14JUN

CAIDA leak: US clouds barred from EU public data

3 min read

11:42UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

← Back to US drops red line; signature still slips Jump to analysis ↓

ConflictDeveloping

Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients ¹. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on the Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework . S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April ; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies; Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Deep Analysis

Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?

Consequence
CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.
Short term · 0.75
Risk
The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.
Immediate · 0.55
Precedent
The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.
Short term · 0.7

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Australia's Protective Security Policy Framework (PSPF), first applied in 2016 and progressively tightened through 2022, restricted US and Chinese cloud providers from Australian government classified data in a series of incremental steps rather than a single comprehensive law.

The phased approach allowed Canberra to test sovereign-cloud supply before mandating it, and the public-sector restriction did not extend to private enterprise. CAIDA's public-sector-only scope mirrors this sequencing logic almost exactly.

Counter-parallel: India's Draft Data Centre Policy of 2020 attempted a public-plus-private restriction on data localisation and was withdrawn after US and EU trade pressure within 18 months, demonstrating that a broader scope triggers faster and more effective trade-policy retaliation than a narrowly scoped public-sector restriction.

The €7bn annual EU public-sector cloud market affected by CAIDA's restriction is split roughly one-third each among Microsoft Azure, Amazon Web Services, and Google Cloud, giving each provider roughly €2.3bn of at-risk EU public revenue. That figure represents less than 2 per cent of each hyperscaler's global revenue but is strategically significant as a reference customer class that anchors enterprise sales cycles.

The European sovereign-cloud market is forecast to triple from $7bn in 2025 to $23bn by 2027 . Scaleway, OVHcloud, and StackIT are the primary direct beneficiaries of public-sector contract reallocation. The S3NS-Thales-Google joint venture sits at SEAL-2 in the existing sovereign framework , and CAIDA's final text will determine whether SEAL-2 qualifies as compliant or falls below the threshold.

Consensus view: The European Centre for International Political Economy (ECIPE) and Open Forum Europe both assess that limiting CAIDA to public-sector data is a deliberate political compromise designed to pass the College of Commissioners vote: a private-sector restriction would have drawn a formal US Section 301 counter-designation and potentially killed the package before adoption.

Counter-view: The China Academy of Information and Communications Technology (CAICT) argues the public-sector scope is not a compromise but a strategic sequencing decision: Brussels intends to demonstrate enforcement effectiveness in the public sector before extending restrictions to private enterprise in a future legislative cycle, following the DMA model of successive platform expansions.

Key tension: Whether the public-sector-only scope is a stable settlement that satisfies European sovereign-cloud ambitions, or an unstable halfway position that satisfies neither US cloud providers (who still face a procurement ban) nor European sovereignty advocates (who wanted enterprise coverage).

First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks· 17 May 2026

Read original →

Causes and effects

This Event

CAIDA leak: US clouds barred from EU public data

The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.

Led to

Brussels adopts CADA, narrows its scope

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Qatar (mediator)

Qatari negotiators flew to Tehran on Sunday morning to close remaining gaps between the parties, operating as the primary shuttle channel. Qatar's role is to bridge the civilian-track gap the IRGC veto has left.

IAEA / Rafael Grossi

Grossi replied to Araghchi's 13 June protection-of-materials letter the same day, citing Iran's NPT Safeguards Agreement obligation to declare any nuclear material transfer. With 97 days of lost inspector access and approximately 240 kg unaccounted, Grossi has treaty text and no inspectors on the ground to enforce it.

United Arab Emirates

The UAE state oil company assessed full Hormuz flows will not resume until 2027 even with a fast deal, citing demining, inspection, and insurance timelines. The UAE ambassador to Washington said a simple ceasefire is not enough.

Islamic Revolutionary Guard Corps (IRGC)

The IRGC ran naval exercises in Hormuz during Geneva talks and its political deputy declared Iran was negotiating from a position of strength. The corps has not endorsed the MoU; by amplifying Mashhad protests through Fars, it is framing any deal as conditions it imposed rather than a concession it accepted.

Iran Foreign Ministry / Araghchi

Araghchi's dilute-in-Iran red line was met by the US concession, but his foreign ministry spokesman said Tehran had not taken a final decision and a signing might come in days, not Sunday. Araghchi separately wrote to the IAEA pledging to protect nuclear materials as dilution negotiations advanced.

White House / US negotiating team

Washington accepted dilution inside Iran rather than ship-out, its first substantive material concession in 106 days, the New York Times reported. With the White House register blank and the ceremony slipped a third weekend, the administration has moved its negotiating position without yet producing a document.