The European Union has taken a firm step toward technological autonomy with the publication of an ambitious package of measures aimed at reducing dependence on US and Chinese providers in critical areas such as artificial intelligence, cloud computing, and semiconductors. Although the proposals do not completely ban US cloud giants, they establish significant restrictions on public procurement for sensitive workloads, marking a before and after in the bloc's digital strategy.

Henna Virkkunen, Executive Vice President for Technological Sovereignty, Security and Democracy, stated: “Technological sovereignty does not mean protectionism. Europe remains committed to openness, collaboration and fair competition. At the same time, Europe wants to be in a position to make its own decisions, avoiding dependence on single dominant providers, especially from countries that do not share our values.”

The package, called European Technological Sovereignty, includes two key legislative proposals: the Cloud and AI Development Act (CAIDA) and the Chips Act 2.0, along with an Open Source Strategy and a Strategic Roadmap for Digitalization and AI in the energy sector. These initiatives come amid growing transatlantic tensions and concerns about the possibility of a “kill switch” that could disrupt digital services, as well as fears that US providers might share data with their government under laws like the Cloud Act or FISA, even when data centers are on European soil.

CAIDA: Four Levels of Cloud Sovereignty

The Cloud and AI Development Act (CAIDA) aims to triple data center capacity over the next five to seven years by easing deployment restrictions. But its most disruptive aspect is the sovereignty criteria it would impose on European public bodies when contracting cloud services for sensitive workloads.

CAIDA establishes four levels of criteria for providers. The basic level requires that the data center infrastructure be located and operated within the region, something many US providers already meet. Higher levels incorporate stricter requirements on provider ownership, full software stack control, and advanced cybersecurity certifications. According to Commission estimates, 70% of European public sector workloads fall into level 1, 20% into level 2, 9% into level 3, and only 1% (the most sensitive) would require level 4.

This gradual approach allows public administrations to continue using providers like AWS, Azure, or Google Cloud for most of their operations, but reserves the most critical contracts for providers meeting the highest sovereignty standards. For European tech companies, this opens a window of opportunity, especially in the segment of implementing generative AI in workflows, where data sovereignty is a differentiating factor.

Chips Act 2.0 and the Boost to European Semiconductors

The Chips Act 2.0 is the continuation of the 2023 legislation and aims to strengthen semiconductor production capacity in Europe. This updated version not only maintains the goal of doubling Europe's chip market share but also adds a focus on research and stimulating demand for processors manufactured in the EU. The measure is key to reducing dependence on Taiwan and the US for a component essential to AI and cloud computing.

The success of this initiative will depend on Europe's ability to attract investment and talent. Companies like Nvidia, with its Nemotron 3 Ultra model, are already setting the pace for enterprise AI, but the EU wants the chips powering these systems to also be designed and manufactured in Europe. The combination of CAIDA and Chips 2.0 could create an ecosystem where data and hardware remain under European control.

Implications for Businesses and IT Professionals

For IT managers in European companies, this legislative package implies a review of cloud procurement strategies. Although the measures focus on the public sector, it is likely that the private sector will also adopt similar criteria to align with sovereignty trends. Meta's bet on contextual AI and the development of enterprise agents based on large volumes of data reinforce the need for infrastructures that guarantee privacy and regulatory compliance.

Additionally, security remains a priority. The advanced cybersecurity certifications required at the higher levels of CAIDA will force providers to raise their standards, benefiting all organizations using these services. For security teams, this translates into the need to drastically improve enterprise security alert tuning to combat cyberattacks in an increasingly regulated multicloud environment.

The Path to Adoption

The legislative proposals must be negotiated by the European Parliament and the Council of the European Union before adoption, a process that could take months or even years. However, the direction is clear: Europe wants to be a sovereign technological player, not just a market for foreign products. Meanwhile, companies must prepare for a scenario where the origin of data and infrastructure will be a key competitive factor.

In Virkkunen's words, “Europe wants to be in a position to make its own decisions.” And with this package, it takes the first steps to achieve that, although the path is full of challenges, such as those already faced by VMware under Broadcom, where the provider consolidation strategy may clash with new sovereignty requirements.

Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.