Brussels is moving to do for digital infrastructure what it did — too late — for energy: reduce a structural dependency before it becomes a crisis. The European Commission on Wednesday unveiled a sweeping tech sovereignty package, setting up what is likely to become a direct clash with Washington over access to European public-sector contracts and the jurisdictional reach of US surveillance law over European data.
Henna Virkkunen, Executive Vice-President for Technological Sovereignty, Security and Democracy, framed the package as a corrective to years of market-led drift. More than four-fifths of EU digital products, services, and intellectual property originates with non-European providers. That proportion, Virkkunen said, can no longer be treated as a natural market outcome — it is a strategic exposure the Commission intends to reduce.
The centrepiece is a Cloud and AI Development Act that, for the first time, introduces a formal sovereignty assessment into public procurement. Member states would be required to evaluate the jurisdictional risks of their digital contracts before signing them. At the most sensitive tier — covering critical government systems — US cloud hyperscalers would be barred outright from competing.
The target is unmistakable: the US CLOUD Act gives American authorities the legal power to compel US companies to hand over data stored anywhere in the world, including on servers physically located in Europe. For years, European regulators flagged this as incompatible with GDPR. The Commission is now trying to turn it into a procurement disqualifier.
The Act creates four sovereignty tiers. Only European providers — or non-European ones that can demonstrate verified data localisation and legal ring-fencing — would qualify for the top two. The practical effect is to close the most valuable government contracts to AWS, Microsoft Azure, and Google Cloud unless they restructure their European operations substantially beyond their current offerings.
Chips Act 2.0 is the second pillar. The original 2023 Chips Act aimed to double Europe's share of global semiconductor production to 20% by 2030 — a target already under strain. The revision goes further: the Commission would gain emergency powers to intervene in chipmakers' commercial decisions during a supply crunch.
Under the new framework, Brussels could override existing contracts and order semiconductor firms to prioritise EU crisis-critical orders. Companies that withhold supply chain information during a shortage would face fines of up to €300,000. A pooled chip procurement mechanism — modelled loosely on the EU's pandemic-era vaccine buying — is included to give smaller member states negotiating power against the major foundries.
The Commission also announced an Open Source Strategy that sets the EU on a longer trajectory toward sovereign digital infrastructure. It ties public funding of open-source software to EU governance standards and targets tripling EU data centre capacity over five to seven years. The ambition is to build an alternative hyperscaler ecosystem rooted in European law — not just European geography.
The timing is deliberate. The package lands as EU-US trade tensions remain elevated following this year's tariff standoff, and as the Commission navigates the inherent tension between asserting strategic autonomy and not triggering a tech trade war. Brussels has watched Washington use its dominant tech companies as instruments of foreign policy — through export controls, surveillance agreements, and sanctions compliance demands — and concluded that durable European institutions cannot be built on infrastructure it does not legally control.
The package is the most explicit Commission move yet to treat digital dependency as a geopolitical risk category. Whether it delivers depends less on Brussels than on member states, whose procurement agencies have spent years integrating US cloud platforms and will face real commercial and diplomatic pressure to keep them. The hardest test will come the first time a government invokes the sovereignty tier to exclude a major American provider — and then has to absorb whatever comes next.
