A New Line in the Sand for Government Data Protection
Policymakers are preparing a Tech Sovereignty Package that could redraw the map of public-sector cloud computing. According to officials involved in the discussions, the package will restrict foreign hyperscale providers such as Microsoft, Amazon, and Google from processing highly sensitive government data. This includes health records, financial information, and judicial documents managed by public bodies. The goal is not a blanket ban, but a clear separation between what private businesses can outsource freely and what remains under tighter control. The package is framed as a wake-up call for digital self-reliance, positioning cloud infrastructure as a critical public utility rather than just another IT service. For U.S. providers, this marks a sharp regulatory inflection point: long-held assumptions that hyperscale capacity alone wins public contracts are being replaced by requirements anchored in government data protection and EU data sovereignty rules.

Tech Sovereignty Package: Freedom for Business, Constraints for States
The Tech Sovereignty Package draws a deliberate distinction between public and private sectors. Private enterprises will still be free to choose any cloud platform, whether AWS, Azure, or Google Cloud, for their proprietary workloads. The restrictions are reserved for government agencies handling sensitive categories such as health, finance, and legal proceedings. This dual-track approach allows the market-driven advantages of global hyperscalers to continue for commercial clients while tightening control where national interests are most exposed. The package also aligns with parallel initiatives like the Cloud and AI Development Act and a second chips-focused program, forming a broader industrial strategy around digital infrastructure. In practice, this means cloud provider restrictions will increasingly be embedded into procurement rules, security certifications, and data-classification frameworks, forcing public institutions to rethink not only which vendors they use, but how they architect and classify their data from the outset.

Boosting Local Cloud Champions and Rebalancing Market Power
A central aim of the new framework is to bootstrap sovereign cloud offerings and diversify the provider landscape. Officials argue that dependency on a small number of foreign hyperscalers creates strategic and competition risks, especially when combined with lock-in tactics. Competition authorities have already highlighted how two major providers capture 30–40% of cloud spending through practices such as high data egress fees and restrictive licensing that make switching costly and complex. The Data Act, already in force, reinforces this agenda by mandating switching rights, banning penalty fees by 2027, and pushing for standardized APIs. Collectively, these measures open space for regional cloud providers to compete for public-sector workloads that were previously out of reach. However, they also raise questions about whether emerging sovereign clouds can match the performance, integration depth, and AI services of established hyperscalers while still complying with stringent government data protection rules.

The CLOUD Act, Compliance Risk, and Enterprise Cloud Strategy
Driving much of the regulatory push is concern over extraterritorial access to data. The U.S. CLOUD Act of 2018 allows American authorities to compel U.S. companies to hand over data, even when it is stored in data centers located abroad. For policymakers, this clashes with EU data sovereignty rules and amplifies fears that sensitive government information could be exposed through foreign legal processes. U.S. providers counter that they reject invalid requests, require proper warrants, and do not provide direct backdoor access or encryption keys. Yet the perception of legal vulnerability persists, especially for public-sector workloads. For multinational enterprises, the implications extend beyond government contracts. Cloud strategy now has to account for jurisdictional conflicts, vendor lock-in, and data-location mandates. Diversification across multiple clouds becomes not just a resilience measure, but a regulatory hedge against shifting cloud provider restrictions and emerging Tech Sovereignty Package obligations.
