Skip to content
You can now search across every topic, entity and event.What's new
Russia-Ukraine War 2026
13JUL

CAIDA leak: US clouds barred from EU public data

3 min read
10:28UTC

CNBC reported on Thursday 7 May 2026, and gHacks confirmed on Tuesday 12 May, that CAIDA's leaked scope bars Microsoft, AWS and Google Cloud from processing financial, judicial and health data on behalf of EU public-sector clients. Private-sector procurement is excluded entirely.

ConflictDeveloping
Key takeaway

CAIDA as leaked is a public-sector procurement rule; the enterprise cloud market it covers represents the smaller share.

CNBC reported on Thursday 7 May 2026, and Germany's gHacks confirmed on Tuesday 12 May, that the Cloud and AI Development Act's leaked scope will bar US cloud providers from processing financial, judicial and health data on behalf of European Union public-sector clients 1. CNBC's reporting names three targeted hyperscalers: Microsoft, Amazon Web Services (AWS) and Google Cloud. The leaked outline excludes private-sector procurement entirely.

The public-sector-only scope means roughly 70 per cent of EU cloud revenue, the enterprise market the three hyperscalers dominate, sits outside the restriction. Ministries, regulators and other public-sector buyers face the procurement floor; enterprises remain free to keep AWS, Azure and Google Cloud. The shape of CAIDA as leaked is therefore a contracting rule for the slice of the market Brussels directly controls, not a competition rule that reshapes the European cloud market at large.

The leaked outline does not address the status of S3NS, the Thales-Google joint venture rated at the second tier on The Commission's Sovereignty European Assurance Level scale (SEAL-2), which sits inside the Commission's existing €180m sovereign-cloud framework . S3NS's continued eligibility under CAIDA is the file's most-watched detail at adoption. CISPE (the Cloud Infrastructure Services Providers in Europe trade body) shipped a rival pass-fail badge in April ; whether CAIDA inherits the multi-tier SEAL approach, adopts the CISPE binary, or introduces a third framework will signal whether Brussels is repeating its own April compromise or correcting for it. Neither the CAIDA text nor a leaked draft has been published; the scope is sourced from Commission officials speaking to CNBC, not from a circulated document.

Deep Analysis

In plain English

Imagine the EU government saying: 'US companies can no longer store our courts' records, hospitals' patient data, or tax information on their servers.' That is roughly what CAIDA does, but only for government agencies, not private companies. For context, about 70 per cent of cloud services used in Europe are supplied by three US companies; Microsoft, Amazon, and Google. CAIDA affects only the government slice of that market. European cloud providers like Scaleway and OVHcloud stand to win public-sector contracts when governments switch suppliers.

Deep Analysis
Root Causes

The public-sector-only scope reflects a structural constraint in EU trade law: the EU-US Trade and Technology Council framework, reaffirmed in 2025, contains a mutual commitment against 'unjustified' digital trade barriers. A restriction on private enterprise cloud services would fall directly within the USTR Section 301 criteria that triggered a parallel investigation into French digital services taxes in 2020, and Commission legal advisers would have flagged that risk as deal-breaking.

A secondary driver is the GAIA-X governance failure: the GAIA-X project, designed to provide a European multi-cloud framework applicable to both public and private sectors, produced a certification hierarchy without a private-sector mandate attached. CAIDA fills the public-sector gap that GAIA-X's voluntary model could not close.

What could happen next?
  • Consequence

    CAIDA adoption forces EU member states to develop European cloud procurement criteria for financial, judicial, and health data contracts; the first affected renewals are likely to arise in 2027-2028.

    Short term · 0.75
  • Risk

    The USTR Section 301 final determination, due 24 July 2026 (ID:3073), may classify CAIDA's public-sector cloud restriction as a digital trade barrier warranting retaliatory tariffs on EU goods, creating a Brussels-Washington standoff in the same week as the DMA Google decision.

    Immediate · 0.55
  • Precedent

    The S3NS SEAL-2 carve-out question — whether a Google-joint-venture product qualifies under CAIDA's public-sector ban — will establish whether sovereignty certifications can be used to launder US CLOUD Act exposure.

    Short term · 0.7
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

gHacks· 17 May 2026
Read original
Causes and effects
This Event
CAIDA leak: US clouds barred from EU public data
The leak sets a procurement floor on US hyperscalers rather than a market transformation; roughly 70 per cent of EU cloud revenue sits outside the restriction.
Different Perspectives
Turkey
Turkey
Turkey, a major buyer of Russian diesel cargoes, loses that access under Moscow's first producer-binding export ban, in force from 8 July to 31 July. Ankara hosted the same week's NATO summit pledging EUR 70bn to Ukraine, sitting on both sides of the fuel-and-alliance ledger.
NATO
NATO
NATO leaders meeting in Ankara on 7 and 8 July pledged EUR 70bn in equipment, assistance and training for Ukraine across 2026, with a 2027 sustainment commitment and a $40bn Drone Edge counter-drone initiative. European allies now fund the vast majority of that package, filling the gap left by Washington's idled crude waiver.
India
India
India's state refiners continued buying discounted Urals crude as June's price fell to $63.18 a barrel, insulating New Delhi from the OFAC waiver gap still constraining Western buyers. Indian refiners could pick up diesel-export share as Russia's producer-binding ban shuts out its former customers.
China
China
China's independent refiners kept importing discounted Urals crude through June as the price fell to $63.18 a barrel, down 26% month-on-month per CREA. Beijing has said nothing on Moscow's new diesel ban, leaving Chinese refiners a likely beneficiary if Turkish and Brazilian buyers seek replacement cargoes.
United States
United States
No successor licence has been issued since General License 134C lapsed on 17 June, leaving a 26-day gap, the longest of the war, in the Russian crude waiver. Washington's silence is tightening the channel without any stated decision, as Treasury weighs whether to let it die.
Ukraine
Ukraine
Ukraine's long-range strike campaign shifted from refineries to seaborne fuel tankers crossing the Sea of Azov, cutting tracked vessel traffic 55% between 30 June and 11 July, per Starboard Maritime Intelligence. The shift targets Russia's export revenue directly rather than just domestic supply, adding pressure alongside the collapsing Urals price.