EUROPEAN COMMISSION

Brussels, 3.6.2026

SWD(2026) 502 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

establishing a framework of measures for strengthening Europe’s cloud and AI ecosystem (Cloud and AI Development Act)

{COM(2026) 502 final} - {SEC(2026) 502 final} - {SWD(2026) 503 final}

Table of contents

1.Introduction: Political and legal context

1.1.Political context

1.2.Legal context

2.Problem definition

2.1.Problem context

2.2.What are the problems?

2.3.What are the problem drivers?

2.4.How likely is the problem to persist?

3.Why should the EU act?

3.1.Legal basis

3.2.Subsidiarity: Necessity of EU action

3.3.Subsidiarity: Added value of EU action

4.Objectives: What is to be achieved?

4.1.General objectives

4.2.Specific objectives

5.What are the available policy options?

5.1.What is the baseline from which options are assessed?

5.2.Description of the policy options

5.3.Options discarded at an early stage

5.4.Possible combination of options

6.What are the impacts of the policy options?

6.1.Economic impact

6.2.Social impact

6.3.Environmental impact

7.How do the options compare?

7.1.Effectiveness

7.2.Efficiency

7.3.Coherence

7.4.Subsidiarity and proportionality

7.5.Sensitivity analysis

7.6.Comparison per criteria

8.Preferred option

8.1.Outcome of comparison of policy options

8.2.Application of the “One In One Out” (OIOO) Approach

9.How will actual impacts be monitored and evaluated?

Annex 0 - Endnotes

Glossary

1.Introduction: Political and legal context

Today, cloud computing and AI are more than enablers of innovation. They have become the driving forces reshaping industry, public service, and daily life in the EU. The cloud provides the backbone necessary for all to access and deploy digital solutions efficiently, while AI unlocks unprecedented opportunities for automation, data-driven decision-making, and personalised services. A strategic approach to their uptake is thus essential for a competitive, secure, sovereign and future-ready EU. Annex 8 explains the technical terms used in this assessment such as the notion of cloud and AI computing services, which, in the context of this assessment, means offering computing resources for the running (inference) of AI systems.

1.1.Political context

The Draghi report on the future of European competitiveness I recognised the importance of sufficient access to cloud services and of increasing computational capacity in the EU, particularly for the EU’s ability to develop and adopt AI II . The Competitiveness Compass calls for the EU to provide sufficient cloud and data infrastructure required for AI leadership, as enablers of competitiveness III . The Economic Security risk assessment on AI technologies identified dependencies on a limited number of foreign cloud providers and frontier AI providers as significant vulnerabilities in the European AI ecosystem IV . The Cloud and AI Development Act (CADA) is a headline digital policy initiative listed in the Mission letter to EVP Virkkunen, alongside a single EU-wide cloud policy for public administrations and public procurement V . The Competitiveness Compass calls for action in Europe to provide sufficient cloud and data infrastructure required for AI leadership, as enablers of competitiveness VI . Furthermore, the AI Continent Action Plan VII announces the goal of tripling the EU’s data centre (DC) capacity within the next five to seven years and emphasises that sovereignty and operational autonomy need a greater reliance on highly secured EU-based cloud capacity. The Digital Decade Policy Programme (DDPP) sets the target of 75% of EU businesses adopting cloud services and of 10 000 edge nodes being rolled out by 2030 VIII .

The European Parliament’s own-initiative report (tabled for plenary since June 2025) on European technological sovereignty and digital infrastructure voices concerns about the EU's excessive dependence on non-European actors in critical areas like cloud infrastructure. It calls on the Commission to introduce the CADA to strengthen European data infrastructure, promote European cloud service providers (CSP), build a European single market for cloud and AI, and propose a definition for sovereign cloud and its scope of application IX . In its conclusions of December 2025 on European Competitiveness in the Digital Decade, the Council calls for CADA to include common criteria for sovereign cloud services, allowing for addressing market transparency and risks associated with dependencies, including extraterritorial effects of legislation adopted by third countries for highly critical use cases X .

Several non-EU countries have adopted policy initiatives to develop AI computing capacity, including DCs. In the US, building on a long tradition of supporting their cloud sector with policies XI and large public contracts XII , the July 2025 AI Action Plan XIII massively boosts US DC capacity and cloud services. An Executive Order on accelerating federal permitting of DC infrastructure XIV establishes nation-wide fast-track procedures, lowers environmental protections, and makes federal land available for DC build-out. The Executive Order on promoting the export of the American AI Technology Stack establishes federal support for full-stack AI export packages bundling AI-optimised computer hardware, DC storage, cloud services, and networking, which will be exclusively sold in US-providers-only packages XV . China launched the infrastructure project “Eastern Data, Western Computing” in 2022, coordinating DC construction by concentrating facilities in the West of the country. This led to a surge in government procurement of DCs XVI . In July 2025, the UK proposed AI Growth Zones to better equip the UK for running training and inference and support UK companies in developing sovereign, sustainable and secure compute technologies and services XVII . The UAE pursues investments in renewable energy, power transmission, and hyperscale-ready infrastructure to expand its DC capacity XVIII .

1.2.Legal context

The EU lacks a framework to foster the strategic investment in computing capacity beyond AI Factories and Gigafactories 1 . The DDPP XIX only sets a deployment target for edge nodes, but not for DCs. The legislative framework for DCs focuses on enhancing their sustainability through transparency measures without explicitly incentivising deployment. The Energy Efficiency Directive (EED) XX establishes an annual sustainability reporting and lays the basis for a rating scheme. The Taxonomy for Sustainable Finance enhances transparency on DC sustainability for financial market participants XXI . DCs must comply with minimum performance and information rules of the Ecodesign Regulation XXII . While DC projects are not subject to mandatory environmental impact assessments based on EU rules, such assessments are often required by Member States 2 . The upcoming Industrial Accelerator Act will create clusters for accelerating industrial activity for the manufacturing sector, from which DCs will not benefit. Other EU initiatives target key input factors for DC deployment: the upcoming Digital Networks Act XXIII will improve connectivity; the Grids Package XXIV will ensure that electricity grids can serve growing demands, with focus on improving permitting, planning but also providing tools to accelerate grid connections procedures via a dedicated guidance on grid connections; the Savings and Investments Union XXV will improve access to capital in the EU. While these frameworks can benefit DC deployment, they are not tailored to the sector’s specific needs. The upcoming Regulation on accelerating and streamlining environmental assessments establishes a toolbox with provisions for faster environmental assessments, applicable to strategic sectors when sectoral legislations refer to it, something that CADA will leverage for DC projects.

Similarly, the EU lacks a framework for incentivising the uptake of European cloud and AI computing services and for ensuring security of supply. The DDPP sets high-level adoption targets 3 , and the Apply AI strategy XXVI supports AI adoption in strategic sectors, but without concrete measures geared at European services. Other existing frameworks address market practices: the Data Act XXVII regulates cloud switching and interoperability. The Digital Markets Act XXVIII considers cloud services as core platform services where providers can be designated as gatekeepers and subject to specific obligations 4 . The Digital Networks Act will address the scenario where a CSP operates a connectivity network. The AI Act XXIX sets out risk-based rules for providers and deployers of AI systems and general-purpose AI models, fostering trustworthy AI but without addressing computing. Other frameworks address cybersecurity: the Cybersecurity Act (CSA) XXX , currently under review, enables the adoption of an EU-wide cybersecurity certification scheme for cloud services 5 and addresses supply chains by tackling high-risk vendors but without addressing public procurement. The Digital Operational Resilience Act XXXI targeting financial entities, and the NIS2 Directive XXXII defining sectors of high criticality, require entities like CSPs to implement risk management and other security measures. The use of cloud and AI computing services in the public sector is horizontally governed by the Public Procurement framework, currently under revision, which enshrines transparency, equal treatment, open competition and sound procedures as well as respect for EU’s international commitments XXXIII . However, these initiatives fall short of addressing sovereignty considerations in this sector.

2.Problem definition

The analysis conducted identified two key problems that warrant policy attention. This chapter presents these problems in detail, exploring their underlying root causes structured around four main problem drivers. It further assesses the associated risks and potential consequences should these issues remain unaddressed. To better define and characterise the identified problems, it is useful to first examine the competitive dynamics in the cloud computing market and the functioning of cloud service demand and supply, as a critical contextual element.

2.1.Problem context

Cloud computing emerged in the early 2000s in the United States, with Amazon Web Services (AWS) being established in 2002 and commercial cloud offers from AWS, Google and others becoming popular from 2008 onwards. The early 2010s set the stage for the massive adoption of cloud services XXXIV , which accelerated further in subsequent years. The global cloud and data infrastructure market grew by around 35% per year since 2016 XXXV , with expected growth rates above 20% for subsequent years. In the EU, this high-growth environment led the share of enterprises buying cloud services to increase from 18% in 2014 to 53% in 2025, with adoption almost tripling in a decade; for large firms, the figure exceeds 80% XXXVI . This rapid growth in market demand can be linked to three major trends:

·The digitalisation of the economy and a structural shift from on-premises IT models: businesses across sectors have migrated from traditional on-premises infrastructure to cloud solutions, considered to offer lower upfront costs, more flexibility and a richer ecosystem of services in a single interface. Part of this cloudification has also been supply-driven, as providers pushed from installed licences to cloud subscription models 6 . Major CSPs, massively supported by system integrators, expanded their service portfolios, pricing models and migration programmes in ways that created and deepened the demand for cloud services. This initial trend from on-premises to infrastructure-as-a-service (IaaS) has seen a second wave towards more advanced platforms deployed as platform-as-a-service (PaaS) and software-as-a-service (SaaS). The growing weight of PaaS and the shift towards AI (mostly deployed as SaaS) has been a key market dynamic in the last years and remains so to date.

·The emergence of new cloud native digital services: demand has increased with the rise of cloud-native platforms such as social media, video and music streaming, and a broad range of SaaS applications such as Customer Relations Management tools.

·Artificial Intelligence and data-driven business models: the diffusion of AI, advanced analytics and data-intensive applications have increased demand for compute power, often requiring processing capacity close to end-users to meet low-latency requirements, thus reinforcing the shift towards cloud and edge solutions.

From 2017 to 2021, the European cloud market expanded rapidly, notably during Covid-19, which increased the use of digital services and boosted demand for cloud computing across the EU. However, most of the incremental demand was captured by US hyperscalers, whose share rose from around half to two-thirds of the market, while European providers’ collective share nearly halved XXXVII . During this period, European CSPs were predominantly national or regional players serving domestic markets. They reacted to foreign competition by either specialising in use cases with stronger data sovereignty and privacy demands XXXVIII or by developing partnerships with the hyperscalers 7 , rather than matching the broad footprint of US providers. This was the case too of European Telco providers who ventured into cloud services, but mostly partnering with US CSPs, becoming de facto resellers. The 2021 European industrial technology roadmap for the next generation cloud-edge offering, prepared by key European players, argued that the European digital market was “fragmented into local realms, individually lacking the critical mass for players to scale and compete” with the US and China XXXIX . Despite strong revenue growth, the market share of European providers declined. By contrast, large US providers have been able to benefit given their early, large-scale deployment of cloud offerings, which put them in a position to capture this market growth. This was made possible by three elements.

Firstly, US CSPs were able to build on an early growth driven by US government adoption. In 2013, the Central Intelligence Agency awarded a USD 600 m contract to AWS XL , followed by the award of a fifteen-year multi-billion-dollar contract for the development of the “Commercial Cloud Enterprise” to AWS, Google, IBM, Microsoft and Oracle. The Department of Defence awarded additional sizeable contracts to these providers for developing secure cloud services or enabling the migration to the cloud of agencies like DARPA 8 . These early and large-scale public contracts ensured fixed revenues and allowed these providers to grow their portfolio, often with particularly secure services resulting from the stringent requirements of the US administration. These providers carried their first-mover advantage to Europe demand for cloud services was just emerging XLI , driving early European cloud users to turn to US providers 9 . As well, in the shift from on-premises to cloud solutions, hyperscalers extensively used partner networks. By offering dedicated training and skill certifications, they engaged in partnerships with consulting firms and resellers, through which they could rapidly expand in local markets XLII .  

Secondly, the absence of a thriving tech industry in the EU prompted US CSPs to leverage their domestic advantage by partnering with large global technology companies when expanding into the European market. Indeed, figures show that cloud adoption in the EU is driven by companies working in the ICT sector XLIII , which are often not European and tend to buy the same cloud services as they buy domestically, i.e. US CSPs. Some examples: Netflix, which serves more than 50% of the European video-on-demand market, relies exclusively on AWS for its core cloud infrastructure XLIV ; the Amazon (retail) Marketplace serves as an anchor customer for AWS, its own cloud services offering.

With respect to market dynamics, competition in cloud services, like other capital-intensive network industries, is characterised by distinct supply and demand side elements.

On the supply side, cloud markets are defined by considerable sunk costs associated with data centre deployment, with long investment times and substantial economies of scale and scope. These characteristics tend to benefit large providers which can fund expensive compute capacity and distribute costs across a wide customer base and a diverse service portfolio. When looking at infrastructure, high fixed costs constitute a major barrier to entry. The cloud and AI infrastructure market is capital-intensive: building and equipping data centres requires large upfront investment, and providers are able to secure financing if they expect sufficient demand and market share gains. Differences in deployment procedures among Member States create transaction costs within the single market, affecting the profitability of new projects. These costs are more easily absorbed by larger providers but remain prohibitive for smaller firms. Access to funding is also slower and more complex for small enterprises. By contrast, AWS, Microsoft and Google were able to collectively invest around EUR 12 bn in European infrastructure in 2020 alone, marking a 20% increase compared to the previous year XLV . This investment capacity was underpinned by vertically integrated businesses and diversified revenue streams. The French Autorité de la Concurrence, in its 2023 opinion on cloud services, emphasised that hyperscalers benefit from “conglomerate” structures, i.e. their presence in multiple digital markets allows them to develop credit systems and discounts using their market power to accelerate cloud growth. Similarly, a more recent work by the OECD on competition in the cloud market notes that hyperscalers are best equipped to mitigate the risks of aggressive cloud expansion by “portfolio diversification or cross-subsidising losses” 10 . On the innovation side, the asymmetry with European players is also evident. The EU Industrial R&D Investment Scoreboard showed that by 2018-2020 Amazon, Alphabet and Microsoft were among the top global corporate R&D investors, each spending in the order of billions of dollars per year. In the same period, Europe’s largest R&D spenders were concentrated in the automotive and pharmaceutical sector, while European cloud providers like OVHcloud were small companies with revenues in the hundreds of millions and modest R&D budgets XLVI . This disparity in innovation spending, combined with hyperscalers large capital expenditures, projected to reach USD 335 bn in 2025 XLVII , has given them an important advantage over smaller providers to offer broader service portfolios and integrated ecosystems.

On the demand side, customer choices are shaped by two key factors: the value placed on flexibility and the breadth of services available through single platforms operating seamlessly. On these two key factors, hyperscalers have been better placed than European providers from the start. Although European cloud offerings encompass a diverse range of services, customers need to collaborate with multiple providers to match the quality and breadth of services offered by leading global cloud providers. End-users desire simplicity and have grown accustomed to one-stop shops delivering everything from Infrastructure-as-a-Service (IaaS) to Software-as-a-Service (SaaS) on a global scale, a level of integrated service that hyperscalers readily supply. In contrast, European providers typically have more limited catalogues, often focused on specific infrastructure or industry niches, making it challenging to secure substantial, multi-country enterprise deals. In several European industries, value chains are organised around networks of smaller providers that combine their specialised products across the single market, supported by common standards and technical specifications. This was achieved in the telecom sector after the introduction of the GSM standard. However, a similar market structure has not materialised in the cloud sector. As mentioned above, instead of pooling resources and federating, European providers decided to (i) build partnerships with US hyperscalers, (ii) focus on a specific region, or (iii) specialise in a single layer of the cloud stack, e.g. IaaS or Saas offerings, rather than offering a comprehensive portfolio. By contrast, US hyperscalers deliver an integrated, end-to-end service, operating as “IT supermarkets” XLVIII . The French competition authority clearly noted that hyperscalers’ large ecosystem of offers implies that, for several workloads, competition takes place “for the market” rather than “on the market” as customers tend to choose a single supplier able to cover their entire needs. 

The repercussions of these competition dynamics result in a rigidity when it comes to switching providers and considering alternative offers. Leading providers impose complex pricing structures, egress fees and restrictive licensing terms. When switching providers, customers face high costs stemming from egress charges, the use of proprietary data formats or APIs and long-term contracts XLIX , i.e. different forms of vendor lock-in L . Even if a better or cheaper provider exists, customers may therefore not switch, weakening competitive pressures and resulting in alternative providers struggling to attract customers due to factors outside of their control 11 . The Dutch competition authority’s cloud market study concludes that users encounter technical hurdles to portability and incur significant financial costs for data transfer, which collectively make switching providers challenging and effectively lock users into the chosen cloud provider for lengthy periods, contributing to market consolidation LI . Moreover, once a provider becomes the ‘default’ or ‘safe choice’, the customer starts creating the tooling and culture around this provider, resulting in inertia as an effective blocker of new incumbents. In this context, EU providers struggle to attract customers away from well-established US providers. The challenges described above, along with difficulties in partnering with system integrators, consultancies and intermediaries to promote European solutions, have collectively contributed to the gradual erosion of market share for EU CSPs.

Last but not least, there are signals of new opportunities for European providers to gain market shares. AI adoption, the third demand driver identified above, is bringing change to the market landscape, and competitive positions could change. While US providers are already well established mostly thanks to their integrated offers, European providers might still find opportunities to capture growth, especially in relation to more specialised, sector-specific offers, where their proximity to customers and ability to provide safeguards in terms of data localisation and integrity are important. The Apply AI strategy adopted by the Commission is a signal in that direction. AI has the potential to alter industry business models, with cloud and AI services extending beyond basic IT commodity functions to become integral parts of a company’s competitive edge. Furthermore, the issue of sovereignty, exacerbated by geopolitical considerations, has gained prominence and could be an opportunity for European cloud and AI providers. According to Gartner LII  the sovereign cloud IaaS market is forecast to grow at a yearly rate of 38% in the next five years, with developments in terms of moving away from global cloud providers and new business migrating to a sovereign cloud environment. The positioning of European cloud and AI providers as sovereign is, however, today hindered by a lack of clarity and lack of harmonisation in the market in terms of how sovereign services are defined.

2.2.What are the problems?

2.2.1.Problem 1 - Limited and geographically concentrated availability of computing capacity in the EU 

AI is driving an unprecedented demand for computing capacity, not only for the High-Performance Computing (HPC) capacity required to train models, but also for the capacity to enable inference, fine-tuning and service integration LIII . The European AI market is projected to exceed EUR 300 bn by 2030 LIV , growing at more than 26% between 2025 and 2030 12 . Beyond AI, adoption of cloud computing and other digital services continues to accelerate, adding further pressure on the available computing capacity 13 . In 2025, uptake of new DC capacity in Europe 14 is expected to reach a new high of 854 MW 15 , exceeding new supply for the third consecutive year LV . Vacancy rates in major EU DC hubs have declined to historical lows, and the share of co-location capacity that is pre-leased 16 before becoming operational continues to rise. These are clear signs of high demand LVI . 

Across the EU27, the expansion of data centre capacity is not keeping pace with this rapidly growing demand. Despite increased investment LVII and installed capacity expected to reach 12.4 GW in 2025 17 , available supply remains insufficient, resulting in an estimated gap of almost 3 GW relative to current demand. 

Moreover, the existing capacity is concentrated in a limited number of established hubs, mostly in Northern and Western Member States: in 2025, Germany (Frankfurt), France (Paris), the Netherlands (Amsterdam) and Ireland (Dublin) account for 65% of the EU27 DC market 18  ( Figure 1 19 ). These locations have historically provided more favourable factors for DC deployment, e.g. strategic geographic location, proximity to end users, and connectivity to other world regions. Ireland, for example, is geographically positioned as a gateway between Europe and the US, with extensive undersea fibre-optic cable networks. This makes it an ideal location for low-latency transatlantic data transfers for US CSPs serving European markets from overseas. Ireland’s low corporate tax rate and supportive government policies have attracted significant foreign direct investment, particularly from US tech companies. These companies, including the cloud hyperscalers, have established major operations in Ireland, contributing to the rapid expansion of nearby data centre infrastructure 20 .  

Figure 1. Data centre capacity across EU 27 MS in 2025

Source: Technopolis et al. (2025) LVIII

Expressed per 100 000 inhabitants, overall capacity amounts to 2.75 MW per 100 000 people and is concentrated in a few Member States, with Ireland, the Netherlands, Denmark, Sweden, Finland and Luxembourg standing out (

Figure 2 ).

Figure 2. Data centre capacity per 100 000 people across EU 27 MS in 2025

Source: Technopolis et al. (2025) LIX

In addition, the EU lags behind other regions in both scale and ownership of digital infrastructure (see Figure 3). In 2022, Europe had approximately 1 MW of installed data centre capacity per 100 000 people, while the US had 12 MW LX . The situation persists today: despite similar GDPs, in 2025 the EU accounts for only 20% of global installed data centre capacity compared to the US (42%) LXI .

Figure 3. Comparison of GDP and data centre capacity for leading markets in 2025

Source: Technopolis et al. (2025) LXII

The existing capacity gap and strong geographical concentration point to structural inefficiencies in the allocation of resources in the market for data centre capacity, with effects already visible today:

The limited supply has led to rising prices for existing capacity, negatively affecting businesses which rely on such capacity. Since 2022, average asking prices in the European colocation markets have increased by 51% for 100 kW leases LXIII . New co-location capacity is often leased to large service providers: Amazon Web Services (AWS), Microsoft, Google 21 . By 2028, they are expected to drive 65% of the demand for DCs in Europe, an increase of 12% during the same timeframe LXIV . This reinforces the competition dynamics discussed above: when most of the new capacity is effectively reserved by a handful of players, they can shape where and how new infrastructure is built, secure access to suitable sites and further capitalise on economies of scale. Already today, vacancy rates in Europe’s top DC markets are at a record low of 7.4% LXV . Due to a lack of available space, co-location providers are expected to raise prices in 2025 by 10% in leading DC markets LXVI . The negative effects on businesses’ ability to access capacity are particularly pronounced in regions with a high concentration of DCs, where businesses are faced with higher prices.

As noted above, geographic concentration puts a strain on affected regions: in Ireland, DCs accounted for 22% of electricity demand in 2025, up 5% from 2015. The resulting grid stress has led local TSOs to enact a de facto moratorium for new DC applications in Dublin due to fears of overloading the grid and compromising energy security LXVII . Municipalities in Noord-Holland have also enacted several moratoria on building new DCs, the latest one in 2023 in Amsterdam LXVIII . In the case of Dublin, the moratorium has reportedly stalled EUR 8-10 bn in planned DC investments. The effects of grid stress also impact other user groups 22 . In Luxembourg, the plans for a large DC by Google have been subject to a review of its energy grid planning that includes a new connection to Germany LXIX because local electricity generation was not sufficient. This situation, with the saturation of existing infrastructure, has further slowed deployment, raised energy system pressures and diverted investment, rather than leading to an efficient redistribution of capacity across the Union.  

While cloud and AI computing services can be technically delivered cross-border, regions with a low DC presence are also disadvantaged by this geographic imbalance, as exemplified by the higher prices in regions with low DC presence LXX . Moreover, the lack of nearby computing capacity drives up latency, limiting the availability and quality of low-latency services, thus placing local end-users at a competitive disadvantage compared with regions that have better access to DC capacity 23 (see also section 2.3). It also points to under exploited investment opportunities if comprehensive business cases can be built around these cases. Over time, this can slow digital transformation in the affected Member States and weaken overall competitiveness within the Digital Single Market. Stakeholders have also warned that this limited availability of computing capacity in the EU acts as a barrier for the development and uptake of cloud and AI computing services: for instance, Mistral AI has warned that a lack of DC capacity could become a roadblock for developing and applying AI models in Europe LXXI . Current market dynamics risk reinforcing existing concentrations, increasing regional disparities and limited access to computing resources for business and public authorities outside main hubs.

2.2.2.Problem 2 - Dependence on cloud and AI computing services supplied by non-European 24  providers 

The European cloud services market is growing significantly. It was worth around EUR 70 bn in 2022 and is estimated to reach over EUR 200 bn by 2028 LXXII . In 2024, the European Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) market was dominated by three US companies, the so-called hyperscalers ( Table 1 ). Worldwide, AWS held a market share of 32% in Q2 2024, Microsoft 23% and Google Cloud 12%. No other provider held more than 4% LXXIII .

In Europe, those three providers account for around 70% of the market, while the largest European providers (SAP and Deutsche Telekom) each serve 2% LXXIV . The European cloud market has grown, but the market share of European providers has decreased from 29% in 2017 to 15% in 2022 and has since remained stable LXXV . A recent study for the European Parliament reaches the same conclusion, noting that US firms dominate all major software layers, including cloud, and that European providers account only for a small share of the infrastructure market LXXVI . Despite European providers playing an important role in some Software as a Service market segments, non-EU providers dominate in important fields, such as office automation and productivity software 25 .

Table 1. Market leaders for cloud services (IaaS, PaaS and hosted private cloud revenues), Q2 2024

Hyperscalers thrive in the European cloud market thanks to their global scale, significant financial resources, and overall ecosystem gravity, composed of integrated digital ecosystems LXXVII , partnership programmes and marketplaces, among others.

On the supply side, this problem impacts European providers of cloud and AI computing services in terms of foregone commercial opportunities. Astères approximates their magnitude by estimating that EU companies’ annual purchases of cloud software add EUR 264 bn to the US economy LXXVIII . On the demand side, this problem impacts private and public sector users of cloud and AI computing services. Some reports suggest that, by relying so strongly on a small number of providers, users pay more for their cloud and AI computing services than by relying on alternatives 27 . In its most basic form, this dependence can lead to significant economic costs. Without alternative, users are defenceless in light of price increases. This is illustrated by Broadcom’s acquisition of VMWare (a provider of leading virtualisation technology, for which little European alternatives exist), which resulted in unilateral licensing changes and price increases of 800% to 1500% according to users 28 . More generally, there is evidence suggesting that the dependence on non-European providers may cause European users to over-pay, with some reports suggesting that European providers offer digital resources at lower prices 29 and with lower egress charges.

European AI computing service providers lag their global competitors LXXIX , also due to their competitive disadvantage in accessing computing service providers LXXX .

Dependence also introduces significant tail risks: where users rely on a small number of providers, cloud outages can have far-reaching consequences, including business interruptions, and substantial financial or data losses LXXXI . Strong reliance on a small set of providers also means that a single failure can simultaneously affect several critical services, as seen in the recent Crowdstrike incident or AWS outages LXXXII . It also limits the EU’s operational autonomy and system resilience as these providers may be exposed to third-country policies restricting service access, for example in the context of sanctions or economic coercion. This risk recently materialised in the suspension of service provision to the Chief prosecutor of the International Criminal Court, on whom the US had previously imposed sanctions LXXXIII . This case illustrates the challenges which exposure to third-country policies can cause to operational autonomy and system resilience in the EU. Another illustrative example is the planned takeover of the Dutch cloud provider Solvinity by the US IT company Kyndryl LXXXIV . Solvinity offers cloud services to the IT company of the Dutch administration, including the back-end of digital wallet, used by 16.5 million Dutch citizens to verify their identities in order to get access to the tax administration and other departments. A non-European policy affecting the provision of Kyndryl’s services in the EU would thus cause disruption for 90% of Dutch citizens. Threats to operational autonomy and of data access are particularly concerning in highly critical use cases relying on cloud and AI computing services LXXXV . For example, their use in healthcare, defence and certain public sector services often involves the processing of highly sensitive data. Service interruption in these sectors can have significant adverse effects on the EU economy and society. Some public sector actors are undertaking steps to limit exposure to such risks. For example, the Dutch parliament called on the government to reduce its reliance on US cloud services LXXXVI , and France mandates sensitive data to be exclusively stored and processed using SecNumCloud certified services 30 provided either solely by EU providers or Joint Ventures between EU undertakings and US CSPs (see section 2.3.4 ). This issue was also recently illustrated by the postponement of Finland’s electoral management system cloudification 31 , previously awarded to AWS, and France’s switch from US solutions to open source equivalents to serve public sector video conferencing needs 32 . The European Central Bank requires banks to use hybrid architectures and a multi-cloud approach LXXXVII . The US requires Federal Agencies to use only cloud services authorised under the Federal Risk and Authorization Management Program (FedRAMP) 33 . While dependence is widely considered as a critical risk to service continuity and operational autonomy, and demand for sovereign cloud solutions is growing 34 , a coherent framework to address this challenge is still lacking at EU level.

Dependence on US providers also exposes EU user data to extraterritorial laws and potential US government access resulting from the US Clarifying Lawful Overseas Use of Data (CLOUD) Act 35  in the context of criminal proceedings, or Section 702 of the US Foreign Intelligence Surveillance Act 36 . Access can be granted unilaterally, without the involvement of EU judicial or public authorities. In a sworn testimony before the French Senate, a representative of Microsoft affirmed that the company could not guarantee that French data would not be transmitted to US authorities, even in the absence of explicit authorisation LXXXVIII . Any data managed by a US-headquartered provider or its subsidiaries is potentially exposed, including sensitive business information, intellectual property, and personal data of EU citizens. Such exposure, especially of sensitive business or public data, can raise significant concerns when considering strategic entities, public authorities, and high-profile individuals. More generally, a lack of trust in cloud and AI computing services is slowing down European users’ adoption of other digital services LXXXIX . This lack of trust is also caused by technical aspects such as not having control over the supply chain, not being able to carry out audits and penetration testing, or the uncertainty of where the data is located XC .

2.3.What are the problem drivers?

The two identified problems are closely interlinked, as they relate to consecutive stages of the same value chain, with a clear supply-demand relationship: cloud and AI computing services require adequate underlying infrastructure, while data centre investments rely on expected demand for such services. Problem 1 concerns the physical infrastructure layer, involving data centre operators, utilities, local authorities and investors. Problem 2 relates to the downstream market for cloud and AI computing services, characterised by distinct market structures, competitive dynamics and regulatory frameworks. Accordingly, the analysis of the root causes behind these two problems is presented separately, while acknowledging their interdependence. Four underlying drivers are identified: one specific to Problem 1, two specific to Problem 2 and one common driver that affects both problems.

Problem 1 relates to the limited and geographically concentrated distribution of compute capacity in the EU. It stems from two underlying factors: one related to market dynamics and the other to regulatory fragmentation. On the first one, first-mover advantage of non-EU providers reinforced by path dependency and network effects has led to market entry barriers that limit the scale and scope of EU cloud and AI computing service providers (PD1), thus hindering the deployment of capacity in the EU territory. As for the second factor, regulatory fragmentation and bottlenecks of a different nature have further slowed down the expansion of data centres (PD2), reducing international investors’ interest, and thus contributing to the limited computing capacity, while also reinforcing geographical imbalances.

Problem 2 concerns the dependence on cloud and AI computing services supplied by non-European providers. Like problem 1, it is driven by the lack of scale and scope of EU cloud service providers (PD1), which makes reliance on non-European providers inevitable. The limited public sector uptake of cloud and AI computing services supplied by European providers (PD3), even in segments where local presence is essential, further hampers the creation of a large, unified demand for such services. This weakens EU providers’ ability to invest, which results in foregone economic opportunities and deepens dependence. Finally, the absence of clarity around the concept of sovereign cloud and AI computing services (PD4) keeps European providers from commercially leveraging sovereignty as a distinguishing factor for themselves, further contributing to the problem.

Figure 4. Problem tree

2.3.1.Problem Driver 1 (PD1): Lack of scale and scope of European cloud and AI computing service providers

An important driver behind the limited and geographically concentrated availability of EU-native computing capacity and services is rooted in the comparatively small scale of European providers relative to global hyperscalers, as a result of the rapid development of the data centre and cloud sector in the EU. Notably between the years 2017 and 2021, this led to a significant market concentration around only a few non-European market incumbents well-placed to respond to the growing demand at scale which was out of reach for their European competitors.

As discussed under section 2.1, historically, the earlier cloud computing services were developed in the United States. Their early scale advantage reinforced their position as the world’s leading data centre hub XCI , which US providers leveraged for global service provision. Hyperscalers invested aggressively in infrastructure, and building networks of data centres connected via submarine cables that enabled data flows into European markets XCII . This first-mover advantage reinforced their leadership in the continent, setting a high entry and growth barrier for European providers. 

Hyperscalers leveraged their scale to standardise services, invest in innovation and accumulate the financial resources to deploy compute capacity globally: today the AWS cloud spans 117 availability zones (AZs) within 37 geographical regions XCIII . By comparison, OVHcloud has 37 AZs XCIV . Due to their comparatively higher scale and financing advantages XCV , the ongoing expansion of data centre capacity in the EU is driven by non-European CSPs XCVI . As demand for local capacity grows, hyperscalers are able to secure land and grid access for their own data centres and (pre)lease large amounts of co-location data centre space, thus becoming anchor tenants for larger sites, while European CSPs struggle to access the same resources for developing digital infrastructure XCVII and are relegated to residual capacity under less attractive conditions. This is visible in the geography of Europe’s data centres: the FLAPD hubs (Frankfurt, London, Amsterdam, Paris and Dublin) comprise over 60% of operational capacity and around half of the new and planned capacity is mainly driven by hyperscalers pre-leasing and committed projects XCVIII . Scale and scope advantages of large providers reinforce the convenience of building in existing hubs.

Faced with these market dynamics, most European providers remain smaller, specialised and nationally fragmented, lacking the scale, scope or cross-border integration to deliver comparable cloud services. Comparatively lower revenues reduce their ability to invest in infrastructure expansion or innovation XCIX . Google, for example, spent USD 9.6 bn on DCs across the globe in Q3 2025 only C . The capital expenditure of OVHCloud for the entire financial year 2025 amounts to EUR 361.4 m with EUR 51 m devoted to infrastructure and networks CI . Taken together, these factors (a) reinforce the structural advantage of large non-EU providers in securing key resources at scale, (b) further constrain the ability of European providers to expand, and (c) contribute to the current shortage and spatial concentration of computing capacity in a few established hubs, leaving significant areas of the Union under-served in terms of local compute.

The lack of scale and scope of European cloud and AI computing service providers is also closely linked to the second problem, i.e. the dependence on cloud and AI computing services supplied by non-European providers.

As mentioned under section 2.1, hyperscalers leverage bundles of services to operate as “walled gardens” meeting “all” customer needs, often within their own closed marketplaces CII . The convenience of accessing all cloud-related services from a single provider is a key driver for customer choice CIII . AWS and Microsoft Azure each have 200+ services across their portfolios, and Google Cloud delivers 100+ specialised offerings available at their proprietary marketplaces. The absence of a comprehensive vendor-neutral marketplace creates an imperfect information environment about available services and their characteristics and negatively affect the comparability of services across providers and general awareness of users about the services offered by smaller, including European, providers (discovery problem). End-users desire simplicity and have grown accustomed to one-stop shops delivering everything from Infrastructure-as-a-Service (IaaS) to Software-as-a-Service (SaaS) on a global scale, a level of integrated service that hyperscalers readily supply. Customers may therefore make suboptimal choices because they cannot easily compare offers. Imperfect information constitutes a failure in the market for cloud and AI computing services and reduces competitive pressure on incumbents.

Hyperscalers also offer dedicated professional training 37 and certification programmes 38 , including through partnerships with key IT consultants and system integrators tailoring hyperscaler tools to specific customer needs CIV  that re-sell or promote their services CV . This has led to high transaction costs of leaving the hyperscalers ecosystems and a form of skills lock-in 39 .

Lock-in practices and the absence of technical interoperability further bolster the hyperscalers’ market position by making it less likely for customers to switch to another provider 40 . In a market characterised by network effects and high switching costs CVI , the initial choice of cloud and AI computing service provider limits future possibilities for diversification. This has posed high entry barriers for ‘late’ entrants, notably European ones 41 . Large providers leverage their strong position in the cloud market to attract customers with low entry prices, for example through cloud credits 42 , but also to expand into the emerging market of AI computing services CVII , through tying and bundling practices - linking together new AI applications with existing cloud products - and preferential access to computing power CVIII . Their extensive service portfolio is also a competitive advantage for attracting AI companies as customers since they rely on the advanced offering of large providers to provide better usability.

European providers do not offer the same breadth of services. OVHcloud and Scaleway, for example, offer around 80 services CIX whereas the US hyperscalers, such as Amazon, offer around 200. Annex 13 provides a comparative analysis of a sample of service of European vs American, demonstrating that EU providers usually cover well core IaaS and PaaS services but also highlight the actual gaps which tend to be more specific. These relate mainly to native AI/ML platforms, serverless, and integrated analytics pipelines where European providers have not yet reached hyperscaler maturity. 

A smaller catalogue of services does not equate to lower quality, as argued later in this section. Gap analyses show that European providers offer equivalent quality in their services to those offered by the hyperscalers 43  but with rather a more limited integration: To obtain access to a similar breadth of services as those offered by a single hyperscaler, a customer must combine solutions from multiple providers CX – each requiring different skills 44 , using different tooling, and employing different operational procedures. In the absence of tools that easily enable such combination of resources, such as cloud brokers 45 , customers must invest their own resources to integrate services from different providers through custom developments. 

A broader and a better integrated catalogue offers an advantage to US providers but this comes with a caveat. The latest Eurostat data shows that the services EU enterprises actually rely on most are email, office software, file storage, database hosting, and compute power 46 , which are core IaaS workloads: virtual machines, managed databases, object storage, and nowadays also PaaS, with managed Kubernetes (orchestration). This points to the fact that customers seldom use a service catalogue to its full extent, something confirmed through interviews with European CIO public and private organisations, as well as by reports that find that only few customers use a large breadth of services from hyperscalers. 47

Another factor for the low adoption of European offers is the limited visibility of said offers, as exemplified by market reports which rarely mention European providers CXI . All this places a high commercial barrier to greater uptake of European cloud and AI computing services.

The hyperscalers’ size also allows them to better overcome barriers for offering their services across the EU 48 . Consequently, European providers often focus on highly specialised market segments, such as the treatment of sensitive workloads requiring high-quality and secure services CXII . For example, the Polish provider CloudFerro supports space-related use cases such as the ESA Civil Security programme and CODE-DE, a German Copernicus Data and Exploitation Platform. Italy’s leading provider Aruba provides the country’s eID services. The general high quality of services is highlighted, for example, by the recognition of OVHCloud and Scaleway in Gartner’s list of best Strategic Cloud Platform Services CXIII . Nevertheless, European CSPs are typically geared towards their home market. For example, OVHcloud generates 48% of its revenues in France compared to 29% in other European countries and 26% in the rest of the world. Similarly, IONOS generated 56% of its revenue in 2024 in Germany, as compared to only 8% in Spain, 5% in France, and 3% in Poland as the next biggest markets in the EU 49 . This phenomenon is even more pronounced in the Italian market. 89.7% of Aruba customer base is in Italy, followed by only 0.6% in Spain and 0.5% in France 50 . In 2021, the European Alliance on Industrial Data, Edge and Cloud gathering all main European cloud providers pointed out their lack of ability to exploit the Single Market and offer their services across borders efficiently as one of the main barriers to scaling up and being able to compete with non-European providers 51 . This, paired with the absence of effective interoperability mechanisms across services or solutions that allow for a federation of cloud resources among CSPs, prevents European providers from achieving economies of scale (see also section 2.2.2 ).

Taking the considerations above, and under the same market conditions, US hyperscalers have been able to thrive in the EU while their local competitors have not. The hyperscalers are able to exploit massive economies of scale, integrated ecosystems with default interoperability across services and high capital expenditure, which allow them to offer cheaper and broader services. Due to their global scale and capital, hyperscalers are able to spread compliance costs across the different national markets over a large revenue base, amortizing them across scale so the average compliance cost per unit of revenue (e.g. service) falls with scale. Conversely, European providers remain sub-scale and confined to niche segments, focused mainly on their own national markets and legal regimes. The services offered by EU providers, while equal in innovation and quality, are not as integrated as the services offered by the hyperscalers nor they benefit from a large ecosystem gravity, which prevents demand from pooling into contracts large enough to justify more investments. Due to the sub-scale, compliance costs for EU providers remain higher, which may slow them the release of advanced features that would allow them to meet the expectations of customers operating in certain critical markets.

The outcome is a Single Market failure: in a genuinely unified market, all providers should be able to scale across borders with relatively uniform rules, standards, and buying channels, allowing efficient firms to grow and compete on equal footing. However, persistent regulatory and contractual heterogeneity and fragmentation (see also next sections), as well as siloed demand, mean that the EU’s market remains de facto segmented, so network effects and economies of scale accrue disproportionately to already scaled non-EU incumbents rather than enabling EU-based providers to reach competitive size.

2.3.2.Problem Driver 2 (PD2): Bottlenecks slowing down data centre expansion

The second driver concerns bottlenecks and regulatory fragmentation, which have contributed to slowing the expansion of data centre deployment, reducing attractiveness of Europe for investors and as a result contributed to limited computing capacity and persistent geographic imbalances.

Companies seeking to build data centres in the EU are faced with a fragmented policy and regulatory environment 52 . For example, Germany’s Energy Efficiency Act imposes Germany-specific obligations on data centres related to the use of renewable energy and heat recovery 53 . In the Netherlands, stricter rules are applied on new facilities in the Amsterdam region as opposed to other parts of the country 54 . In Poland, different permits are needed for different types of data centres 55 . Bulgarian zoning regulations altogether lack an adequate category for data centres. In the context of infrastructure buildout, the most relevant bottlenecks and frictions are found in permitting, availability of suitable land, grid access, and access to capital.

Permitting procedures for infrastructure development – which encompass zoning and land allocation, building permits, utilities and grid connection authorisations, and environmental permitting – involve multiple, often inconsistent layers of national and local regulations with multiple uncoordinated stakeholders and non-centralised processes. DCs are often not mentioned in national or municipal planning regulations, creating uncertainty and requiring additional rezoning processes in some jurisdictions CXIV . Permitting regimes typically ignore the strategic dimension of DCs for the EU economy, notably their enabling role for the EU uptake of digital solutions. Most jurisdictions require environmental review, ranging from basic assessments to full Environmental Impact Assessments that further lengthen the permitting process CXV . In most Member States, permitting involves repetitive requests and lengthy timelines, which can be aggravated by community opposition and appeals 56 .

The example of Germany illustrates well how and why permitting has emerged as a bottleneck for data centre deployment in light of the recent significant increase in demand for data centre capacity (see section 2.1.1). Germany’s central location in Europe and its proximity to business users have made it a major data centre hub, despite comparatively long timelines for permitting. Early investments have resulted in strong path dependency and network effects, with new capacity continuing to cluster around established hubs despite rising congestion costs, grid limitations, and regulatory barriers. However, with demand for data centres growing, permitting is now a bottleneck holding back the fast expansion of data centre capacity that would be necessary to reduce the capacity gap. Illustrative cases in Ireland and Luxembourg show how administrative delays caused 57 data centre projects to be cancelled or delayed. In response, Member States or regions have adopted policies to accelerate DC deployment, for example by offering transparent planning procedures (Denmark), pre-designating areas (France), naming DC projects as of “strategic economic interest” (Spain at regional level), enabling parallel rather than sequential permitting (Germany), encouraging DCs to locate within existing industrial areas (Finland) or through tax incentives for DC operators (Sweden). While these acceleration measures facilitate short-term capacity expansion at national level, they contribute further to the regulatory fragmentation across the Single Market.

Another factor slowing down data centre expansion is land availability, the difficulty for DC operators to identify suitable sites. DC sites must display specific characteristics in terms of access to utilities (energy, water) and connectivity, making suitable real estate scarce. Connectivity is a particularly relevant pull factor for selecting appropriate sites for DC deployment 58 , thus reinforcing concentration in existing hubs CXVI . Land scarcity is aggravated by large cloud service providers acquiring land and reserving energy capacity, without building DCs on the site CXVII . 

Energy availability. With respect to energy needs, different modelling approaches indicate that DC energy consumption is foreseen to grow at an average annual rate of 13% between 2023 and 2030, twice the 2018-2023 growth rate CXVIII . Energy prices in Europe are two to three times higher than in the US and China, as shown in the table below, while they amount for 40-50% of DCs’ operational costs, creating a competitive disadvantage for the EU CXIX .

Table 2. Industrial electricity prices (€/kWh – all data 2025, except China 2024)

Access to energy grid constitutes an important bottleneck in the construction of DCs 62 . In parts of Europe, grid constraints have resulted in moratoria on new DC connections, especially close to established hubs CXX . Connecting a DC to the grid can take between 3 and 10 years, depending on the Member State: around 3-5 years in emerging markets (Italy or Spain) and 7-10 years in established hubs (Frankfurt, Amsterdam, Paris or Dublin), with some projects experiencing delays of up to 13 years due to grid congestion 63 CXXI . In the case of brownfield sites where there is a previous power grid connection, this interval is highly reduced CXXII , but these sites can be insufficient to meet the needs of large DC projects. To overcome grid interconnection delays, DC operators are increasingly considering producing their own energy, with a dedicated microgrid. In some cases, such energy production could be based on gas turbines CXXIII , which would significantly increase their scope 1 greenhouse gas emissions 64 . 

Another bottleneck holding data centre expansion at the necessary speed is limited access to capital: over the past five years 58% of global DC investment occurred in the US with a record in 2023 CXXIV , with Europe accounting for a smaller share CXXV . AI computing infrastructure can be ten to thirty-times more expensive than general-purpose DCs CXXVI , requiring massive capital investment. The EU’s fragmented financing landscape lacks the depth of an integrated capital market. Compared to the US, the UK CXXVII and China CXXVIII , European investors have treated DCs as a niche market rather than a distinct asset CXXIX . In addition, many parameters affect the bankability of DC projects 65 such as the size of the operator, permitting and access to grid. Combined with Europe’s fragmented capital markets 66 and the high risk associated with smaller EU CSPs, notably outside the FLAPD markets, these challenges slow down capital mobilisation for DCs.

In parallel to these bottlenecks across EU markets, water availability can be a critical factor for DC deployment for DCs that use cooling technologies which rely on water. With evaporative cooling techniques, a 1-megawatt DC can use up to 25.5 m litres of water annually CXXX , a potential issue in water-stressed locations CXXXI . While this is not a systematic investment bottleneck in Europe compared with other constraints 67 , its importance in site selection and environmental assessments highlights the need to consider water risk as a relevant aspect of future infrastructure planning.

In responding to this unprecedented demand growth, the factors highlighted above are holding the EU back from swiftly building the computing capacity needed to respond to the increase in demand, including for socially valuable infrastructure. The identified bottlenecks have historically not weighed as heavily as today: the demand for data centres has surged with the growing role of digital services and, more recently, with the advent of AI, which also require data centres located closer to users. This results not only in a capacity gap but also in the reinforcement of geographic imbalances, driven by regulatory fragmentation and the risk of regulatory arbitrage. This driver can be considered a coordination failure among investors, energy system operators, and public authorities, coupled with regulatory failures, as a result of fragmented practices and divergent regulations. The first hinders effective communication of where new capacity could yield the greatest net benefits, while individual regulations have created obstacles to the proper functioning of the internal market, increasing compliance costs and preventing the cross-border scaling for smaller operators. Even though larger companies face the same rules, they are able to internalise such costs and regulatory heterogeneity given their global scale.

2.3.3.Problem Driver 3 (PD3): Limited public sector uptake of cloud and AI computing services supplied by European providers and diverging procurement practices

This driver is innately linked to PD1. While some analysts CXXXII argue that the dependence on non-European cloud and AI computing services stems from the limited scale and scope of these services (PD1), others argue that the scale and scope of these services can only grow based on stable anchor customers CXXXIII .

As discussed in relation to PD1, the initial growth of today’s largest cloud and AI computing service providers was fuelled by public contracts. Similar opportunities did not emerge for European providers. Generally, public sector cloud uptake and corresponding spending on cloud and AI computing services is relatively low. Looking at 2024 publicly available data from the portal of Tenders Electronic Daily, approximately 3.13% of ICT awards were dedicated to cloud and AI computing services. Out of all award notices published on the portal in 2024, 0.34% were related to cloud and AI computing services. Budgetary constraints and a shortage of a digitally skilled workforce to build their own private cloud constructs 68 make public authorities dependent on cloud and AI computing services from external providers CXXXIV . The systematic uptake of cloud and AI computing services by the public sector is still a relatively recent phenomenon. For example, Italy only set up its Polo Strategico Nazionale to provide public administrations with access to cloud infrastructure in 2022 CXXXV  and Germany launched its government cloud in March 2025 CXXXVI . While all Member States have developed national AI strategies and 21 of them have in place dedicated cloud policies, Member States vary widely in terms of maturity in the uptake of cloud services or in how they allocate and report public funding associated with these initiatives 69 . In some Member States, public procurement practices impede the procurement of pay-per-use cloud and AI computing services as they cater more towards fixed-price contracts CXXXVII . Beyond pricing modalities, the lack of harmonised approaches to procuring cloud and AI computing services creates difficulties in developing and evaluating call for tenders 70 . Moreover, the approach to using cloud and AI computing services laid down in cloud strategies and policies varies significantly, even within the same public entity and does not always include risk assessments 71 . Where they do purchase cloud and AI computing services, an increasing number of public sector entities relies on services provided by non-European companies 72 , sometimes concluding direct partnerships 73 . For example, Finland's State Treasury uses Oracle and Microsoft Azure, Denmark's state public services use OpenStack's private cloud, Belgium's public authorities use a hybrid G-cloud, which runs on the clouds by IBM, Microsoft and Oracle, and the Dutch Tax Office uses Microsoft Azure CXXXVIII . Similarly, the Flemish government recently partnered with Microsoft CXXXIX . Some public tenders directly refer to services from leading cloud and AI computing service providers 74 . A 2026 study by FOTI, the Future of Technology Institute, shows the pervasiveness of non-European providers also in the defence sector 75 . This results in foregone economic opportunities for European CSPs and closes off one avenue for obtaining the stable public contracts that have allowed US CSPs to scale (see PD1).

While the described barriers to public sector cloud adoption affect public sector demand for all service providers, they have particularly pronounced effects on comparatively smaller European providers which do not have the resources to navigate diverging approaches to public procurement, and that prevent them from the benefits of the Single Market (regulatory failure). Moreover, budgetary and human resources constraints 76 as well as a lack of awareness for alternative solutions drive the public sector towards the purchasing of integrated service packages from large incumbents CXL (see PD1). At the same time, public sector organisations voice strong concerns related to the possible loss of operational autonomy and control over the data and associated infrastructure 77 . Different national approaches have emerged to identify what constitutes a sovereign cloud provider and leveraging public procurement, as evidenced for example by the recent Franco-German sovereignty task force 78 . Similarly, there are multiple and diverging national cybersecurity certification schemes, as described in section 2.2.1 of the report, with some of them integrating a sovereignty dimension, demonstrating a clear fragmentation in the internal market (systemic failure – fragmentation of the internal market). While potentially effective in pursuing individual Member States’ policy objectives with respect to their enhanced autonomy, different national efforts come at the cost of increased regulatory fragmentation. This undermines the ability of comparatively smaller providers to easily navigate the European cloud market and offer their services across borders, including to public procurers. As discussed in the Draghi report, “multiple different national rules in public procurement generate high ongoing costs for cloud providers. The net effect of this burden of regulation is that only larger companies – which are often non-EU based – have the financial capacity and incentive to bear the costs of complying 79 .”

This limited public sector uptake of cloud and AI computing services has spillover effects on the modernisation of public services. The adoption of cloud and AI is also a driver of public sector modernisation, as it enables administrations to move away from often fragmented, legacy IT systems toward more flexible, scalable, and interoperable digital infrastructures. By leveraging cloud and AI, public authorities can deploy new applications faster, improve service reliability, and respond more effectively to changing policy needs or crises. They also facilitate data sharing across departments and levels of government, supporting more integrated and user-centric public services. In addition, they reduces the burden of maintaining on-premises infrastructure, allowing resources to be redirected towards core missions. Overall, cloud and AI adoption underpins a shift toward a more agile, efficient, and digitally capable public administration.

Finally, cloud and AI-savvy public authorities are increasingly embracing OSS CXLI , thanks to its overall lower total cost of ownership but their benefits remain to be scaled. While OSS deployed on EU-based data centres addresses some concerns over confidentiality of data and enables custom-built solutions, it entails some difficulties regarding time, skills and lack of easily re-usable public procurement award criteria (regulatory failure – administrative burden). This is exacerbated by public authorities lacking a common approach to open source, notably when agreeing to coordinated developments 80 , or to the sharing and maintenance of existing code 81 . Additionally, many of the open source components widely used in today’s services and applications are maintained by single individuals and small teams, creating critical points of failure (see the log4j case, mostly maintained by one individual and which is considered the second most commonly exploited vulnerability CXLII ). Thus, while open source offers more transparency by releasing code openly for more eyes to review and faster bug discovery, it requires constant and expert monitoring to avoid that vulnerabilities are exploited by malicious actors.  

2.3.4.Problem Driver 4 (PD4): Absence of clarity around the concept of sovereign cloud and AI computing services

In the absence of an agreed definition and criteria to evaluate sovereignty, users are left without the necessary information to assess whether a service is sovereign or not. At the same time, providers are left without a reliable opportunity to distinguish themselves commercially.

‘Sovereignty’ is often used in the ICT domain without a commonly accepted definition. Literature defines it as “possessing the ability and competences to have reliable access to a technology it deems critical for its own system, without any structural, uncontrollable dependency from third countries” CXLIII . Currently, non-European service providers, including US-based CSPs, are at the forefront of offering sovereign-branded solutions for the EU market based on diverse characteristics. For example, AWS European Sovereign Cloud guarantees data residency in Europe with physical and logical separation from other regions and operation entirely run by EU residents CXLIV . Oracle’s EU Sovereign Cloud locates customer support, DC support, and DC operations fully in the EU and ensures management by a dedicated EU entity CXLV . An alternative approach takes the form of joint ventures, such as Bleu (partnership between Capgemini and Orange offering Microsoft services) CXLVI or Clarence (joint venture between Proximus and LuxConnect based on Google technology) CXLVII .

The price of sovereign cloud offers over traditional ones is subject to diverse points of view, something not surprising given their recent arrival to the market. An analysis carried out by BCG 82  estimates that listed prices are 10% to 30% higher compared to the public cloud. According to BCG, “Google Sovereign Cloud is priced 10% to 20% over the public cloud, while Oracle EU Sovereign Cloud charges a 15% to 30% price premium”, whereas “Microsoft Azure Government carries a 15% to 25% price premium”. An empirical comparison of AWS pricing between the sovereign cloud offers and the eu-central-1 region (Frankfurt) of 6 AWS cloud services in January 2026 using AWS’ provided calculator shows that the average price premium for the previously mentioned sovereign services is of 15% 83 . Against these observations, European service providers, possibly because sovereignty in the EU is easier for them to reach, declare in bilateral interviews that their prices should not be affected by sovereignty requirements and could even be lower than non-EU non-sovereign services. Real observed prices in actual competitive tenders, to which this assessment had access in confidence, show price differences ranging from +12% to -10% for the same level of sovereign service.

This can also be observed for “sovereign AI”: For example, Oracle advertises AI solutions running on its sovereign cloud as “sovereign AI” CXLVIII , and OpenAI announced agreements with Germany as well as the UK Ministry of Justice, on the expansion of UK sovereign AI capabilities CXLIX . The descriptions of these offers often also refer to high levels of cybersecurity. However, a technically cybersecure service may still be exposed to non-EU laws requiring the provider to grant data access to third-country authorities or to third-country policies intended to limit service supply. Moreover, the processing of data in the EU does not in itself prevent the control over the software by a non-EU entity 84 .

The above-mentioned sovereignty claims are currently made without demonstrating the safeguarding of operational autonomy and the protection of data against foreign interference or access (see section 2.2.2 ). This imperfect information environment implies a failure in today’s market for cloud and AI computing services leading to an information asymmetry as users do not have a reliable means of verifying whether a service is truly sovereign or not 85 . At Member State level, existing schemes on cloud cybersecurity certification sometimes contain a sovereignty dimension. For example, the French SecNumCloud aims to ensure the ‘sovereignty of CSPs’ based on strict technical cybersecurity requirements and non-technical – sovereignty - criteria. The adoption of SecNumCloud by cloud services remains rather low, and most European customers are unaware of the benefits in the services provided by European CSPs, despite an increased use of the notion of sovereignty to market their offers CL .However, in the absence of clarity around the concept, this has not yet translated into meaningful commercial advancements CLI .

Thus, the lack of such a clear common understanding and enforceable criteria for sovereignty along with the solutions adopted by different Member States is resulting in further fragmentation of the Single Market. Announcements such as AWS investment of EUR 7.8 bn in an EU sovereign cloud CLII indicate that today’s incumbents are likely to capture the nascent market for sovereign cloud and AI computing services. In the absence of clarity on what constitutes a sovereign service, the definition will de facto be set by today’s leading providers in a way that further enshrines today’s dependence.

2.4.How likely is the problem to persist?

The problems can be expected to become increasingly acute. Despite continued investment in DCs, the gap between supply and demand of computing capacity will likely grow. The current timeline for DC deployment is likely to remain complex as rising demand puts additional strain on the already lengthy permitting processes.

Member States’ national policies to attract DCs and accelerate their deployment will likely persist, complexifying the European market for operators and creating geographical imbalances regarding the deployment of DCs towards certain regions. Considering the importance of low latency, this will lead to unequal opportunities for businesses across the EU, notably in central and southern Europe where latency performance can fall short of AI or IoT solutions execution requirements CLIII . Ultimately, insufficient access to computing capacity will limit businesses' ability to integrate AI into their operations, negatively affecting their competitiveness CLIV .

While lowering operating costs will incentivise DC operators to adopt energy efficient technologies, the industry’s demand for energy will continue to grow. Without strategic energy planning and a focus on sustainable infrastructures, DC expansion will particularly challenge existing DC hubs and regions with high strain on natural resources, at the risk of crowding out electrification objectives in other sectors and generating increasing public opposition CLV . The ongoing revision of the infrastructure planning under the TEN-E Regulation (2022/869) has a potential to reduce the scale of the problem.

Considering these factors, the expansion of DCs in the EU will continue, but at a slower pace than needed to meet growing demands. This will continue to raise prices, a trend already noticeable for colocation and access to GPU capacity in Europe CLVI . This shortage of suitable computing capacity may even lead EU businesses to move overseas CLVII or delay the deployment of low-latency services to the detriment of EU’s economic growth. Consequently, the provision of cloud and AI computing services to EU customers will continue relying on infrastructure located outside of the EU. Given the preference of many users for keeping their data in the EU, this bottleneck will slow down the adoption of cloud and AI computing services in the EU.

Today’s stable market share of 15% for European CSPs shows no indication of change, despite a growing market CLVIII . The largest European CSPs may be able to solidify their position as national players, but their smaller customer base will hinder their capacity to invest, scale up and innovate. Conversely, hyperscalers will continue to innovate and grow into the AI market, with their solutions becoming indispensable, particularly for startups and SMEs and in MS where European CSPs lack a commercial presence. Current trends suggest that US dominance in development and adoption of AI technologies, with China catching up, will persist CLIX . European businesses and public authorities will continue to rely on US AI providers to the detriment of European service providers struggling to work at the frontier.

Dependence on hyperscale cloud and AI computing service providers, particularly for highly critical use cases, will continue to expose data to third-country access and carry risks to service continuity, endangering operational autonomy.

3.Why should the EU act?

3.1.Legal basis

Article 114 of the Treaty on the Functioning of the European Union (TFEU) empowers the EU to adopt measures aimed at improving the functioning of the internal market through the approximation of the provisions laid down by law, regulation or administrative action in Member States. These measures can take the form of a Regulation or a Directive. National approaches to expanding DC capacity risk creating a fragmented landscape on DC deployment and potentially a regulatory race to the bottom in sustainability and permitting requirements. Diverging public procurement practices for cloud and AI computing services and diverging sovereignty criteria may prevent providers from fully benefitting of the internal market. If EU intervention takes the form of a legislative proposal, it can be based on Article 114 TFEU.

Article 173(3) TFEU is the basis for enhancing the EU’s competitiveness and innovation capacity. It enables measures to accelerate industry’s adaptation to structural changes; encourage an environment favourable to initiatives and to the development of undertakings throughout the EU, particularly small and medium-sized undertakings and favourable to cooperation between undertakings; and foster better exploitation of the industrial potential of policies of innovation, research and technological development. The lack of computing capacity in the EU negatively affects the competitiveness of industry, keeping it from leveraging the full potential of adopting AI, particularly those that rely on low latency. By increasing the availability of compute capacity, this initiative aims to strengthen Europe’s competitiveness and innovation capacity. If it takes the form of a legislative proposal, it can thus also be based on Article 173(3) TFEU.

Should the legislative proposal include elements associated with both improving the functioning of the internal market as well as addressing the competitiveness of the Union’s industry, the proposal would take form of a single act, building on the legal basis provided for under Articles 114 and 173(1) TFEU, to ensure a coherent approach to address, in different ways, the need for strengthening of the Union’s cloud and AI ecosystem.

3.2.Subsidiarity: Necessity of EU action

Article 5(3) TFEU stipulates that action at EU level should be taken only when the envisaged objectives cannot be sufficiently achieved by Member States alone and, due to the scale or effects of the proposed action, can be better achieved at EU level.

The development of computing capacity in the EU currently takes place along national lines. Each Member State operates under a distinct framework, with different processes and requirements for DC deployment, reflecting local conditions and needs. However, as mentioned above, national policies for DC acceleration risk further fragmentation and race-to-the-bottom with respect to sustainability. Moreover, an increasing number of low-latency applications require close computing capacity. More generally, the EU faces an acute shortage of computing capacity, a problem that risks negatively affecting its competitiveness and requires EU-level action to maintain a regulatory and investment environment that is easy to navigate for DC operators and investors, including across borders.

Closing this capacity gap and allowing European businesses and public administrations to leverage compute capacity while ensuring sustainability requires action at EU level. The dependence on cloud and AI computing services supplied by non-European providers has the same root causes across the EU and affects businesses and public administrations in all Member States. European service providers face difficulties to scale up across the EU, for example due to different national trustworthiness standards, particularly in public procurement. Divergent national procurement practices complexify the market for European providers and the underlying situation of imperfect information is a market failure requiring an EU-level response. Calls for EU-action to address these challenges were also made in the public consultation 86 .

3.3.Subsidiarity: Added value of EU action

EU action would have a clear added value in addressing the problem of limited and geographically concentrated availability of computing capacity. By providing a common approach to accelerating DC deployment, it would enable the coherent planning and deployment of computing capacity in a geographically balanced way, while avoiding a race to the bottom and reducing regulatory complexity for investors and DC operators. The EU is uniquely positioned to ensure that investment and acceleration policies reflect collective priorities and avoid fragmentation. EU-level action would ensure that all businesses and public administrations can access sufficient compute capacity to meet their needs and is a prerequisite for Europe to become an AI continent.

In addressing the dependence on cloud and AI computing services supplied by non-European providers, EU action would deliver benefits that exceed what Member States could achieve individually, especially in addressing the underlying market failures of imperfect information. This would improve the functioning of the internal market and enable cloud and AI computing service providers to grow beyond their national markets.

4.Objectives: What is to be achieved?

4.1.General objectives

The general objective of the intervention is to ensure the functioning of the internal market for cloud and AI computing services and to secure the conditions necessary for the Union’s competitiveness and strategic autonomy.

4.2.Specific objectives

Specific objective 1 (SO1): Increase computing capacity deployed in the EU through innovative and sustainable technologies. By 2030, the EU should at least triple its current DC capacity, prioritising energy-efficient technologies in at least 80% of new installations. As demand continues growing, this should be considered an intermediate objective so that by 2035, the computing capacity in the EU should meet its needs.

Specific objective 2 (SO2): Ensure attractive conditions for the deployment of sustainable and innovative computing capacity 87 . While SO1 is aimed at the deployment of capacity, this SO targets the conditions for investment and deployment. By 2030, operators should be able to obtain all permits to build and run a DC in less than 18 months throughout the EU, including access to land, permits for energy access, and connectivity – which are also a major attention point for investors.

Specific objective 3 (SO3): Decrease the overall reliance on non-European cloud and AI computing services. By 2035, this intervention should increase the market share of European cloud and AI computing service providers in the European market to 30%. Strengthening the Union’s strategic autonomy requires reducing dependencies and ensuring that European users have credible European alternatives to non-European incumbents. A stronger European supply base improves the Union’s capacity to act autonomously and enhances long-term resilience, competitiveness, and security of supply.

Specific objective 4 (SO4): Contribute to the protection of public order by enhancing the resilience of supply of cloud and AI computing services, in particular in the public sector. By 2035, 100% of the highly critical use cases in the public sector should be operated using sovereign cloud and AI computing services to ensure data confidentiality, operational autonomy and prevent harms that could undermine public order. Highly critical use cases are those of a particular systemic importance and that underpin essential functions or involve the processing of sensitive data. Ensuring that, for them, data is protected, and service continuity is guaranteed is a key element of attaining strategic autonomy. That is why these use cases are a priority for the move towards services whose provision is outside of the reach of third-country policies that could result in data access or interruptions to service continuity, i.e. sovereign services 88 .

Figure 5. Illustrative summary of the problems, drivers and objectives associated with this initiative

5.What are the available policy options?

5.1.What is the baseline from which options are assessed?

The baseline scenario assumes that today’s policies and regulations continue. Annex 9 presents the underlying assumptions.

For the limited availability of computing capacity in the EU (P1), the baseline scenario considers the projection of EU DC capacity in the absence of additional intervention in the period 2025-2036. Growth in the EU’s total installed compute capacity, measured in DC IT load, is projected to reach around 42 GW by 2036, growing yearly by 12% over this period, yet demand for computing capacity is expected to increase by 13% over the same period, creating a structural capacity gap of 19 GW as seen in Figure 6 below, across all capacity growth scenarios 89 . 

Figure 6. Evolution of the gap between data centre demand and supply

Source: Technopolis et al. (2025) CLX

DC acceleration policies and regulatory framework remain non-harmonised across Europe. Some Member States would develop national strategies to make specific locations more attractive for DC operators. Outside of these possible strategies, bottlenecks such as lengthy permitting processes would persist and capacity expansion is expected to follow existing market trends, i.e. concentrated around existing hubs. Permitting delays, grid-connection queues and land-use restrictions would persist, with localised alleviation through national reforms. The Commission would continue pursuing greater transparency on the environmental performance of DC, notably under the EED and the upcoming review of the Taxonomy for Sustainable Finance. Industry may set additional sustainability targets, e.g. under the Climate Neutral Data Centre Pact. Electricity grid constraints would become a binding factor in several Member States by the early 2030s as total DC demand surpasses 200 TWh. Under current conditions, the International Energy Agency has estimated that around 20 % of announced projects worldwide are expected to experience significant delay or downsizing CLXI . Public investment would remain focused on high-performance compute infrastructure for the training of large AI models (AI Factories, Gigafactories). Under policy option 0, the EU’s compute supply increases in absolute terms but lags well behind other regions, as shown in Figure 7 below. North America and Asia-Pacific expand faster, increasing their share of global compute. This trend risks constraining AI model training and cloud workloads within the EU, particularly for SMEs and public sector users.

Figure 7. Forecast of data centre capacity in the EU-27 vs ROW from 2025 to 2030

Source: Technopolis et al. (2025) CLXII

For the dependence on cloud and AI computing services supplied by non-European providers (P2), the baseline scenario considers that the market share of European service providers (15%) will remain stable despite the opportunities that a growing market can offer. The Policy 0 scenario reflects continued efforts under the Data Act to ensure cloud switching or parallel use of several providers. Given the recent adoption of the Data Act, its full effects will take time to materialise. The standard clauses recommended will allow for an easier switching of cloud services, whose consequences will be observable as they are progressively adopted. For the interoperability aspects, the effects are expected to take longer to materialize given the low number of existing open specifications and harmonized standards addressing the issue, that would become of mandatory application for providers following the mechanisms envisioned in the Act. The Data Act empowers the Commission to further standardization requestions and the adoption of open specifications compliant with the Data Act and that are published at a later stage. Pursuant to the recently launched investigation, a potential designation of large CSPs as gatekeepers under the Digital Markets Act may further open the market CLXIII . The revision of the CSA could enhance the security and resilience of ICT supply chains including for cloud and AI computing services. The IPCEI-CIS will continue to support the participating European providers in the development of a multi-tenant cloud-to-edge software paradigm. The activities of the European Alliance on Industrial Data, Edge and Cloud will continue to enhance cooperation among European providers. The Commission would pursue investment in OSS, such as Simpl, or the Open Internet Stack. While these may positively affect the uptake of cloud and AI computing services, they should be balanced against the problems and drivers spelled out in section 2. Without a common understanding of what a sovereign service entails, providers can promise a sovereign service to customers without clarity on its substance. This could lead to continuous uncertainty for service providers and users, particularly in the public sector. The absence of an EU-level cloud cybersecurity certification scheme is already resulting in national approaches, fragmenting the internal market. Finally, the ongoing parallel work on the Capital Markets Union strategy should address the question of availability of private capital more structurally. Against this backdrop, the baseline considers three scenarios of how the market share and revenues of European service providers will evolve in the period 2025 - 2036 without additional measures:

Table 3. Baseline scenario for Problem 2

The 15% baseline assumes European cloud providers maintain their current market share through a combination of modest revenue growth from rising customer interest in sovereignty and specialized use cases, offset by persistent structural barriers including vendor lock-in effects, hyperscaler bundling strategies, and the integration challenges that prevent easy switching. The 10% pessimistic scenario reflects the resumption of the downward trend observed until 2022: as US hyperscalers dramatically accelerate investment in cloud and AI services, creating capabilities European providers cannot match, existing regulatory protections fail to meaningfully reduce lock-in or enable genuine data portability, while aggressive bundled pricing and occasional provider failures erode enterprise confidence in European alternatives. By contrast, the 17% optimistic scenario envisions a more favourable environment where stronger existing regulations ensure genuine interoperability between cloud platforms, reliable data portability safeguards reduce switching friction, and clearer security standards boost customer trust, enabling European providers to convert sovereignty conscious customers such as the public sector and expand into segments currently dominated by hyperscalers.

5.2.Description of the policy options

This section structures the policy options by problems as identified in section 2. The options for problem 1 combine measures of different regulatory intensity and different calibrations of EU versus national delivery. The options for problem 2 are presented along a gradient of intensity of the intervention. Problem 1 and 2 interplay with each other since they concern successive steps of the same value chain, and a supply-demand relationship naturally exists: cloud and AI computing services can only be delivered if the underlying infrastructure exists. Conversely, DC operators only invest based on the expected uptake of their future capacity. The policy options are nevertheless dealt with separately as they correspond to very different realities (physical world vs. dematerialised services), contain policy measures of a different nature and mostly concern different stakeholders. Problem 1 concerns the provision of physical infrastructure (data centres, land availability, permitting, grid connection, connectivity, etc.) mainly involving data centre operators (i.e. colocation providers and, CSPs when they operate their own infrastructure), utilities, local authorities and investors. Conversely, problem 2 concerns the market for cloud and AI computing services, which is shaped by very distinct market and competition dynamics. These two markets are governed by distinct regulatory and economic mechanisms, which call for different sets of measures. This approach has allowed to assess the impacts of measures focusing on each of the two problems separately, i.e. infrastructure-related constraints vs market dynamics in the delivery of services, while still recognising their interdependence.

5.2.1.Policy Options to address the limited and geographically concentrated availability of computing capacity in the EU

Table 4. Overview of the first set of policy options, responding to Problem 1

Figure 8. Illustration of policy options to address the limited availability of computing capacity

PO1-A could be combined with both PO1-B and PO1-C. However, PO1-B and PO-C are designed as mutually exclusive. PO1-B packages measures that put Member States in the driving seat, whereas PO1-C places the implementation at the EU-level. See also section 7.7.

Policy Option PO1-A: Enhancing the existing collaborative framework

This policy option strengthens existing collaborative mechanisms between Member States, EU institutions, industry stakeholders and research bodies to support DC expansion. It addresses the identified regulatory and coordination failures through soft measures. Participation and adherence to produced guidelines would remain voluntary.

·Policy Measure 1 (PM1) creates a new working group for DC operators in the existing Alliance for Industrial Data, Edge and Cloud, enabling exchange of best practices on deployment, and regular institutionalised dialogue between DC operators, Member State representatives and European CSPs. The working group would be chaired by a representative of the DC industry, with the Commission providing the secretariat.

·Policy Measure 2 (PM2) establishes a broader forum for public-private stakeholders (DC operators, TSOs, connectivity providers, equipment manufacturers, and local authorities), enabling coordination and dialogue on DC projects and on the integration of innovative solutions in DCs. It would be convened by the Commission and can build on existing ad hoc DC grid integration roundtables.

·Policy Measure 3 (PM3) consists of adopting EU-level guidelines for deploying sustainable DCs. These would go beyond best practices on energy efficiency CLXIV and would offer guidance on deploying a sustainable DC. They would include recommendations on identifying suitable land for deployment. Leveraging the forum created under PM2, the guidelines would be co-developed by its participants and subject to periodic review.

This option is a soft way of addressing PD2 (bottlenecks slowing down data centre build-out) While they do not directly change factors like permitting or access to energy, they intend to make them less of a bottleneck by establishing direct links between the actors that are crucial for driving data centre build-out and improving information flows between them (e.g. between data centre operators and TSOs on grid capacity needs). The exchange of best practices among data centre operators will help the industry better navigate the deployment environment in the EU and guidelines will help industry identify, for example, the areas in which data centre deployment may unfold more quickly due to available grid capacity. Beyond specific projects, the interactions between relevant parties would feed into guidelines for data centre deployment – a collection of best practices to be leveraged for faster data centre build-out across the EU. This option would improve the connection between European CSPs (existing Alliance members) and key data centre players (future Alliance members under this option). This would improve opportunities for European CSPs to access data centre capacity or participate directly in the build-out.

The existing Cloud Alliance is a vibrant community of cloud companies which collaborate around projects of common interest and are generally eager to extend membership up/downstream, i.e. to DC operators and their equipment manufacturers. As part of the public consultation, 85% of business respondents (n=52) supported the development of EU guidelines.

Policy Option PO1-B: Legislative and financial intervention enforced nationally

This second policy option consists of legislative and financial intervention implemented at national level, where the EU-level intervention is limited to a coordination role.

·Policy Measure 4 (PM4) obliges Member States to designate a national facilitator for all DC projects. Member States would be free to designate as facilitator the entity that suits the task best within their own national structures, for example a service within their central administration or an agency. The facilitator would accompany the applicants from start to finish of the DC project for all authorisations relevant to DC rollout, i.e. planning and building permits, environmental assessments, water and heat use authorisations, and grid connections. Where needed, the facilitator would escalate issues for rapid resolution and interact with the designated facilitator in another Member State if needed for a specific DC.

·Policy Measure 5 (PM5) on the basis of a national data centre strategy, obliges Member States to identify suitable areas to fast-track the deployment of DCs. The identification process would follow commonly defined EU-level criteria and ensure that the area displays the necessary characteristics for DC deployment, e.g. connectivity and guaranteed existing or future grid availability. Within these areas, Member States would be required to enact – based on their choice - measures for accelerated DC deployment, beyond administrative acceleration for environmental screenings and communicate clearly on the applicable procedures and criteria. This could include a particular end use for the Data Centre such as being part of a broader digital ecosystem implementing the Apply AI objectives of the Union. The toolbox established in the new Regulation on speeding-up environmental assessments would be leveraged for designated areas, to allow them to benefit from the additional favourable provisions in environmental assessments. In designating the area and designing the related acceleration measures, Member States would receive support from an EU-level coordination hub. Established within the Commission, the hub will offer technical assistance to Member States. The designation of acceleration zones could include an EU-level mechanism to attract smaller users of collocation capacity. Where such status exists in the national context and beyond environmental assessments, DCs would receive favourable status in administrative procedures as projects of highest national significance. In identified suitable sites, Member States would be bound to the target of reaching a maximum timeline of 18 months for all relevant permits beyond environmental assessments 90 . Some fast-track areas would be reserved to DCs that are of a particular added value to the EU, for examples based on their innovation or sustainability performance (measured in line with the upcoming rating scheme under the EED) or because of the users they will serve. Accordingly, access requirements in terms of sustainability would be defined at EU level but would leave freedom to Member States to add criteria.

·Policy Measure 6 (PM6) consists of the possibility of Member States to voluntarily grant public support in line with applicable State aid rules to particularly innovative and sustainable DC projects located in the fast-track areas of PM5 (as with PM5, the sustainability performance would be in line with the EED’s rating scheme). Public support could take the form of tax incentives and consider rewarding DCs which contribute positively to grid flexibility and stability.

·Policy Measure 7 (PM7) sets an EU-wide DC capacity target which Member States must collectively reach by 2035 and an EU-level monitoring of the progress towards reaching the target. The capacity target would be formulated in MW of DC capacity and would aim to close the compute capacity gap while monitoring of capacity growth in underserved regions, thereby fostering a more geographically balanced distribution of such capacity over time. The monitoring would be integrated into the existing digital decade cycle which would result in an annual report on progress – both at EU and Member State level.

This policy option would help overcome the identified bottlenecks currently slowing down data centre deployment (PD2): The identification of suitable sites for DC deployment is a time-consuming and cumbersome step usually undertaken solely by DC investors who work on the basis of incomplete or inaccessible data (e.g. there’s no publicly accessible repository of areas with electricity availability). The national facilitator would help data centre operators navigate permitting requirements and help relevant authorities process requests as efficiently as possible. Rather than altering permitting procedures and changing local requirements, this option addresses regulatory complexity by making it more navigable for data centre operators and ensuring fastest possible treatment within fast-track areas. The designation of fast-track areas would help data centre operators identify suitable land. These measures would also aim to improve transparency and coordination around zoning and grid access to facilitate more contestable access to key inputs. Through the option for national funding, this option allows the de-risking of investments in strategic data centre projects, helping overcome access-to-capital issues. This can prove particularly beneficial for European providers to gain access to data centre capacity or participate in the build-out themselves, which can boost the scale and scope of services provided by Europeans (PD1).

Respondent views on Policy Option PO1-B. Feedback from DC operators from the public consultation (n=30 respondents) on measures under this policy option:

There has been noticeable support in the Call for Evidence (CfE) for measures within PO1-B. Most companies and business associations favour simplification of permitting requirements, introducing a national facilitator for DC projects, and fast-track mechanisms. Some respondents suggested faster grid connection and the creation of special DC deployment areas established at national level.

Policy Option PO1-C: Legislative and financial intervention enforced at EU-level

This third policy option introduces binding acceleration measures enacted at EU-level and supported with EU funding.

·Policy Measure 8 (PM8) identifies the key EU-level R&D funding challenges to the development of energy- and resource-efficient and secure DC technologies, including advanced cooling, renewable energy and storage integration, and AI-based optimisation tools 91 . While a fictitious amount is set for modelling purposes, the initiative would not mention a specific amount, thus not pre-empting the MFF discussions.

·Policy Measure 9 (PM9) creates the possibility, without prejudice to the outcome of the negotiations on the next MFF proposal, for strategic DC deployment projects to be supported by Union programmes, funds and financial instruments, in accordance with the objectives set out in the regulations establishing those funds and programmes, in particular those implementing the EU’s vision for an AI continent / Apply AI. The Cloud and AI Development Act would specify binding EU-level criteria in accordance with which strategic projects would be identified by the EC. As with PM8, a fictitious amount is used for modelling, while the initiative would only be declarative.

·Policy Measure 10 (PM10) empowers the Commission to designate suitable areas for accelerated DC deployment following EU-level criteria and in consultation with Member States experts within an EU DC Acceleration Board. This Board would be created as a dedicated committee (comitology). Permit granting for DC projects would follow EU-wide rules and require approval from the Board. For these areas, Member States would be required to enact a set of acceleration measures prescribed at EU level. The toolbox established in the new Regulation on speeding-up environmental assessments would be leveraged for DC projects deployed in these areas, to benefit from the additional favourable provisions in environmental assessments.

By centralising the designation of areas and processes for accelerated deployment under an EU expert body, this policy option would tackle the bottlenecks to DC expansion (PD2). Direct funding for the development of sustainable DC technologies and support to DC integrating such technologies would increase sustainable capacity. In terms of substance, this option has roughly the same thrust as PO1-B, but with EU-level decision-making and the use of EU funds for R&D and the deployment of strategic data centres. While open to all data centre operators, this option will also benefit European cloud and AI service providers where they themselves seek to build data centres or rent newly created co-location capacity. The measures thus also contribute to addressing the lack of scale and scope of EU cloud service providers (PD1) whose ability to scale, as described in section 2.2.1., is – among other factors – restricted by their limited infrastructure presence and the high costs of expanding it.

In response to the CfE, several companies, business associations and a Member State expressed support for R&D funding at national and EU level. Respondents generally showed strong support for measures that would advance the energy efficiency performance of data centres. In the questionnaire (n=243), 70% of respondents supported funding for R&D of energy-efficient technologies.

5.2.2.Policy Options to address the dependence on cloud and AI computing services supplied by non-European providers 

Table 5. Overview of the second set of policy options responding to problem 2

PO2-A packages measures which require EU action but without binding effects. PO2-A can be implemented together with both PO2-B and PO2-C. PO2-B represents an increasing level of EU involvement. PO2-C strengthens this further and covers binding measures. PO2-B and PO2-C are not per se mutually exclusive but some measures in PO2-C represent a different gradient of intervention from similar measures in PO2-B. Figure 9  illustrates how individual measures from each PO build on each other, making them mutually exclusive. The relationship between the options below and the identified problem drivers is discussed jointly at the end of this section.

Policy Option PO2-A: Supporting measures to increase transparency and visibility of sovereign cloud and AI computing services

This policy option aims at establishing a common understanding of the notion of sovereignty for cloud and AI computing services and increasing their visibility on the market. It is complemented by a flanking measure to ensure the participation of European providers in the development of interoperability standards.

·Policy Measure 11 (PM11) establishes a harmonised Union-level framework for sovereign cloud and AI computing services. AI systems (which are products and not services) are not concerned by the measure, as they are already subject to the AI Act. Acknowledging that different use cases require varying degrees of ‘sovereignty’, the framework provides for four levels of sovereignty assurance. Services not meeting any of the conditions would not be classified with any sovereignty level but would obviously remain available in the market. 

To be considered ‘sovereign level 1’, a service must meet the following cumulative criteria:

(I)the service provider must be established in the Union; and

(II)the service must be fully operated from computing infrastructure, personnel and assets located in the Union (meaning the EEA); and

(III)customer data, including metadata and telemetry data, is in the EU unless the customer explicitly requires otherwise; and

(IV)the service provider demonstrates that it complies with state-of-the-art cybersecurity standards; and

(V)if technical and operational support is outsourced to third-party providers outside of the Union, necessary measure are put in place to ensure that would not compromise the provider’s operational autonomy; and

(VI)there is full transparencey around the use of subcontractors, for which the cloud service provider assesses that they meet Union legal obligations; and

(VII)where the cloud service provider is subject to the control of a third country or a third country entity, it must be able to prove that the laws and government practices in that country do not require the provider to tell that country's authorities about software vulnerabilities before those vulnerabilities have been publicly discovered

These requirements would allow service providers with a parent company headquartered outside of the Union to be considered as ‘sovereign level 1’.

To be considered ‘sovereign level 2’, a service must meet the following cumulative criteria:

(I)the service provider and subcontractors must be established in the Union; and

(II)the service must be fully operated from computing infrastructure, personnel and assets located in the Union; and

(III)provide available personnel complying with additional personnel screening and Union citizenship requirements, if the customer determines that imposing these additional requirements is necessary; and

(IV)the service provider must be controlled by a legal entity in the Union. Alternatively, if the service is controlled by a third-country legal entity, it must demonstrate that it has in place the necessary technical, legal and organisational measures necessary to prevent third-country governmental access and transfer of data stored in the Union, to prevent or refuse any request from a third-country government, ensure that the control of the third-country or third-country entity is not exercised in a manner that restricts the provider’s ability to deliver the service, and to prevent the service disruption and/or degradation of the service by a third-country government 92 ; and

(V)the data generated by using the audited service shall not be re-used for the training or fine-tuning of an AI system operated by an entity outside the EEA and in any case are not transferred outside the Union; and

(VI)the customer data, including metadata and telemetry data, remain in the Union unless the customer explicitly requests otherwise; and

(VII)the service must demonstrate a high level of cybersecurity by being certified at least at level ‘substantial’ under the European Cybersecurity Certification Scheme for Cloud Services (EUCS)  93 ; and

(VIII) the service provider must demonstrate a high degree of control over the software components that underpins the service. This notably implies that there exists a list of identified dependencies related to the provision of the service, and where the software components are provided by a third-country entity, the relevant code of the security relevant components of the service stack can be audited, and there exists a migration plan in the event a vendor fails or a third-country imposes restrictions; and

(IX)if the subcontractors are from a third country or a third country entity, appropriate measures in place to demonstrate the absence of control; and

(X)operational and technical support, including outsourcing, are initiated and performed exclusively within the Union; and

(XI)where the cloud service provider is subject to the control of a third country or a third country entity, it must be able to prove that the laws and government practices in that country do not require the provider to tell that country's authorities about software vulnerabilities before those vulnerabilities have been publicly discovered

These requirements would allow service providers controlled by a third-country or third-country entity to be considered as ‘sovereign level 2’, but on the basis of some organisational efforts. Service providers owned and controlled by a legal entity in the Union would face less difficulties in complying with these criteria.

To be considered ‘sovereign level 3’, a service must meet the following cumulative criteria:

(I)the service provider and subcontractors must be established in the Union; and

(II)the service must be fully operated from computing infrastructure and assets located in the Union; and

(III)members of the board, executive team and personnel operating the service are Union nationals, located in the Union, and are security cleared where appropriate; and

(IV)the service provider must be owned and controlled by a Union legal entity and the subcontractors are not subject to the control of a third country or a third-country entity. A cloud computing service subject to the control of a third country or a legal entity established in a third-country can still be audited against the audit criteria where the third country has implemented specific safeguards that ensure that there is no risk of unauthorised access to Union data or possible disruption of service quality or continuity; and

(V)the data generated by using the audited service shall not be re-used for the training or fine-tuning of an AI system operated by an entity outside the Union and in any case are not transferred outside of the Union, and

(VI)the customer data, including metadata and telemetry data, remain in the Union unless the customer explicitly requests otherwise; and

(VII)the service must demonstrate a high level of cybersecurity by being certified at least at level ‘substantial’ under the European Cybersecurity Certification Scheme for Cloud Services (EUCS); and

(VIII)the service provider must demonstrate a high degree of control over the software components that underpin the service (software stack). This notably implies that there exists a list of identified dependencies related to the provision of the service, and where the software components are provided by a third-country entity, the relevant code of the security relevant components of the service stack can be audited, and there exists a migration plan in the event a vendor fails or a third-country imposes restrictions; and

(IX)operational and technical support, including outsourcing, are initiated and performed exclusively within the Union and by Union citizens, and by third parties that are not subject to the control of a third country or third country entity; and

(X)where the cloud service provider is subject to the control of a third country or a third country entity, it must be able to prove that the laws and government practices in that country do not require the provider to tell that country's authorities about software vulnerabilities before those vulnerabilities have been publicly discovered.

These requirements would not allow service providers whose parent company is headquartered outside of the Union to be considered as ‘sovereign level 3’.

To be considered ‘sovereign level 4’, a service must meet the following cumulative criteria:

(I)the service provider, and subcontractors must be established in the Union; and

(II)the service must be fully operated from computing infrastructure and assets located in the Union; and

(III)members of the board, executive team and personnel operating the service are Union nationals, located in the Union, and are security cleared where appropriate; and

(IV)the service provider must be owned and controlled by a Union legal entity and the subcontractors involved in the provision of the service are located in the Union, owned and controlled by a Union legal entity; and

(V)the data generated by using the audited service shall not be re-used for the training or fine-tuning of an AI system operated by a third-country legal entity and in any case are not transferred outside of the Union; and

(VI)the customer data, including metadata and telemetry data, remain exclusively in the Union; and

(VII)the service must demonstrate a high level of cybersecurity by being certified at least at level ‘high’ under the European Cybersecurity Certification Scheme for Cloud Services (EUCS); and

(VIII) the service provider must demonstrate effective control over the software components that underpin the service (software stack) by demonstrating that a third country or a third country entity does not have excessive control over the software lifecycle. This notably implies that the relevant code of the service stack can be audited and that effective control of the code exists by a Union legal entity; and 

(IX) operational and technical support, including outsourcing, are initiated and performed exclusively within the Union and by Union citizens, and by third parties that are not subject to the control of a third country or third country entity; and

(X)where the cloud service provider is subject to the control of a third country or a third country entity, it must be able to prove that the laws and government practices in that country do not require the provider to tell that country's authorities about software vulnerabilities before those vulnerabilities have been publicly discovered

These requirements would not allow providers headquartered outside of the Union to be considered as ‘sovereign level 4’.

These criteria above deal with sovereignty. Cybersecurity and sovereignty are closely related and are complementary. However, they do not focus on the same aspects nor pursue identical objectives. The Commission, through its own tendering for EUR 180 m of sovereign cloud services, was able to test the feasibility of such definitions established in different levels and could verify that it can be implemented.

·Policy Measure 12 (PM12) foresees the adoption of guidelines on the harmonised EU-level criteria for sovereign cloud and AI computing services defined under PM11 to help implementation. These guidelines would be adopted by the Commission, addressing expectations towards providers and users about what constitutes a sovereign service.

·Policy Measure 13 (PM13) addresses information asymmetries through awareness raising for the sovereignty common understanding and other measures. In particular, an annual week-long EU-organised conference on digital sovereignty, bringing together academic institutions, researchers, and overall public and private stakeholders to foster collaboration in cloud and AI innovation and the development of sovereign cloud and AI computing services. The EU-organised awareness raising efforts would centralise the currently scattered efforts of private sector entities to enhance the visibility of sovereign services and create a forum for providers to connect with prospective buyers from the private and public sector.

·Policy Measure 14 (PM14) sets up measures ensuring the effectiveness of the interoperability provisions of the Data Act: A Commission-led coordination group with Member States and industry to drive progress on the development of interoperability standards. This would serve as a preparatory step to the standardisation requests which the Commission can issue under the Data Act. In addition, the measure creates a hook for possible financial support, in the context of the next MFF (but without prejudging the outcome of such negotiations), for EU industry participation in EU standardisation organisations to ensure that the perspective of smaller European service providers is represented when these organisations work on a standardisation request issued under the Data Act.

In response to the CfE, many European companies favoured a harmonised sovereignty criteria at EU level. Public authorities showed strong support for the development of operational sovereignty criteria. Some companies and business associations, especially located outside the EU, stressed that such criteria should not exclude providers merely based on headquarters location.

Policy Option PO2-B: Voluntary framework for advancing sovereign cloud and AI computing services

This option contains measures which go beyond defining and making more visible sovereign services. They create a legislative framework for identifying such services, leaving its use voluntary. The measures also target the broader uptake of a more diverse set cloud and AI computing services in the public and private sector.

·Policy Measure 15 (PM15) would recommend Member States to carry at least one sovereignty risk assessment and repeat it at least every four years but more frequent if deemed necessary. The purpose of the sovereignty risk assessment is to identify which public sector use cases within a Member State require the use of which sovereignty level as described under PM11. The sovereignty risk assessment would assess, inter alia, the risks induced by the access to such data by a third-country authority or third-country legal entity; or the risk of possible service disruption due to dependence on a single or limited number of third-country services providers.

On the basis of dedicated discussions conducted with 3 different public authorities representing about 200 NIS2-Annex 1 contracting authorities, operating at regional, national and European level (out of an estimate of 6 400 NIS2 entities across the EU), this assessment assumes that the matching of sovereignty levels to public sector demand follows the following pattern: 70% of use cases would require a sovereignty level 1; 20% for level 2; 9% for level 3; and 1% for level 4. Even though the scheme is novel and does not correspond to existing frameworks, this assessment fits with broad orders of magnitude that can be inferred from existing analyses conducted in several Member States that have introduced risk assessments for their public sector clouds, such as France, Poland 94 or Italy 95 .

This approximation is anchored in the idea that a layered and progressively more demanding criteria is designed to tackle a progressively smaller amount of use cases. For instance, a water supply public company might have separate IT systems to deal with non-critical use cases, but fewer to manage critical systems.

Table 6. Illustrative distribution of criticality of IT systems within a fictitious public sector water company

In concrete terms, France’s SecNumCloud, the closest scheme to this sovereignty framework, was developed acknowledging that there is demand for even higher levels of sovereignty for the most sensitive use cases, estimated at 10% of all public sector use cases (which here correspond to sovereignty level 3 and level 4). Conversely, out of the remaining use cases (90% of all public sector use cases), the scheme was designed to address approximately only ⅕ to ¼ of them (that is approximately 18% to 22.5% of all public sector use cases). While the individual criteria under SecNumCloud are not the same, the compound effect of level 2 criteria under CADA allows the same type of providers (having implemented the same type of mitigating measures) to qualify for this level. The proportion of 20% (rounded up mean value of 18% and 22.5%) was therefore retained as a first approximation for the proportion of all public sector use cases where conformity with level 2 would be required.

Critical use cases, defined as the use cases whose disruption would affect operational autonomy or public order, correspond to use cases covered by level 2, 3 and 4, so 30%. The risk assessment would have to consider the reality of the supply market to avoid unrealistic outcomes, such as mandating the use of services that don’t exist (yet) in the market. The measure targets critical use cases, not individual public authorities, but it is likely that Member States would focus on the public sector entities of high criticality (as defined in NIS2 annex 1), which amount to 6 400 throughout the EU, an amount retained in this assessment where such data point is needed. This figure results from the amount of NIS 2 entities in Europe (160 000 96 ), from which 20% are essential entities under Annex I 97 , from which 20% are assumed to be public entities: 160 000 * 20% * 20% = 6 400 NIS2 Annex 1 public sector entities. 

To facilitate appropriate and coherent sovereignty risk assessments, the European Commission would develop guidelines for Member States to conduct such assessments and provide a sample risk assessment methodology (note that these guidelines concern the conduct of risk assessments and differ from PM12, which consist in explaining the different levels of sovereignty). For Member States to have up-to-date information about the market conditions of cloud and AI sovereign solutions, the Commission would also produce market monitoring reports that will point Member States to possible gaps in the coverage of some services.

The Member State would be recommended to reflect the outcome of the risk assessment in applicable public tenders, unless duly justified.

While PM11 only puts forward the definition of sovereignty levels, PM15 goes further by putting forward a framework through which the respective levels of sovereignty can be assessed. Verifying compliance against sovereignty level 1 would be based on self-assessments conducted by the service provider. Cloud computing service providers qualifying as SMEs would not be required to undergo the validation by the national competent authority.Verifying compliance of service against sovereignty level 2-3-4 would be done through third party’s auditors and verified by national competent authorities designated by Member States.. The competent authorities will then verify the audit report, opinion and evidence and will provide the decision that would allow the service provider to participate in procurement procedures across the Union that are limited to the respective assurance level. Other Member States shall be notified of the draft decision, to which they can object within 60 days. If continued objections occur, the Commission will adopt a binding decision.

The competent authorities should also register the audit approval in a Union repository, maintained by the Commission. The repository of sovereign cloud and AI computing services will be a public list of audited sovereign cloud and AI computing services that verifiably comply with the sovereignty requirements. The benefits are for providers and users alike: providers will enhance their visibility and users their market research.

To cater for market evolutions, the sovereignty criteria of all levels and evaluation methodology would be modifiable by comitology. This evaluation methodology would help third party auditors in their assessment of the service and ensure full harmonisation in the way different auditors conduct their assessment and for Member States to ensure that the procedures have been followed.

The outcome of the audit would be valid across the Union, with a recourse possibility for providers and Member States. Other Member States and the European Commission shall also have the possibility to request clarifications about certifications granted by other MS. The assessment would be renewable following the same evaluation methodology.

This measure is primarily designed to contribute to the protection of public order by enhancing the resilience in the public sector, which is SO4. Nevertheless, European providers would face less costs and efforts to meet sovereignty conditions. When it comes to meeting the criteria to demonstrate sovereignty level 1 and 2, EU providers can more readily substantiate that they are not affected by third-country policies affecting data access or limiting service continuity. As well, level 3 and level 4 sovereignty can only be served by service providers owned and controlled by EU entities. This implies that PM15 will also contribute to decreasing the overall reliance on non-European cloud and AI computing services, which is SO3.

·Policy Measure 16 (PM16), with a view to support the EU added value provided by public procurement of cloud and AI computing services, this measure establishes a set of voluntary non-price award criteria for the public procurement of cloud and AI computing services. The criteria should be of ancillary and non-decisive value in view of the overall tender and are to be included, voluntarily, by contracting authorities in the procurement of cloud and AI computing services that are not off the shelf, standardised or commercially available services. These criteria will earn additional points to tenderers that demonstrate: 

(I)That the tenderer contributes to reinforcing the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union 

(II)That the tenderer has integrated Union technologies, including the uptake of research and development results stemming from EU-funded research and development programs;

(III)That the innovation required to deliver the service being procured is conducted in the Union or in a third country that contributes to the development of a European cloud and AI ecosystem;

(IV)That the service is delivered, to the greatest extent feasible with regard to market availability or technical requirements, through critical [computing, storage and networking] hardware components designed in the Union or manufactured in the Union, or both, or, where this is not feasible, through hardware components from a country or countries that contribute to strengthening security of supply and developing a European cloud and AI ecosystem;

·Policy Measure 17 (PM17) establishes a voluntary public sector cloud federation of EU institutions, bodies and agencies, Member States and other public sector bodies. Members of the federation would be allowed to share the DC services, cloud and AI computing services which they own and control. This measure requires the Commission to create a platform providing a brokering service. The Commission and the Member States would adopt the required non-functional service level agreements (e.g. uptime) and the harmonised technical specifications.

·Policy Measure 18 (PM18) creates a vendor-neutral cloud and AI training programme to upskill workers in the single market, particularly addressing the interconnection between these services and their underlying technologies. This implies developing curricula and certification mechanism and funding the institutions delivering the training. The initiative would be declarative, without financial commitments.

Among public authorities that replied to the public consultations, 77% support mechanisms to allow the federation of cloud and AI computing services between public administrations within and across Member States. In terms of EU-level action, 53% of total respondents support the inclusion of a criterion ensuring sovereignty, autonomy, resilience and availability to help public administrations in their procurement process. This measure was supported by 77% of public authorities. 85% were in favour of guidelines with standard criteria for procuring cloud and AI computing services. Several respondents expressed support for skills training programs in both the public and private sectors.

Policy Option PO2-C: EU-coordinated procurement and support framework for sovereign cloud and AI computing services

This option leverages PO2-B (and by extension one element from PO2-A, see Figure 9 ) to foster the uptake of cloud and AI computing services in the public and private sector, with a higher level of EU intervention and mandatory requirements for the public sector.

·Policy Measure 19 (PM19): First, with a view to reducing critical dependencies, this measure makes the use of the non-price award criteria under PM16 mandatory. When procuring cloud and AI computing services for which the EU has been assessed as dependent, contracting authorities would be obliged to apply the award criteria established under PM16.

Second, Member States would have to draft an action plan to explain how they intend to use public procurement, notably through pre-commercial procurement and procurement of innovation instruments, to increase the uptake of highly innovative cloud and AI computing services from small-cap companies, notably start-ups and scale-ups. As a follow-up, the uptake of such services, would be monitored through a centralised, Commission-led monitoring exercise. This would avoid the need for separate reporting obligations and create synergies with other measures within this Policy Option that are aimed at assessing the market presence of EU providers (cf. PM21). PM19 will contribute to decreasing the overall reliance on non-European cloud and AI computing services, which is SO3.

·Policy Measure 20 (PM20) aims to encourage the share and, reuse of open source assets by the public sector. Under this measure, public authorities are encouraged to promote the use of open standards and available open source solutions where these demonstrate comparative merit to proprietary solutions and reuse digital assets, including code, configurations, and documentation, developed by other public administrations rather than commissioning similar solutions from scratch, thereby eliminating duplication of efforts and redundant expenditure on functionally similar solutions; and to share software into a common repository, ensuring that investments made by public administrations in the EU contributes to a pool of collectively maintained sovereign solutions.  

Therefore, first, this policy measure requires Member States to take the necessary measures to encourage the use of open standards and open source software by public sector organisations taking into consideration aspects such as functionalities, total cost, user-centricity, cybersecurity or other relevant justified objective criteria.

Second, public organisations will have to consider making the software for which they hold rights publicly available on an open source repository connected to the EU OSS catalogue maintained by the Commission. The released software should put in place the appropriate safeguards to protect security or intellectual property rights. To ensure the quality and security of publicly released code, open source repositories will have clear governance and operational mechanisms, such as quality assurance (e.g. DevOps) and the continuous assessment of the cybersecurity posture of the components (e.g. static and dynamic security testing) complemented by a Software Bill of Materials. The release of software as open source shall not be made in the case in which the cost of doing it would be disproportionate, there is a risk to the security of information systems of the Union or there is public order restriction.

Third, this measure includes the creation and maintenance of Open Source Programme Offices (OSPOs) within the public sector to support the implementation and management of open source software. To facilitate the cooperation among these OSPOs, the Commission will establish a Network of OSPOs.

·Policy Measure 21 (PM21) consists of two elements. First, it turns what is only a Recommendation under policy measure 15 into a binding requirement for Member States. 

Member States shall carry at least one sovereignty risk assessment and repeat it at least every four years but more frequent if deemed necessary. The purpose of the sovereignty risk assessment is to identify which public sector use cases within a Member State require the use of which sovereignty level as described under PM11. The sovereignty risk assessment would assess, inter alia, the risks induced by the access to such data by a third-country authority or third-country legal entity; or the risk of possible service disruption due to dependence on a single or limited number of third-country services providers. On the basis of dedicated discussions conducted with 3 different public authorities representing about 200 contracting authorities, this assessment is based on the finding that the matching of sovereignty levels to public sector demand follows the following pattern: 70% of use cases would require a sovereignty level 1; 20% for level 2; 9% for level 3; and 1% for level 4. Even though the scheme is novel and does not correspond to existing frameworks, this assessment fits with broad orders of magnitude that can be inferred from existing analyses conducted in several Member States that have introduced risk assessments for their public sector clouds, such as France, Poland 98 or Italy 99 . This approximation is anchored in the idea that a layered and progressively more demanding criteria is designed to tackle a progressively smaller amount of use cases. For instance, a water supply public company might have separate IT systems to deal with non-critical use cases (e.g. procurement, stock management, inventory, helpdesk, billing system, workforce management, fleet management, etc), but fewer to manage critical systems (e.g. water monitoring system). For instance, France’s SecNumCloud, the closest scheme to this sovereignty framework was developed acknowledging that there’s demand for even higher levels of sovereignty, estimated at 10% (which here correspond to level 3 and level 4), and that for the remaining 90%, SecNumCloud was designed to cover 1/5 to 1/4 of the use cases, so somewhere in between 90% * 1/5 = 18% and 90% * 1/4 = 22.5%. While the criteria for SecNumCloud and level 2 differ, this figure is nevertheless retained as a first approximation. 

Critical use cases, defined as the use cases whose disruption would affect operational autonomy or public order, correspond to use cases covered by level 2, 3 and 4. The risk assessment would have to consider the reality of the supply market to avoid unrealistic outcomes, such as mandating the use of services that don’t exist (yet) in the market.

The measure targets critical use cases, not individual public authorities, but it is likely that Member States would focus on the public sector entities of high criticality (as defined in NIS2 annex 1), which amount to 6 400 throughout the EU, an amount retained in this assessment where such data point is needed. This figure results from the amount of NIS 2 entities in Europe (160 000 100 ), from which 20% are essential entities under Annex I 101 , from which 20% are assumed to be public entities: 160 000 * 20% * 20% = 6 400 NIS2 Annex 1 public sector entities.

To facilitate appropriate and coherent sovereignty risk assessments, the European Commission would develop guidelines for Member States to conduct such assessments and provide a sample risk assessment methodology (note that these guidelines concern the conduct of risk assessments and differ from PM12, which consist in explaining the different levels of sovereignty). For Member States to have up-to-date information about the market conditions of cloud and AI sovereign solutions, the Commission would also produce market monitoring reports that will point Member States to possible gaps in the coverage of some services.

The Member States would have to determine which public authorities are required to procure specific levels of sovereignty and make this mandatory at national level, ensuring that procurement aligns with the risk assessment, unless duly justified.

While PM11 only puts forward the definition of sovereignty levels, PM15 goes further by putting forward a framework through which the respective levels of sovereignty can be assessed. Cloud computing service providers qualifying as SMEs would not be required to undergo the validation by the national competent authority. Verifying compliance against sovereignty level 1 would be based on self-assessments conducted by the service provider itself, while assessing the compliance of the service against sovereignty levels 2-3-4 would be performed through independent third party’s auditors and verified by national competent authorities designated by the Member States. The competent authorities will then verify the evidence provided by the service providers, the audit report and opinion and will provide a decision: acceptance, rejection or request for further information. If positive, the competent authority of the establishment of the service provider shall notify other MS for objections, which the evaluating competent authority will have to take into consideration for the final decision. This decision will allow the service provider to participate in procurement procedures across the Union. In the case of continued objections, the Commission will assess it and adopt a binding decision to settle the dispute. If the evaluating competent authority determines that there is not enough information to take a decision, it shall request the provider for additional information. Finally, in the case of a rejection, the cloud service provider will have the possibility to recourse, which the evaluating competent authority will have to take into account for the final decision.

Competent authorities should also register the audit approval in a Union repository, maintained by the Commission, as well as on the Digital Wallet of the service provider. The repository of sovereign cloud and AI computing services will be a public list of audited sovereign cloud and AI computing services that verifiably comply with the sovereignty requirements. The benefits are for providers and users alike: providers will enhance their visibility and users their market research.

To cater for market evolutions, the sovereignty criteria of all levels and evaluation methodology would be modifiable by comitology. This evaluation methodology would help third party auditors in their assessment of the service and ensure full harmonisation in the way different auditors conduct their assessment and for Member States to ensure that the procedures have been followed.

This measure is primarily designed to contribute to the protection of public order by enhancing the resilience in the public sector, which is SO4. Nevertheless, European providers would face less costs and efforts to meet sovereignty conditions. When it comes to meeting the criteria to demonstrate sovereignty level 1 and 2, EU providers can more readily substantiate that they are not affected by third-country policies affecting data access or limiting service continuity. As well, level 3 and level 4 sovereignty can only be served by service providers owned and controlled by EU entities. This implies that PM21 will also contribute to decreasing the overall reliance on non-European cloud and AI computing services, which is SO3.

Second, private sector essential entities listed under Annex I of NIS 2 are encouraged to integrate into the cybersecurity risk assessment they already conduct, the assessment of the risks stemming from their use of cloud and AI computing services. This includes an analysis of the laws applicable to the computing service and the extraterritorial reach of such laws; the risks associated to the possible unauthorised third country government access to and transfer of data; the risks associated to service continuity and quality; the operational dependency and possible loss of autonomy.

·Policy Measure 22 (PM22) establishes a voluntary framework for EU-level public procurement of cloud and AI computing services for EU institutions, bodies and agencies, and Member States public sector organisations. The intention of the joint procurement framework is to enable participants to procure with a common voice. The joint procurement framework would complement Member States’ existing procurement practices. This measure is about creating a framework enabling joint procurement, but the participating contracting authorities are left with the power to decide the details of what they ultimately want to procure. This measure builds on the common platform under PM17. It will allow aggregation of demand for innovative solutions, allowing the EU to do what the US has done with a lot of success in the past, i.e. award large contracts which support early innovation and uptake (see PD1) and mitigate the lack of stable contracts holding European providers back from scaling up (see PD3).

·Policy Measure 23 (PM23) creates a support scheme for SMEs to support through consultancy the adoption of cloud and AI computing services by SMEs, including European CSPs. While technically independent, this measure presents synergies with PM18. As with other measures that imply funding, this does not pre-empt the next MFF.

·Policy Measure 24 (PM24) would imply that the Commission sets up an online toolbox for the private sector service providers to easily identify software tools, in particular open source ones, with the specific aim to help them in complementing their service offering. This toolbox would create visibility for lesser known tools and serve as a final repository for the outcome of projects funded by European programmes.

Overall, all the categories of respondents showed strong support for measures that would promote open source, including to achieve sovereignty. Most EU citizens, public authorities and academic institutions would favour an obligation to release the code developed with public money in open source repositories, as well as a common EU open source licensing schema. Public authorities showed strong support for a marketplace for cloud and AI computing services. In terms of EU-level action to prevent unlawful access to data, several public authorities favoured common criteria to help them during the procurement process to identify highly critical use cases. Several companies also supported this. Over 60 position papers received through the CfE stressed the importance of public procurement, including joint procurement and the strategic role the public sector could play as an anchor client.

Figure 9. Illustrations of Policy Options to address the dependence on cloud and AI computing services supplied by non-European providers

In relation to the identified problem drivers, the above-mentioned measures are expected to intervene as follows: PM11 & PM12 would allow users of cloud and AI computing services to reliably identify the level of sovereignty of a service. PM15 and PM21 add a sovereignty risk assessment for the public sector to identify its sovereignty needs. These measures directly address PD4 (absence of clarity around the concept of sovereign cloud and AI computing services), with growing degrees of intensity. As European providers of cloud and AI computing services can be considered to be in a good starting position for meeting the benchmark of sovereignty, and because of the public sector’s particular interest in relying on sovereign services, these measures also address PD3 (limited public sector uptake of cloud and AI computing services supplied by European providers) – with PM19 and PM21 being the most direct. PD3 refers in particular to the lack of stable contracts for European CSPs, which would be mitigated through PM15 and, more directly, through PM21 and PM19. PM13, PM18, PM23 and PM24 enhance the visibility and usability of services provided by a more diverse set of cloud and AI computing service providers, including European ones. They make it more likely for users, including the public sector, to choose these solutions (meaning a contribution to tackling PD3) and contribute to addressing the factors summarised under PD1 (lack of scale and scope of EU cloud service providers). PM14 contributes to interoperability, thus addressing PD1 (enhanced interoperability is a way of arriving at more integrated service offerings and lower the threshold for users to combine multiple offerings from European providers). PM16 and PM19, allows for the recognition of an EU-added value in public procurement and PM15 and PM21 will shed light on sovereignty vulnerabilities in the public sector, likely to result in a growing turn towards sovereign, including European services and thus addressing PD1 (more public contracts can be expected to help European providers grow the scale and scope of their service offer). PM17 and PM22 will boost public sector uptake, including to the benefit of European providers. They can thus be seen as addressing PD3. PM22 would allow aggregation of demand for innovative solutions, allowing the EU to do what the US has done with a lot of success in the past, i.e. award large contracts which support early innovation and uptake (see PD1). PM20 boosts the public sector’s use of/contribution to open source, creating opportunities for smaller players, because open source allows for a faster development of new solutions and allows new ideas to challenge existing market silos. It thus contributes to both PD3 and PD1. PM24 addresses the information imbalance currently affecting the cloud market by allowing for better visibility of smaller providers and comparability across provider ecosystems.

5.2.3.Relationship between policy options and policy measures

Table 7. Overview of the Policy Options and links with the Problems, Problem Drivers, and Specific Objectives

* SO1: Increase computing capacity deployed in the EU through innovative and sustainable technologies

SO2: Ensure attractive conditions for the deployment of sustainable and innovative computing capacity

PD1: Lack of scale and scope of European cloud and AI computing service providers

PD2: Bottlenecks slowing down data centre expansion

*SO3: Decrease the overall reliance on non-European cloud and AI computing service providers

SO4: Contribute to the protection of public order by enhancing the resilience of supply of cloud and AI computing services, in particular in the public sector

PD1: Lack of scale and scope of European cloud and AI computing service providers

PD3: Limited public sector uptake of cloud and AI computing services supplied by European providers

PD4: Absence of clarity around the concept of sovereign cloud and AI computing services

5.2.4.Relationship between Problem Drivers and Policy Measures

Table 8. Aspects of the Problem Drivers addressed by the Policy Measures

5.3.Options discarded at an early stage

·Mandating the digitalisation of permitting processes for DCs throughout the EU. While the Inter-institutional Better Regulation encourages to consider the digitalisation of processes when defining policies, digitalising the permitting process is intuitively perceived as something better tackled in a horizontal measure covering the whole spectrum of industrial installations rather than through a sectoral basis.

·Introducing measures on tackling the lack of grid capacity: As the issue with the lack of available grids capacity in certain locations is not unique to DCs, and grid access is regulated by energy legislation, option introducing sector specific measures to tackle lack of grid capacity was discarded. Ensuring grids will be in place and ready to uptake future loads is dealt by on a horizontal level under the European Grids package.

·Options to directly improve the availability of private capital have been discarded. First, because the policy measures under PO1-A/B/C, by simplifying and accelerating the deployment of DCs, are already conducive to an improved investment landscape.

·Creation of a national central and public repository where Member States can include all relevant information on areas designated for DC deployment. This option is discarded as it would favour real estate speculation and overall bring little benefit for DC investors.

·Common Procurement Vocabulary (CPV) i.e. standardised tender vocabulary at EU-level for procuring cloud and AI computing services for a more precise monitoring of public sector capacity and demand. The existing CPV codes do not include a specific entry for cloud and AI computing services and are instead classified as ICT services or ICT infrastructure. This option is discarded as adding such a code would require a full re-think of the codes related to the procurement of ICT in general, something that is beyond the scope of this intervention.

·The set up of an agency to implement several of the PMs laid down in this assessment, such as the operating the coordination hub from PM5, operating the broker from PM17, conducting the procurements from PM22 or running the marketplace from PM24. This option was discarded at an early stage as perceived as institutionally difficult to deliver.

·In the context of PM15/21, reverse the logic of the sovereignty framework where it would fall on contracting authorities to trigger sovereignty audits in the context of public tenders and only if a similar service is not already audited (as currently the case under FedRAMP). This option has been discarded as it would limit the number of services under levels 2, 3 or 4, at least initially, and create an artificial barrier for providers to have their services assessed against the sovereignty framework. It also delays procurement procedures where a new service needs to go through the whole evaluation process.

5.4.Possible combination of options

As discussed above, the first set of PMs are grouped by their regulatory nature and governance level, i.e. non-regulatory vs regulatory and national vs EU action. PO1-A focuses only on soft, non-regulatory instruments, whereas PO1-B and PO1-C are of a regulatory nature, enforced at national and EU level respectively. As such, some combinations of measures are mutually exclusive, e.g. PM4 and PM5 (national regulation under PO1-B) cannot coexist with PM10 (EU-level regulation under PO1-C) as they address at different levels the bottlenecks to expand DC capacity in the EU. However, other measures under PO1-B and PO1-C can be complementary, for example potential public support for DCs (PM6) could align with EU-level instruments, such as those under PM8 and PM9, creating a multi-level financing framework to addresses a critical dependency from the EU. Similarly, all or selected elements of PO1-A (e.g. guidelines, forum) could be combined with either PO1-B or PO1-C to enhance regulatory action with soft support. The deployment targets to monitor the expansion of capacity in the EU under PM7 could also be adopted independently of PO1-B, either in combination with PO1-A, PO1-C or in the context of the forthcoming review of the Digital Decade Policy Programme.

By contrast, PO2-A/B/C follow a deliberately incremental approach to intervention along sovereignty and federation of public resources (see section 5 and annex 4 for details). The related PMs are not designed to be combined with one another, but rather reflect the degree of intervention, with the higher levels of intervention building on the mechanisms established in the preceding one. As best visualised in the graph at the end of section 5.2.2, PM15 builds on PM11; in turn, PM21 builds on PM15. PM19 builds on PM16. Similarly, PM22 builds on PM17. Finally, PM23 has clear synergies with PM18. The remaining PMs, i.e. PM12, PM13 and PM14 under PO2-A are stand-alone measures that could be retained independently

6.What are the impacts of the policy options?

This section summarises the main expected economic, social and environmental impacts of each Policy Option (PO) compared to the baseline. The assessment draws on multiple data sources, including stakeholder consultations (interviews and surveys) and desk research in the context of the supporting study. To the extent possible, the impacts are quantified based on available assessments or modelling. Where dedicated modelling/monetisation was not possible due to the lack of data, a qualitative assessment was performed, drawing on existing studies and input from stakeholders, to ensure transparency on the full range of potential effects. A sensitivity analysis is provided in section 7.5 to indicate the potential range of error and uncertainty for selected key estimates. Where central values were not sufficiently informative, or relied on an excessive number of assumptions, illustrative ranges are provided to inform of the expected consequences and impacts of the proposed measures. Annexes 3, 4 and 12 provide further details on the methodological approach, detailed tables and estimates.

In addition, it is worth mentioning that this assessment found practical experience in the public procurement for sovereign cloud services conducted by the European Commission. The tender was launched in October 2025, as part of Commission’s efforts to strengthen the digital sovereignty posture of the European Union Interinstitutional Bodies and Agencies. Even though they exist in different contexts, the sovereign non price award criteria used in the tender has some resemblance to the proposed sovereignty framework in PM15/PM21 102 .

6.1.Economic impact

This section describes first the expected direct, quantifiable economic impact of the policy options on key identified stakeholders, i.e. industry, including SMEs, public authorities, and the European Commission. As part of the analysis, an assessment of wider economic effects is then provided, including impacts on innovation and technological sovereignty. This impact is assessed mainly based on literature, desk research and stakeholder evidence.  

6.1.1.Impact on industry, including SMEs and private sector essential entities

The impact of the policy options on industry was assessed based on the quantifiable expected costs and benefits for key business stakeholders. First, improving the availability of computing capacity in PO1-A, PO1-B, PO1-C, directly impacts DC operators and other enterprises building DCs. Second, reducing the dependence on cloud and AI computing services provided by non-EU cloud and AI service providers in PO2-A, PO2-B, PO2-C, is expected to have a direct impact on cloud and AI computing service providers, on the public sector and on private sector essential entities in accordance to Annex I of NIS2. This section outlines the quantifiable and expected direct costs and benefits for these stakeholders in present value over the next 10 years, while section 6.1.5 presents the anticipated wider economic effects that the proposed measures could have. The detailed explanations for the assumptions behind these estimates can be found in Annex 4, sections 2 and 3 103 .

Adjustment and administrative costs for data centre operators. PO1-A would only foresee adjustment costs for DC operators’ stemming from their participation in the new Alliance Working Group (PM1), forum for exchanges (PM2) and from their potential uptake and discussion of the guidelines on building sustainable DCs (PM3). These costs have been estimated as ranging between EUR 8-18 m. Under PO1-B, 400 estimated DC operators and CSPs active in building data centres are expected to face one-off administrative costs to comply with the conditions to access fast-track areas (PM5), i.e. preparing the application file, completing standardised templates and submitting evidence of compliance with areas conditions. The total costs for this activity are estimated between EUR 1-3 m at present value over 10-years. Operators are also expected to face adjustment costs to adapt new projects for DC build out and comply with the related requirements. These adjustment costs are estimated to be approximately between EUR 6 and 26 m for these stakeholders over the assessment period. The participation in a potential funding scheme under PM6 would also generate administrative costs to account for the staff time spent on preparing applications to benefit from funding. Under PM7, businesses would face minor administrative costs to respond to surveys and/or provide additional information for reporting on DC capacity. Total costs under this option for data centre operators are thus estimated between EUR 7 and 31 m. Under PO1-C, similar activities would occur at EU level. Companies participating in EU funding programmes (PM8, PM9) would face administrative costs for preparing and managing proposals. 20 proposals every two years have been estimated for such purposes, leading to costs ranging between EUR 1 and 3 m. As in PO1-B, providers would also be expected to face both administrative and adjustment costs to access the areas and benefit from accelerated DC deployment under PM10. These costs have been estimated to range between EUR 5 and 25 m, catering for some uncertainty in the effort dedicated to such administrative and adjustment activities. The total value of costs for DC operators and CSPs active in building data centres are thus estimated to range between EUR 7 and 27 m under this option (discounted values over the 10-year assessment period).

Adjustment and administrative costs for cloud and AI computing service providers. Under PO2-A, cloud and AI computing service providers would face adjustment costs, estimated as additional effort to discuss the new guidelines (PM12), participating to the annual conference (PM13) and in setting up and participating to the coordination group for standards development (PM14). These activities are expected to generate total costs for providers ranging between EUR 16 and 19 m. Most of these costs would derive from PM13, where 300 participants have been accounted for. Under PO2-B, recurrent adjustment costs for providers would emerge mainly from complying voluntarily with the sovereignty risk assessment framework (PM15). These are estimated at service level because the audit procedure would apply to individual cloud and AI computing services, i.e. providers incur costs for each service that undergoes an audit. These costs emerge from the one-off effort required to meet the necessary legal, organisational and technical conditions to reach the sovereignty assurance levels 2-4, undergo third-party audit, and pay audit and renewal fees. Recurrent audit-related administrative costs are also expected in subsequent years. Moreover, EU-based cloud and AI computing service providers are expected to incur one-off adjustment costs to comply with the non-price award criteria (PM16), e.g. rewarding EU-based R&D&I for innovative services, by altering their systems and processes to be able to participate in public procurement procedures. Additional administrative costs have been estimated as providers prepare their bids. Summing these costs leads to total costs ranging from EUR 67 m to EUR 160 m. Under PO2-C, the measures are estimated to generate similar administrative and adjustment costs for providers as PO2-B, but more services (600 compared to 150 in PO2-B) are expected to undergo third-party audits to participate in public procurement procedures (PM21). This leads to higher costs for cloud and AI service providers across the EU that are estimated to range between EUR 233 and EUR 484 m. As above, these adjustment costs are personnel related, i.e. the effort needed to modify the providers’ policies and procedures and adjust the legal and organisational safeguards to be able to meet the criteria under sovereignty assurance levels 2-4.

On top of this, private sector essential entities identified under Annex 1 of NIS2 would have to incur administrative costs to include non-technical risks in their risk assessments, i.e. adding sovereignty elements on their existing risk assessment activities. These costs could range between EUR 486 m and 2.6 bn, i.e. corresponding to the effort required per entity (from a minimum of 20 to a maximum of 110 days) and taking into account 25 600 private entities operating in sectors of high criticality across the EU.

Economic benefits and cost savings for data centre operators. PO1-A would be expected to generate direct cost savings, via improved information and administrative burden reductions. Although voluntary, the new guidelines (PM3) would contribute to increase clarity, simplify procedures and reduce the incidence of mistakes, saving time for operators during the pre-operation phase of building a new DC, modelled as a central 10-day time saving. When multiplied by the expected number of facilities that could benefit from this time and consequent cost saving, the guidelines would generate discounted savings ranging between EUR 1 and 3.5 m over the assessment period. PO1-B would bring the largest direct economic impact for DC operators, modelled through a Net Present Value approach which compared the baseline permitting duration with the accelerated scenario to estimate the economic value of bringing constructions and commercial operations of a DC facility forward in time. Based on the evidence collected, the project facilitator for DC roll-out (PM4) combined with access to fast-track areas (PM5) are expected to reduce uncertainty on investment locations by excluding non-viable sites and decrease time to market for DC projects by on average 14 months. Under the baseline scenario, the total time to build a DC, i.e. from planning to entry into operation, was estimated at 32 months on average across the EU. This time is expected to decrease by 6 months from 2027 onwards due to the project facilitator and by an additional 8 months due to streamlined access to fast-track areas 104 . The estimated NPV gain is also associated with the expected reduction in PUE foreseen under this measure, as only the most sustainable DCs would be able to benefit from the fast-tracking. Therefore, the expected improvements in energy efficiency, modelled as a declining PUE, would also contribute to reducing operating costs over time. Over the 10-year assessment, this option could result in discounted economic benefits ranging between EUR 8 and 27 bn, considering the uncertainty related to these time savings and their compounded impact on project value. Under PO1-C, similar direct economic benefits are foreseen for operators thanks to the EU-level identification of fast-track areas (PM10). Based on discussions with industry and following the validation by the sector in the targeted workshop, these savings are expected to be less consistent than under PO1-B, with an EU-level management of fast-track areas expected to produce time-savings of 3 months. This would in turn still generate consistent economic benefits that would range between EUR 5 and 12 bn over the 10-year period.

Figure 10 shows the potential evolution of DC supply under each policy option and the expected reduction in the gap against projected demand in the baseline scenario 105 . 

Figure 10. Forecasted evolution of data centre capacity (GW) under each PO, with respect to the baseline

Source: Technopolis et al. (2025) 106 CLXV

Cost savings for cloud and AI computing service providers. Under PO2-A, administrative cost savings for providers would mainly stem from the use of the guidelines (PM12), saving time for operators during procurement, modelled as a modest 0.5 days saved per tender procedure, leading to total costs savings that could range between EUR 2 and 15 m (10-year, NPV). Under PO2-B, providers would face recurrent cost savings from the introduction of a clear and predictable sovereignty risk assessment framework across several Member States (PM15). Instead of responding to different requirements, controls or evidence requests from individual public authorities, service providers would benefit from a common audit procedure and recognised assurance levels with savings ranging from EUR 5 to 16 m per service, under an assumption that the provider operates in 3 to 10 markets. This would reduce duplication and simplify procurement procedures, while reducing costs related to tender documentation. Over time, this is expected to lower compliance costs and make it easier for providers to offer the same audited services to a wider public sector market. This is expected to lead to total benefits for providers ranging between EUR 200 and 700 m, when discounted across 10 years. Under PO2-C, direct costs savings would stem from the same mechanism explained above, but extended to all MS, and an increased number of services being audited by providers under PM21, compared to PM15, leading to total expected benefits ranging between EUR 2 and 5.1 bn, including those savings coming from savings of 1 to 3 working days per bid when drafting specifications by using standard non-specific award criteria (PM19). In the case of PO2-C, savings in the audit process would range from EUR 8 to 25 m per service, assuming each provider run its business in 5 to 15 member states.

Impact on SMEs. Though large businesses dominate the DC, cloud and AI markets, many SMEs in the EU still play a relevant role, particularly providers of cloud and AI services. Thus, the initiative is considered “relevant” for SMEs. Annex 6 contains the SME test. Given the lack of quantitative data, the impact on SMEs is assessed qualitatively below.

PO1-A would generate value for SMEs with improved access to information and clearer frameworks, notably through the guidelines. Early visibility and clarity on applicable requirements and collective voicing of SMEs would reduce costs linked to information asymmetries and coordination failures. As smaller operators, SMEs are disproportionately affected by complex permitting procedures and would benefit from administrative simplification. In PO1-B streamlined procedures are expected to reduce legal and consultancy expenses and would accelerate timelines, lowering entry barriers, reducing administrative costs and opening opportunities for SMEs in the DC value chain. The impacts of PO1-C on SMEs align to those of PO1-B, though EU-level approval might be perceived as more “distant”, raising language considerations of such mechanism. In addition, public funding for R&D and innovation would enhance SME participation in advanced projects without requiring large upfront capital. Public funding for strategic deployment projects would improve SMEs’ access to contracts for large-scale projects, either directly or within a consortium. PO2 would impact SMEs as providers of cloud and AI computing services, but also as consumers of these services. Under PO2-A, the non-prescriptive EU criteria of sovereign cloud and AI computing services and the guidelines would reduce administrative burdens on SMEs while increasing clarity and transparency for sovereign services. The annual conference on EU digital sovereignty would allow SMEs to showcase their services and raise concerns collectively at lower costs. SMEs would also be the greatest beneficiaries of the interoperability measures as it simplifies the re-use of existing technology they lack. Under PO2-B, the sovereignty audit procedure with validity throughout the EU would reduce verification costs, especially for SMEs offering their services in critical sectors to public administrations in different Member States, albeit facing more burdensome compliance costs, voluntary public procurement criteria favouring specific characteristics could boost SME participation. Additionally, a vendor-neutral training would provide SMEs with a highly qualified workforce, capable of using and developing advanced cloud and AI solutions. PO2-C would entail the greatest direct and indirect net benefits for SMEs. The validity of audit reports across the EU would allow SMEs’ services would allow them to extend their commercial offers otherwise hindered. Beyond, remaining costs include funding programmes participation, which is also expected to enhance SMEs’ competitiveness. Open source access would reduce entry barriers, where solutions are evaluated on their merits. Encouraging open source would not disadvantage proprietary solutions where these genuinely represent the option on the best-value for money, but this would need to be properly demonstrated. Similarly, for companies, notably SMEs whose business models are built around the delivery of open source solutions and related services, this measure would provide them with the opportunity to present their solutions on equal terms removing barriers that have historically limited open source participation in public procurement procedures.Similarly, financial support would include improved funding rates for SMEs, and the service toolbox would help smaller providers find complementary solutions to their service offering. Ultimately, this would foster SMEs’ access to innovation, seeking to increase their competitiveness and reduce their upfront costs. The SME cloud and AI adoption scheme would bring direct economic gains for SMEs applying cloud and AI technologies through improved competitiveness, and indirect gains for IT SMEs offering consultancy, reinforcing the ecosystem to drive a broader SME digital transformation.

SMEs’ views on Policy Measures. Feedback from the public consultation shows the following:

Table 9. SMEs and large companies views on Policy Measures

*17 SMEs replied to the public consultation questionnaire

** 49 Large companies replied to the public consultation questionnaire

6.1.2.Impact on public authorities

Costs for public authorities. In PO1-A, costs for authorities are estimated to be modest and would be limited to their participation in the forum (PM2) as well as to their contribution to drafting the guidelines (PM3), leading to total expected costs ranging between EUR 1 and 2 m over 10 years, assuming one authority representative per MS would participate in each activity. Under PO1-B, authorities are expected to face adjustment and administrative costs to establish and operate the project facilitator (PM4) 107 and identify areas for fast-track deployment as part of their national strategies for data centre deployment (PM5). This would lead to an estimated cumulative cost over 10-years ranging between 4 and 8 m per national authority. Additional costs are estimated for setting up and managing a potential support programme for strategic DC roll-out (PM6). Finally, authorities would face minor enforcement costs for periodic checks to verify data on compute capacity as well as the implementation of national data centre strategies under PM7. The option is expected to generate total costs for 27 national authorities ranging between EUR 106 m and 236 m over ten years. In PO1-C, authorities are expected to incur adjustment costs to adapt to the EU-level DC fast track platform (PM10), including the appointment of national representatives to the new board and periodic provision of data for identifying suitable fast-track areas. This is expected to generate costs ranging between EUR 84 and 90 m over ten years. Under PO2-A, the measures would generate modest adjustment costs for national authorities. The EU-level criteria of sovereign cloud and AI computing services (PM11) are expected to generate adjustment costs related to the review of national procurement templates, while guidelines (PM12) are expected to generate costs in relation to their adoption and prior consultation process. This would lead to total expected costs for authorities ranging from EUR 14 to 15 m in discounted terms over 10 years. Under PO2-B, authorities would face increasing costs regarding the sovereignty risk assessment scheme (PM15), the award criteria (PM16), participation in the public sector cloud federation (PM17). First, authorities would face one-off adjustment costs to carry out the sovereignty risk assessment to map sovereignty assurance levels to cloud and AI computing services used in the public sector. They would face recurrent costs for their periodic renewals and for revision of the audit reports (PM15). These are relatively modest and estimated in a range of EUR 25 to 99 m. Under this measure, contracting authorities could consider using the sovereignty framework for their procurement decisions. See the box below for the assessment of the potential costs for public authorities related to porting and migrating cloud services. Under this option, since the measure is not mandatory, a smaller group of public authorities has been considered to use the sovereignty framework. The intervention could accelerate the porting of a limited subset of critical cloud applications to sovereign levels 3-4. Based on this, the anticipated porting is assumed to concern only between 1% and 6% of the relevant application base, resulting in discounted costs ranging from EUR 620 m to EUR 4 bn, over three years from 2030. Minor costs are estimated for authorities voluntarily updating their procurement templates with the new procurement criteria (PM16). The platform for public sector cloud federation is expected to generate the costs ranging between EUR 170 to 260 m in discounted terms. Summing all these activities leads to total costs under this option to range between EUR 820 m and 4.4 bn. PO2-C foresees costs previously described but scaled upwards as well as new ones. For the former, elements include both the one-off and recurring costs for the sovereignty risk assessment scheme, reflecting the higher number of public authorities that would perform them compared with PM15. Under PM15, around 150 audited services are expected to be verified by 2036, while under the mandatory approach in PM21 this figure is projected to rise to 600 in the same period, which is broadly consistent with benchmarks such as FedRAMP. Also, in the case of PM15, given the voluntary nature of the scheme, only a limited number of Member States would perform the risk assessment and the consequent verification of audited services. Under this option, the mandatory nature of PM21 assumes that all MS would prepare the personnel and the infrastructure to run the scheme. Hence, the changes of PM15 and PM21 would need to be seen in combination: increase in the number of authorities adapting their processes to perform the sovereignty risk assessment and an increase in the number of audit reports to be verified. Therefore, under this option, the cost for authorities assumes that the policy intervention would accelerate the porting of the limited subset of critical applications across the full population of 6 400 public entities considered in scope. This would result in total discounted costs of around EUR 3 to 15 bn, over the same period. Under PM19, authorities would also face some costs to update their procurement templates with the new procurement criteria, alongside minor effort to draft an action plan or light touch strategic note outlining how they intend to use public procurement to increase the uptake of highly innovative cloud and AI computing services. PM20, which aims to boost open source in public administrations is expected to produce several costs for public authorities, i.e. related to (i) the creation and maintenance of the Open Source Programme Offices (OSPOs), (ii) setting up open source repositories and governance mechanisms defining contribution, review, and acceptance procedures, (iii) the continuous maintenance and set-up of additional repositories, (iv) the activities needed to release code as open source and (v) the comparative assessments of proprietary and open source solutions for their procurement procedures. While currently public authorities may not have this knowledge in-house, the initial comparative assessments and the set-up of the repositories may require certain investment in staff training and in the development of training evaluation capacity in the contracting authorities. However, these administrative costs are expected to be mitigated thanks to the deployment of the Open Source Programme Offices (OSPO). OSPOs, as part of their role in their technical, legal, procedural and strategic – related tasks, may provide contracting authorities with standardised evaluation frameworks, scoring methodologies or advisory support thereby sharing expertise costs across the public sector rather than requiring each authority to develop this capacity independently. Finally, in PM22 for the public sector cloud federation, national public authorities will have the same costs as described for PM17 above, as it builds on top of it. These measures would result in total costs for public authorities amounting to a range of EUR 4 to 18 bn for this option.