CADA’s Test: Can Europe Reduce Hyperscaler Control Over Cloud and AI?

Can Europe Outsmart the Hyperscalers? What CADA Means for Cloud and AI

  • TL;DR
  • Europe recognizes a strategic problem: heavy reliance on non‑EU cloud and AI infrastructure creates political and operational exposure. (European Commission estimates point to dependence figures in the high tens of percent for critical technology and cloud services.)
  • The Cloud and AI Development Act (CADA) plus a push to triple datacentre capacity aim to reduce dependence, but the package mixes useful tools with shortcuts that risk entrenching the very hyperscalers it intends to displace.
  • Business leaders should act now: eliminate single‑vendor lock‑in, demand enforceable procurement standards, fund EU alternatives, and insist on environmental and planning safeguards for new datacentres.

The strategic problem: dependence that can be weaponised

Europe’s digital backbone still runs largely on foreign rails. European Commission figures and related analyses estimate that much of the EU’s technology stack and a substantial share of cloud computing come from non‑EU providers. That concentration creates a lever for geopolitical influence or disruption. When platforms, export controls, or sanctions can cut access or change terms overnight, governments and businesses face operational risk, reputational damage, and sudden compliance headaches.

Real events have crystallised the risk: commercial services have been restricted after sanctions; major platform operators have shaped public debates and even logistics in conflict zones; and national security directives have required firms to limit access to advanced AI models. For companies deploying AI for business—customer analytics, automated decisioning, logistics optimization—the implication is stark: dependencies can be switched into controls.

What CADA proposes — and where it falls short

CADA (the Cloud and AI Development Act) is Brussels’ centrepiece for the digital sovereignty push. Key elements include a cloud provider ranking that steers public‑sector workloads toward higher‑assurance suppliers and a set of procurement tools designed to reserve the most sensitive operations for providers meeting stricter sovereignty criteria.

Those procurement levers are important. A credible cloud provider ranking can raise the bar on auditability, data residency, encryption, personnel vetting, and export‑control compliance. But CADA’s most stringent assurance tier applies to a narrow slice of public spending. Equally important: enforcement of these rules is delegated to member states. That decentralised model risks uneven application—especially where local governments value foreign investment or tax revenue tied to large cloud contracts.

Europe’s heavy reliance on US tech is not only an economic issue but a threat to independence, resilience and security.” — Max von Thun, Open Markets Institute Europe (paraphrase)

Datacentre acceleration zones: speed without safeguards?

To reduce capacity bottlenecks, the Commission wants to roughly triple EU datacentre capacity within five to seven years and create “datacentre acceleration zones” that fast‑track approvals. Fast infrastructure build‑out sounds sensible on its face: more capacity means more choice, potentially lower costs, and better latency for local users.

But rushed approvals can weaken environmental review, community consultation, and planning standards. Without criteria that prevent dominance by very large providers—such as nationality, company‑size limits, or transparency obligations—acceleration zones could simply scale the market power of hyperscalers (AWS, Microsoft Azure, Google Cloud) who already have the balance sheet advantage to race in.

The governance gap: a deploy‑first mindset vs a European vision

Beyond procurement and capacity lies the larger question of AI governance. Much of the existing debate leans toward a “deploy‑first, fix‑later” mentality: roll out capabilities, iterate on safety, and rely on market players to innovate and patch problems post‑deployment. That playbook has driven rapid innovation, but it also hands the standards‑setting agenda to whoever controls the largest deployments.

“Digital sovereignty also means having an independent vision for technology design and deployment; simply swapping ownership without changing the playbook won’t make Europe sovereign.” — Max von Thun (paraphrase)

True digital sovereignty requires more than making sure servers sit inside EU borders. It requires choices about architecture (federation vs. centralisation), product design (privacy‑first defaults, explainability), and who sets safety norms. If the EU accepts deployment norms shaped by US firms and policy, Europe risks becoming a rule‑taker: adapting instead of defining global norms for AI governance.

What this means for business leaders

For CIOs, procurement directors, and CEOs the implications are immediate and actionable.

  • Vendor lock‑in is now a geopolitical risk: contracts that hand over data, keys, or operations to a single hyperscaler can translate diplomatic friction into business disruption.
  • Regulatory whiplash is likely: fragmented enforcement across member states creates compliance complexity. Firms should prepare for different procurement standards and audit regimes across EU markets.
  • Infrastructure growth can bring local blowback: community opposition to datacentre projects, environmental costs, and water‑use controversies can delay deployments and damage brand reputation.

Practical moves that reduce risk and preserve agility:

  • Adopt interoperable, vendor‑agnostic architectures: containerisation, modular microservices, and well‑defined APIs make it easier to migrate workloads.
  • Control the keys: keep encryption key management and identity provisioning under enterprise or EU‑based custody where possible.
  • Contract for portability and exit: require data export formats, migration support, and penalties for lock‑in in procurement contracts.
  • Invest in hybrid and edge strategies: a mix of public cloud, private cloud, and on‑premises resources reduces single‑point exposure.
  • Support EU open models and federated data efforts: funding and piloting regional AI models and data infrastructures creates alternatives over the medium term.

For specific decision‑makers

  • CIOs: enforce vendor‑agnostic design, standardise telemetry and logs, and run regular export‑and‑restore drills.
  • Procurement heads: build CADA‑aware RFP templates that include sovereignty criteria, portability clauses, and environmental commitments.
  • Policy‑minded executives: engage with trade associations and national regulators to advocate for harmonised enforcement and environmental safeguards for datacentres.

Concrete policy and operational recommendations

Policymakers and business leaders should pair urgency with structural thinking. A short list of priorities:

  • Centralise or harmonise enforcement: move from purely member‑state enforcement to a stronger EU coordination mechanism that reduces regulatory arbitrage.
  • Use procurement strategically: reserve the highest assurance tier for truly critical workloads and use staged procurement to grow European suppliers into those roles.
  • Fund alternatives: invest in EU‑funded foundational models, open stacks, and a pan‑European data infrastructure that prioritises interoperability and reuse.
  • Set transparent acceleration criteria: make datacentre acceleration zones conditional on clear environmental standards, transparency about operators, and limits that prevent single‑player dominance.
  • Measure progress with metrics: publish targets for supplier diversity, onshore compute capacity, and timelines for migrating sensitive public workloads.

Risk snapshot

  • High risk: vendor lock‑in disrupting critical public services after geopolitical action or sanctions.
  • Medium risk: uneven enforcement across member states creating market fragmentation and compliance complexity.
  • Medium risk: environmental and social backlash from rapid, poorly governed datacentre expansion.
  • Low to medium risk: gradual ceding of standards‑setting power if Europe does not articulate an independent AI governance model.

Key takeaways

  • Digital sovereignty is about control over design, deployment, and governance—not just server locations.
  • CADA introduces useful procurement tools and a cloud provider ranking, but the highest safeguards are narrowly scoped and enforcement will be uneven unless central oversight is strengthened.
  • Tripling datacentre capacity is necessary to reduce bottlenecks, but acceleration zones must include environmental, transparency and anti‑concentration safeguards.
  • Businesses must act now to reduce vendor lock‑in, adopt interoperable architectures, and press for harmonised enforcement to avoid regulatory fragmentation.

Frequently asked questions

How exposed is Europe to political leverage via US tech?

Significant. Real‑world instances—service restrictions tied to sanctions and national security directives limiting AI model access—show that dependence on non‑EU platforms can be converted into leverage quickly.

Does CADA deliver true digital sovereignty?

Partially. It provides procurement tools and a cloud provider ranking, but the strictest protections cover only limited spending categories and enforcement is left to member states, creating space for uneven application.

Will datacentre acceleration zones reduce dependence on hyperscalers?

Not automatically. Without explicit safeguards—such as limits on operator concentration, transparency obligations, and environmental conditions—the zones risk scaling existing market leaders rather than diversifying the supply base.

What should business and policy leaders prioritise now?

Adopt vendor‑agnostic architecture, fund EU model and data infrastructure development, insist on harmonised enforcement across the EU, and demand environmental and planning safeguards for infrastructure expansion.

Where to from here

Brussels has started the right conversation. Turning ambition into resilience requires marrying speed with structural change: enforceable procurement rules, a credible industrial policy for European alternatives, and clear environmental and governance standards for new infrastructure. For business leaders, this moment is a call to harden systems against geopolitical shocks while pushing for the harmonised rules and investments that will make true digital sovereignty possible.

0