strategic imperative, inextricably linked to safeguarding its economic interests, upholding its foundational data protection standards, preserving its democratic values, and ultimately maintaining self-determination over its digital future. The concept is multi-layered, encompassing not only the physical control of infrastructure but also the legal, ethical, and operational autonomy in the digital sphere.

3.1. Definition and Importance

While often conflated with data residency or technological independence, digital sovereignty is a far broader and more nuanced concept. It can be broken down into several interconnected dimensions:

Data Sovereignty: This is the most commonly understood aspect, referring to the ability to control data according to national or regional laws and values, regardless of where the data is physically stored. It encompasses the legal jurisdiction over data, its access, processing, and transfer.
Technological Sovereignty: This dimension pertains to the capacity to develop, deploy, and maintain core digital technologies and infrastructure (e.g., processors, operating systems, cloud platforms, cybersecurity tools) without excessive reliance on foreign intellectual property, supply chains, or vendors. It implies the ability to choose and control the technology stack from end-to-end.
Operational Sovereignty: This refers to the ability to operate digital systems and services autonomously, ensuring their continuous availability, resilience, and security against external threats, be they state-sponsored attacks, economic coercion, or technical failures stemming from external dependencies.
Regulatory/Legal Sovereignty: This involves the capacity to enforce domestic laws and regulations on digital services and data, even when the providers or data are located in other jurisdictions, and to resist the extraterritorial application of foreign laws.
Ethical Sovereignty: This less tangible but crucial dimension relates to the alignment of digital systems and their governance with a society’s fundamental values, such as privacy, human dignity, fairness, and non-discrimination. For the EU, this is particularly salient given its strong emphasis on fundamental rights.

For the EU, the importance of digital sovereignty cannot be overstated. Economically, it prevents capital outflow, fosters local innovation by creating demand for European digital solutions, and enables European businesses to compete on a level playing field by controlling their own digital destiny. Politically, it safeguards democratic processes from foreign interference and ensures the ability to define and enforce digital policies aligned with European values. In terms of security, it mitigates risks of espionage, cyber-attacks, and ensures resilience in critical infrastructure. Fundamentally, it allows the EU to define its own path in the digital age, rather than being a mere consumer or recipient of technologies and rules set by others.

3.2. Risks of Dependency

Overreliance on non-European cloud providers exposes the EU to a multitude of significant and interconnected risks, eroding its digital sovereignty and potentially undermining its long-term strategic interests. These risks are not theoretical; they have been starkly demonstrated by recent geopolitical events and legal challenges.

Firstly, and most prominently, is the risk associated with extraterritorial legal reach, particularly from the United States. The U.S. CLOUD (Clarifying Lawful Overseas Use of Data) Act, enacted in 2018, empowers U.S. law enforcement agencies to compel U.S.-based cloud service providers to disclose data stored anywhere in the world, regardless of local data protection laws or the nationality of the data subject [TechRadar, 2025]. This directly conflicts with the EU’s GDPR, which mandates strict conditions for international data transfers and emphasizes data protection as a fundamental right. The implications are profound: European citizens’ and businesses’ data, even when stored on servers located within the EU by a U.S. cloud provider, could be accessed by U.S. authorities without judicial oversight from EU courts.

This conflict came to a head with the Schrems II ruling by the European Court of Justice (ECJ) in July 2020. The ECJ invalidated the EU-U.S. Privacy Shield data transfer framework, primarily due to concerns about U.S. surveillance laws (like FISA Section 702) that were deemed not to offer adequate protection for EU citizens’ data against U.S. government access, fundamentally undermining data sovereignty. The ruling forced companies to rely on other mechanisms like Standard Contractual Clauses (SCCs), but also emphasized that these too must be supplemented by ‘additional safeguards’ to ensure protection equivalent to EU law. This has created legal uncertainty and operational complexity for countless European businesses reliant on U.S. cloud services, highlighting the direct conflict between different legal jurisdictions and the EU’s vulnerability to foreign legal mandates.

Secondly, cybersecurity risks are heightened. While major cloud providers invest heavily in security, reliance on foreign-controlled infrastructure introduces supply chain vulnerabilities. A state actor or malicious entity targeting a non-European cloud provider could potentially gain access to sensitive European data or disrupt critical services. The lack of complete visibility and control over the underlying infrastructure and software stack (e.g., proprietary code, hardware backdoors) prevents European entities from conducting full security audits, leaving them reliant on the assurances of foreign entities. This risk is amplified for critical infrastructure, governmental data, and highly sensitive industrial secrets, where compromised data could have severe national security or economic consequences.

Thirdly, economic control and technological lock-in become a concern. When critical digital infrastructure is largely controlled by foreign entities, the EU’s ability to define its own digital policies, foster its own tech champions, or even ensure the long-term viability of specific digital services can be compromised. Foreign providers could potentially prioritize their home markets, dictate terms, or discontinue services that are vital for European businesses, leaving the EU with limited alternatives. This dependency hinders the development of a competitive European cloud industry and stifles local innovation.

Fourthly, there are ethical and societal implications. The differing legal frameworks regarding privacy, surveillance, and data governance reflect distinct societal values. An overreliance on non-European cloud providers means that the fundamental rights of European citizens, particularly privacy, might be subject to the legal interpretations and enforcement practices of foreign jurisdictions, rather than strictly adhering to the more protective standards enshrined in EU law and values. This represents a subtle but significant erosion of the EU’s normative power and its ability to shape the digital sphere in alignment with its democratic principles.

In essence, the risks of dependency are systemic, touching upon legal autonomy, national security, economic resilience, and the preservation of fundamental rights. Addressing these risks through the pursuit of digital sovereignty is not an isolationist strategy but a pragmatic necessity for the EU to assert its strategic independence in an increasingly digital and interconnected world.

Many thanks to our sponsor Panxora who helped us prepare this research report.

4. Challenges in Developing European Cloud Alternatives

The aspiration for European digital sovereignty hinges significantly on the successful development and widespread adoption of viable European cloud alternatives. While the strategic imperative is clear, the path to establishing competitive and trustworthy European cloud offerings is fraught with considerable challenges. These obstacles range from the immense capital requirements and technological complexities to the formidable market dominance of established non-European hyperscalers and the fragmented nature of European demand and political will.

4.1. GAIA-X Initiative: Ambition Meets Reality

GAIA-X stands as the European Union’s most ambitious and prominent initiative aimed at fostering digital sovereignty by creating a federated, secure, and interoperable data infrastructure that inherently aligns with European values of transparency, openness, data protection, and security. Launched in 2019, its vision is not to build a single European hyperscaler to compete directly with AWS or Azure, but rather to establish a common technical framework and set of rules for data spaces and cloud services. The goal is to enable a trusted data ecosystem where data providers and consumers can securely and reliably share, process, and utilize data across multiple European cloud providers, ensuring interoperability and preventing vendor lock-in. GAIA-X promotes concepts like data portability, data sovereignty-by-design, and reversibility of data, emphasizing user control over their data’s destiny [Wikipedia, 2025b].

The initiative is built on several foundational principles:

Federation: Connecting various cloud and edge infrastructures, enabling users to move data and applications seamlessly between different providers.
Interoperability: Ensuring that data and services can be exchanged and understood across different platforms and sectors.
Trust and Transparency: Establishing clear rules for data handling, ensuring compliance with European legal frameworks like GDPR, and providing transparency on data location and processing.
Data Sovereignty: Empowering users to retain control over their data, defining who can access it, under what conditions, and for what purposes.
Openness and European Values: Promoting open standards and open-source solutions while embedding European ethical and data protection principles.

Despite these ambitious and commendable goals, GAIA-X faces formidable challenges in its implementation and widespread adoption:

Coordination and Governance Complexity: GAIA-X involves a vast ecosystem of diverse stakeholders, including EU member states, large corporations, SMEs, research institutions, and public bodies. Aligning the interests, technical specifications, and regulatory interpretations across 27 member states and hundreds of organizations is an immense coordination challenge. Ensuring consistent implementation of the GAIA-X framework across this disparate landscape requires robust governance and a high degree of political commitment.
Technical Complexity and Standardisation: Building a truly federated and interoperable data infrastructure requires agreement on common technical standards, APIs, and data models. Developing these while accommodating the varied existing systems and future innovations is a monumental technical undertaking. The risk of creating a complex, bureaucratic framework that is difficult for companies to adopt without significant re-engineering is palpable.
Competition from Established Hyperscalers: The ‘Big Three’ non-European cloud providers possess a significant first-mover advantage, immense financial resources, established customer bases, and highly mature service portfolios. GAIA-X, as a framework rather than a single provider, must demonstrate tangible benefits and a compelling value proposition that outweighs the perceived ease and comprehensive offerings of the incumbents. The challenge lies in convincing enterprises to invest in new architectures aligned with GAIA-X principles when existing solutions are readily available and widely used.
Funding and Investment: While public funding has been allocated, the sheer scale of investment required to build truly competitive cloud infrastructure and develop the necessary innovative services to match hyperscalers is colossal. European private capital markets have historically been more conservative in funding such large-scale, long-term infrastructure projects compared to their U.S. counterparts. Attracting sufficient and sustained investment from both public and private sources remains a critical hurdle.
Lack of Unified Market Demand: The demand for sovereign cloud solutions, while growing, is not yet uniform or sufficiently aggregated across Europe. Enterprises often prioritize immediate cost-efficiency and convenience over long-term strategic considerations like digital sovereignty. Creating a strong, unified market pull for GAIA-X compliant services is essential for its commercial viability.
Skill Gaps: Developing and managing advanced cloud infrastructure and data ecosystems requires a deep pool of highly skilled professionals in areas like cloud architecture, cybersecurity, data science, and AI engineering. Europe faces a significant talent shortage in these critical areas, which could impede the progress of GAIA-X and other European cloud initiatives.

Despite these challenges, GAIA-X has made progress in defining technical specifications, establishing data spaces for specific sectors (e.g., manufacturing, health, agriculture), and forming consortia. However, its ultimate success will depend on its ability to move beyond theoretical frameworks to deliver practical, scalable, and economically attractive solutions that genuinely empower European businesses and citizens with greater control over their digital assets.

4.2. Broader European Cloud Landscape and Investment

Beyond GAIA-X, the broader European cloud landscape presents a mixed picture. Numerous national cloud strategies exist, often leading to fragmented efforts rather than synergistic pan-European development. Countries like Germany, France, and Italy have pursued national sovereign cloud initiatives, sometimes in partnership with hyperscalers (e.g., ‘Trusted Cloud’ offerings that leverage hyperscaler infrastructure but with additional local controls), or through the development of indigenous platforms for public sector use. While these efforts reflect a growing awareness of the need for sovereignty, they can also exacerbate fragmentation if not harmonized at the EU level.

The challenge of investment and scale is particularly acute. The capital expenditure (CapEx) required to build and maintain hyperscale cloud infrastructure is astronomical. Companies like AWS, Microsoft, and Google invest tens of billions of dollars annually in data centers, network infrastructure, and R&D. European cloud providers, often smaller and more specialized, struggle to compete with this scale of investment. This disparity affects not only the physical infrastructure but also the breadth and depth of services offered, particularly in cutting-edge areas like advanced AI, quantum computing, and specialized industry solutions.

One emerging trend is the rise of European specialized cloud providers focusing on specific niches, such as confidential computing, secure data enclaves, or industry-specific platforms (e.g., for automotive, healthcare, or financial services). These providers often emphasize compliance, data residency, and a European value proposition. While they may not achieve hyperscale, their collective success in specific verticals could contribute to greater European digital independence.

4.3. Industry Perspectives on Regulation and Innovation

Industry leaders across Europe have expressed a complex array of perspectives regarding the EU’s regulatory approach to cloud computing and digital technologies. While generally supportive of the goals of data protection and sovereignty, there are significant concerns that the current legislative frameworks, if not carefully implemented, could inadvertently stifle innovation and technological progress, thereby hindering rather than helping Europe’s digital transformation.

Siemens and SAP, two prominent European industrial and software giants, for example, have notably called for revisions to the EU’s Artificial Intelligence (AI) Act, arguing that certain provisions could impede the development and deployment of advanced AI solutions [Reuters, 2025a]. Their primary concern is often the potential for overly prescriptive rules to create bureaucratic hurdles, limit experimentation, and disproportionately burden European developers and businesses, putting them at a disadvantage compared to global competitors operating under less stringent regulatory environments. This perspective emphasizes the need for regulatory frameworks to be ‘future-proof,’ agile enough to adapt to rapidly evolving technologies, and to promote innovation rather than merely mitigate risk.

Broader industry concerns often revolve around:

Regulatory Uncertainty and Fragmentation: Despite EU-level regulations like GDPR, the implementation and interpretation can still vary across member states, leading to a patchwork of rules that complicate pan-European operations for cloud providers and their customers. New regulations, while necessary, must be designed to enhance, not detract from, clarity and consistency.
Compliance Burden for SMEs: While large enterprises have the resources to navigate complex regulatory landscapes, smaller European cloud providers and tech startups often struggle with the compliance costs and legal expertise required to adhere to multiple overlapping regulations. This can act as a barrier to market entry and growth, ironically reinforcing the dominance of well-resourced non-European giants.
Interoperability and Open Standards: Many industry players advocate for regulations that actively promote interoperability and open standards, reducing vendor lock-in and fostering a more competitive ecosystem. However, the practical implementation of such requirements, without stifling innovation by proprietary solutions, remains a delicate balance.
Talent and Skills Development: A recurring concern across the European tech industry is the acute shortage of skilled professionals in cloud computing, cybersecurity, and AI. Regulations alone cannot address this; significant investment in education, vocational training, and talent attraction programs is crucial to build the human capital necessary for a sovereign European cloud.
Cybersecurity Certification: While the EU Cybersecurity Act provides for certification schemes, industry groups have voiced concerns that new cybersecurity labels should not discriminate against major international tech providers, but rather focus on ensuring robust security standards irrespective of origin [Reuters, 2024]. This highlights the tension between promoting European alternatives and maintaining access to global best-of-breed security practices.

In essence, the industry’s message is clear: regulation is necessary to protect European values and foster trust, but it must be proportionate, pragmatic, and enable, rather than hinder, the innovation critical for Europe’s digital future. A constructive dialogue between policymakers and industry stakeholders is vital to strike this delicate balance and ensure that Europe’s regulatory ambition translates into a competitive and sovereign cloud landscape.

Many thanks to our sponsor Panxora who helped us prepare this research report.

5. Regulatory Frameworks Shaping Europe’s Cloud Landscape

The European Union has embarked on an ambitious journey to reshape its digital landscape through a series of landmark legislative initiatives. These regulatory frameworks are not merely about imposing rules; they are strategic tools designed to foster a more competitive, secure, and value-driven digital single market, with a particular focus on addressing the challenges and opportunities presented by cloud computing and artificial intelligence. They aim to rebalance power dynamics, empower users, and embed European values into the very fabric of the digital economy.

5.1. The Data Act

The Data Act, formally known as the ‘Regulation on harmonised rules on fair access to and use of data,’ is a pivotal piece of legislation adopted by the European Union with the overarching aim of facilitating and promoting the exchange and use of data across the European Economic Area. It represents a cornerstone of the EU’s broader data strategy, seeking to unlock the vast economic and societal potential of industrial data, which is currently largely underutilized. The Act intends to harmonize rules on fair access to and use of data, thereby significantly enhancing data availability and fostering innovation across various sectors [Wikipedia, 2025c].

Key provisions and their implications for cloud computing include:

Increased Data Availability and Portability: The Act mandates that data generated by connected products (e.g., IoT devices) or related services should be made accessible to users (both consumers and businesses). This includes provisions for data portability, allowing users to switch easily between different data processing services, including cloud services. This is a direct measure to combat vendor lock-in, which has been a persistent issue in the cloud market, enabling users to migrate their data and applications more freely without prohibitive costs or technical barriers imposed by providers.
Fair Contractual Terms: It addresses imbalances in bargaining power between businesses, particularly SMEs, and large cloud service providers. The Act aims to ensure fairer contractual terms for data access and use, preventing exploitative clauses and promoting reasonable compensation for data sharing. This provision is crucial for small European cloud providers seeking to compete with hyperscalers by ensuring a more level playing field in contract negotiations.
Interoperability Requirements: The Data Act introduces provisions to foster interoperability between data spaces and services. This encourages the development of open standards and APIs, making it easier for different cloud platforms to communicate and exchange data, thereby supporting the vision of a federated European cloud ecosystem like GAIA-X. Better interoperability can reduce the complexity and cost of multi-cloud or hybrid cloud strategies for businesses.
Facilitating Public Sector Access to Data: It enables public sector bodies to access and use data held by businesses in exceptional circumstances, such as public emergencies or to fulfill a legal mandate, with appropriate safeguards. This can enhance data-driven policymaking and public service delivery, potentially leveraging cloud-based analytics platforms.
Safeguards Against Unlawful Data Transfer: While not primarily a data protection regulation (GDPR remains the core), the Data Act reinforces safeguards against unlawful international data transfers by cloud service providers. It seeks to ensure that non-personal data held in the EU by cloud providers is not accessed by third-country governments unless subject to a valid international agreement or strict legal conditions, thereby bolstering data sovereignty.

The Data Act is expected to profoundly reshape the competitive landscape of the cloud market in Europe. By empowering data owners, facilitating data portability, and promoting fairer contractual terms, it aims to stimulate competition, reduce dependence on a few dominant players, and encourage the growth of a more diverse and innovative European cloud sector. Its success will depend on effective enforcement and the willingness of market participants to adapt to the new rules.

5.2. The Artificial Intelligence Act

The Artificial Intelligence (AI) Act is a landmark European Union regulation that establishes a comprehensive common regulatory and legal framework for artificial intelligence within the EU. It is the world’s first comprehensive legal framework for AI, designed to ensure that AI systems used in the EU are safe, transparent, non-discriminatory, and respect fundamental rights and European values. The Act employs a risk-based approach, imposing stricter requirements on AI systems deemed to pose higher risks [Wikipedia, 2025a].

Its implications for cloud computing are significant, as most AI development, training, and deployment occur on cloud infrastructure:

Regulation of AI Models on Cloud: The Act’s focus on regulating ‘high-risk’ AI systems directly impacts cloud providers that offer AI-as-a-Service (AIaaS), foundation models, or host AI applications. Cloud providers offering these services will need to ensure that their platforms and the AI models they facilitate comply with the Act’s requirements regarding data governance, cybersecurity, human oversight, transparency, and robustness.
Data Governance for AI Training: The Act mandates strict requirements for the quality, relevance, and representativeness of data used for training AI systems, particularly for high-risk applications. Cloud providers, as hosts of vast datasets and training environments, will need to ensure that their infrastructure supports developers in meeting these data governance standards, potentially by offering specific tools or compliance-ready environments.
Cybersecurity for AI Systems: The AI Act aligns with other EU cybersecurity legislation by requiring high-risk AI systems to be resilient against cybersecurity threats. Cloud providers hosting these systems will need to demonstrate robust security measures to protect the AI models, data, and underlying infrastructure from attacks, tampering, and unauthorized access.
Transparency and Explainability: The Act emphasizes transparency, requiring providers of high-risk AI systems to offer clear documentation and information to users, enabling them to understand the system’s capabilities, limitations, and decision-making processes. Cloud providers may need to integrate features that help their customers meet these transparency requirements, especially for foundation models or general-purpose AI systems.
Market Surveillance and Post-Market Monitoring: The Act introduces market surveillance obligations for AI systems. Cloud providers, as key enablers of AI deployment, may be involved in supporting their customers in post-market monitoring activities, ensuring that deployed AI systems continue to comply with the Act over their lifecycle.
Impact on Foundation Models/Generative AI: The latest iteration of the AI Act specifically addresses ‘general-purpose AI models’ and ‘foundation models’ (like large language models), imposing requirements related to risk management, data governance, and energy efficiency. Cloud providers offering these models or the infrastructure for their development will face direct compliance obligations.

The AI Act is set to create a ‘European standard’ for trustworthy AI, which could become a global benchmark. For cloud providers, this means significant adjustments to their service offerings, a deeper integration of compliance features, and potentially a competitive advantage for those who can demonstrate adherence to the EU’s high ethical and safety standards for AI. While posing initial compliance challenges, it aims to foster public trust in AI technologies developed and deployed within the EU, which could ultimately accelerate their adoption.

5.3. Other Relevant Regulatory Frameworks

Beyond the Data Act and the AI Act, several other EU regulations and directives significantly shape the cloud landscape and contribute to the broader pursuit of digital sovereignty:

General Data Protection Regulation (GDPR): Enacted in 2018, the GDPR remains the foundational pillar of EU data protection law. It sets strict rules for the processing of personal data, granting individuals strong rights and imposing significant obligations on data controllers and processors, including cloud service providers. Its extraterritorial scope means that any cloud provider handling the personal data of EU residents must comply, regardless of their location. The GDPR, particularly its provisions on international data transfers (Articles 44-50), directly drives the demand for data residency within the EU and has been the legal basis for critical rulings like Schrems II, profoundly impacting the use of non-EU cloud services.
Network and Information Security (NIS2) Directive: Replacing the original NIS Directive, NIS2 significantly expands the scope of entities covered by cybersecurity requirements, including a broader range of digital service providers and critical infrastructure sectors, many of which rely heavily on cloud services. It imposes stricter cybersecurity risk management measures and reporting obligations for these entities. Cloud providers supporting these critical entities will face increased scrutiny regarding their security posture, incident response capabilities, and supply chain security. This directive aims to enhance the overall cyber resilience of the EU economy, inherently requiring more secure and transparent cloud operations.
Cybersecurity Act: This Act establishes a permanent mandate for the European Union Agency for Cybersecurity (ENISA) and introduces a voluntary, EU-wide cybersecurity certification framework for ICT products, services, and processes. While voluntary, certifications under this Act, particularly for cloud services, are becoming increasingly important for demonstrating trustworthiness and compliance with high security standards. This framework is crucial for building trust in European cloud services and could eventually become a de-facto requirement for critical applications.
Digital Markets Act (DMA) and Digital Services Act (DSA): While primarily targeting large online platforms (gatekeepers) and content moderation, these acts can indirectly impact cloud providers, especially if they are part of broader digital ecosystems designated as ‘gatekeepers’ (e.g., Google’s cloud services alongside its search and advertising business). The DMA aims to ensure fair and contestable digital markets by imposing specific obligations and prohibitions on gatekeepers, which could influence how cloud services are bundled or offered by integrated tech giants. The DSA focuses on creating a safer online environment, which may require cloud providers to adapt their policies regarding illegal content or user data handling if they are involved in hosting such content.

Collectively, these regulatory frameworks aim to create a cohesive, values-driven digital single market in Europe. They signify a shift from a purely reactive approach to a proactive strategy of shaping the digital future in line with European principles, encouraging a more diverse, secure, and sovereign cloud ecosystem.

Many thanks to our sponsor Panxora who helped us prepare this research report.

6. Policy Recommendations

Addressing the multifaceted challenges posed by the EU’s fragmented cloud policy and the pervasive reliance on non-European providers necessitates a comprehensive, multi-pronged strategic approach. This strategy must integrate robust policy initiatives, targeted investments, and foster widespread collaboration across all levels of governance and industry. The overarching goal is to cultivate a resilient, competitive, and truly sovereign European cloud landscape that safeguards data, promotes innovation, and aligns with the Union’s core values.

6.1. Strengthening Digital Sovereignty through Strategic Investment and Procurement

To effectively diminish the current overreliance on non-European providers, the EU must decisively prioritize the strategic development and maturation of its indigenous digital infrastructure. This involves a sustained commitment to fostering a vibrant European cloud ecosystem:

Targeted Investment in European Cloud Champions: The EU should establish and significantly scale up dedicated investment funds, potentially drawing from NextGenerationEU funds or new public-private partnerships, specifically aimed at bolstering European cloud service providers. This investment should focus on helping European companies achieve economies of scale, accelerate R&D in critical areas (e.g., AI integration, confidential computing, quantum-safe cryptography), and expand their data center footprint and service offerings to compete effectively with global hyperscalers. Support could also extend to niche European providers offering specialized, high-security, or sector-specific cloud solutions.
Strategic Public Procurement Policies: EU member states and European institutions should leverage their collective purchasing power to actively promote European cloud alternatives. This involves implementing ‘cloud-first’ but ‘sovereignty-preferred’ procurement policies that prioritize European providers meeting robust security, data protection, and interoperability standards, particularly for sensitive government data, critical infrastructure, and public sector applications. Framework agreements could be established with European cloud consortia to simplify procurement processes and aggregate demand.
Support for Open-Source Cloud Technologies: Investing in and promoting the development and adoption of open-source cloud technologies (e.g., OpenStack, Kubernetes, open-source AI frameworks) can significantly contribute to technological sovereignty. Open-source solutions offer greater transparency, auditability, and reduce vendor lock-in, enabling European entities to build and customize their cloud environments with greater control and independence. This includes funding open-source projects, fostering communities, and training a workforce proficient in these technologies.
Development of Secure and Interoperable European Cloud Federations: Beyond GAIA-X, the EU should actively support the creation of multiple, interconnected, and secure cloud federations across different sectors and geographies within Europe. These federations should leverage common European technical standards and legal frameworks to ensure seamless data exchange and application portability, fostering a genuinely interconnected digital single market for data and cloud services.
Capacity Building for Data Governance and Compliance: Provide financial and expert support to European businesses, especially SMEs, to enhance their understanding and implementation of data governance best practices and compliance with EU regulations (GDPR, Data Act, AI Act). This could include dedicated training programs, certification schemes for cloud professionals, and accessible legal guidance.

6.2. Enhancing Regulatory Coherence and Implementation Clarity

While the EU has a robust framework of digital regulations, there is a pressing need for greater coherence, clarity, and streamlined implementation to avoid regulatory fragmentation and unintended burdens on businesses:

Consolidate and Harmonize Regulatory Guidance: The European Commission and relevant EU agencies (e.g., ENISA, EDPB) should work to provide clear, consistent, and practical guidance on the interplay between various digital regulations (GDPR, Data Act, AI Act, NIS2, Cybersecurity Act) as they apply to cloud computing. This would help businesses and cloud providers navigate the complex compliance landscape more effectively and reduce legal uncertainty.
Establish ‘Regulatory Sandboxes’ and Innovation Hubs: To foster innovation while ensuring compliance, the EU should establish regulatory sandboxes specifically for cloud-based services and AI applications. These sandboxes would allow companies to test new technologies and business models in a controlled environment, with regulatory oversight and direct feedback, facilitating compliance while accelerating time-to-market for innovative European solutions.
Develop EU-wide Cloud Certification Schemes: Accelerate the development and adoption of robust, transparent, and internationally recognized EU-wide cloud security and data protection certification schemes under the Cybersecurity Act. Such certifications would provide a clear benchmark for trustworthiness, build confidence in European cloud services, and simplify procurement processes for businesses and public bodies. This should be distinct from self-certification and involve independent audit where necessary.
Promote Standardized Contractual Clauses for Cloud Services: The European Commission could develop and promote standardized, GDPR-compliant contractual clauses specifically tailored for cloud computing services, including provisions for data residency, jurisdiction, and sub-processing. This would reduce the burden on individual businesses to negotiate complex contracts and enhance legal certainty across the EU.
Ensure Proportionality and Risk-Based Regulation: Continuously review and adapt regulations to ensure they are proportionate to the risks identified and do not unduly burden innovation, especially for SMEs. The risk-based approach of the AI Act should serve as a model for future regulatory developments, focusing resources where the impact is greatest while allowing flexibility for lower-risk applications.

6.3. Fostering Collaboration and Capacity Building

Effective cloud policy requires broad-based collaboration among EU member states, industry stakeholders, research institutions, and the public sector. Building collective capacity and a shared vision is essential for success:

Strengthen Public-Private Partnerships: Encourage and fund collaborative projects between European cloud providers, large enterprises, SMEs, and research institutions to develop innovative cloud services, test new technologies, and build use cases aligned with European strategic priorities (e.g., smart cities, digital health, green cloud solutions). GAIA-X is a prime example of such a partnership that needs continued robust support.
Invest in Digital Skills and Talent Development: Launch comprehensive EU-wide programs to address the critical shortage of cloud computing, cybersecurity, and AI professionals. This includes investing in vocational training, university curricula reform, reskilling initiatives for the existing workforce, and attracting international talent to Europe. A skilled workforce is the bedrock of digital sovereignty.
Cross-Border Research and Innovation Networks: Fund collaborative research and innovation networks focused on next-generation cloud technologies, distributed ledger technologies, edge computing, and privacy-enhancing technologies. Sharing knowledge and resources across borders can accelerate technological breakthroughs and create a competitive advantage for European cloud innovation.
Establish a European Cloud Competence Centre: Create a centralized EU Cloud Competence Centre (or expand ENISA’s role) to act as a knowledge hub, offering technical expertise, best practice guidance, and support for the implementation of European cloud strategies and regulations across member states. This centre could also facilitate peer learning and address common challenges.
Promote Data Spaces and Interoperable Ecosystems: Actively support the creation and scaling of common European data spaces (e.g., for health, mobility, energy, manufacturing) by providing technical assistance, funding for pilot projects, and promoting the adoption of standardized interfaces and data models. These data spaces, often built on cloud infrastructure, are crucial for unlocking the value of data within a trusted framework.
International Dialogue on Data Governance: Engage proactively in international dialogues and standard-setting bodies (e.g., OECD, UN, G7) to promote European values and approaches to data governance and cloud computing. Advocating for global interoperability of trustworthy data flows, rather than a fragmented digital world, is in Europe’s long-term interest.

By taking decisive and coordinated action across these fronts, the EU can systematically address its cloud policy fragmentation, strengthen its digital sovereignty, and harness the full transformative potential of cloud computing to drive innovation, sustainable economic growth, and technological leadership in the digital era.

Many thanks to our sponsor Panxora who helped us prepare this research report.

7. Conclusion

The European Union’s journey towards a truly sovereign and competitive digital landscape is inextricably linked to its ability to master the complexities of cloud computing. The current reality of a fragmented cloud policy has fostered a profound and problematic reliance on non-European service providers, generating significant economic disadvantages, eroding digital autonomy, and raising fundamental concerns regarding data security and privacy. The risks associated with extraterritorial legal reach, cybersecurity vulnerabilities, and the stifling of indigenous innovation are no longer theoretical; they represent tangible threats to the EU’s economic resilience, national security, and its foundational values in the digital age.

Addressing these multifaceted challenges demands a comprehensive, strategic, and sustained approach. This strategy must be built on three core pillars: firstly, the determined strengthening of Europe’s digital sovereignty through targeted investments in European cloud infrastructure, the strategic leveraging of public procurement, and the active promotion of open-source solutions. Secondly, a concerted effort is required to enhance regulatory coherence, providing clear and consistent guidance across the myriad of impactful EU digital regulations, while simultaneously fostering an environment conducive to innovation through sandboxes and streamlined certification processes. Thirdly, fostering pervasive collaboration among EU member states, industry leaders, research institutions, and civil society is paramount, alongside significant investment in developing the critical digital skills necessary for a truly sovereign and thriving European cloud ecosystem.

Initiatives like GAIA-X represent ambitious steps towards a federated and trusted European data infrastructure, yet their success hinges on overcoming significant hurdles related to coordination, funding, and the formidable competitive landscape dominated by established global hyperscalers. Simultaneously, landmark legislative instruments such as the Data Act and the Artificial Intelligence Act are poised to fundamentally reshape market dynamics by promoting data portability, fostering fair competition, and embedding ethical considerations and fundamental rights into the very design and deployment of AI systems. These regulations, when effectively and proportionately implemented, have the potential to create a distinctive ‘European way’ of digital governance, setting a global standard for trustworthy and human-centric technology.

The strategic imperative for Europe is clear: to transition from being a consumer of digital infrastructure and services primarily dictated by foreign entities to becoming a proactive shaper and provider of a digital future aligned with its own values and strategic interests. By taking decisive, coordinated, and forward-looking action, the European Union can not only mitigate its current dependencies but also unlock the full potential of cloud computing to drive profound innovation, stimulate robust economic growth, and cement its position as a global leader in the responsible and secure development of advanced digital technologies. The future of Europe’s digital autonomy and prosperity rests on its ability to forge a truly sovereign, resilient, and competitive cloud landscape.

Many thanks to our sponsor Panxora who helped us prepare this research report.