Skip to content
You can now search across every topic, entity and event.What's new
Iran Conflict 2026
16MAY

CAIDA leak: US clouds barred from EU public data

3 min read
12:41UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

ConflictDeveloping
Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients 1. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on the Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework . S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April ; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies; Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Deep Analysis
Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?
  • Consequence

    CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.

    Short term · 0.75
  • Risk

    The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.

    Immediate · 0.55
  • Precedent

    The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.

    Short term · 0.7
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks· 17 May 2026
Read original
Causes and effects
This Event
CAIDA leak: US clouds barred from EU public data
The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.
Different Perspectives
Oil market and P&I insurers
Oil market and P&I insurers
Brent cleared $87 intraday only once CENTCOM's blockade became physical rather than declared, even though P&I Clubs had already excluded Hormuz war risk a week earlier on 7 July: capital hedged ahead of enforcement, but prices moved only after it.
UAE reporting
UAE reporting
UAE reporting placed the Omani tanker deaths at one seafarer against the International Maritime Agency's count of two, the first time in this war that a Gulf state's casualty figures have diverged from an international monitor's.
Jordan
Jordan
Iranian strikes reached Jordan again on 14 July as part of the Gulf-wide retaliation for the Hormuz blockade, extending the conflict's geographic footprint to a state with no direct stake in the strait itself.
Bahrain
Bahrain
Bahrain sounded air-raid sirens on 14 July during Iran's Gulf-wide retaliation, the same day CENTCOM's blockade order and fourth night of strikes pushed the conflict's physical reach into the wider Gulf littoral.
Kuwait
Kuwait
Kuwait intercepted Iranian missiles and drones on 14 July as Tehran's blockade retaliation reached Gulf states beyond Iran's immediate shoreline, confirming Kuwaiti airspace now sits inside Iran's retaliatory envelope.
Oman
Oman
Oman absorbed the war's first tanker casualties in its own waters on 14 July, with two supertankers disabled and seafarers killed, putting the sultanate's shipping lanes directly in the path of the blockade fight for the first time.