The digital kill switch: How Europe plans to free itself from the US cloud

The Tech Sovereignty Package: What Brussels' new mega-law means for us

Europe's digital infrastructure lies in the hands of a few US corporations – a dependency that has long since evolved from an economic problem into a tangible security threat. What happens if foreign governments access the most sensitive European data or even sever the digital lifeline of an entire continent with a "kill switch"? For years, this danger was dismissed as a theoretical scenario until a bombshell confession by Microsoft in the French Senate revealed the harsh reality. Now the European Union is taking decisive action. With the landmark "Tech Sovereignty Package" of June 2026, Brussels is launching a frontal assault on the dominance of Amazon, Microsoft, and Google. The plan: billions in investment, strict sovereignty criteria, and the development of its own independent cloud and AI infrastructure. But the path to digital emancipation is paved with technological lags and massive geopolitical resistance. A deep insight into Europe's late but inevitable liberation.

Who controls the switch on Europe's digital infrastructure?

A question that Europe asked too late

There are statements that only reveal their full meaning in retrospect. One such statement was made on June 3, 2026, when Henna Virkkunen, Vice-President of the European Commission for Technological Sovereignty, presented the so-called Tech Sovereignty Package and said: "We want to make sure that nobody has a kill switch." This refers to the theoretical, but by no means far-fetched, possibility that a foreign government or company could simply shut down, freeze, or access Europe's digital infrastructure – without Brussels, Berlin, or Paris being able to do anything about it.

What sounds like technical alarmism is actually a sobering description of a situation the European Union has been in for years. The three largest cloud providers that support the digital operations of businesses, government agencies, and critical infrastructure in Europe are all based in the United States: Amazon Web Services, Microsoft Azure, and Google Cloud together control around 70 percent of the European cloud market. European providers, most notably SAP and Deutsche Telekom, each account for a mere two percent market share. The rest of the market is taken by smaller US and Asian providers.

These figures don't describe an abstract geopolitical vulnerability. They describe a tangible economic and security dependency that has not improved in recent years, but rather worsened. In 2017, European cloud providers still held 29 percent of the European market. Today, that figure is 15 percent – ​​despite a market volume that has increased sixfold in the same period. While European providers have tripled their absolute revenues, the US hyperscalers have grown faster and have steadily widened the gap.

The Tech Sovereignty Package: What Brussels Really Decided

On June 3, 2026, the European Commission presented its European Technology Sovereignty Package. The package consists of four components: the Chips Act 2.0, the Cloud and AI Development Act (CADA), an open-source strategy, and an energy plan for data centers. Each of these components addresses a specific dimension of Europe's technological dependence – but the most politically and economically far-reaching is undoubtedly the Cloud and AI Development Act.

The CADA aims to achieve three core objectives: firstly, to promote research, development, and innovation in cloud and AI technologies; secondly, to expand data center capacity in the EU, which, according to the Commission, is to be tripled within five to seven years; and thirdly, to introduce a uniform, EU-wide framework for assessing cloud and AI sovereignty. This third point is crucial, as it establishes, for the first time, clear and binding criteria for what constitutes a "sovereign" cloud service within the EU.

At the heart of CADA is a four-tier sovereignty model. At the first tier, it is sufficient that data is stored within the EU – a standard that US hyperscalers can formally meet through their European data centers. At the second tier, it must also be largely impossible for third countries to access the data or block access – a requirement that American providers cannot meet due to the US CLOUD Act. The third tier requires that providers originate from a third country recognized by the EU, while the fourth and highest tier is reserved exclusively for European-controlled providers with full supply chain control.

The strategic logic behind this is as simple as it is far-reaching: Future government contracts in sensitive areas must meet at least the requirements of Tier 2. In practice, this means that data from the defense, justice, healthcare, and law enforcement sectors may no longer be awarded to US hyperscalers. According to Commission estimates, the highest level of sovereignty affects only about one percent of public services—but this one percent encompasses the most sensitive state secrets, intelligence data, and judicial information.

At the same time, the scope of the package must be realistically assessed. It is still a draft that must be approved by both the European Parliament and the Council of Member States. And it primarily binds the public sector, not private companies. Nevertheless, a well-known dynamic applies in regulatory economics: what the state demands today for its most sensitive data will, through spillover effects and pressure along supply chains, become the de facto industry standard tomorrow.

The US CLOUD Act: The Foundation of the Problem

To understand why the tech sovereignty package became necessary, one must understand how the US CLOUD Act works. This law, which came into effect in March 2018 under the first Trump administration, allows US authorities to compel American companies to hand over electronic data—regardless of whether that data resides on servers in the US or abroad. The Clarifying Lawful Overseas Use of Data Act, to give its full name, compels US cloud providers like Amazon, Microsoft, and Google to disclose data in response to legally valid orders, even if that data is stored on European servers.

This extraterritorial reach of US law creates a fundamental legal conflict with European data protection law. Article 48 of the General Data Protection Regulation (GDPR) stipulates that data transfers to third countries may only take place via international mutual legal assistance treaties. From the perspective of the European Data Protection Board (EDPB), the US CLOUD Act is an attempt to circumvent precisely these existing mutual legal assistance treaties. Companies subject to both the CLOUD Act and the GDPR are thus caught in a legal dilemma that has no fully satisfactory solution.

The Dutch National Cyber ​​Security Centre (NCSC) has determined in a detailed legal opinion that this conflict cannot be reduced to simple technical measures. Even if a European company processes all data through a formally European subsidiary of a US corporation, the US parent company can still be considered to own the data – and thus remain subject to the CLOUD Act. Even more intriguing is the NCSC's observation that US authorities could potentially access data through US citizens working for EU companies – without the European employer even being aware of it.

Microsoft's confession: The turning point in the French Senate

What had previously been discussed in legal circles as a theoretical risk was given a face and a voice in June 2025. Anton Carniaux, Chief Legal Officer of Microsoft France, was questioned under oath before the French Senate's investigative commission on June 10, 2025. The rapporteur, Dany Wattebled, posed the crucial question: Could Carniaux guarantee that the data of French citizens entrusted to Microsoft would never be disclosed at the behest of the American government without the explicit consent of the French authorities? The answer, in its brevity, was devastating: No, he could not guarantee that.

Carniaux clarified during the hearing that Microsoft is legally obligated to release the requested data if a formally valid US court order is issued. Even disclosure of these requests to European customers is not guaranteed: Microsoft can only request that the process be forwarded to the customer as far as possible. These statements are significant because they fundamentally undermine the promise of a "sovereign cloud" of European design, which US hyperscalers have been promoting for years. Technical measures such as European data centers, local data storage, and proprietary cryptographic keys do not alter the legal obligation to disclose data when US law applies.

Microsoft's admission is not an isolated incident. Released government documents in the UK reveal that Microsoft has confirmed in writing to Scottish police authorities that it cannot guarantee data sovereignty with Microsoft 365. These official documents demonstrate that this is not a distorted interpretation of the law, but rather the company's own sober assessment. Particularly concerning is the fact that Microsoft has already blocked the account of the Chief Prosecutor of the International Criminal Court – a case that shows how American interests can, in specific instances, arbitrarily override European data security.

France as a pioneering state: When theory becomes politics

Perhaps the most striking response to this structural dependency is coming not from Brussels, but from Paris. In a series of government decisions, France has begun to systematically establish the technological independence of its administration. At the beginning of 2026, the French government imposed a ban on the use of platforms such as Microsoft Teams, Zoom, Google Meet, and Cisco Webex across the entire public administration. Existing licenses are expiring and are simply not being renewed.

The scale of this project is considerable: Around 2.5 million civil servants are to switch from US software to domestic alternatives by the end of the decade. Visio, a European-developed system whose pilot program is already underway, will be used as the videoconferencing solution. In the spring of 2026, the French National Centre for Scientific Research (CNRS) replaced around 34,000 Zoom licenses with Visio – affecting over 120,000 researchers. In April, the government extended the directive to operating systems: A phased migration from Microsoft Windows to Linux on all ministry workstations has been ordered.

The driving force is the state digital agency DINUM, which, as a pioneer, has already migrated all 250 of its workstations to Linux. By autumn 2026, all ministries must submit binding dependency reduction plans. The economic logic behind this is as compelling as the security policy rationale: According to its own calculations, France saves around one million euros per year in licensing costs for every 100,000 users who switch to government solutions. With over two million public sector employees, the annual savings could rise to over 20 million euros – money that could be invested in building European technology providers instead of going to US corporations.

The European Parliament speaks with a rare voice

In the normal political climate of the European Parliament, clear majorities that transcend party lines are rare. The vote of January 22, 2026, was one of the rare exceptions. By a vote of 471 to 68, with 71 abstentions, Parliament adopted a report calling on the EU to structurally overcome its dependence on US technology. The European People's Party, the Social Democrats, the Liberals, and the Greens voted in favor of the resolution. Opposition came only from the fringes: from the Left group and the far-right Patriots for Europe.

This vote has a symbolic dimension that extends beyond the specific content of the resolution. It demonstrates that the issue of digital sovereignty in Europe no longer has the character of an ideological divide – it has become a rare consensus topic, convincing both EPP conservatives and Green MEPs. Parliament explicitly called for a clear definition of sovereign cloud computing within the framework of the regulation on cloud and AI development. In doing so, it politically paved the way for precisely the regulatory framework that the Commission presented a few months later with the CADA.

The market and its forces of inertia: A sober assessment

There is a considerable gap between political aspirations and technological reality, a gap that should not be downplayed. The global cloud market grew to a revenue volume of approximately US$90.9 billion in the first quarter of 2025 alone. AWS holds a global market share of more than 30 percent, followed by Microsoft Azure with around 23 percent and Google Cloud with 11 to 13 percent. In the third quarter of 2025, these three US giants together accounted for 63 percent of the global market. For the full year 2026, investment forecasts from Amazon, Microsoft, Google, and Meta exceed US$600 billion. This is more than three times the entire EU defense budget.

European providers have virtually no answer to these measures. SAP and Deutsche Telekom lead the European field with roughly two percent market share each. They are followed by OVHcloud, Telecom Italia, and Orange with even smaller shares. The research firm Forrester concluded at the end of 2025 that no European company will completely abandon US hyperscalers by 2026. Despite growing concerns, economic constraints remain the decisive obstacle – a complete switch away from AWS, Google Cloud, and Microsoft Azure is simply not realistic in the short to medium term.

This sober assessment is not cynical, but analytically precise. Companies that have built their entire digital infrastructure on US cloud services face significant migration costs, compatibility issues, and the simple fact that European alternatives in many areas—particularly in AI infrastructure and high-performance computing—do not yet offer comparable depth. The German IT industry association Bitkom has calculated that 87 percent of German companies source digital technologies or services from the US or the EU. The US and the EU are neck and neck—an indication of how deeply entrenched US dependence is.

Added to this is the criticism from industry associations. The Computer and Communications Industry Association (CCIA), which represents, among others, US tech companies, described the Cloud and AI Development Act as a "direct directive for discriminatory market fragmentation" and warned that it creates a "dangerous recipe for progressive market protectionism." The German internet association eco also cautioned that levels of sovereignty must be clearly justified, proportionate, and risk-based – and should not function as blanket exclusion mechanisms for non-European providers. These objections are not mere lobbying, but point to real implementation problems: According to the CCIA, Article 18 of the CADA sets an impossible standard – none of the major technology-producing countries, not even the EU itself, currently meets it.

Industry focus areas: B2B, digitalization (from AI to XR), mechanical engineering, logistics, renewable energies and industry

More information here:

• Expert Business Hub

A thematic hub offering insights and expertise:

• Knowledge platform covering global and regional economies, innovation and industry-specific trends
• A collection of analyses, insights, and background information from our key areas of focus
• A place for expertise and information on current developments in business and technology
• A hub for companies seeking information on markets, digitalization, and industry innovations

The geopolitical backdrop: Why Trump initiated it

It would be incomplete to analyze Europe's technological sovereignty offensive without identifying the geopolitical context that is its true catalyst. The policies of the Trump administration have set in motion a process of reflection in Europe that extends far beyond trade policy. US sanctions against investigators of the International Criminal Court, threats against NATO allies, and the Trump administration's general willingness to question multilateral institutions and agreements have transformed the largely academic debate on digital sovereignty into a practical necessity.

Virkkunen herself made it clear that the US CLOUD Act, which allows US authorities access to data stored on European servers, is incompatible with European regulations. She also pointed out that it would be "extremely difficult" for US companies to meet the strictest European sovereignty standards for cloud computing in areas such as defense. This statement is not anti-American rhetoric, but rather a factual description of a legal situation created by two incompatible legal systems.

At the same time, Virkkunen emphasized that the EU does not intend to isolate itself and produce everything domestically. Europe is globally interconnected and will remain so. The goal is not autarky, but rather the identification and elimination of risky dependencies – particularly regarding infrastructures that are crucial for security and the rule of law. This is an important nuance, as it distinguishes the European approach from a simplistic technological nationalism.

The Chips Act 2.0 and the semiconductor problem

Another pillar of the technology sovereignty package is the Chips Act 2.0, designed to complement the original Chips Act of 2023. While the first Chips Act focused on the supply side – namely, the development of semiconductor production capacity – Chips Act 2.0 focuses on the demand side: Member States are to specifically purchase semiconductors from European startups to create a domestic market. Public and private investments totaling €120 billion are considered necessary by 2035.

The backdrop is sobering. The original goal of doubling the EU's share of the global semiconductor market to 20 percent by 2030 is in danger of failing. Europe currently produces only around ten percent of the world's chips. The gap compared to Taiwan, South Korea, and the US is enormous, and building large semiconductor factories requires not only capital but also specialized expertise and supply chains that don't spring up overnight. One strategic project the Commission is considering is a new factory for 3-nanometer semiconductors for AI and advanced chips—a €30 billion project financed by the Commission, member states, and private companies.

Open Source as a strategic tool: More than just a technical detail

The open-source strategy, presented as the third pillar of the technology sovereignty package, is often underestimated in public debate. Yet its strategic logic is particularly consistent. By definition, open-source software eludes the proprietary control of a single vendor. It cannot be unilaterally shut down, restricted by licensing, or equipped with backdoors that remain hidden from a regulatory authority. What the Commission aims to achieve with this strategy is a gradual strengthening of European open-source alternatives in key areas – from operating systems and productivity software to AI models.

France's experience is revealing in this regard: The government's messaging app, Tchap, is already used by over 600,000 civil servants. Open-source alternatives for messaging and file transfer have been introduced for 80,000 employees of the French health insurance system. These pilot projects demonstrate that while the transition to sovereign solutions may involve initial challenges, it is technically feasible – provided there is political will and sufficient transition time.

Economic consequences: Who wins, who loses?

For European cloud providers, the Tech Sovereignty package is undoubtedly an opportunity that has been discussed for years but is only now receiving real regulatory support. OVHcloud operates more than 400,000 servers in 33 of its own data centers on four continents and explicitly positions itself as the leading European cloud provider with complete control over its own value chain. STACKIT, IONOS, and Proact are other providers that could benefit from the new regulatory framework in Germany. Mistral AI from France has established itself as a European AI champion and is likely to receive systematic preferential treatment in public tenders for AI infrastructure services.

For US hyperscalers, the consequences are more nuanced. A complete exclusion from the European market is not on the agenda – the Commission has explicitly stated that such a step would currently be impossible given the market dominance of US providers. What is changing is the eligibility criteria for the most lucrative public contracts. According to Handelsblatt research, the EU Commission also plans to regulate the cloud business of Amazon and Microsoft under the Digital Markets Act – a move intended to structurally limit the hyperscalers' market power.

For European companies as customers and users of cloud services, the decision-making process is more complex. In the short term, significant switching costs arise if they migrate their IT infrastructure from US cloud services to European alternatives for regulatory or strategic reasons. In the long term, however, they reduce their exposure to legal risks, price increases, and geopolitical shocks. Cloud Computing Insider's analysis shows that CIOs should already be preparing an exit plan for scenarios in which the transatlantic data protection agreement is revoked—regardless of whether Washington or Brussels is responsible.

200 billion euros and the question of financing

The Commission estimates the cost of tripling European data center capacity at around €200 billion, primarily to be financed from private sources. By comparison, US tech giants Amazon, Microsoft, Google, and Meta increased their investment spending to over $400 billion in 2025 and plan to invest more than $600 billion in 2026. Thus, Europe intends to create an infrastructure with €200 billion in state-coordinated private investment, while its US counterpart is financed with three times that amount annually. This highlights the structural imbalance facing Europe.

Added to this is the question of feasibility in terms of timing. Data centers are planned, approved, built, and commissioned – a process that, even with accelerated approval procedures and specially established acceleration zones, typically takes several years. The Commission plans to establish such acceleration zones where data centers can be approved more quickly. Whether this will be sufficient to close the gap in a period when AI infrastructure and computing power are becoming crucial strategic resources remains an open question.

What this means in practice: The focus is on ordinary companies

The immediate pressure to act on companies that do not award public contracts and are not directly affected by the new levels of sovereignty is limited. The new rules primarily bind the state. However, anyone who has observed the dynamics of recent years recognizes a clear signaling effect: What applies today to state health, financial, and judicial data will tomorrow be used as a benchmark by banking supervisors, insurance regulators, and industry compliance teams. Companies that operate critical infrastructure, are active in the financial sector, or collaborate with government agencies will not be able to ignore this development.

A realistic picture emerges from an analysis of legal risks. Anyone storing data with US hyperscalers must expect that US authorities can gain access to it upon legally justified orders – even if the data is physically located in Frankfurt or Amsterdam. This is not a hypothetical worst-case scenario, but rather the status quo, documented by Microsoft's own admission. For companies operating under the GDPR, DORA, or other European data protection regimes, this presents a compliance risk that intensifies with increasing regulatory stringency.

Between aspiration and reality: A critical overall assessment

The European Commission's tech sovereignty package is not a breakthrough – it's a start. An important, necessary, and politically significant start, but one that will not resolve Europe's structural deficits in the digital sector within a single legislative cycle. The market dominance of the US hyperscalers is not the result of regulatory errors, but rather the outcome of decades of technological leadership, massive investment, and the simple fact that Amazon, Microsoft, and Google offer better products at competitive prices than their European rivals.

Regulation can set frameworks and shift incentives, but it cannot replace innovation. European cloud providers will only represent a genuine long-term alternative if they can keep pace technologically, scale their infrastructure, and further develop their services. This requires private venture capital, a functioning European single market for digital services, and a regulatory environment that encourages rather than hinders investment. Herein lies one of the major tensions in European technology policy: the same Brussels that aims to promote cloud sovereignty with CADA has, with the GDPR, the AI ​​Act, and the Digital Services Act, erected a regulatory framework that, in some cases, burdens European startups and scale-ups more heavily than their US competitors.

Nevertheless, the direction of the tech sovereignty package is economically and politically sound. The concentration of 70 percent of the European cloud market in the hands of three US companies is not a neutral market decision, but rather a strategic vulnerability. Microsoft's admission that it cannot prevent US access to EU data has publicly documented this vulnerability. The European Parliament's vote of 471 to 68 signals political will. And France's concrete migration of 2.5 million civil servants shows that implementation can begin even with enormous complexity.

The question that remains

Henna Virkkunen's statement encapsulates the core political and economic question of the coming decade: Who holds the switch on the infrastructure upon which Europe's economy, state, and society run? The honest answer today is: essentially three American corporations, bound by US law and their shareholders – not by European rule of law or European interests.

This isn't due to any ill will on the part of these companies. It's the logical consequence of the global triumph of the US tech industry and Europe's simultaneous inability to build a comparable infrastructure. The Tech Sovereignty package is the most serious institutional attempt to date to structurally address this imbalance. Whether it succeeds will depend on whether political will, private capital, and technological innovation in Europe are sufficiently coordinated – and whether Europe takes the time that such a transformation inevitably requires. The power to change this isn't in one person's hands. Not yet.

Xpert.Digital is a data-driven B2B industry hub led by Konrad Wolfenstein . The company acts as an external, quasi-in-house solution for industrial partners, closing operational gaps in marketing, content, and sales – without requiring additional resources on the client side.

More information here:

• The quasi-in-house solution: How Xpert.Digital closes operational gaps in B2B marketing and sales – Smart Content-Driven Business

☑️ Our business language is English or German

☑️ NEW: Correspondence in your native language!

 

I and my team are happy to be available to you as your personal advisor.

You can contact me by filling out the contact form here wolfenstein@xpert.digital:or simply call me at +49 7348 4088 965. My email address is

I'm looking forward to our joint project.

 

 

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the digital strategy and digitization

☑️ Expansion and optimization of international sales processes

☑️ Global & Digital B2B trading platforms

☑️ Pioneer Business Development / Marketing / PR / Trade Fairs