1MAR

CAIDA leak: US clouds barred from EU public data

3 min read

19:00UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

← Back to Pentagon produced no evidence for Iran war Jump to analysis ↓

ConflictDeveloping

Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients ¹. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on the Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework . S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April ; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies; Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Deep Analysis

Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?

Consequence
CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.
Short term · 0.75
Risk
The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.
Immediate · 0.55
Precedent
The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.
Short term · 0.7

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Australia's Protective Security Policy Framework (PSPF), first applied in 2016 and progressively tightened through 2022, restricted US and Chinese cloud providers from Australian government classified data in a series of incremental steps rather than a single comprehensive law.

The phased approach allowed Canberra to test sovereign-cloud supply before mandating it, and the public-sector restriction did not extend to private enterprise. CAIDA's public-sector-only scope mirrors this sequencing logic almost exactly.

Counter-parallel: India's Draft Data Centre Policy of 2020 attempted a public-plus-private restriction on data localisation and was withdrawn after US and EU trade pressure within 18 months, demonstrating that a broader scope triggers faster and more effective trade-policy retaliation than a narrowly scoped public-sector restriction.

The €7bn annual EU public-sector cloud market affected by CAIDA's restriction is split roughly one-third each among Microsoft Azure, Amazon Web Services, and Google Cloud, giving each provider roughly €2.3bn of at-risk EU public revenue. That figure represents less than 2 per cent of each hyperscaler's global revenue but is strategically significant as a reference customer class that anchors enterprise sales cycles.

The European sovereign-cloud market is forecast to triple from $7bn in 2025 to $23bn by 2027 . Scaleway, OVHcloud, and StackIT are the primary direct beneficiaries of public-sector contract reallocation. The S3NS-Thales-Google joint venture sits at SEAL-2 in the existing sovereign framework , and CAIDA's final text will determine whether SEAL-2 qualifies as compliant or falls below the threshold.

Consensus view: The European Centre for International Political Economy (ECIPE) and Open Forum Europe both assess that limiting CAIDA to public-sector data is a deliberate political compromise designed to pass the College of Commissioners vote: a private-sector restriction would have drawn a formal US Section 301 counter-designation and potentially killed the package before adoption.

Counter-view: The China Academy of Information and Communications Technology (CAICT) argues the public-sector scope is not a compromise but a strategic sequencing decision: Brussels intends to demonstrate enforcement effectiveness in the public sector before extending restrictions to private enterprise in a future legislative cycle, following the DMA model of successive platform expansions.

Key tension: Whether the public-sector-only scope is a stable settlement that satisfies European sovereign-cloud ambitions, or an unstable halfway position that satisfies neither US cloud providers (who still face a procurement ban) nor European sovereignty advocates (who wanted enterprise coverage).

First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks· 17 May 2026

Read original →

Causes and effects

This Event

CAIDA leak: US clouds barred from EU public data

The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.

Led to

Brussels adopts CADA, narrows its scope

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Markets

Brent crude rose 2.2 per cent to $96.34 on 10 June, reversing a 7 per cent weekly decline built on deal optimism, as the overnight exchange repriced the Strait of Hormuz risk premium in a single session. The move reflects transit-risk repricing rather than supply shock: Iran's exports had already collapsed to below 300,000 barrels per day.

Pakistan

Pakistan's Naqvi channel, the only mediation track carrying both civilian and military buy-in, was stress-tested by live ordnance within 48 hours of the 6-7 June Tehran visit. Whether Washington informed Islamabad of the imminent strike plan while Naqvi was in Tehran remains undisclosed, putting the channel's neutrality under scrutiny.

Kuwait

Kuwait hosted the third Iranian strike on its soil since the 3 June airport drone attack, with Ali Al Salem airbase targeted in the three-country salvo. Its recent $1.98 billion Anduril Anvil counter-drone purchase signals it is rearming rather than reconsidering its hosting posture.

Bahrain

Bahrain absorbed the IRGC barrage via PAC-3 intercepts with its magazine already at 87 per cent depletion and no resupply before 2027. Sounding air-raid sirens over Manama, it faced the intercept burden with the thinnest defensive stack in the Gulf coalition.

Jordan

Jordan reported all five incoming missiles intercepted with no injuries and no damage, a clean defensive performance that strengthens Amman's case for staying in the Western coalition without escalating its own posture. It now sits on Iran's target list for the first time despite not being a party to the Abraham Accords confrontation.

Iran / IRGC

Foreign Minister Araghchi posted on X that US forces should 'leave our region if you want to be safe' and framed the exchange as a US defeat, while the IRGC claimed 21 targets hit and an F-35 hangar destroyed. The claims serve a domestic and Arab-audience framing rather than a verified battle-damage assessment.