EU cloud sovereignty efforts criticized for favoring US hyperscalers

CISPE, representing 38 European cloud providers, has criticized the European Commission’s new Cloud Sovereignty Framework, arguing its “sovereignty score” is too vague and risks favoring incumbent US hyperscalers over local operators. The association contends the framework’s broad, weighted criteria could allow providers to achieve high scores without delivering genuine European sovereignty, undermining the policy’s intent to reduce reliance on foreign cloud platforms. CISPE calls for a binary sovereign designation supplemented by measurable safeguards tailored to specific use cases, emphasizing the need for transparent, workable tools for procurement.

The Commission defends the framework as a structured assessment across eight sovereignty objectives, covering strategic, legal, operational, supply chain transparency, technological openness, security and EU compliance, and environmental sustainability. Officials say it will create a level playing field in EU procurement and raise standards across the market. Meanwhile, AWS, Microsoft, and Google hold about 70 percent of cloud revenue in Europe, and each has introduced “sovereign” controls or business units aimed at EU customers, with AWS planning an EU-based unit operational by end-2025.

Notwithstanding these initiatives, data sovereignty remains constrained by the US CLOUD Act, as a Microsoft executive acknowledged in testimony to the French Senate, noting the inability to guarantee full European data control for US-headquartered providers. The Commission’s Cloud III DPS tender, launched this month, will award up to four contracts for sovereign cloud services between December 2025 and February 2026 based on the new framework. CISPE is separately developing labels for Sovereign Cloud and Operationally Resilient Cloud, with the former aligned to Gaia-X Level 3 to ensure immunity from foreign interference and the latter offering verifiable operational and legal controls for global supply chains.

The debate highlights a pivotal procurement and compliance inflection point: whether a multi-factor scoring model can meaningfully secure European sovereignty or whether a clearer, binary sovereign designation coupled with strict verifiability is required. For public buyers, the immediate challenge is aligning contractual terms and technical controls with EU law, Schrems II requirements, and sectoral mandates while accounting for extraterritorial risks. For providers, demonstrating effective control over jurisdictional exposure, support chains, and legal enforceability will be decisive under scrutiny from both regulators and courts.