Skip to content
You can now search across every topic, entity and event.What's new
European Tech Sovereignty
16JUL

CAIDA leak: US clouds barred from EU public data

3 min read
09:32UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

TechnologyDeveloping
Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients 1. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on The Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework . S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April ; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies; Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Deep Analysis
Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?
  • Consequence

    CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.

    Short term · 0.75
  • Risk

    The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.

    Immediate · 0.55
  • Precedent

    The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.

    Short term · 0.7
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks· 17 May 2026
Read original
Causes and effects
This Event
CAIDA leak: US clouds barred from EU public data
The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.
Different Perspectives
Trump administration
Trump administration
Washington defends the MATCH Act as closing a loophole that lets ASML's DUV tools reach Chinese fabs indirectly, dismissing the Dutch Cabinet's June complaint of being treated with disregard. Officials expect the bill's progress through Congress to keep the DUV cross-subsidy question live regardless of ASML's Q2 numbers.
Bruegel
Bruegel
Brussels-based economists argue this week's deliverables, specialist fab aid and a digital euro that restricts no US firm, prove Europe's sovereignty agenda advances only where it meets no American resistance. They expect the leading-edge fabrication gap and dependence on US frontier AI models to persist absent a policy that directly confronts a named US interest.
German federal government
German federal government
Berlin welcomes the €659m tranche funding jobs across North Rhine-Westphalia, Schleswig-Holstein, Hesse and Bavaria, on top of the ESMC Dresden fab already under construction on TSMC-shipped tooling. Officials treat power and analogue capacity as the achievable near-term win while Dresden remains Germany's only bet on leading-edge logic.
House of Commons Science, Innovation and Technology Committee
House of Commons Science, Innovation and Technology Committee
The committee's 7 July report found the UK has "no coherent strategic framework" for sovereign technology and warns it "risks being cut off at whim", citing the June order that barred foreign access to Anthropic's Fable 5 and Mythos 5 as the trigger case. It expects no domestic hyperscaler or foundry response before the gap widens further.
European Commission
European Commission
The Commission cleared €659m in German state aid on 14 July, taking cumulative Chips Act support to roughly €14.2bn, and let the digital-euro mandate reach trilogue after ECON's floor-vote shortcut was overturned. Brussels presents both as sovereignty delivered, without addressing that neither funds leading-edge logic fabrication.
ASML
ASML
ASML raised FY2026 guidance to €43-45bn on 15 July and, for the first time since Q1, dropped the export-control hedge from its release even with the MATCH Act live in Congress. Fouquet frames the order book, 86 systems against 67 in Q1, as strong enough to outrun the DUV dispute rather than evidence it has cooled.