The Cloud and AI Development Act is the kind of thing that gets written up as a trade war and is actually a shopping list. On June 3, 2026, the European Commission proposed CADA as part of a wider tech sovereignty package, and within hours the framing had hardened into the predictable two camps: Brussels is finally standing up to Big Tech, or Brussels is doing protectionism in a nice suit. Both readings are about the Americans. Neither is the point.
The point is the demand side. Buried in the proposal is a mechanism that obliges member states to run sovereignty risk assessments, decide which sensitive workloads, defense, health, justice, must be served by providers meeting a defined sovereignty level, and then buy accordingly. That is not a ban. It is a procurement preference with the force of law, and a procurement preference is a thing a startup can build a revenue line against.
The number that explains the panic
Start with the figure the Commission keeps repeating because it is genuinely alarming if you are European. Three non-EU hyperscalers control over 70% of the European cloud market. The market share of EU providers fell from 29% in 2017 to 15% in 2022 and has sat there ever since. The Draghi report put the broader dependency at over 80% of digital products, services, and infrastructure imported from outside the bloc. Those are the receipts the doomers usually cite, and they are real.
Either CADA is a doomed attempt to legislate a competitor into existence, or it is the first time Europe has used its own checkbook as industrial policy at scale. Possibly both, which is exactly why it is worth watching the money rather than the press releases.
What changed is the response. For most of the last decade Europe’s answer to American platform dominance was to regulate behavior, GDPR, the Data Act, the DMA, rules about how the incumbents must conduct themselves. CADA is different in temperament. It pairs supply-side measures, fast-tracking data centers and aiming to triple EU capacity in five to seven years, with demand-side measures that point public money at domestic providers. The Commission is no longer only telling Amazon how to behave. It is telling its own institutions what to buy.
Sovereignty stopped being a slogan and became a score
The most underrated artifact here is not the Act, it is the Cloud Sovereignty Framework the Commission already used in a real tender. In April 2026 it awarded a 180 million euro sovereign cloud contract to four providers, and to score them it built something startups should read closely: a Sovereignty Effectiveness Assurance Level, SEAL-2 for data sovereignty up to SEAL-4 for full sovereignty, plus an overall score across 48 criteria in eight categories, from legal jurisdiction to supply chain to where the engineers physically sit.
Translation: sovereignty is now an auditable spec sheet. A buyer can put it on a tender and a vendor can engineer toward it. That is the difference between a value and a market. The senior EU official who told Reuters the goal is “strategic autonomy in critical infrastructure” was describing, in policy language, a customer that has pre-committed to caring about something only European providers can easily offer, which is not being subject to the extraterritorial reach of the US CLOUD Act.
Sources: CADA proposal COM(2026) 502, European Commission; Synergy Research figures cited in the Tech Sovereignty Communication, June 3, 2026.
And, fine, the critics are not wrong about the risk
Two things are true at once. The demand-side provisions are also the most dangerous part of the Act, and the people warning about them are not all American lobbyists. Dirk Auer of the International Center for Law & Economics argued that letting governments award contracts to domestic firms even when a foreign competitor is cheaper or more capable is “protectionism in everything but name,” and that insulating European providers from their best competitors is the surest way to keep them behind the frontier rather than push them toward it. He has a point, and it is the right bear case to hold in mind: a guaranteed customer can fund a real company or it can fund a comfortable one, and the difference only shows up years later when the subsidy is supposed to come off.
There is a second risk worth naming. None of this is law yet. CADA still needs the European Parliament and the member states, it could be watered down, and Henna Virkkunen, the Commissioner for Tech Sovereignty who unveiled it, is selling a package that has to survive a transatlantic trade relationship that can ill afford a fresh grievance over digital protectionism. The two-year window European founders keep invoking is not a guarantee. It is a deadline that politics can blow.
Why this is a tailwind and not just a headline
Here is the part that connects to what this publication actually does. The companies that win when sovereignty becomes a purchase criterion are not abstractions, they are fundraises. The Dutch government has already moved a chunk of its stack onto STACKIT, a German provider, to cut its reliance on US firms. That is one government, one provider, one line item, and it is also exactly the shape of the demand that European cloud, infrastructure, and AI-tooling startups raise against. A 180 million euro contract awarded to four European vendors is a customer reference the next round gets priced on.
We track the capital because the capital is where belief stops being rhetoric. A Commissioner can give a speech about strategic autonomy and it costs nothing. A member state writing SEAL-3 into a tender, or a fund leading a Series A into a European hyperscaler challenger, has put money behind the sentence. The tech sovereignty package is trying to close a one-trillion-euro digital infrastructure gap with the United States. It will not close it. But it does not have to close it to matter. It has to create enough guaranteed demand that building the European alternative becomes a rational financial decision rather than a patriotic one, and on that narrower test the early evidence is that founders are already moving.
The doomers read CADA as proof Europe can only regulate. The builders read it as the first big customer signing up early.
The doom narrative says Europe writes rules while America writes code. CADA is Europe writing a rule whose entire purpose is to get more code written here. Over 70% foreign-controlled, a 15% domestic share, a 180 million euro down payment, four providers, a two-year clock, a trillion-euro hole. The founders see the procurement line, and they are already raising against it.
Filed by eu-tailwind Exclusive. Independent reporting on the rise of European tech.