EU Weighs Restricting U.S. Cloud Platforms From Processing Sensitive Government Data

The European Commission is considering rules that would limit its member governments' use of U.S. cloud providers to handle sensitive public-sector data, a move that could significantly affect American technology companies operating across the bloc.

Two Commission officials, speaking anonymously because they were not authorized to discuss internal deliberations, confirmed the discussions to CNBC. The proposals are being developed as part of the Commission's broader "Tech Sovereignty Package," which is expected to be formally presented on May 27.

"The core idea is defining sectors that have to be hosted on European cloud capacity," one of the officials said. The official added that cloud solutions provided by companies from third countries, including the United States, could be affected.

The proposals would not ban overseas cloud providers from all government contracts. Instead, they would restrict their use in processing sensitive data at public-sector organizations, with the level of restriction tied to the sensitivity of the data involved, officials said.

Discussions are specifically focused on financial, judicial, and health data processed by governments and public-sector bodies, which officials said would require high levels of sovereign cloud infrastructure under the proposed framework. The discussions do not extend to private-sector companies.

"U.S. cloud providers could face restrictions in certain sensitive and strategic sectors" within EU member states' public bodies as a result of the proposals, one official said.

Once presented by the Commission, the package would require approval from all 27 EU member states. The "Tech Sovereignty Package" will also include the Cloud and AI Development Act and the Chips Act 2.0, both aimed at encouraging homegrown solutions in digital infrastructure and semiconductors.

A Commission spokesperson, responding to a request for comment, said the package was "about Europe waking up and getting its act together," adding that it would "improve opportunities for sovereign cloud offerings, including through public procurement, and support the entry into the market of a more diverse set of cloud and AI service providers."

The deliberations come as transatlantic relations have deteriorated under President Donald Trump's administration, intensifying calls within Europe to reduce reliance on U.S. technology providers. U.S. firms currently dominate the European cloud market.

European governments have also raised concerns about the U.S. Cloud Act of 2018, which permits American law enforcement to request user data from U.S. companies regardless of where that data is physically stored — a provision that has drawn sustained scrutiny from EU officials and privacy advocates.

The push toward digital self-sufficiency has been building for months. In January, France announced the rollout of Visio, a government-developed video conferencing tool it said would be available to all state services by 2027, replacing platforms such as Microsoft Teams and Zoom. The EU itself acknowledged in January that it faced a "significant problem of dependence on non-EU countries in the digital sphere...potentially creating vulnerabilities, including in critical sectors."

In April, the Commission awarded a 180 million euro tender to four European sovereign cloud projects to supply EU institutions and agencies. One of those projects involves a partnership with a joint venture between French aerospace company Thales and Google Cloud.

With the May 27 presentation date approaching, the full scope and binding force of the proposed restrictions remain unsettled, and officials cautioned that talks are ongoing and have not been finalized. How member states receive the package — and whether consensus among all 27 governments can be secured — will determine whether the proposals advance into enforceable regulation.

Disclaimer