
CAIDA leak: US clouds barred from EU public data

11:25UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

Key takeaway

CAIDA as leaked is a public-sector procurement rule; the part of the cloud market it covers is the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on the Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework. S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies: Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?
  • Consequence

    CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.

    Short term · 0.75
  • Risk

    The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.

    Immediate · 0.55
  • Precedent

    The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.

    Short term · 0.7
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks · 17 May 2026
Causes and effects
The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.