The background in relation hereto is that in recent years the EU has become aware of vulnerabilities linked to dependence on a limited number of global technology actors, particularly from the US and China. US cloud companies account for around 70 per cent of the European cloud market, and US actors also operate a large proportion of the large-scale infrastructure underpinning it. These dependencies have raised issues concerning information security, supply chains, export restrictions, jurisdictional control and the possibility of third countries indirectly influencing European players.
The package contains two proposals for regulations, i.e., the Cloud and AI Development Act (“CADA”) (cloud services) and the Chips Act 2.0 (semiconductors), as well as The EU Open Source Strategy and the Strategic Roadmap for Digitalisation and AI in the Energy Sector.
Through CADA, the Commission aims to strengthen Europe’s cloud and AI capabilities, support research and innovation, simplify the conditions for the expansion of data centres, and introduce a common EU framework for assessing cloud and AI sovereignty. The proposal for the Chips Act 2.0 builds on the EU’s existing semiconductor policy and aims to increase capacity in advanced semiconductor technology, strengthen security of supply, speed up authorisation processes and create better incentives for investment and the industrial use of European chips. The EU Open Source Strategy aims to strengthen Europe’s open digital ecosystem by promoting the development, scaling up, use and long-term maintenance of open technologies. Strategic Roadmap for Digitalisation and AI in the Energy Sector complements the package and aims to link digital infrastructure with the energy system’s transition.
The package should also be viewed in the context of the EU’s existing digital regulatory framework and policy initiatives, such as the Digital Decade, the Affordable Energy Action Plan, the AI Act, The AI Continent Action Plan, as well as Mario Draghi’s report ‘The future of European competitiveness’ and the Competitiveness Compass.
The Tech Sovereignty Package places greater emphasis on capacity, control and industrial development, rather than merely the regulation of digital markets and risks. It also builds on the Commission’s broader competitiveness agenda, including the ambition to become an ‘AI Continent’ and investments in AI factories, AI gigafactories and European computing capacity. Together with these initiatives, the package aims to create a framework to strengthen Europe’s digital independence, resilience and competitiveness.
The four components of the package are summarised below.
Cloud and AI Development Act (CADA): Regulatory framework for sovereign cloud services and digital capacity building
At the heart of the package is the proposed Cloud and AI Development Act (CADA), which aims to scale up EU-based cloud and AI infrastructure. According to the Commission, the EU’s dependence on a limited number of cloud service providers from countries outside the EU constitutes a significant vulnerability for the Union’s critical digital infrastructure and a risk to its digital autonomy and resilience. To address these challenges, CADA, for example, combines measures such as increased data centre capacity and support for innovation with new frameworks for cloud and AI sovereignty. The Regulation will be of particular importance to cloud service providers, data centre operators, AI developers, public sector procurers of such services, and businesses whose operations depend on critical digital infrastructure in Europe.
One of the key ambitions of the proposal is to triple the EU’s data centre capacity within five to seven years, with the aim of ensuring the Union has sufficient capacity by 2035 at the latest. To achieve this, CADA is establishing a framework known as the ‘Cloud and AI Leadership Initiatives’, the purpose of which is to promote research, innovation and large-scale capacity building within the EU’s cloud and AI ecosystems. This initiative covers a broad spectrum of objectives, including: (i) more energy- and resource-efficient data centre technology; (ii) greater autonomy over the cloud stack; (iii) the development of frontline, physical and industrial AI; (iv) the use of AI in the public sector; (v) a platform for AI agents; and (vi) collaborative European industrial models. Member States will also be required to adopt national cloud and AI strategies that are in line with these objectives.
In addition to the objective of increasing data centre capacity, the proposal introduces an EU framework for cloud sovereignty built around four so-called ‘Union assurance levels’. Cloud service providers must meet these assurance levels in order to provide services to public sector bodies. The requirements become progressively stricter from Level 1 to Level 4, and the levels are determined on the basis of criteria such as control over the service, control over the supply chain, how data is processed, the location of the infrastructure, and cybersecurity. Providers seeking Level 1 accreditation carry out a self-assessment of compliance, whilst Levels 2–4 require an independent third-party audit. Contracting authorities whose activities are deemed to be of importance to public order, in sectors such as energy, health, defence and the judiciary, will be obliged to procure only services that have achieved at least Level 2. Both Member States and EU institutions are required to carry out individual sovereignty risk assessments to determine the appropriate security level for different use cases within the public sector.
The proposal thus allows for national variations in the application of the EU’s cloud sovereignty framework, rather than prescribing a fully harmonised approach. According to the draft, the Commission is granted the power to adopt implementing acts requiring private companies in sectors covered by the EU’s overarching cybersecurity legislation – the revised Network and Information Systems Directive (NIS2) – to carry out similar assessments.
Chips Act 2.0: An updated EU strategy for the semiconductor ecosystem
Semiconductors are a vital component of digital development, found in everything from wearables and cars to military and healthcare equipment. With the ever-accelerating integration of advanced digital technologies, specifically AI, global demand for semiconductors has also risen significantly. The semiconductor sector is therefore now regarded as a cornerstone of the EU’s economic stability, technological sovereignty and security.
This strategic importance is accompanied by growing concern over global geopolitical tensions, where the manufacture and supply of semiconductors not only constitute a national asset but also represent a vulnerability should, for example, supply bottlenecks arise.
Against this backdrop, an initial European Chips Act was adopted as early as 2023. Although this has been regarded as leading to concrete and significant results – such as the mobilisation of private and public investment, as well as a co-ordination and crisis management mechanism – both capacity gaps and structural vulnerabilities remain.
The proposal for the Chips Act 2.0 sets out two overarching objectives. Firstly, to increase the competitiveness of European semiconductors with a view to further strengthening technological sovereignty and resilience. Secondly, to strengthen the EU’s crisis preparedness in order to ensure its security of supply and economic security. This will be achieved through supply-side measures – an area on which the original Chips Act already focused – as well as through demand-side measures.
Some of the more concrete measures proposed to help stimulate demand include the introduction of so-called ‘Demand Accelerators’. This means that the Commission and the Member States will be able to encourage the use of semiconductors designed or manufactured within the Union, particularly in strategic sectors such as the cloud, automotive, aerospace, telecoms and defence industries. This can be achieved, amongst other things, by the Commission developing joint technical roadmaps and supporting collaboration platforms and design partnerships. Measures are also proposed in the area of public procurement, such as supporting cross-border joint procurement arrangements, and in the area of innovation procurement, with the aim of pooling demand and making investments more efficient. The establishment of a ‘Demand Forum’ is also proposed, intended as a meeting place between suppliers and potential users where the latter are given the opportunity to explain their needs and desired specifications, with the aim of gathering demand signals and highlighting what is on offer.
On the supply side, it is proposed to continue improving and developing pilot projects for the creation and development of new semiconductor technologies and design concepts, and to accelerate the further industrialisation of successful projects of this kind.
Furthermore, it is proposed to introduce a new category of so-called ‘strategic projects’ – semiconductor projects which the Commission may recognise as strategic if, amongst other things, they meet requirements to create significant added value for the Union, are carried out by domestic companies, and have a cross-border dimension. It is proposed that these strategic projects, together with European semiconductor initiatives, should benefit from faster administrative authorisation processes, with a maximum duration of 12 months, and that Member States should centralise and co-ordinate authorisation applications. The Commission also proposes the introduction of the ‘European Semiconductor Regions of Excellence’ label, which the Commission may award to regions that meet the criteria for having a strategic vision. In practice, this aims to attract international investment to these areas.
The EU’s Open Source Strategy: from a technical alternative to a tool for sovereignty
The EU Open Source Strategy places open source technology at the heart of Europe’s pursuit of digital independence. Open source is no longer seen merely as a technical alternative at European level but, rather, as a strategic building block for digital sovereignty. In this context, open source acts as a cross-cutting tool: semiconductors, the cloud, AI, digital identity and public digital infrastructure all depend on software, standards and reusable components which the EU wishes to be able to control and further develop to a greater extent on its own terms. The Commission also describes the strategy as a means of reducing dependencies across the entire technology stack.
The strategy has four overarching objectives.
To promote the development and adoption of open source alternatives that reflect the EU’s values.
To provide guidance and best practice on public procurement and to strengthen the Commission’s own use of open source.
To build a vibrant open source ecosystem through support for businesses, developer communities, improved governance, security and skills.
To promote the EU’s open-source solutions internationally and integrate them more effectively into standardisation processes.
Open source is highlighted as a means of reducing vendor lock-in and strengthening transparency, interoperability and European control over digital systems. For the public sector, this affects procurement, licence management and assessments of security, continuity and long-term manageability. The Commission emphasises the need for procurement guidance and fairer assessment of open source solutions. At the same time, open source does not guarantee technological sovereignty: without long-term funding, security maintenance and a European industrial base, dependencies may persist. The strategy thus focuses on governance, critical dependencies, the Open Source Maintenance Instrument and long-term management. Through the so-called Digital Commons European Digital Infrastructure Consortium (DC-EDIC), which enables Member States to jointly develop, deploy and operate cross-border digital infrastructure, open, interoperable solutions are to be developed and reused across borders.
A strategic roadmap for digitalisation and AI in the energy sector
The fourth and final component of the package is the Strategic Roadmap on digitalisation and AI in the energy sector, which links the objective of accelerating the Union’s digitalisation and AI-based solutions with the Union’s climate and energy targets. The roadmap highlights two parallel challenges. On the one hand, there is the opportunity to use digitalisation and AI to make energy systems more efficient, reduce costs and, in the long-term, create a more competitive industry, provide financial relief to households and build a more resilient energy system. On the other, the rapid growth of digital infrastructure, particularly data centres, risks placing an increased strain on electricity grids, with potential implications for energy prices, the demand for water resources and consumers’ access to the electricity grid. At the same time, the report highlights the potential of AI systems to create a more flexible, data-driven and resilient energy system in which consumers, industry and grid operators can better respond to price signals, optimise consumption and participate in flexibility markets.
The roadmap is based on three pillars:
The sustainable integration of data centres into the energy system, including through tripartite agreements between data centre operators, energy providers and public authorities. This also includes the introduction of a forthcoming EU system for the sustainability classification of data centres.
Accelerating the use of digital and AI solutions by promoting grid-enhancing technologies, smart meters and AI models to enable grid planning, forecasting and the management of bottlenecks.
Establish an EU framework to facilitate the sharing of energy data across the EU’s internal borders, both for primary use, i.e., the operational exchange of data between identified stakeholders, and for secondary use, such as for research and the training of AI models.
These three elements are also complemented by horizontal initiatives relating to cybersecurity and the fight against hybrid threats, trust, skills provision and international co-operation. The measures in the roadmap are scheduled to be implemented by 2030 at the latest; in the meantime, starting this year, the Commission will convene an annual forum on the digitalisation of the energy sector, which will serve as a monitoring and co-ordination mechanism to assess progress, identify remaining obstacles, disseminate best practice and identify new developments that may warrant further action.
Comment
The Technology Sovereignty Package is ambitious in both its scope and approach. Unlike previous EU initiatives in the digital sphere, which have mainly focused on regulating markets and risks, the package instead emphasises capacity, control and industrial development.
It should therefore not be understood as a single piece of legislation, but, rather, as a strategy spanning infrastructure, industrial policy, public procurement and energy, characterised by the recognition that digital dependence constitutes a strategic vulnerability.
Reactions to the proposals have so far been few but mixed, and the criticism levelled at them is largely directed at the package’s failure to live up to its stated purpose. In the debate, TechPolicyPress has described the Tech Sovereignty Package as a failure in relation to the goal of reducing dependence on Big Tech. The criticism focuses on the fact that the package contains a fundamental contradiction: it seeks to promote competitiveness, sustainability and sovereignty simultaneously, yet defines sovereignty primarily in geographical terms – that is, as a matter of purchasing AI and cloud services provided within Europe, regardless of who ultimately owns the provider. The crucial distinction in CADA is that the regulatory framework requires ‘control’ but not European ownership. This means that US cloud providers can qualify even at the strictest security level, provided that their European subsidiaries are formally separated from the parent company and that customer data, staff, infrastructure and governance remain within Europe. The loophole for Big Tech is thus that a foreign parent company can retain ownership as long as the European entity meets the regulation’s localisation and control requirements. Despite the package’s stated ambition to strengthen Europe’s digital independence, critics note that the proposal fails to address the public sector’s actual dependence on US suppliers – on the contrary, it risks cementing and expanding this dependence.
Both support and criticism have been voiced from other parts of the business community and industry organisations. Several reactions have been largely positive towards the package’s fundamental direction, albeit with clear reservations regarding implementation and balance. DIGITALEUROPE, the trade association for the European technology industry, in contrast to the above, welcomes the CADA proposal and describes it as “a good starting point for a common European standard for sovereignty and security”. The organisation emphasises that Europe needs a uniform standard of the kind already adopted by other major economies, whilst at the same time highlighting the continuing need for stronger demand-side measures and the importance of focusing on scaling up.
Bruegel also welcomes digital sovereignty as a sound objective to strive for, but criticises the package for representing a protectionist shift that mimics the US and China through state subsidies, local procurement rules and domestic preference. According to Bruegel, such measures risk raising prices, lowering quality, distorting the market, disadvantaging smaller countries and provoking retaliatory measures; furthermore, making nationality a security indicator unnecessarily closes off the market.
Since the success of the US and China rests on cheap energy, capital and large markets, Bruegel’s authors advocate instead that the EU should harness the competition within the single market and implement structural reforms, rather than embarking on a path of isolationism. According to critics, preventing European companies from using foreign suppliers seems to make little sense as long as there are no competitive European alternatives.
Next steps
The proposal will now proceed through the ordinary legislative procedure. The next step is consideration by the Council and the European Parliament, followed by trilogue negotiations between the European Parliament, the Council and the Commission before a political agreement can be reached and the legislative acts formally adopted. Under the interinstitutional roadmap “One Europe, One Market”, the target dates for adoption have been set for the second quarter of 2027 for the Chips Act 2.0 and for the fourth quarter of 2027 for the Cloud and AI Development Act. It remains to be seen how quickly the process will proceed and to what extent the proposal will be amended during the negotiations. The proposals are not without controversy, as the negotiations are expected to touch on issues such as European technological sovereignty, public procurement, cloud and AI infrastructure, semiconductor supply, state aid, energy capacity and relations with third-country suppliers. At the same time, measures such as the previous – though now partially revoked – US decision to block other countries’ access to Anthropic’s new Mythos model could accelerate the legislative process.