28APR

CAIDA leak: US clouds barred from EU public data

3 min read

09:13UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

← Back to Iran writes Phase 1; Washington still has no pen Jump to analysis ↓

ConflictDeveloping

Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients ¹. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on the Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework . S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April ; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies; Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Deep Analysis

Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?

Consequence
CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.
Short term · 0.75
Risk
The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.
Immediate · 0.55
Precedent
The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.
Short term · 0.7

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Australia's Protective Security Policy Framework (PSPF), first applied in 2016 and progressively tightened through 2022, restricted US and Chinese cloud providers from Australian government classified data in a series of incremental steps rather than a single comprehensive law.

The phased approach allowed Canberra to test sovereign-cloud supply before mandating it, and the public-sector restriction did not extend to private enterprise. CAIDA's public-sector-only scope mirrors this sequencing logic almost exactly.

Counter-parallel: India's Draft Data Centre Policy of 2020 attempted a public-plus-private restriction on data localisation and was withdrawn after US and EU trade pressure within 18 months, demonstrating that a broader scope triggers faster and more effective trade-policy retaliation than a narrowly scoped public-sector restriction.

The €7bn annual EU public-sector cloud market affected by CAIDA's restriction is split roughly one-third each among Microsoft Azure, Amazon Web Services, and Google Cloud, giving each provider roughly €2.3bn of at-risk EU public revenue. That figure represents less than 2 per cent of each hyperscaler's global revenue but is strategically significant as a reference customer class that anchors enterprise sales cycles.

The European sovereign-cloud market is forecast to triple from $7bn in 2025 to $23bn by 2027 . Scaleway, OVHcloud, and StackIT are the primary direct beneficiaries of public-sector contract reallocation. The S3NS-Thales-Google joint venture sits at SEAL-2 in the existing sovereign framework , and CAIDA's final text will determine whether SEAL-2 qualifies as compliant or falls below the threshold.

Consensus view: The European Centre for International Political Economy (ECIPE) and Open Forum Europe both assess that limiting CAIDA to public-sector data is a deliberate political compromise designed to pass the College of Commissioners vote: a private-sector restriction would have drawn a formal US Section 301 counter-designation and potentially killed the package before adoption.

Counter-view: The China Academy of Information and Communications Technology (CAICT) argues the public-sector scope is not a compromise but a strategic sequencing decision: Brussels intends to demonstrate enforcement effectiveness in the public sector before extending restrictions to private enterprise in a future legislative cycle, following the DMA model of successive platform expansions.

Key tension: Whether the public-sector-only scope is a stable settlement that satisfies European sovereign-cloud ambitions, or an unstable halfway position that satisfies neither US cloud providers (who still face a procurement ban) nor European sovereignty advocates (who wanted enterprise coverage).

First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks· 17 May 2026

Read original →

Causes and effects

This Event

CAIDA leak: US clouds barred from EU public data

The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.

Led to

Brussels adopts CADA, narrows its scope

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Oil markets / Lloyd's of London

Brent fell to near $87.33 on 80 per cent deal-probability pricing, but Lloyd's has not de-listed Hormuz from its war-risk register and shipping diversions continue at 139 vessels. Insurance markets are lagging futures: physical risk remains while financial markets have spent the good news before the paper exists.

India

Modi is expected to raise the deaths of three Indian sailors in the 11 June CENTCOM strike on the MT Settebello with Trump at G7 sidelines, the first non-party leader to put the blockade's human cost into a formal bilateral. New Delhi is also a major Iranian oil buyer whose import volumes the sanctions-relief terms will govern.

Israel (Netanyahu)

Netanyahu stated Israel is not party to the deal on 12 June; Defence Minister Katz ruled out the Lebanon withdrawal Iran's draft demands, inserting a third blocker the US-Iran negotiating channel cannot resolve. Israel's position tethers Hormuz reopening to a Lebanon settlement Washington has not brokered.

Pakistan (mediator, Sharif/Naqvi)

Sharif declared a final agreed text on 12 June before either principal confirmed it, running two Tehran visits in under a week without securing a written IRGC or Khamenei response. Islamabad's incentive to claim a diplomatic win outpaces its standing to deliver either capital's signature.

Iran foreign ministry (Araghchi)

Araghchi declared digital signing within days while setting dilute-in-Iran as a non-negotiable red line on the 440.9 kg HEU stockpile, a standing Tehran position he cannot override without authorisation from Khamenei, reachable only by courier. The FM track is sprinting to close before the IRGC reasserts control.

Trump administration / CENTCOM

Vance called the deal still TBD on 12 June while CENTCOM downed Iranian drones over Hormuz for a second consecutive night and the White House register stayed blank. Washington holds the ship-out position on HEU and has not signed an Iran instrument in over 100 days of conflict.