The European Commission unveiled sweeping regulations Wednesday that will require cloud service providers handling government data to store and process information within the EU's borders, marking the bloc's most assertive move yet to assert digital sovereignty over critical public infrastructure.
The rules, which take effect in eighteen months, apply to any cloud provider seeking to bid on contracts for national, regional, or municipal government workloads across all 27 member states. Providers must demonstrate that data remains within EU jurisdiction and that access by non-EU authorities—including through foreign surveillance laws—can be effectively blocked.
"These measures ensure that sensitive public-sector data remains under European legal jurisdiction," a spokesperson for the Commission said in a briefing. "Member states have made clear that digital sovereignty is not an abstract principle but a practical requirement for protecting citizens' information and maintaining autonomous decision-making capability."
The regulations arrive as European governments have grown increasingly reliant on cloud infrastructure for everything from healthcare records to tax systems, while simultaneously expressing concern about the dominance of US-based providers and the reach of American surveillance laws.
Compliance challenges for US providers
The new framework poses significant operational hurdles for large US-based cloud companies, which have built global businesses on the ability to shift workloads across regions for efficiency and redundancy. The rules require not only that data storage occur within the EU but also that encryption keys, administrative access, and technical support functions remain under the control of EU-based personnel.
A spokesperson for a US technology industry association criticized the measures as protectionist. "These requirements create artificial barriers that will increase costs for European taxpayers while doing little to enhance actual security," the spokesperson said. "Data sovereignty is achievable through strong encryption and contractual safeguards, not through geographic mandates that fragment the internet."
The regulations permit US providers to continue serving EU government clients if they establish legally independent European subsidiaries with autonomous governance structures—a costly and complex undertaking that several companies have already begun exploring.
European providers see opportunity
European cloud companies, which have struggled to compete against better-funded US rivals, welcomed the new rules. An executive at a European industry consortium said the regulations "level the playing field" by ensuring that compliance with European law becomes a competitive advantage rather than a checkbox exercise.
"For years, European providers have invested in local infrastructure and legal compliance, only to lose contracts to global competitors offering lower prices," the executive said. "These rules recognize that sovereignty has value."
Several mid-sized European cloud providers have already reported increased interest from government procurement offices anticipating the new requirements. One company, which operates data centers across six member states, said inquiries from public-sector clients have doubled since draft regulations circulated in recent months.
The Commission emphasized that the rules do not prohibit governments from using non-EU providers for less sensitive workloads, and that private-sector clients remain free to make their own decisions about data location.
Analysts expect the regulations to influence cloud policy debates beyond Europe, as other governments weigh similar sovereignty concerns against the benefits of global cloud scale.
