The European Union is drafting rules that would bar member governments from using U.S. cloud providers to process sensitive public-sector data, according to osnews.com citing CNBC. The measure, still under internal discussion, could take effect as early as 2027.
Talks began after the European Commission’s cybersecurity arm circulated a confidential policy paper in April 2026, osnews.com reports. Officials from France, Germany and the Netherlands pushed for the clause, arguing that reliance on Amazon Web Services, Microsoft Azure and Google Cloud exposes strategic information to U.S. surveillance laws such as FISA 702. The draft regulation would require all “high-impact” government workloads—tax records, health data and defence contracts—to be hosted only by EU-headquartered firms or joint ventures with majority European ownership.
The proposal lands amid a record €12 billion wave of sovereign-cloud investments by AWS, Microsoft and Google since 2023, according to osnews.com. Comparable restrictions already govern France’s Health Data Hub and Germany’s GAIA-X initiative, but a pan-EU rule would dwarf those precedents. Analysts at Gartner estimate that U.S. hyperscalers currently hold 68 % of the €9 billion EU public-sector cloud market; forced migration could shift roughly €6 billion in annual spend toward OVHcloud, Deutsche Telekom and other regional players.
The Commission will publish a formal legislative text in Q3 2026, osnews.com notes, triggering a six-month consultation with national cybersecurity agencies. Watch for draft amendments from the European Parliament’s ITRE committee in December and a final Council vote scheduled for June 2027. Cloud providers must submit compliance roadmaps within 90 days of enactment or risk exclusion from future EU procurement tenders.