EU Plans New Rules for Foreign Cloud Providers Handling Sensitive Data

The European Commission is preparing a Tech Sovereignty Package to be presented on 27 May, signaling a firmer approach to how public-sector data is handled within the European Union. Central to the discussions is the idea of limiting the use of non-EU cloud providers for processing sensitive government data, as part of broader efforts to strengthen Europe’s digital autonomy.

According to officials involved in the talks, the focus is on defining categories of public-sector data that would require hosting on European cloud infrastructure. Financial, judicial, and health data are among the areas under consideration. While U.S. and other third-country cloud providers would not be excluded from public contracts altogether, their ability to process high-sensitivity data could be restricted depending on the risk profile involved.

The proposals reflect growing concerns over Europe’s reliance on U.S. cloud providers, particularly in light of the U.S. Cloud Act, which allows American authorities to request data from U.S.-based companies regardless of where the data is stored. Recent political tensions have intensified calls within the EU to reduce strategic dependencies in critical digital infrastructure.

The Tech Sovereignty Package is expected to include the Cloud and AI Development Act and Chips Act 2.0, both aimed at fostering European alternatives. In parallel, the Commission has already taken practical steps, including awarding €180 million in contracts to European sovereign cloud projects. Once unveiled, the package will require approval from all 27 member states, marking a significant test of the EU’s ambition to assert greater control over its digital future.