Iran Conflict 2026
11JUN

CAIDA leak: US clouds barred from EU public data

09:17UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

Conflict · Developing
Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients [1]. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on the Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework. S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies: Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?
  • Consequence

    CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.

    Short term · 0.75
  • Risk

    The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.

    Immediate · 0.55
  • Precedent

    The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.

    Short term · 0.7
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks · 17 May 2026
Causes and effects
This Event
The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.
Different Perspectives
Oil markets / Lloyd's underwriters
Futures markets priced CENTCOM's strikes-complete statement as a de-escalation signal and pushed Brent down 1.7 per cent to $94.71, even as the IRGC declared Hormuz closed. Lloyd's war-risk premiums held elevated because institutional de-listing requires a UN Security Council resolution that Russia and China have just shown they will block.
Pakistan (mediator)
Interior minister Mohsin Naqvi carried dual civilian and military letters to Mojtaba Khamenei in Tehran on 6-7 June with no public response. The IRGC's Hormuz closure on 11 June shows the corps is acting independently of the channel Pakistan is using, making the mediation structurally unable to produce a binding commitment without direct IRGC access.
Russia and China
Russia and China voted against GOV/2026/40 at the IAEA Board, following through on the blocking position coordinated with Grossi in Geneva on 5 June; both states continue to oppose Western institutional pressure on Iran at every multilateral venue.
E3 and IAEA (UK, France, Germany)
The E3 co-sponsored IAEA resolution GOV/2026/40, adopted 21-3-10 on 10 June, demanding Iran disclose 440.9 kg of unaccounted HEU and admit inspectors to four denied facilities. The 10 abstentions and Russia-China noes leave any Security Council referral without a viable enforcement path.
IRGC / Iran military command
The corps declared Hormuz closed to all traffic on 11 June and claimed two vessels struck, overriding the MoU its own civilian negotiators were pursuing through Pakistan. The closure order used the Persian Gulf Strait Authority apparatus to convert a toll mechanism into a military prohibition.
Trump administration / CENTCOM
CENTCOM completed a second day of strikes on Tehran, Sirik and Minab, rejected the IRGC Hormuz closure as inconsistent with observed transit, and said strikes were complete. Hegseth framed the bombing explicitly as the negotiation: the method is coercive deal-making with no stated pause threshold.