From Vision to Practice: The EU’s Cloud Sovereignty Framework

By Martyna Chmura | 1 November 2025

Summary

• In October 2025, the European Commission launched a EUR 180m tender for sovereign-ready cloud services, operationalising strict criteria for data autonomy and security in public procurement. 

• The initiative compels both global providers and European firms to comply with enforceable standards, reshaping the competitive and regulatory environment for cloud infrastructure in the European Union (EU). 

• Over the next year, the policy will likely accelerate market fragmentation, increase compliance requirements and set a precedent for digital sovereignty worldwide.

Context

On 10 October 2025, the European Commission issued a EUR 180m call for sovereign cloud service providers to support public institutions and regulated sectors across Europe. This is the first tender to directly implement the Cloud Sovereignty Framework, which mandates measurable standards in data localisation, operational control, legal jurisdiction, transparency, and supply chain security. 

The initiative reflects the EU’s longstanding concerns about foreign surveillance risks, extraterritorial jurisdiction, and dependency on a small number of hyperscale providers. Up to four providers, meeting new minimum compliance levels across sovereignty, sustainability, and security domains, will be awarded contracts to deliver services through the Dynamic Purchasing System over six years. The framework also allows for clear, objective comparison of bids, an approach designed to create a level playing field and mitigate reliance on non-EU operators.

Implications

The new tender signals a shift in procurement and regulatory enforcement, turning the previously abstract EU sovereignty debate into binding operational standards. For technology providers, the most immediate effect is the need to demonstrate compliance with each of the Framework’s sovereignty objectives. This has prompted global hyperscalers such as Amazon, Microsoft, and Google to redesign service offerings with physically and logically separate infrastructures, EU-based personnel, and customer control of encryption keys — all in an effort to satisfy requirements for operational autonomy and legal jurisdiction. At the same time, European and smaller providers are presented with a unique opportunity to challenge incumbent market leaders, provided they can meet the strict technical and legal minimums now defined for tender participation.​

This competitive realignment places upward pressure on compliance costs, as providers must continuously adapt to evolving requirements and may need to maintain parallel systems for the European market. For buyers, especially public agencies and critical sectors, procurement decisions are now directed by compliance with quantifiable metrics rather than trust-based assurances or legacy contracts. Risks associated with “sovereign-washing” — the marketing of superficially compliant global services — are mitigated but not eliminated, as some industry groups have expressed concern that the criteria might still favour well-resourced non-EU players. As a result, policymakers and industry bodies are pursuing certification schemes (such as EUCS) to reinforce the regulatory framework over time.​

Beyond competition and compliance, the broader concern is increased market fragmentation and complexity. Governments and businesses are pursuing multi-cloud and hybrid strategies to avoid vendor lock-in and to mitigate compliance risk, but this raises the bar for integration, skills, and governance. In the longer term, a more resilient European digital infrastructure is within reach, but challenges in market interoperability, cross-border data flows, and procurement remain.​

Forecast

• Short-term (Now - 3 months)

  • Major providers are likely to accelerate compliance announcements and joint ventures, but early technical integration is likely to be disrupted or delayed.

  • Buyers are likely to face uncertainty with a patchwork of sovereignty levels among competing offers, slowing initial adoption.

• Medium-term (3-12 months)

  • There is a realistic possibility that market fragmentation leads to higher costs and operational challenges, especially for SMEs and niche providers.

  • Procurement policies in health, finance, and public administration are likely to shift towards certified sovereign services, but legacy migrations may lag.

• Long-term (>1 year)

  • The EU’s cloud procurement approach has a realistic possibility to serve as a model for other regions, though global standards are highly likely to remain divergent, raising barriers for international compliance and digital trade. 

  • Widespread adoption of certification schemes is likely to drive legal clarity, but enforcement challenges and strategic rivalry with global hyperscalers are highly likely to persist.