Skip to main content

Cloud and AI Development Act: A Rulebook, Not an Industry

Cloud and AI Development Act: A Rulebook, Not an Industry
Photo by Reto Simonet / Unsplash

The EU's Cloud and AI Development Act gives Europe one cloud-sovereignty rulebook at last. But it can't legislate the compute, energy and chips that decide it.

I ended my last post on European cloud sovereignty with a complaint and a prediction. My complaint was that twenty-seven national variants of "sovereign cloud" are a worse outcome than one shared European standard, even a weaker one. Ask and it shall be given you...

Today I got the single standard I had asked for. The Cloud and AI Development Act writes one Union-wide definition of cloud sovereignty into law, which is more than three years of stalled certification fights ever managed. That is real, and I will give it real credit below. But a common rulebook is only the first step. The hard part is execution, and execution is the part you cannot put in a Regulation - or at least not easy. This post is in two parts: first what the Commission actually proposed, neutrally; then what I make of it.

What the Commission actually proposed

On 3 June 2026, under Executive Vice-President Henna Virkkunen, the Commission tabled a four-document Technological Sovereignty Package. Two of the four are binding Regulations; the other two set direction without creating obligations. Here is the package at a glance:

Instrument Type Key points
Cloud and AI Development Act (COM(2026) 502) Regulation (binding) A single EU-wide sovereignty framework with four assurance levels (Art. 16), graded on control over the service and supply chain, where AI-inference data is processed, infrastructure location and cybersecurity. Names the Commission a central purchasing body (Arts. 22, 37–40); makes Member-State sovereignty risk assessments mandatory (Art. 29); creates "frontier AI" projects with access to EuroHPC compute (Arts. 8–9) and data center acceleration zones with faster permitting (Arts. 10–14). Targets a tripling of data center capacity in 5–7 years and sovereign services for critical public workloads by 2035. Binds providers selling to Union entities and public sector bodies; private operators in NIS2 high-criticality sectors start voluntary, with a delegated-act trigger to make assessments mandatory (Art. 31); "Union added value" non-price criteria become mandatory in innovative cloud and AI tenders (Art. 32).
Chips Act 2.0 (COM(2026) 504) Regulation (binding) Repeals and replaces the 2023 Chips Act. Sets up a "Chips for Europe Initiative 2.0" for capacity and R&I; recognizes "European semiconductor technology initiatives" that must be domestic, first-of-a-kind and reduce dependence on non-domestic suppliers (Art. 14), with priority areas including a sub-2nm open foundry, a European memory fab, RISC-V automotive processors and AI accelerators (Annex II); a 12-month permitting ceiling (Art. 21); a supply-chain monitoring platform (Art. 34) and a European Semiconductor Board. Crisis toolbox: priority-rated orders that override existing contracts (Art. 42), a Council-declared crisis stage up to 12 months (Art. 39), fines up to €300,000 plus periodic penalties (Art. 51). Carries no financial envelope of its own; funding routes via the Chips JU and the proposed post-2027 European Competitiveness Fund.
Communication on European Tech Sovereignty + EU Open Source Strategy (COM(2026) 503) Communication (non-binding) Sets the political frame and a working definition of "digital sovereignty" that the binding acts are meant to operationalise. Bundles an EU Open Source Strategy: open standards, support for open-source projects, and adoption inside public administrations to cut lock-in to a few global vendors.
Strategic Roadmap for Digitalisation and AI in Energy (COM(2026) 501) Roadmap (non-binding) Steers AI and digital tools into the energy system: grid optimisation, energy efficiency in buildings and industry, demand-side flexibility, and more sustainable integration of the energy load of data centers. Non-binding direction, delivered through existing energy law.

The Cloud and AI Development Act (CADA) is well reasoned: a Commission estimate that Europe depends on non-EU sources for more than 80% of its key digital products, services, infrastructure and intellectual property, while Amazon, Microsoft and Google hold roughly 65 to 70% of the European cloud market and European providers about 15%.

If you read only one part of this package, read the CADA. Its procurement rules decide how billions of euros of public cloud and AI contracts are awarded across all twenty-seven member states, which is the lever with the most immediate effect on both the US hyperscalers and the European providers hoping to take their place. The Chips Act's crisis powers matter, but they bite only once a shortage is formally declared. The roadmap and the Communication, for all the launch-day fanfare, oblige no one - they are aspirational.

Procurement and chip crisis powers

The binding force in the package sits in two places, and neither is the part that builds anything. The first is procurement, and it is worth being precise about who is bound. The sovereignty framework is relevant for providers that want to sell to Union institutions and public sector bodies, from ministries down to bodies governed by public law; it can sideline the US hyperscalers from the most sensitive of those contracts on grounds of foreign-law exposure and control over the supply chain. Private operators in the sectors NIS2 classes as highly critical, banking, energy and health among them, are not forced in: Article 31 lets them run the same assessments voluntarily, and hands the Commission a delegated-act trigger to make them mandatory later "where duly justified". On top of that, Article 32 obliges contracting authorities to score every innovative cloud and AI tender partly on the bidder's contribution to a European ecosystem, a non-price criterion whose direction of travel is not very subtle.

The second is crisis power, and it lives in the Chips Act 2.0. The new Regulation repeals and replaces the 2023 European Chips Act rather than amending it. It keeps the supply-side ambition but adds a demand-side and emergency toolbox: in a Council-declared crisis stage lasting up to twelve months (Article 39), the Commission can issue priority-rated orders that take precedence over a firm's existing private and public contracts (Article 42), backed by fines of up to 300,000 euros and periodic penalty payments for non-compliance (Article 51). Strategic projects also get a hard permitting ceiling of twelve months (Article 21). Virkkunen called the package "a significant turning point in Europe's approach to technology sovereignty". On the legal instruments, she is right. The question is what the instruments can actually move.

That is what was announced. Here is my perspective.

Credit where it's due, and the trap

Start with the credit, because it is justified. In my post on Germany's BSI C3A I argued that the expensive problem in European cloud policy was not weak sovereignty rules but fragmentation: every member state bolting its own variant onto the EU baseline, so a company with workloads in Germany, France and the Netherlands pays lawyers to map between three semi-compatible schemes. CADA's Article 16 is the first serious attempt to replace that mess with a single Union framework. If you read my last post as a demand for one shared standard, the Commission just tried to supply it. Thanks for that.

The interessting part is what the standard does in practice, and you can see it by reading Annex II. Levels 1 to 3 are built so that the joint-venture wrappers I described last time, Bleu and Delos Cloud running Microsoft Azure under French and German control, S3NS or T-Systems running Google, can qualify: EU establishment, EU-located infrastructure, Union-citizen personnel, data and telemetry residency. Those are exactly the things a well-built Trusted Operator construction delivers. Level 3 even contains an explicit derogation allowing providers under third-country control to be audited for it once the Commission adopts an implementing act.

Level 4 is a different animal: it demands effective control over "the design, development, maintenance and evolution" of the software itself, a complete software bill of materials, and support performed exclusively by Union residents. I do not know the respective contracts but I am speculating that Delos cannot demonstrate control over Azure's evolution, and S3NS cannot demonstrate it over Google's. Level 4 is the one tier the "wrappers" cannot reach, which turns the whole framework into a classification fight: which workloads will be deemed to need Level 4, and who is allowed to decide.

So who could deliver Level 4 today? The empirical shortlist already exists: in the Commission's own cloud tender this spring, the providers that reached SEAL-3 with technology developed in-house were OVHcloud, Scaleway, StackIT, CleverCloud and Post Luxembourg, and you can add Dassault's Outscale, which built its own stack and was among the first through SecNumCloud. Schwarz's StackIT is a credible candidate: German-incorporated, running its own stack out of German and Austrian data centers, BSI C5 attested, with the BSI partnership behind it. The harder question is the software beneath all of them. A strict reading of the effective-control test reaches even open source, because Kubernetes and Linux are governed by foundations established in the United States. I do not think that reading kills open source; the right to fork is the strongest form of control there is, provided you can staff the fork, and organizing exactly that muscle is what the IPCEI-backed NeoNephos initiative under Linux Foundation Europe is for. You do not have to write the stack from scratch. You do have to be able to credibly own its evolution. What Level 4 delivers is infrastructure and a thin platform layer from a handful of mid-sized providers, not the several-hundred-service catalogue an Azure tenant takes for granted; the sovereignty tax I priced in the C3A post applies in full.

And the framework does not retire the national schemes; it leans on them. Its evidence annex requires cybersecurity certification under the EU cloud scheme "to be established" under the 2019 Cybersecurity Act, the EUCS that has been stuck for years, and adds that in its absence "national cybersecurity certification schemes shall apply, where they exist". Read that twice: the binding Union framework's keystone is a certification scheme that does not exist, with C3A and France's SecNumCloud written in as the interim evidence base. The optimistic reading is that the framework becomes the shared layer everyone converges on once EUCS finally lands. The pessimistic reading, and the one my own argument points to, is that it becomes layer twenty-eight, a recognition procedure stacked on top of the national schemes it was supposed to replace. Procurement-grade sovereignty is not the same thing as operational autonomy.

You can't legislate concrete or gigawatts

This is the part that worries me most, and it is the part no Regulation reaches. The package commits Europe to tripling data center capacity and standing up AI gigafactories. A target is not a turbine. Tripling compute runs straight into two walls the legal text cannot move: power and silicon.

Look at what has actually happened on the supply side. Intel cancelled its roughly 30-billion-euro Magdeburg fab in July 2025, and the German subsidy of around 10 billion euros that went with it was never disbursed. Wolfspeed and ZF suspended their 3.2-billion-dollar silicon-carbide plant in Saarland indefinitely; ZF pulled its 170-million-euro stake and a 515-million-euro subsidy package went onto the shelf with the project, killed by weak electric-vehicle demand rather than by any failure of ambition. The first Chips Act's report card makes the pattern hard to dismiss: the European Court of Auditors concluded in June 2025 that the 20% market-share target is very unlikely to be reached, with the Commission's own forecast putting the EU at 11.7% of the global market by 2030, up from 9.8% in 2022. What those commitments have actually produced so far is one TSMC-led fab under construction in Dresden with 5 billion euros of approved German aid, an Infineon power fab next door, and a set of pilot lines.

Don't get me wrong. This is real and useful, but it lands nowhere near the target. A demand-side Chips Act with crisis powers can re-route orders between fabs that exist. It cannot summon fabs that two well-funded attempts just failed to build. And on my reading of the text, it brings no new money of its own: there is no financial grant scheme in the Regulation, the explanatory memorandum points to the over 52 billion euros already committed under the 2023 Act, and fresh support is routed through the existing Chips Joint Undertaking and a proposed post-2027 European Competitiveness Fund that is still being negotiated. The pattern is obligations now, money later, maybe.

And the compute / AI shortage is not abstract: leading-edge TSMC capacity is allocated through 2027 - most certainly longer. The GPU rental market is booked out months ahead, and one analysis tracked H100 rental prices rising 40% in five months. You do not regulate your way out of a physical shortage.

CADA's own building lever makes this very obvious. The data center acceleration zones do not exist yet, and the Regulation names no locations; Member States are to designate at least one zone each within six months of entry into force, judged on grid capacity, clean-energy generation, connectivity and waste-heat reuse. Meanwhile, the pipeline that already exists tells you where the constraint actually sits. The Commission's AI gigafactories initiative drew 76 expressions of interest across 60 sites in 16 member states, more than 230 billion euros of indicative investment and an appetite for at least three million GPUs. The capital is queuing. And yet the formal call has slipped twice, to the second quarter of 2026, dogged by funding questions, in reporting that landed one day before this package was announced. In the meantime Softbank has announced the intent of building 75 billion euros worth of capacity in France - because of the relationship of Emmanuel Macron to Masayoshi Son - not because of EU grants. The demand side of European compute is not the problem.

OB, but here is the optimism: Europe can and should build this. The Schwarz Group, the company behind Lidl, is putting roughly 11 billion euros into a 200-megawatt data center campus in Lübbenau through its StackIT arm, designed for up to 100,000 GPUs and due online around 2027, and it has signed a sovereignty partnership with the BSI to back it. That is a genuine sovereign build at scale. It is private, financed off a retailer's balance sheet, and it happened because a company decided the capability was worth owning, not because a directive told it to. Against the American hyperscalers' build-out, it is still small. The traction that exists in European infrastructure today is coming from balance sheets, not from Brussels.

A fab is not a fab

One more layer of flesh on the bone, because the package's crisis logic depends on it. "Fab" sounds like a generic chip factory, and it is not.

Leading-edge logic foundries, the plants that make 3nm and 2nm CPUs and GPUs, memory fabs turning out DRAM, NAND and the high-bandwidth memory that AI accelerators are starved for, and analog, power and ASIC fabs are three different industrial species. They run different equipment on different processes with different economics, and converting one into another is a matter of years and billions, not of decrees.

I owe my grasp of that distinction to a conversation with a former ams OSRAM technical leader, whose fabs make sensors and application-specific chips that no logic foundry would touch.

If you do a reality check and map Europe's flagship builds and the picture sharpens. ESMC in Dresden is a foundry, the EU's first capable of FinFET at all, and it will make 28/22nm CMOS and 16/12nm FinFET at around 40,000 wafers a month for cars and industry from 2027. Infineon's Smart Power Fab next door is not a foundry at all; it is an integrated manufacturer making its own power and analog chips for charging systems, motor control and data center power supply. This is German automotive.

They produce not a single processor, GPU or byte of memory. Europe has had no DRAM industry since Qimonda went bankrupt in 2009; Samsung, SK Hynix and Micron control 94% of global DRAM revenue, and the high-bandwidth memory that feeds AI accelerators is made almost entirely in Korea. Leading-edge logic below 12nm does not exist on this continent, and Magdeburg was the project that was supposed to change that. From ASIC to 3nm GPU, the spectrum the package implicitly promises is covered at exactly one end.

Now re-read the crisis powers against that taxonomy. A priority-rated order makes a fab "accept and prioritise" orders of crisis-relevant products it already produces; it re-sequences an order book. It cannot make Infineon's power line print GPUs, and it cannot conjure a memory fab by decree. In a rerun of the 2021 automotive chip crunch, when the shortage was exactly the mature-node parts Dresden will make, the lever is real and Europe will be glad to have it. In the scenario the package is actually written against, a cut-off from AI compute, there is no European order book to prioritize.

The Chips Act 2.0 knows this: its Annex II names a sub-2nm open foundry and a European memory fab as priority areas. But priority areas with no financial backing are invitations, not capacity. My assessment, plainly: the crisis powers genuinely help Europe allocate what it already makes, and do nothing for what it does not. They are a sensible tool for the last war.

Which raises the question the annex politely avoids: who would actually build that sub-2nm open foundry? Exactly three companies on earth operate leading-edge logic at that level, TSMC, Samsung and Intel, and not one of them is the domestic undertaking Article 14 requires. Intel has just shown in Magdeburg what its commitment to European leading edge is worth. You might argue that this can change, but now as the United States own a stake in Intel I doubt it.

TSMC could do it, but its first 2nm fab took roughly four years from ground-breaking to volume production, on home soil, with a finished process and reserved lithography slots, while ASML's EUV capacity is booked through 2027 (again, most certainly longer) by the incumbents' own expansion plans. A European new entrant would need to license a process nobody sells, queue years for the machines, and then create yield curves the incumbents took decades to master. Japan's state-backed Rapidus, the one live attempt at exactly this play, was founded in 2022 with an IBM-licensed process and is still unproven. A ten-year horizon for a European open foundry is not pessimism; it is the base case. And the segment Europe is actually building is not safe either: SemiAnalysis' Dylan Patel warned in April 2024 that America, Europe and Japan "will get completely destroyed in 14nm and above nodes" as Chinese mature-node capacity floods exactly the range Dresden will produce. The honest reading of the open-foundry priority area is a placeholder for a future negotiation with a non-domestic giant, on whatever terms that giant can extract value from Europe.

Industrial policy by tender

The third move in the package is to use public procurement as industrial policy: steer billions of euros of government cloud and AI spending toward sovereignty-graded providers, with the Commission as a central buyer. I understand the logic. I am skeptical of the result.

Industrial policy delivered through tender criteria tends to produce protected suppliers rather than competitive industries, because the incentive it creates is to clear the certification bar, not to beat a global rival on price and capability. The US software industry is already on record calling the approach discriminatory and a driver of market fragmentation, which is self-interested but not wrong.

The package was sold partly on the line that Europe wants to be sure nobody holds a "kill switch" over its critical systems. That is a real concern. But a procurement preference does not remove a kill switch if the certified provider is still a wrapper over a foreign stack, and it does raise the bill for every public body that now has fewer compliant options. Forcing buyers toward European labels is not the same as creating something European worth buying.

Scaffolding, not traction

Let me close the loop I opened. I asked for one European standard instead of twenty-seven, and the Commission delivered the standard. That was the easy 20%. The hard 80% is whether anything gets built inside the frame, and on that the package is thin in exactly the places that decide it. It legislates procurement and crisis hard, and it legislates compute, energy and chips softly, with targets and roadmaps where it needs power plants and fabs. The scaffolding is better than the fragmentation it partly replaces. Scaffolding is not a building.

I want to be fair, and I want to be optimistic where the evidence earns it. Europe is not incapable. The implication is that the most valuable thing the package could do is the least glamorous: clear the permitting and the grid connections, get the power to the sites, and back the builders who are already moving, while treating procurement preference as the weakest lever rather than the headline. If a year from now I can point to gigawatts permitted, fabs breaking ground, and European compute actually coming online, I will revise this verdict upward gladly. Until then, the score is not in the legal text. It is in the concrete, and the concrete is not pouring fast enough.

If you are setting your organization's cloud or sovereignty strategy, weighing what to certify against what to actually build, or trying to read this package for your own infrastructure roadmap, I am happy to compare notes, on LinkedIn or by email.

Thinking out loud, by email

Occasional notes on technology, Europe, and whatever else has my attention. No spam — unsubscribe anytime.

Member discussion