The EU Cloud and AI Act: What Organisations Need to Know.

Tech Sovereignty in Practice: Understanding the EU Cloud and AI Development Act

On 3 June 2026, the European Commission published its proposal for the Cloud and AI Development Act, a significant new regulatory framework that sits at the heart of the EU’s broader Tech Sovereignty Package. 

The proposal is a direct response to two concerns the Commission has been signalling for some time: a structural shortage of data centre capacity in Europe, and a growing dependency on a small number of non-EU cloud providers. EU-based cloud providers now hold around 15% of the European market, down from approximately 29% in 2017. The Commission has decided the moment for structural intervention has arrived.

The Cloud Sovereignty Framework

The most consequential element of the proposal is a cloud sovereignty framework built around four assurance levels. All cloud providers serving the public sector will need to meet at least Level 1, which requires infrastructure, assets, and customer data to be located within the EU. 

Higher levels impose progressively stricter requirements: EU-based personnel and operations, full compliance with EU cybersecurity certification, and at the highest level, complete EU ownership and control of the provider with no derogation available for third-country relationships. For large non-EU cloud providers, this framework represents a material shift in what operating in European public sector markets will require.

What This Means for Organisations Operating in Europe

Beyond public sector entities, the Act also affects private sector organisations designated as essential entities under the EU’s NIS2 Directive, who may be required to conduct their own risk assessments on cloud providers. Procurement rules will require public authorities to consider EU-added-value criteria when selecting cloud services. 

For organisations currently relying on non-EU providers for sensitive or regulated workloads, the Act introduces both near-term compliance questions and longer-term strategic choices about cloud architecture and vendor relationships. The legislative process has some way to run, but the direction of travel is clearly established.

Our View

The EU’s Cloud and AI Development Act reflects a deliberate and long-building policy decision to reduce strategic technology dependency. For organisations operating across European markets, the compliance implications are real, but so is the opportunity: those that understand the framework early and build cloud and AI strategies that are aligned with it will be better positioned than those who wait for clarity before acting. The sovereignty agenda is not going away, and cloud strategy in Europe will increasingly need to account for it.

Our Solutions

CF Digital helps organisations navigate complex technology environments, including evolving regulatory landscapes. Our cloud strategy, cybersecurity, and AI advisory capabilities are designed to help clients assess their current exposure, evaluate strategic options, and build the technical and governance architecture needed to operate effectively in regulated markets.

Learn more at digital-cf.com/services

Connect With Us

Keep up to date with the latest news and developments by following us on LinkedIn
Follow Us

WHO WE ARE

A group of companies focussed on people and technology solutions

DISCOVER MORE

WHAT WE DO

Talent solutions, with local know-how and global outreach

DIVE DEEPER

OUR PORTFOLIO

Leading businesses, servicing clients across the globe

OUR EXPERTISE