Summary
- The EU’s Cloud and AI Development Act restricts its highest sovereignty tier — the only level that bars U.S. hyperscalers from public-sector contracts — to a narrow segment of procurement, structurally protecting the vast majority of European cloud spending for incumbents like AWS and Microsoft Azure.
- Cada delegates enforcement to individual EU governments, several of which have documented financial dependencies on U.S. technology investment that create incentives toward weak implementation, replicating what critics describe as GDPR’s “systematic underenforcement” pattern.
- The package’s datacenter acceleration zones include no criteria on company nationality or market position, risking further entrenchment of the U.S. hyperscalers already dominating Europe’s cloud market.
- The Commission’s AI posture, according to the Open Markets Institute Europe’s analysis, defers to a Silicon Valley deployment-first paradigm rather than establishing an independent European framework, raising questions about whether the alignment represents ideological capture or strategic concession shaped by structural dependency.
The European Commission’s digital sovereignty package, centered on the Cloud and AI Development Act, was published last week as a response to what the Commission itself acknowledges is an 80-percent non-EU technology dependency and 70-percent non-EU cloud computing dependency. A critical assessment by Max von Thun, director of Open Markets Institute Europe, published in The Guardian, argues that the package’s structural design — its narrow scope, decentralised enforcement, uncritical AI posture, and nationality-blind infrastructure provisions — directs advantage toward the same concentrated power centres the package nominally challenges.
The narrow tier and the structural distribution of advantage
The package’s provider-ranking system creates multiple assurance levels for cloud firms handling public-sector data. Only the strictest tier — reserved for a narrowly defined segment of procurement involving national security and law enforcement data — would bar U.S. hyperscalers from bidding. Von Thun characterized that segment as “only a small fraction of overall European cloud spending.” The Commission has not publicly quantified the tier’s scope.
The financial implication is directional: the largest flows of European government cloud expenditure remain structurally available to AWS, Microsoft Azure, and Google Cloud. European-based competitors such as France’s OVHCloud see their potential advantage confined to the thin top slice of sovereign-sensitive procurement, limiting the revenue growth needed to challenge hyperscaler economies of scale. The critical structural parameter — the width of the highest-tier restriction — was set at a level that preserves incumbent market share.
Decentralised enforcement and the Irish precedent
Cada assigns operational enforcement to individual EU member states rather than to a centralised EU authority. Several member states receive substantial tax revenue and investment from U.S. technology firms; Ireland is the most frequently cited example. Ireland’s Data Protection Commission has drawn sustained criticism from privacy advocates over the pace and scale of its GDPR enforcement against large U.S. technology companies. Von Thun characterized this as “systematic underenforcement” attributable to “financial dependence on big tech’s investments and tax payments.”
An analytical framework that considers fear, greed, and institutional inertia as drivers of regulatory behaviour identifies multiple pressures on enforcement capitals. Ireland, the Netherlands, and Luxembourg — all hosts to major U.S. tech investment — face incentives to retain foreign direct investment and associated tax receipts, avoid U.S. diplomatic or economic retaliation, and minimize costly enforcement actions against well-resourced corporate respondents. The Commission achieves a sovereignty law that projects political purpose while the operational enforcement risk is distributed across capitals whose incentives may not align with the law’s stated objectives.
The precedent is not hypothetical. The GDPR experience, where Ireland’s DPC became the de facto lead supervisory authority for the largest U.S. technology firms operating in Europe, has been extensively documented. European Parliament members, the European Data Protection Board, and civil-society organizations have raised concerns about the adequacy and pace of Irish enforcement across multiple legislative sessions. Cada’s delegation mechanism replicates this structural arrangement for cloud sovereignty.
Acceleration zones and the sovereignty-entrenchment paradox
The package commits to tripling Europe’s datacenter capacity over five to seven years. Cada requires every EU member state to establish designated zones intended to accelerate datacenter permitting, including shortened environmental and planning reviews and a binding 12-month approval timeline.
Von Thun identified a structural contradiction: the zones include no criteria on company nationality or market position. Without such filters, the zones provide the same permitting acceleration to U.S. hyperscalers — which already dominate Europe’s cloud market — as to any European-based entrant. The mechanism designed to build European capacity risks “further entrenching the US hyperscalers that dominate Europe’s cloud market,” von Thun wrote.
The zones also raise what von Thun described as “serious concerns about transparency, democratic accountability and sustainability.” Public opposition to datacenter construction has intensified across Europe, driven by concerns about water usage, energy consumption, and the impact on household electricity bills. In the Netherlands, moratoriums on new datacenter construction have been imposed in several municipalities. In Ireland, local authorities have rejected applications from major hyperscalers. The acceleration zones would override or compress these review processes by regulatory fiat.
The tension is structural rather than incidental. A sovereigntist drive for rapid infrastructure expansion cannot be reconciled with the precautionary demand for thorough democratic and environmental review without one paradigm conceding its core premise. The Commission has not synthesized these frameworks; it has selected a blend that prioritizes speed of construction over the conditions — including nationality filters — that would direct capacity growth toward European incumbents.
The AI posture and the absence of an independent European framework
Von Thun’s critique of the package’s AI dimension identifies what he characterized as a deference to the deployment-first philosophy associated with U.S. technology firms and the Trump administration. The proposals, he wrote, “fail to engage critically with AI’s potential benefits, risks and technical limitations, and instead simply take the positive impact of AI as a given without providing much evidence.”
The analytical significance extends beyond policy preference. U.S. firms benefit from a European regulatory environment that adopts their framing of AI as an end in itself requiring rapid deployment, because a fundamentally different European safety, accountability, or ethical framework would impose compliance costs and constrain market access. The Commission, in von Thun’s assessment, “largely defers to the AI vision proposed by U.S. big tech firms” rather than establishing an independent European rubric.
The loss falls on European constituencies that might have preferred a public-interest AI model. The Commission forgoes the opportunity to define technology policy on its own terms, remaining what von Thun described as “a decision-taker rather than a decision-maker.” Pope Leo XIV’s recent encyclical Magnifica Humanitas — which states that where “technological development advances without a corresponding ethical and social progress, the result may be an increase in means without a growth in humanity” — represents an alternative humanistic frame that the package does not substantively engage.
Von Thun characterized the same deployment-first logic as informing broader Commission technology strategy, including “rushed plans to weaken EU data privacy and AI safety rules” in pursuit of competitiveness with the United States.
Four competing paradigms, unresolved
Technology-policy scholarship identifies multiple frameworks through which digital sovereignty can be understood. Silicon Valley’s techno-optimist paradigm treats AI as inherently beneficial, equating speed of deployment with progress and treating regulation as friction to be minimized. The European precautionary paradigm, rooted in the EU’s treaty-embedded precautionary principle under Article 191 of the Treaty on the Functioning of the European Union, demands evidence of benefit, risk assessment, and democratic accountability before adoption. A European sovereigntist paradigm prioritizes reducing foreign dependency through domestic capacity, even when that requires weakening environmental reviews — as the datacenter zones propose. A humanistic ethical paradigm, articulated in Magnifica Humanitas, warns against the expansion of technological capacity without corresponding ethical progress.
The Commission’s package straddles the sovereigntist and techno-optimist frames — fast-tracking datacenters without nationality filters, pursuing AI adoption without an independent ethical rubric — while leaving the precautionary and humanistic frames marginalized. The result is a package that projects sovereignty language while preserving market structures favorable to U.S. incumbents.
Dependency as constraint or as choice
A more structural reading holds that the package’s limitations may reflect not policy failure but the practical limits of negotiating from a position of dependency. The Commission’s own figures — more than 80-percent non-EU technology reliance, 70-percent non-EU cloud reliance — describe a starting condition in which genuine independence is not immediately achievable.
The case of Beti Hohler, a Slovenian national serving as a judge at the International Criminal Court, illustrates the dependency’s operational reality. After the Trump administration sanctioned Hohler for her ICC work, her access to Apple’s app store, Amazon, Airbnb, Booking, Visa, Mastercard, and PayPal was terminated. Her credit cards and accounts with U.S. companies were cut off. Hohler described herself and colleagues as living in “constant uncertainty.”
Von Thun cited additional instances: Elon Musk’s use of his ownership of X and Starlink to influence European public debate and the war in Ukraine; and the U.S. government’s order to Anthropic restricting foreign nationals’ access to its most advanced AI models on security grounds. The hypothetical scenarios von Thun posed — Washington cutting off European access to advanced chips during a trade dispute, exploiting control of social media and cloud infrastructure for surveillance or electoral influence — describe dependencies that are structural rather than merely commercial.
If the geopolitical frame has been selected by constraint rather than preference, the narrow sovereignty tier and decentralized enforcement may represent the only politically viable path — a concession extracted from the costs of challenging U.S. market access. But accepting dependency as a fixed condition rather than a condition to be changed forecloses the central question von Thun posed: “Brussels fails to recognise that digital sovereignty isn’t just about who owns or controls your technology. It’s also about having an independent vision for how that technology is designed, developed and deployed.”
Whether the Commission’s alignment with Silicon Valley’s worldview represents genuine ideological absorption or a strategic concession shaped by structural dependency remains the question the package leaves unanswered. The distinction determines whether the package’s limitations are failures of design or features of a constrained negotiation.
Analytical techniques used in this piece
This analysis applies the methods below. Each links to a short, plain-English explainer you can read and reuse.
- Cui Bono — Who Benefits
  - Asks who gains and who pays from a state of affairs, decision, or claim.
- Dialectical Analysis
  - Holds thesis against antithesis and works toward a higher synthesis.
- Worldview Cartography
  - Maps the clashing worldviews underlying a dispute.
- Incentives
  - People respond to the rewards a system actually pays out — often not the ones it intends.