The European Technological Sovereignty Package — released after several delays — includes two legislative proposals: the Cloud and AI Development Act and Chips Act (CAIDA) 2.0 and the Open Source Strategy and Strategic Roadmap for Digitalization and AI in Energy.
CAIDA goals to triple data center capability in the subsequent five to seven years by easing restrictions for deployments across the EU. It also includes rules that, if enacted, would require EU public bodies to satisfy certain sovereignty criteria for cloud service procurement related to certain sensitive workloads.
Amid ongoing trans-Atlantic tensions and a long-time deep reliance on US tech providers, European organizations have grow to be increasingly wary of a “kill switch” that may cut off access to digital services. There are also concerns that US hyperscalers may very well be compelled to share data with US government under the CLOUD Act and Foreign Intelligence Services Act (FISA), even when data centers are positioned in Europe.
The CAIDA proposals include 4 levels of criteria for suppliers; essentially the most basic includes data center infrastructure positioned and operated within the region – something many US cloud suppliers already provide – with stricter rules around supplier ownership, full control over the software stack, and more stringent cybersecurity certification.