Summary

• Draft EU cloud rules would add sovereignty and non-price tests to sensitive public-sector tenders.
• Amazon, Microsoft, and Google could face weaker access to strategic contracts in sectors such as health, energy, and banking.
• The proposal would turn cloud procurement into a policy tool for resilience, competition, and digital sovereignty.

The European Commission is preparing cloud procurement rules that could make it harder for Amazon, Microsoft, and Google to win the most sensitive public-sector technology contracts in Europe.

Draft provisions under the forthcoming Cloud and AI Development Act would introduce stricter sovereignty criteria for highly critical public tenders. The rules are expected to apply to strategically important cloud computing projects, especially in sectors such as banking, energy, healthcare, and government.

Rather than treating cloud buying as a straightforward contest over price, functionality, and delivery capacity, the proposal would require public buyers to consider a wider set of non-price criteria. Those could include data protection, exposure to control by third countries, the openness of cloud markets outside the EU, and the use of European-developed software and hardware.

The Commission’s wider cloud computing policy already sets out plans for a Cloud and AI Development Act intended to expand European data centre capacity and support the cloud and AI needs of businesses and public administrations by 2035. Procurement rules would give that industrial policy a sharper operational edge, especially where public bodies are buying services that underpin critical national systems.

US hyperscalers would not be shut out of Europe altogether. Amazon, Microsoft, and Google remain deeply embedded in European enterprise and public-sector technology estates, and each has developed sovereign cloud offers, local partnerships, or region-specific controls to address European concerns. The commercial risk lies in a narrower but more valuable class of work where foreign control, legal jurisdiction, and strategic dependence become formal procurement disadvantages.

Cloud infrastructure now sits beneath tax systems, hospitals, energy platforms, police databases, education services, financial systems, and national administration. Once those services move into external cloud environments, governments have to assess more than uptime and security certifications. They need to understand who controls the provider, what foreign legal obligations may apply, how support chains are structured, and whether the public body can move workloads if policy, pricing, or geopolitical conditions change.

European suppliers will not win those workloads by nationality alone. Public buyers still need reliable platforms, strong security tooling, migration support, developer ecosystems, data services, and credible resilience arrangements. A sovereignty test that rewards weak providers would raise costs without strengthening Europe’s position. A procurement regime that ignores supplier dependence entirely would leave critical public services exposed to concentration risks that are now difficult to dismiss.

The proposal would also influence regulated private markets. Cloud decisions made by governments often shape the risk appetite of banks, utilities, healthcare providers, insurers, and critical infrastructure operators. If EU institutions turn sovereignty into a formal buying requirement, boards and technology teams in sensitive sectors are likely to revisit cloud concentration, exit planning, supplier governance, and data residency.

A more centralised procurement role for Brussels could further increase pressure on the hyperscalers. If EU institutions and member states coordinate purchases of cloud, software, data centre, and AI services, the Commission would gain more leverage over market structure. That would also create a difficult delivery burden, because complex technology buying does not become simpler when it is pulled into a larger political machine.

The proposal still needs backing from EU countries and the European Parliament, and its final form may change. Even so, the direction is clear. Europe is moving beyond after-the-fact regulation of dominant technology companies and towards using procurement, infrastructure policy, and industrial strategy to shape who builds the next layer of the digital economy.