The European Union wants governments to assess whether their cloud providers pose sovereignty risks and, if so, switch providers within 12 months. The urgency behind the proposal is stark: EU cloud providers’ share of their own market collapsed from 29% in 2017 to just 15% in 2022 and has stagnated since, leaving three non-EU hyperscalers controlling over 70% of European cloud infrastructure. 

Under a proposed Cloud and AI Development Act released on June 3, the European Commission would create a four-tier cloud sovereignty framework, require public authorities to conduct risk assessments, and tie government procurement to EU-defined assurance levels. The proposal also introduces new conditions for foreign cloud providers and measures promoting open-source software and a European public-sector cloud ecosystem.

Sovereignty tiers for cloud providers: The proposal establishes a Union cloud computing sovereignty framework comprising four assurance levels. Providers seeking recognition must apply to a national competent authority, and recognition would be valid across the EU.

The framework creates four classifications:

  • Union Assurance Level 1: Entry-level recognition based on a provider’s self-assessment and an EU statement of conformity.
  • Union Assurance Level 2: Requires an independent third-party audit and compliance with additional sovereignty requirements.
  • Union Assurance Level 3: Requires stricter sovereignty safeguards and independent auditing.
  • Union Assurance Level 4: Highest assurance level intended for the most sensitive public-sector activities.

The proposal adopts a cumulative approach. Providers seeking recognition at a higher level must satisfy all requirements applicable to lower levels. The compliance process differs across the tiers:

  • Level 1 relies on self-certification.
  • Levels 2, 3, and 4 require independent audits.
  • Providers must submit evidence supporting compliance.
  • Regulators can reassess recognised services.
  • The Commission will maintain a central repository of recognised cloud services.

Government risk assessments: The proposal requires Member States and EU institutions to conduct risk assessments to determine which assurance level is appropriate for different public-sector activities. Those assessments must consider:

  • The sensitivity and criticality of data.
  • Risks arising from third-country access to data.
  • Risks to public order.
  • Potential service disruption.
  • Risks to the rights and freedoms of individuals.

Governments must also consider whether a multi-cloud or multi-vendor strategy is appropriate.

The Commission may review the outcome of those assessments. If it concludes that the selected assurance level does not adequately address public-order concerns, it may specify a different assurance level through implementing acts.

Migration and foreign service providers: The proposal also includes migration requirements. Where a risk assessment…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: June 22, 2026