EU Tech Sovereignty Package: Google pushes back on cloud rules
Key Takeaways
- Europe's Tech Sovereignty Package targets 80% reliance on non-EU tech providers with €120B in chip investment and plans to triple data center capacity
- Google Cloud warns that proposed Union Assurance Levels could exclude global providers regardless of security measures they implement
- The EU insists sovereignty means strategic choice, not protectionism, but U.S. firms see potential market barriers
The European Commission's Tech Sovereignty Package, unveiled June 3, 2026, has drawn a formal response from Google Cloud, which warns that key provisions could isolate the EU market and exclude trusted global partners. At stake: Europe's cloud infrastructure, AI development, and semiconductor supply chains.
Google's Giorgia Abeltino, Head of Government Affairs for EMEA, published the company's position this week. The core complaint: the proposed Cloud and AI Development Act (CADA) creates certification tiers that would limit or bar non-EU providers based on geographic criteria alone, regardless of the security controls those providers actually implement.
What does the EU Tech Sovereignty Package actually propose?
The package is Brussels' answer to a structural problem. The EU currently depends on non-EU technology providers for roughly 80% of key digital infrastructure. That dependence, the Commission argues, creates vulnerabilities in hospitals, energy grids, and government services.
The response comes in three parts. Chips Act 2.0 targets €120 billion in semiconductor investment by 2035. A €2 billion commitment over seven years backs European open-source startups and skills. And CADA aims to triple Europe's data center capacity within five to seven years while setting new sovereignty standards for cloud services used by governments.
The package also includes measures on interoperability to address vendor lock-in and an open-source strategy for public sector technology. These elements have drawn less controversy. The fight is about the Union Assurance Levels.
Why is Google pushing back on the certification tiers?
CADA proposes four Union Assurance Levels (UALs) that would standardize sovereignty requirements across member states. Google's objection: criteria at each tier would limit or exclude global providers based on where they're headquartered, not on the actual security mitigations they offer.
Google points to its existing sovereign cloud infrastructure as evidence that technical controls can satisfy European requirements without geographic exclusion. Its Cloud External Key Manager, for instance, lets customers maintain encryption keys outside Google's infrastructure entirely. The company claims this creates a technical barrier to unauthorized access, with or without EU headquarters.
Through partnerships with S3NS in France, Thales and T-Systems in Germany, PSN in Italy, Clarence in Luxembourg, and Telefónica in Spain, Google says it already delivers services meeting national sovereignty frameworks. The S3NS offering qualified for SecNumCloud 3.2, which Google describes as Europe's highest sovereignty regulatory bar.
Is this sovereignty or protectionism?
The debate splits along predictable lines. European industry advocates and groups like Gaia-X praise the push for strategic independence. U.S. firms and analysts see industrial protectionism dressed in security language.
“Technological sovereignty does not mean protectionism. Europe remains grounded in openness, partnership, and fair competition, but we must be in the position to make our own choices.”
— Henna Virkkunen, Executive Vice-President for Tech Sovereignty
Google's counterargument: sovereignty should empower end-users with more choice, not less. The company urges legislators to adopt the approach from the proposed Industrial Accelerator Act, which maintains collaboration with trusted non-EU partners under a default presumption that they can operate as EU origin, backed by trade rules and regulatory backstops.
What happens next for European cloud regulation?
The package now moves through the EU legislative process. Google says it will work cooperatively with EU institutions to provide input on practical implementation. But the company's public positioning makes clear it wants substantive changes to CADA's certification framework.
The outcome matters beyond Europe's borders. If the EU sets a template where cloud sovereignty requires domestic ownership or control, other jurisdictions may follow. If technical controls and partnership models satisfy regulators, global cloud providers keep their access. The €120 billion in semiconductor investment will flow either way. The question is who gets to compete for the cloud and AI infrastructure contracts that follow.
Related coverage of Google's evolving relationship with European data regulations
Frequently asked questions
Frequently Asked Questions
What is the EU Tech Sovereignty Package?
A June 2026 European Commission initiative targeting the EU's 80% dependence on non-EU tech providers. It includes Chips Act 2.0 (€120B semiconductor investment), €2B for open-source development, and the Cloud and AI Development Act (CADA) to expand data center capacity and set sovereignty standards.
What are Union Assurance Levels in CADA?
Four proposed certification tiers that would standardize cloud sovereignty requirements across EU member states. Critics argue the criteria at each level would exclude global providers based on headquarters location rather than actual security measures.
Does Google Cloud already meet European sovereignty requirements?
Google claims its partner-led solutions, particularly S3NS in France, have qualified for SecNumCloud 3.2, described as Europe's highest sovereignty regulatory standard. The company operates sovereign cloud partnerships in France, Germany, Italy, Luxembourg, and Spain.
When will the EU Tech Sovereignty Package take effect?
The package was unveiled June 3, 2026, and now enters the EU legislative process. CADA's goal is to triple European data center capacity within five to seven years.
How much is Europe investing in semiconductor sovereignty?
Chips Act 2.0 targets €120 billion in next-generation semiconductor investment by 2035, plus €2 billion over seven years for European open-source startups and infrastructure.
Logicity's Take
Google's response reveals a calculation: if CADA passes with geographic exclusions intact, the company's European partnerships become stranded assets rather than compliance solutions. But the EU has leverage here. With 80% external dependence, European institutions have strong negotiating position. Expect a compromise where technical controls plus local partnerships satisfy most tiers, with full exclusion reserved only for the most sensitive government systems. Neither side benefits from a complete break.
Need Help Implementing This?
Logicity helps technology leaders track regulatory changes and assess compliance strategy. Contact our research team for briefings on EU digital policy and cloud sovereignty requirements.
Source: Cloud Blog
Huma Shazia
Senior AI & Tech Writer
Related Articles
Browse all
Robotaxi Companies Are Hiding How Often Humans Take the Wheel
Autonomous vehicle firms like Waymo and Tesla are under scrutiny for refusing to disclose how often remote operators step in to control their self-driving cars. A Senate investigation reveals major gaps in transparency, raising safety and accountability concerns.
Wisconsin Governor Throws a Wrench in Age Verification Plans
Wisconsin Governor Tony Evers has vetoed a bill that would have required residents to verify their age before accessing adult content online, citing concerns over privacy and data security. This move comes as several other states have already implemented similar age check requirements. The veto has significant implications for the future of online age verification.
Apple's App Store Empire Under Siege: The Battle for the Future of Tech
The long-running feud between Apple and Epic Games has reached a boiling point, with Apple preparing to take its case to the Supreme Court. The tech giant is fighting to maintain control over its App Store, while Epic Games is pushing for more freedom for developers. The outcome could have far-reaching implications for the entire tech industry.
Tesla's Remote Parking Feature: The Investigation That Didn't Quite Park Itself
The US auto safety regulators have closed their investigation into Tesla's remote parking feature, but what does this mean for the future of autonomous driving? We dive into the details of the investigation and what it reveals about the technology. The National Highway Traffic Safety Administration found that crashes were rare and minor, but the investigation's closure doesn't necessarily mean the feature is completely safe.
