Brussels is drawing lines around sensitive public data that US cloud providers may not cross

Something significant is taking shape inside the European Commission, and the US cloud industry is watching closely. Officials familiar with internal discussions told CNBC that the Commission is preparing proposals that would restrict EU member governments from using US cloud providers to process sensitive public sector data. The formal unveiling comes through the Tech Sovereignty Package, expected on May 27, which bundles several measures aimed at reducing Europe’s digital dependence on non-European technology.

The core idea, as one Commission official described it, involves defining specific sectors where government data must sit on European cloud infrastructure rather than platforms operated by companies outside the EU. Financial data, judicial records, and health information processed by public bodies are among the categories under discussion for the highest levels of sovereign cloud requirements. The proposals would not ban US providers from government contracts entirely, but would limit their role depending on how sensitive the data involved actually is.

The political context behind these discussions has sharpened considerably over recent months. Transatlantic relations have deteriorated under the Trump administration, and the US Cloud Act already gives American law enforcement the legal authority to request user data from US companies regardless of where that data physically sits. That combination has pushed European governments to examine, with more urgency than before, whether routing sensitive public data through American platforms carries risks they have been too slow to take seriously.

The momentum toward alternatives is already visible in concrete actions. France launched Visio in January, a government-developed video conferencing tool intended to replace US platforms like Microsoft Teams and Zoom across state services by 2027. In April, the Commission awarded a 180 million euro tender to four European sovereign cloud providers to supply EU institutions and agencies. Both moves point toward a policy direction that the Tech Sovereignty Package would formalize and extend.

The package also includes the Cloud and AI Development Act and Chips Act 2.0, both aimed at encouraging homegrown European solutions across those sectors. Once the Commission presents the package, all 27 member states need to approve it, which means the final shape of any restrictions could still shift considerably during that process.

For US cloud providers currently handling sensitive EU government workloads, the direction of travel is clear enough that waiting for final legislation before planning a response would be a risky strategy.
