Europe wants to become an AI continent. Fair enough. But it will not get there by turning the cloud into a customs checkpoint.
The European Commission’s new European technological-sovereignty package deserves close attention in Washington, Brussels, and boardrooms on both sides of the Atlantic. Announced June 3, the package aims to strengthen Europe’s capacity in semiconductors, artificial intelligence, cloud computing, open source, and digitized energy infrastructure.
Those are worthy goals. Europe is right to care about resilience, cybersecurity, and whether its firms and public institutions can use advanced digital tools securely. But good objectives do not rescue bad instruments.
For present purposes, the centerpiece is the proposed Cloud and AI Development Act, or CADA. The Commission says CADA would support cloud and AI research, speed data-center deployment, and create a single EU framework to assess cloud and AI “sovereignty.” The ambition is no small thing: Europe wants to at least triple data-center capacity within five to seven years, expand cloud and AI adoption in public and strategic sectors, and reduce reliance on non-EU providers.
The package also includes Chips Act 2.0, an open-source strategy, and an energy-sector digitization roadmap.
These initiatives should be evaluated as proposals, not faits accomplis. CADA and Chips Act 2.0 still must proceed through the EU’s ordinary legislative procedure, with the European Parliament and Council acting as co-legislators. That means amendments, political bargaining, and, ultimately, either a more balanced transatlantic approach or a more deeply protectionist one.
The coming consultation and legislative process therefore matter. This is precisely the stage at which economically grounded criticism can do the most good.
From Security Standards to Nationality Tests
CADA’s most troubling feature is its sovereignty-assurance framework. The Commission’s public description identifies four levels. Level 1 turns on whether data processing and storage occur in the EU. Level 2 requires providers to demonstrate independence from third countries and transparency across the software supply chain. Level 3 requires EU ownership and control, along with additional criteria, such as personnel citizenship—though the Commission may recognize third-country providers. Level 4 requires full transparency and control over the software supply chain, with no third-country interference.
That language may sound administratively tidy. In economic terms, it looks more like a ladder whose upper rungs were built for European firms.
A U.S. cloud provider is not merely being asked to satisfy cybersecurity, reliability, or technical-performance standards. It is being asked to negate the legal consequences of being a U.S. firm. The CLOUD Act requires covered providers to comply with lawful U.S. process for data within their possession, custody, or control, regardless of whether the data are stored inside or outside the United States.
European officials may dislike that feature of U.S. law. They may reasonably treat it as a sovereignty concern. But using it to demote U.S. firms within a procurement or assurance framework is a market-access condition in all but name.
That distinction matters. A neutral security rule asks whether a provider can protect data, maintain resilience, prevent intrusions, document access controls, comply with lawful process, and protect customers from unauthorized disclosure. A nationality-inflected sovereignty rule asks who owns the provider, which legal system may reach it, where its personnel sit, and whether a third country can be said to exert legal influence.
The former measures performance. The latter sorts firms by political identity.
That shift is especially problematic because cloud is a scale market. Hyperscale cloud is not a local utility that lawmakers can duplicate by aspiration. It requires enormous capital investment, energy access, engineering talent, global service reliability, cybersecurity expertise, specialized hardware, developer ecosystems, and continuous innovation.
Steering public- and critical-sector demand away from the most capable providers because they are American would impose an invisible tax on European users. That tax may not appear on the face of the statute. It will show up in higher costs, weaker services, delayed AI deployment, and lower productivity.
The Protectionist Playbook, Updated for the Cloud Era
The Information Technology and Innovation Foundation’s (ITIF) Aegis Project offers a useful framework for understanding the problem. Aegis starts from a simple proposition: America’s leading technology companies are not incidental to U.S. economic power and national security. They are among the principal means by which the United States maintains technological leadership in a world where China pursues state-directed innovation mercantilism.
The project’s Non-Tariff Attack Tracker catalogs policies around the world that are framed as neutral domestic regulation but, in practice, weaken U.S. technology firms, extract value from them, or tilt markets toward national champions.
ITIF describes such measures as anticompetitive market distortions (ACMDs): “government-imposed policies or practices that distort from open trade, competition on the merits, and property rights protections.” Economic research on ACMDs—supported by econometric modeling and pioneered by trade-policy expert Shanker Singham—finds that such distortions misallocate capital, skew risk-taking, reduce productivity and innovation, and ultimately slow economic growth.
CADA’s sovereignty tiers fit this pattern. They are not tariffs. They do not explicitly say that U.S. cloud providers are unwelcome in Europe. In fact, the Commission stresses that much of the market will remain open to international partners.
But competition can be distorted without formally closing the border. If the most valuable public-sector and critical-infrastructure opportunities depend on independence from non-EU legal jurisdictions, EU ownership and control, EU personnel, or the absence of third-country influence, U.S. firms are not competing on the same terms as local firms. They are competing after regulators have imposed a handicap.
ITIF’s analysis of EU cloud-service restrictions identifies similar dynamics in related contexts. Cloud-certification schemes, digital-sovereignty requirements, data-localization mandates, and jurisdictional restrictions can function as de facto barriers to U.S. providers, even when participation remains formally voluntary.
This is a familiar behind-the-border trade problem. It rarely announces itself as protectionism. Instead, it arrives dressed as resilience, autonomy, privacy, procurement integrity, or cybersecurity. If the practical effect is to shift demand from globally competitive U.S. firms to less competitive domestic alternatives, the economic substance is protectionist.
Security Is Not a Passport
The strongest defense of CADA is that Europe has legitimate reasons to worry about legal and geopolitical dependence. That much is true. No serious observer should dismiss concerns about cyber risk, supply-chain fragility, or state access to sensitive data.
The question is not whether Europe may regulate for security. The question is whether the chosen regulatory proxy improves security at a reasonable cost.
On that score, nationality is a crude—and often misleading—proxy. A European-owned provider may have weaker cybersecurity practices than a U.S. provider. A U.S. provider may offer stronger encryption, more transparent compliance processes, better incident response, and more robust auditing than a local competitor.
Likewise, a provider organized under European ownership may still depend on non-European chips, open-source components, cloud tools, developer libraries, or security vendors. Digital infrastructure is not sovereign because a corporate charter is European. It is secure because its architecture, governance, controls, and incentives produce security.
The relevant policy question is one of comparative institutional performance: Which rule addresses the asserted problem at the lowest social cost?
A performance-based security standard targets risk directly. It can require encryption, logging, access controls, incident disclosure, independent audits, redundancy, supply-chain transparency, and enforceable commitments to customers. A nationality- or jurisdiction-based test targets risk indirectly, and often poorly. It excludes or downgrades firms that may be best able to satisfy the underlying security objective while privileging firms that satisfy a political criterion.
The error costs are substantial. In dynamic technology markets, regulations that divert demand from efficient suppliers can weaken investment incentives, slow technology diffusion, and shield incumbents or favored entrants from competitive pressure. That is not a recipe for European competitiveness. It is a recipe for a smaller, more expensive, and less innovative digital ecosystem.
There is also a rule-of-law concern. Public-procurement criteria should be administrable, transparent, and tied to the actual risks that justify them. A sovereignty ladder invites discretionary judgments about control, interference, legal exposure, and the recognition of third-country providers. Those judgments can easily become political bargaining chips.
A firm that satisfies demanding technical standards may still find itself in a lower tier because its parent company is organized under a disfavored jurisdiction. That is not competition policy; it is industrial administration.
Once procurement officials begin treating national origin as a signal of trustworthiness, moreover, that signal rarely remains confined to the most sensitive workloads. Risk categories tend to expand. Exceptional rules have a habit of becoming ordinary practice.
The predictable response from affected firms will be costly corporate engineering. Providers may create local subsidiaries, special governance structures, contractual firewalls, joint ventures, or bespoke sovereign-cloud offerings to satisfy formal requirements. Some of those arrangements may make sense for particular customers. When regulation mandates or privileges them, however, they consume resources that could otherwise go toward product improvements, stronger security, lower prices, or new services.
The cost does not stop with compliance departments. Customers bear it through higher prices, and the broader economy bears it through slower diffusion of better technology.
You Can’t Build an AI Continent on Anti-Cloud Policy
CADA also sits uneasily with Europe’s own AI ambitions. The Commission wants Europe to become an “AI continent.” That aspiration depends on cloud capacity, data-center deployment, advanced semiconductors, developer tools, model-training infrastructure, and a deep bench of complementary services.
For now, U.S. firms lead in many of those areas. One can regret that fact, explain it, or try to narrow the gap. Pretending it away is not an industrial strategy.
A policy that channels strategic demand away from U.S. hyperscalers may appear to create room for European challengers. In the short run, though, it risks raising input costs for the very firms and public agencies that need AI most.
Cloud services are general-purpose inputs. They do not merely affect cloud-provider profits. They affect hospitals, manufacturers, universities, logistics firms, software startups, financial institutions, energy companies, and public administrations. Making those inputs worse or more expensive reduces economy-wide productivity.
Nor is this just a European problem. The United States and Europe face a shared strategic challenge from China’s state-directed technology model. Fragmenting the transatlantic technology stack weakens the allied position. It reduces scale, complicates interoperability, undermines standards cooperation, and diverts political energy from the more important task of disciplining predatory or mercantilist conduct by strategic rivals.
If democratic allies build regulatory walls against each other, China need not build all the walls itself.
Chips Act 2.0 illustrates the same tension. The Commission says the new initiative will strengthen Europe’s semiconductor industry, support design and production, speed permitting, stimulate demand, and deepen strategic partnerships. Many of those goals are sensible.
But semiconductor capacity is not built in isolation from U.S. firms. American companies design, develop, supply, and invest across the European semiconductor ecosystem. If EU technology sovereignty becomes a preference for European ownership rather than an effort to build resilient allied capacity, it will undermine the investment and cooperation Europe needs.
Competition Policy or Competitor Policy?
There is a deeper concern. Current market shares and existing dependencies can tempt regulators to treat successful foreign firms as a problem to be managed rather than as engines of competition and innovation.
That temptation has surfaced repeatedly in European digital policy. The Digital Markets Act and related initiatives often begin with the premise that large U.S. technology firms are too powerful and then translate that judgment into regulatory obligations governing product design, data use, interoperability, contracting, and business models.
To be sure, there are signs that EU courts are placing greater emphasis on evidence, proportionality, dynamic competition, and rigorous legal reasoning when reviewing European Commission antitrust and digital-regulation decisions. CADA should be judged by those same standards.
Dynamic competition asks a different question from static market-share analysis: Which rules are most likely to maximize innovation, investment, entry, and productivity over time?
That framework does not assume that today’s largest suppliers deserve permanent market positions. But neither does it assume that regulators can improve outcomes by steering demand toward politically preferred suppliers. The goal should be competition on the merits.
If a European cloud provider offers better security, lower costs, stronger service, or superior compliance, it should win customers. If a U.S. provider offers those advantages, it should win customers. Public procurement should not become a vehicle for industrial favoritism masquerading as sovereignty.
The risk is not merely that U.S. firms lose business. The greater risk is that European users lose access to best-in-class tools and that European innovators must build on a less capable technological foundation.
The costs of that choice compound over time. Lower-quality cloud services slow AI adoption. Slower AI adoption weakens productivity growth. Weaker productivity growth reduces the fiscal and political capacity needed to invest in genuine resilience.
Protectionism marketed as sovereignty can leave Europe less sovereign in the ways that matter most.
Sovereignty Without Protectionism
There is a constructive alternative. Europe can pursue resilience without discrimination. It can define security requirements in technological and contractual terms rather than nationality-based ones.
For example, it can require providers to disclose supply-chain dependencies, submit to independent audits, maintain EU-based redundancy, support customer-controlled encryption, report government-access requests where lawful, and provide robust exit and portability tools. It can reserve the most sensitive national-security workloads for narrowly defined sovereign environments without turning broad public-sector procurement into a buy-European program.
For its part, the United States should take European concerns seriously while making clear that discriminatory market-access conditions are unacceptable. Diplomacy should come first. The goal is not to turn every regulatory disagreement into a trade war.
At the same time, as ITIF’s recent Section 301 report argues in the broader EU context, the United States should be prepared to identify, document, and respond to discriminatory policies that burden U.S. technology firms. Serious negotiations are more likely when both sides understand that behind-the-border discrimination carries consequences.
A transatlantic bargain should be possible. The United States and Europe could work toward mutual assurances on lawful access, transparency surrounding government requests, cybersecurity certification, procurement neutrality, cloud portability, and trusted-vendor criteria that distinguish allies from strategic adversaries.
They could also coordinate semiconductor incentives and AI-infrastructure investments so that public subsidies reinforce allied supply chains rather than fragment them. That approach would strengthen resilience without sacrificing competition.
The key is to avoid turning legitimate sovereignty concerns into a general license for industrial policy. Europe’s problem is not that American cloud firms are too capable. Europe’s problem is that too many of its own firms, agencies, and institutions have been slow to adopt digital technologies effectively.
Punishing the suppliers most capable of helping close that gap is an odd way to solve it.
Don’t Mistake Sovereignty for Strength
The Commission’s technology package remains only a proposal. That is good news. It means policymakers still have time to separate genuine resilience measures from protectionist market design.
CADA’s sovereignty-assurance framework, as currently described, raises serious concerns because it risks turning legal jurisdiction and corporate ownership into decisive competitive criteria. That would burden U.S. providers, reduce European access to leading cloud and AI infrastructure, and weaken the transatlantic technology ecosystem at precisely the wrong moment.
Europe should build. It should invest. It should streamline permitting, expand energy capacity, support research, and accelerate technology adoption. It should also protect sensitive data and critical infrastructure.
But it should pursue those goals through performance-based, evidence-based, and nondiscriminatory rules. Strategic autonomy should mean the ability to choose among excellent technologies from trusted allies, not an obligation to prefer a less capable domestic alternative because it carries the right passport.
If the European Union wants to become an AI continent, it should resist the temptation to become a regulatory island.
The path to technological sovereignty runs through competitiveness, not protectionism.
