European Commission considers restricting US cloud services for sensitive EU public data

At a glance:

• The European Commission is drafting rules that could restrict US cloud providers from handling sensitive public-sector data within the EU, targeting healthcare, finance, and the judiciary.
• The proposal is part of the EU's upcoming "Tech Sovereignty Package," expected to be presented on May 27.
• Major US cloud platforms — including Microsoft, Amazon Web Services, and Google Cloud — could see their use curtailed in sensitive European public systems if the rules are adopted.

What the proposal would do

The European Commission is weighing new rules that would limit which cloud service providers can store and manage sensitive categories of public data inside the EU, according to sources cited by CNBC. Under the draft framework, data generated or held by public institutions in sectors such as healthcare, finance, and the judiciary would need to be handled on European cloud infrastructure to a significantly greater degree than today.

The move signals a step beyond existing frameworks like the General Data Protection Regulation (GDPR), which already governs how personal data is processed across EU borders. Rather than focusing on individual privacy rights, the new rules would zoom in on where and by whom public-sector data of strategic importance is physically and operationally managed. If finalized, the restrictions could effectively sideline major non-European providers from some of the most data-sensitive government workloads in the bloc.

Who would be affected

Three dominant US cloud platforms stand to be most impacted: Microsoft Azure, Amazon Web Services, and Google Cloud. All three currently hold significant shares of European public-sector cloud contracts and would face new constraints on which EU government workloads they could support under the proposed rules.

The restrictions would not be universal — they are scoped specifically to sensitive data categories in healthcare, finance, and the judiciary. That means US providers could still operate in less sensitive areas of European public administration and in the private sector. However, the three verticals named represent some of the largest and most strategically important segments of government IT spending across the EU.

The broader push for European tech sovereignty

The proposal is expected to be a centerpiece of the EU's "Tech Sovereignty Package," a policy initiative aimed at reducing Europe's dependence on non-European technology infrastructure. The package is slated to be presented on May 27 and is expected to address not only cloud services but also semiconductor supply chains, digital identity systems, and platform governance.

This latest move follows years of escalating EU regulatory action targeting major US tech firms — from antitrust cases against Google and Apple to the Digital Markets Act, which imposed new obligations on so-called gatekeeper platforms. The cloud-specific rules, however, would mark one of the first times the EU has moved to limit market access based on the geographic origin of a technology provider rather than the behavior of a specific company.

What to watch next

The formal presentation of the Tech Sovereignty Package on May 27 will be the key milestone. At that point, the specific scope of the cloud restrictions — including whether carve-outs or transition periods are included — will become clearer. Industry stakeholders, including the affected US providers and European cloud operators, are expected to lobby heavily on the details during the legislative process.

For enterprises and public-sector organizations across the EU, the rules could accelerate a shift toward European cloud vendors and hybrid or multi-cloud strategies designed to keep sensitive workloads within the bloc. US providers, meanwhile, may need to explore deeper partnerships with EU-based infrastructure firms or invest in local data residency capabilities to maintain their foothold in one of the world's largest single markets.