A new four tier legal framework called Union Assurance Levels, attached to every government cloud contract, asks European public sector buyers to declare on the record how much US legal exposure they will accept.
When Microsoft cut off the International Criminal Court's chief prosecutor from his email in February 2026 because of US sanctions, European officials had a concrete example of what they had been warned about for years. Microsoft initially said the decision was the ICC's, but Dutch press reported that the company had invoked its own US sanctions obligations to justify the cutoff. The episode crystallized the gap between marketing claims of digital sovereignty and the legal reality of US jurisdiction over American cloud providers.
That gap is what the European Commission's new European Technological Sovereignty Package is designed to close, and it does so by reaching past diplomats and lawyers into the procurement office. The package, outlined in a Council document dated the week of 2026-06-07, bundles four overlapping initiatives: a sovereign cloud framework, an AI strategy, a "Chips Act 2.0" for advanced semiconductors, and a new Open Source Strategy. Together they represent the Commission's first attempt to make "sovereignty" a measurable, legally enforceable category rather than a procurement aspiration.
The mechanism at the center of the cloud piece is a four-tier auditable control framework called Union Assurance Levels, or UALs, enforced under the proposed Cloud and AI Development Act, or CADA. Every public-sector cloud contract above a threshold would have to declare, on the record, where the data is stored, which legal jurisdiction governs it, who can access it, how the supply chain is controlled, and how security is verified. CADA would give the Commission the power to set and enforce those tiers. UALs would be the language in which the contract is written. As The Register's Lindsay Clark reported, the package does not invent a sovereign cloud from scratch. It puts existing, voluntary frameworks on a legal footing. Sovereignty Effectiveness Assurance Levels (SEAL) under the European Cybersecurity Certification Framework, the German federal cybersecurity agency's Cloud Computing Autonomy (C3A), and France's SecNumCloud are already in play. What changes is the enforceability.
The precipitating fact is not abstract. In June 2025, Microsoft told a French court, under oath, that it could not guarantee digital sovereignty if US authorities demanded access to data held on its foreign servers. The admission was a direct acknowledgement that the 2018 US CLOUD Act, a US federal law that compels American companies to hand over data stored on foreign servers when ordered by a US court, overrides the contractual promises cloud vendors sell to European customers. Combined with the February ICC episode, it gave the Commission something it had previously lacked: a documented, on-the-record demonstration that voluntary frameworks were not enough. European providers still supply only about 15 percent of the region's cloud infrastructure. The rest is dominated by US hyperscalers, the largest American cloud providers, operating under US legal jurisdiction regardless of where the servers physically sit.
Gartner, the analyst firm that has tracked the package, frames the scale of the bet differently. The EU's plan to triple datacenter capacity inside Europe over five to seven years, a characterization of Council and Commission plans rather than a single verbatim target, runs alongside the new compliance burden. Gartner warned, via The Register, that UALs will land on a "crowded landscape" already populated by SEAL, C3A, and SecNumCloud, and that the result will be confusion for both providers and the public-sector buyers who must choose between them. The complexity critique is legitimate. Adding tiers on top of tiers is not the same as removing US-jurisdiction exposure, and "compliance as theater" is a real risk if UALs become a procurement checkbox rather than a substantive test.
For a public-sector chief information officer in Berlin, Paris, or Tallinn, the practical effect is that the next cloud contract will read differently. A hospital tender will be asked to specify, in writing, which jurisdiction governs patient records under the tier selected. A defense procurement will need to declare supply-chain control at the level the chosen UAL requires. A municipality that has been buying from whichever hyperscaler offered the best price will, under CADA as proposed, have to record the sovereignty trade-off it is making and accept liability for the choice. The CIO is not being asked to build a sovereign cloud. The CIO is being asked to make sovereignty a line item in the contract.
The Commission is also betting that demand-side procurement rules can industrialize the supply side. The Open Source Strategy, the third pillar of the package, directs public-sector buyers toward open-source stacks in cloud, AI, internet technology, cybersecurity, and semiconductors, and ties new funding to long-term maintenance and security of those projects. Chips Act 2.0 sets a target of advanced chips below 10 nanometers built in the EU, with simplified state aid and red-tape relief for fabs. Both are responses to a structural finding: that European sovereignty in any single layer is incomplete if the layers beneath it remain imported.
Gartner predicts, again as reported by The Register, a "second wave" of European governments prioritizing digital sovereignty after early leaders France, Germany, and the Netherlands, and a shift from open competition toward a "European preference" model for highly secure workloads. Commission President Ursula von der Leyen, in announcing the package, framed sovereignty as the protection of hospitals, energy grids, and services from foreign dependence. The phrasing is political. The operative question is whether UALs, CADA, the Open Source Strategy, and Chips Act 2.0 survive the legislative process intact, and whether the Commission can translate a four-tier compliance framework into a procurement culture that treats jurisdiction as a first-class variable rather than a marketing claim.
Two things to watch. First, the Parliament and Council negotiations, which will determine whether CADA emerges with binding enforcement teeth or as a softer reporting obligation. Second, the response of US cloud providers and the Trump administration, which has not yet issued a documented reaction but is, by The Register's reading, "bound to provoke" friction. The Commission's bet is that the choice between voluntary frameworks and legally enforceable UALs is no longer theoretical. The Karim Khan email cutoff, and the French-court admission six months later, are the evidence on which that bet is being made.