Brussels put a date on cloud sovereignty
The Cloud and AI Development Act, the regulation the European Commission unveiled in June, is set for publication in the Official Journal on 15 July 2026 and enters into force on 4 August. It is the first EU-wide framework that tells government authorities in sensitive sectors, defence, justice, law enforcement and critical infrastructure, how to weigh who controls their cloud before they buy it.
The reason is a market fact. Three US providers, Microsoft, Amazon Web Services and Google, hold more than 70 percent of Europe's cloud market, while European providers sit near 15 percent. For years the sovereignty debate ran on voluntary labels and scoring rubrics. This is the point where it becomes a dated law with a procurement obligation attached.
Four levels, and where the money actually lands
The Act sets four assurance levels. Level 1 requires data hosted on EU servers and a guarantee that no law compels the provider to disclose software vulnerabilities to a third country. Level 2 adds that no foreign state can reach the data or trip a kill switch. Level 3 requires the provider to be free of third-country control, down to personnel. Level 4 demands components and products free of any foreign interference and the highest cybersecurity certification.
The distribution is the part most headlines miss. The Commission expects around 70 percent of contracts to land at Level 1, roughly 20 percent at Level 2, under 10 percent at Level 3, and about 1 percent at Level 4. In other words, most public cloud in Europe still admits the hyperscalers. The law does not evict them; it grades them, and it reserves the strict tiers for the small share of workloads where control is non-negotiable.
The escape hatches were written in on purpose
Two derogations soften the impact by design. Article 30 permits an exception where no adequate or reasonable alternative service exists, echoing the 2023 case in which France concluded only Microsoft could run its Health Data Hub. Article 18 opens a pathway for providers from associated third countries covered by an EU adequacy decision, a door that could in principle include the United States, though the anti-kill-switch requirements may still disqualify them.
That structure tells you how to read the near-term. A European buyer is not required to rip out AWS or Azure this year. The immediate work is classification: mapping each contract to a level, documenting why, and defending the choice. The sovereignty question moves from a slogan to a line item on a procurement file, which is a smaller change than the rhetoric suggests and a more durable one.
The real lever is concrete, not law
The Act's harder ambition is physical. It targets at least tripling the EU's data-centre capacity within five to seven years, and it tries to clear the path with faster permitting and better access to energy, land, water and financing. Its three pillars, research, capacity and autonomy, put buildout on equal footing with the rulebook, because sovereignty you cannot host is a paper claim.
The timeline confirms where the teeth are. The regulation takes force on 4 August 2026, but the first tier of sovereignty requirements applies from February 2028 and the highest tier becomes mandatory by August 2029. The compliance clock and the construction clock run together, and the providers with EU-controlled capacity on the ground in 2028 are the ones the strict tiers were written to favour.
What an owner does before August
The practical move is a cloud inventory read through the four levels: which workloads could a foreign order disrupt, which sit in sensitive sectors, and which would fail a Level 3 test today. Firms that sell cloud or software to European public bodies face the mirror of that question, because their buyers will soon ask for a level, not a logo. The transatlantic conflict is real: a provider caught between a US CLOUD Act request and a CADA assurance faces an impossible choice, and that risk now belongs in vendor reviews.
It is worth keeping the ceiling honest. As the legal analyst Kenneth Propp notes, the EU has tried sovereignty instruments before, from a blocking statute to the Data Act, with limited practical bite, and CADA's very existence reads as a symptom of low transatlantic trust rather than a cure. The law does not switch off the US clouds this year. It puts a dated, graded price on staying dependent, and the owners who map that price now will not be the ones scrambling in 2028.
Read next: A New Gate On Your Cloud Contracts | PEGI Now Age Rates Your Business Model



