Sovereign Cloud

Turning Sovereignty into Action: Principles and Policy Levers

Bola Rotibi

CCS Guest Blog

European policy on cloud and AI is at an inflection point. The debate has matured beyond slogans to the complex tests that decide whether sovereignty becomes a real capability or remains a badge worn in presentations.

Recent analyses of EU competitiveness argue the bloc faces challenges in productivity and investment, with fragmentation and subscale markets as recurring themes. In a recent analysis of the EU's competitiveness agenda, the Financial Times noted that the main challenges are achieving coherence and scale. To address this, regulation and law must be simplified. Given the pace of AI deployment and infrastructure spending, I believe the European Commission should publish a working definition and test suite to guide near-term decisions.

Here I offer some guidelines to help policymakers translate sovereignty principles into clear tests, procurement levers and certifiable controls, aligned to enable the EU to act effectively. My recommendations are technology-agnostic and are anchored in EU law and procurement practice, allowing buyers and providers to implement strategy in the next 12 to 24 months.

I encourage policymakers to reinforce the position adopted by many EU sovereign cloud providers: define sovereignty in operational terms, connect those definitions to procurement to shape buying decisions and set a tone that promotes competition rather than walling off investment. 

Start with Clarity of Purpose: Sovereignty as a Competition Enabler 

Convert existing principles into transparent criteria that buyers and suppliers can apply consistently. Sovereignty in cloud computing shouldn't be framed as a veto on foreign technology. It should be a way to improve reliability, security and control and widen the field for European providers, supporting the development of the European economy by creating a local industrial base. 

This is consistent with recent industry trends. Acknowledge the role of global players, but remove the ambiguity that allows any provider to claim "sovereign" status without meeting consistent tests. In my view, Europe's long-term resilience is best served when sovereignty requirements are made explicit and non-negotiable, allowing any European or global provider that can meet them to compete fairly.

That balance matters. If we reduce sovereignty to "buy local", Europe risks starving its customers of choice and innovation. If we reduce it to "trust us, we have a sovereign region", there's a risk of entrenching opacity and future lock-in. The middle path is practical: publish the bar, align it to existing EU law and pair it with procurement guidance that rewards providers that meet it. That approach is already reflected in proposals to define cloud sovereignty for the EU and to embed those requirements in public tenders without resorting to bans.

As I set out in a previous article, the EU's aim isn't to exclude non-European providers, but to make the rules auditable and comparable so any supplier that meets them can compete. 

Fix the Language: Define Sovereign Cloud in Operational, Auditable Terms 

The term "sovereign cloud" is used liberally and inconsistently. That vagueness distorts the market and makes procurement harder than it needs to be. A credible starting point is a definition that spans three domains — data, operations and infrastructure — and that can be verified independently. 

In practice, that means requirements such as: 

  • Data and metadata staying in the EU
  • Full jurisdictional control under European and national law 
  • Customer-managed encryption with external keys 
  • Domestic legal ownership 
  • Vetted local operations 
  • In-region resiliency 
  • Demonstrable reversibility without undue dependency 

These are the building blocks buyers already ask for, captured as a set of tests that anyone can understand and audit. 

This is also where the EU can be precise about roles. Not every infrastructure supplier is a cloud service provider, and even fewer meet the threshold for a sovereign provider. A strategic sovereign provider should be able to demonstrate legal and operational independence under European jurisdiction, vertical integration across relevant layers (infrastructure, platform and, where appropriate, software services), auditability against sector rules and sovereign-by-design resilience. Clear distinctions like these reduce "sovereignty washing", help buyers compare like-for-like and avoid conflating technical features with jurisdictional guarantees.

Turn Definitions into Demand by Linking Them Directly to Public Procurement 

Definitions only change behaviour when they're used to award contracts. The European Commission can help by issuing guidance that gives procurement teams practical scoring criteria tied to the sovereignty tests described above. This is a useful, near-term lever: tenders can award points for certified jurisdictional control, in-region failover, customer-managed keys and proven exit plans, without mandating a specific architecture or nationality. Although the politics of member states may be debated, execution is straightforward.

As a practical reference point, the European Commission's Directorate-General for Digital Services (DG DIGIT) Cloud Sovereignty Framework now provides a public, working set of criteria for scoring tenders. This is useful as an initial minimum test suite while a fuller EU-level definition and certification mature.

Procurement scoring should also weigh service quality and interoperability alongside sovereignty and resilience, so citizens experience better services, not just stricter rules. If rules like the Financial Data Access framework raise sovereignty concerns, exclusion should be a last resort. Criteria-based access tied to auditable controls will do more to protect data and preserve competition. This is the same pro-competition pattern that worked in open banking: lower switching costs and normalized portability allowed established providers and challengers to compete on service.

In parallel, accelerate clarity on certification — whether through an evolved EU Cloud Certification Scheme or a staged labelling approach — so buyers can see who meets which tier and on what evidence. The aim is speed with comparability, not a monolithic scheme that freezes the market. This should be delivered in a way that streamlines administrative load during the EU's simplification drive.

To avoid accretion, sovereignty labels should have time-boxed attestations and scheduled reviews. They should be harmonized and pragmatic, so that certification doesn't add unnecessary cost, and include an explicit path to retire or slim controls that don't measurably improve security or portability.

A simple way to keep this grounded is to publish a public registry of offerings that meet each tier, with test results or independent attestations. Buyers get comparability, providers see a clear path for investment and claims of sovereignty can be checked.

In time, a standard EU definition and a mutually recognized label, delivered under an appropriate mandate (for example, through the EU Agency for Cybersecurity), could reduce cross-border friction and allow justified national overlays.

The policy lever is procurement, the trust mechanism is certification and the outcome is a more competitive market for European options. This will result in lower fragmentation costs for suppliers to enter the market or for buyers to identify relevant providers, as certification becomes the standard benchmark in EU member states that all providers must meet. 

Be Candid about Scale and Design for It 

A recurring sensitive point is whether Europe can achieve scale with a long tail of smaller providers, as fragmentation can be a barrier to competition.

European policy can create space for scale by encouraging joint ventures with transparent governance, aligning energy-grid incentives with sovereign capacity that meets the tests, and simplifying access to cross-border funding mechanisms. 

Sovereignty can be realized more easily in some architectural set-ups than in others. But the goal isn't to privilege one model: the market must support more than one credible route to sovereign capability. 

A wider perspective on competitiveness reinforces this, as the recent Financial Times analysis also argues. When rules reduce market fragmentation and make it easier to compare capacity across borders, investors can back larger, more-efficient platforms without sacrificing jurisdictional control. 

CCS Insight's survey findings support this view. Respondents told us they reward providers that make integration easy and costs predictable, with cost flexibility, trust and an integration framework emerging as the top selection factors. In an upcoming article, I'll translate these policy levers into practical checks that reduce lock-in, keep AI in a single sovereign baseline and make certification comparable across borders.