The European Union unveiled the Cloud and AI Development Act on June 3, aiming to regulate cloud providers used by governments and address sovereignty risks. The law mandates public authorities to assess their cloud providers and switch within 12 months if risks are found. This comes amid a sharp decline in EU cloud providers’ market share, which fell from 29% in 2017 to 15% in 2022, with three non-EU hyperscalers now controlling over 70% of European cloud infrastructure, according to medianama.com.
The proposal introduces a four-tier cloud sovereignty framework requiring providers to apply for recognition through national competent authorities, with recognition valid EU-wide. The tiers range from Level 1, based on self-assessment and an EU conformity statement, to Level 3, which demands stricter sovereignty compliance and independent audits. The law also sets new conditions for foreign cloud providers and encourages open-source software and a European public-sector cloud ecosystem, as detailed in the Cloud and AI Development Act document available on medianama.com.
This legislation aims to reduce dependency on non-EU cloud providers and enhance data sovereignty for European governments. The dominance of three foreign hyperscalers over 70% of the market highlights the urgency of this move. By establishing clear assurance levels and procurement rules, the EU seeks to bolster its cloud infrastructure resilience and promote local providers, aligning with broader digital sovereignty goals seen in other regulatory efforts within the bloc, according to medianama.com.
The European Commission will oversee the implementation of the framework, with national authorities responsible for provider recognition. Providers must comply with the new rules to maintain eligibility for government contracts. The proposal’s impact will be closely monitored as governments begin risk assessments and adjust procurement practices under the new law, as outlined in the Cloud and AI Development Act released on June 3, medianama.com reports.