EU sovereignty plan accused of helping US cloud giants

Europe's efforts to reduce reliance on US hyperscalers is under fire from many of the local cloud providers it is designed to help.

CISPE (Cloud Infrastructure Service Providers in Europe), a trade association of 38 of the region's cloud providers has issued a withering criticism of the official EU Cloud Sovereignty Framework, saying it is drafted so vaguely it will likely favor incumbents over local operators.

Officials that represent the trading bloc need a clear definition of just what a sovereign cloud is, however, the framework [PDF] from the European Commission muddies the waters by inventing an opaque "sovereignty score" that dilutes meaningful standards.

The result? European cloud providers will likely score lower than foreign hyperscalers – an outcome CISPE suggests may be intentional to help public sector bodies avoid switching from their existing contracts with AWS, Microsoft Azure, and Google Cloud.

"CISPE's concern is that the Framework's criteria are so broad and weighted that they could allow a provider to tick enough boxes to get a high score without really delivering on the spirit of European sovereignty," a spokesperson told The Register.

"More fundamentally, we believe that you are either sovereign or you are not. Customers need a clear indicator. That's not to say that additional technological, legal or other safeguards can't deliver levels of control that are suitable for the cloud use cases customers need, especially those who participate in global supply chains."

CISPE claims it is trying to create tools that are "transparent, workable, and useful in the real world."

In a statement sent to The Register, a spokesperson at the EC said:

"The new Sovereign Cloud tender provides clarity and transparency on what sovereignty means and how it will be measured in public procurement.

"It creates a level playing field where cloud providers on the EU market can demonstrate their sovereignty strengths. It pushes the entire market towards a higher standard and compliance with European values.

"The Cloud Sovereignty Framework is a structured assessment tool to evaluate cloud services against eight sovereignty objectives. These objectives range from strategic, legal, and operational considerations to supply chain transparency, technological openness, security and compliance under EU law, and environmental sustainability. The framework transforms the concept of sovereignty into measurable, verifiable criteria."

AWS, Microsoft, and Google account for around 70 percent of cloud services revenues that are generated in Europe.

Sovereignty for cloud services has risen high up the agenda across the continent this year thanks to the volatile trading and political relationship with the Trump administration, and the realization of just how dependent businesses and governments in Europe are on AWS and Microsoft Azure.

In response, the cloud giants have added extra levels of control. Microsoft announced a five-point plan to reassure EU customers, while Google updated its sovereign cloud services in Europe, and AWS is forming a new EU-based cloud business unit that becomes operational by the end of 2025.

• Google reminds EU that Microsoft's cloudy licensing still stinks a year later
• Datacenter lobby blows a fuse over EU efficiency proposals
• EU cloud gang challenges Broadcom's $61B VMware buy in court
• EU cloud gang wins Microsoft concessions, but fair software licensing group brands them 'stalling tactic'

Despite this, a Microsoft executive admitted under oath in a French Senate inquiry in July that it cannot guarantee data sovereignty to European customers due to the CLOUD Act. The US legislation allows authorities stateside to demand access to any data held by American companies anywhere in the world.

Earlier this month, the European Commission announced a tender under the Cloud III Dynamic Purchasing System (Cloud III DPS) that will allow EU institutions and agencies to procure sovereign cloud services over six years.

Up to four providers are set to be awarded contracts based on the new Cloud Sovereignty Framework between December 2025 and February 2026, it said.

CISPE is working to develop labels that will distinguish Sovereign Cloud and Operationally Resilient Cloud services, something missing from the EU's procurement framework.

The first builds on Gaia-X Level 3 to guarantee immunity from foreign interference and full European control, according to CISPE, while the second offers customers – especially those in global supply chains – verifiable levels of operational and legal control over their data, even outside Europe. ®