The Hague 2025

Young Visions of Peace and Security

ECON

Committee on Economic and Monetary Affairs

Head in the Clouds: as cloud computing becomes an increasingly indispensable tool of government and business, the cloud infrastructure market is currently dominated by US providers such as Amazon and Microsoft, sparking provider dependency, data protection, and national security concerns. How can the EU and its Member States act to ensure strategic autonomy for European cloud infrastructure, limit external dependencies, and ensure data sovereignty that ensures high-performing cloud computing capabilities for its governments and businesses?
Elena Stunda (NL)

Executive Summary 

In today’s increasingly interconnected world, the growing reliance on cloud computing, especially for governments and businesses, raises concerns about data sovereignty, security, and strategic autonomy for the EU. With the rapid expansion of the digital economy and the proliferation of cloud services, the EU faces challenges in reducing dependency on US-based providers which dominate the global market. These providers are subject to foreign jurisdictions like the US CLOUD Act, posing risks to EU data protection laws and sovereignty.

Divergent regulations and a lack of interoperability between national cloud providers create barriers to collaboration and competitiveness. Efforts, such as the GDPR and the EU Cybersecurity Act, aim to protect data and establish high security standards, while initiatives like GAIA-X represent steps toward building a competitive European cloud ecosystem. 

A primary obstacle with these efforts is the lack of large-scale European cloud providers capable of competing with the established dominance of US tech giants. These companies benefit from economies of scale, vast resources for innovation, and global reach, making it difficult for smaller European providers to rival their influence. Furthermore, the diverse regulatory environments across Member States hinder the creation of a cohesive and competitive market, as conflicting national priorities often delay the implementation of unified strategies. Slow public-private collaboration and limited investment in research and development leave the EU vulnerable to external control over critical data infrastructure.

Table Of Contents
  1. Committee on Economic and Monetary Affairs
  2. Introduction 
  3. Key Stakeholders
  4. Fundamental Challenges
  5. Measures in place
  6. Historical context
  7. Outlook

This committee is supported by the Ministry of Economic Affairs

If you prefer to read or print this Topic Overview as a static PDF document, you can download it here.

ECONDownload

Introduction 

The US dominates the global cloud market, with American providers like Amazon Web Services, Microsoft Azure, and Google Cloud accounting for 72% of regional market share.1 This dominance underscores a substantial investment gap, as US cloud providers invest ten times more than their European competitors2, leaving the EU struggling to keep pace. Europe’s reliance on non-EU cloud services raises significant concerns about data sovereignty, privacy protection, and cybersecurity. Furthermore, the US CLOUD Act enables American authorities to access data stored on US-based servers abroad, potentially clashing with the EU’s GDPR and undermining the bloc’s ability to safeguard sensitive information.3

However, critical EU data and digital infrastructure remain under foreign jurisdiction, leaving Europe vulnerable to external legal and political pressures.4 Simultaneously, the lack of competitive European alternatives prevents the EU from achieving strategic autonomy in the digital sphere.5 As dependence deepens, cybersecurity risks and foreign influence over essential operations grow, making it increasingly difficult for the EU to assert control over its digital future. Moreover, with no clear pathway to reducing this external reliance, Europe risks perpetuating its technological dependence in a key sector driving modern economies.

Key Stakeholders

The Directorate-General for Communications Networks, Content and Technology (DG CONNECT)6 plays a pivotal role in shaping and implementing the EU’s digital policies, including those related to cloud computing, data sovereignty, and digital innovation. This body is responsible for advancing the EU’s Digital Single Market strategy7, which promotes the development of sovereign cloud infrastructures across Member States. DG CONNECT oversees funding programs such as the Digital Europe Programme and collaborates with industry stakeholders, Member States, and EU institutions to reduce reliance on non-EU cloud providers and foster the growth of European cloud solutions. Its work also supports initiatives like GAIA-X and the European Cloud Federation, aiming to ensure Europe’s strategic autonomy in the digital space.

The European Data Protection Board (EDPB)8 is responsible for ensuring data sovereignty and compliance with the GDPR as the EU pursues strategic autonomy in cloud computing. By providing guidance on data protection laws, particularly regarding cross-border data flows and data transfers to non-EU countries, the EDPB helps address privacy concerns tied to reliance on foreign cloud providers. It advocates for data localisation and control within the EU to protect personal data and minimise external dependencies. Additionally, the EDPB collaborates with EU institutions, Member States, and industry stakeholders to harmonise data protection standards and support secure, sovereign cloud infrastructure development.

The EU Agency for Cybersecurity (ENISA)9 is a key stakeholder in ensuring the security and resilience of European cloud infrastructure. As the EU’s cybersecurity agency, ENISA develops frameworks, guidelines, and certifications to enhance trust in cloud services while addressing risks tied to dependency on foreign providers. It plays a leading role in the implementation of the EU Cybersecurity Act, promoting the adoption of robust security standards for cloud services. 

US cloud providers, such as Google, Amazon, and Microsoft, are, while not EU-based, critical actors due to their market dominance.10 Their interests lie in maintaining access to the lucrative European market while complying with the GDPR and other regulations. However, their reliance on the US CLOUD Act and concerns about data sovereignty make them frequent targets of criticism. Their significant resources allow them to adapt quickly to EU requirements, but their operations remain constrained by the EU’s push for local alternatives and stricter regulations.

European cloud service providers11, such as OVHcloud by France, T-Systems by Germany, and GAIA-X, are crucial stakeholders in developing alternatives to dominant US-based cloud providers. These companies have a vested interest in ensuring the growth of a sovereign, competitive European cloud ecosystem. However, the lack of singular dominant cloud provider makes it difficult to compete with large providers from the US.

Fundamental Challenges

US-dependency

The US dominates the cloud market, capturing over 65% of spending on cloud infrastructure services.12 Despite the EU’s attempts to join this market, the US is estimated to be investing ten times the amount into these clouds than EU–competitors. This reliance undermines the EU’s strategic autonomy, as critical data and services are hosted by foreign companies subject to non-EU jurisdictions, including the US CLOUD Act13, which permits US authorities to access data stored abroad, even against local laws. This raises concerns about conflicts with EU data protection laws and foreign influence on critical EU operations. The lack of competitive European alternatives exacerbates this dependency, leaving the EU without a clear path to reducing external reliance.

Fragmentation of the European cloud market

The European cloud market remains fragmented, with numerous local providers operating under inconsistent regulations and standards across Member States.14 This disjointed environment prevents the development of a unified, competitive European cloud ecosystem capable of challenging global providers. National-level differences in policies and interests have hindered local initiatives from achieving their full potential. The lack of interoperability and cohesive governance creates inefficiencies and limits cross-border collaboration, leaving the European market fragmented and vulnerable to external competition.

Growing demand for cloud services

The rapid digital transformation of governments and businesses has led to an unprecedented demand for cloud services, placing pressure on existing infrastructure and providers. The European Commission recognises this demand, and wishes to see 75% of European businesses adopting cloud-computing by 2030.15 Governments increasingly rely on cloud computing for public services, e-governance, and critical data management16, while businesses depend on it to enhance scalability, innovation, and competitiveness.17

Figure 1: The growth of Cloud-use within businesses.

Measures in place

The General Data Protection Regulation (GDPR)18 serves as the cornerstone of the EU’s efforts to protect personal data and maintain data sovereignty. Its stringent rules regulate cross-border data transfers and encourage data localisation. The regulation ensures that cloud services operating within the EU comply with robust privacy and security standards, protecting both individuals and organisations. However, challenges remain in enforcing compliance, especially for foreign cloud providers, as some continue to resist full alignment with EU data protection standards, potentially undermining the regulation’s effectiveness.19

The EU Cybersecurity Act20 strengthens the EU’s cybersecurity framework by empowering ENISA and establishing a certification system for ICT products and services, including cloud computing. This certification ensures that cloud providers meet high security standards. The Act aims to enhance the resilience and security of European digital infrastructure, aligning with the EU’s broader goals of strategic autonomy. The Act falls short by making key cybersecurity certifications voluntary, allowing major non-EU providers to operate without fully adhering to EU security standards. This weakens Europe’s digital sovereignty and leaves critical infrastructure vulnerable to foreign influence and security risks.

The GAIA-X initiative21 is a flagship effort to establish a sovereign European cloud ecosystem. It aims to reduce dependency on dominant US cloud providers by fostering collaboration among European stakeholders, including governments, businesses, and research institutions. GAIA-X emphasises interoperability, transparency, and compliance with European values, but faces slow progress, poor coordination among European stakeholders, and competition from US cloud providers.22

VIDEO explaining what Gaia-X is
Watch the video

Historical context

The concept of cloud computing has its roots in the 1960s23, when computing was centralised, and powerful mainframe systems were shared through time-sharing technology.24 Early pioneers envisioned a future where computing resources is offered as a public utility, like the telephone system, laying the groundwork for modern cloud computing.25 By the 1990s,26 virtualisation and internetworking protocols, paved the way for the emergence of the internet and Software-as-a-Service (SaaS).27

The early 2000s saw a breakthrough with Amazon’s launch of Amazon Web Services (AWS) in 2006.28 AWS introduced Infrastructure-as-a-Service (IaaS), allowing the renting of computing resources such as storage and processing power on a pay-as-you-go basis.29 Furthermore, the rapid growth of global cloud service providers, particularly US-based companies, led to an increasing reliance on foreign-hosted data and services. 

A significant legal development in the history of cloud computing came with the Schrems rulings. The Schrems I ruling in 201530, invalidated the Safe Harbor Agreement,31 a framework that allowed companies to transfer personal data from the EU to the US. In 2020, the Schrems II ruling invalidated the Privacy Shield Agreement, further complicating data transfers between the EU and the US for companies using cloud services.32 The rulings prompted companies to adopt stronger data protection mechanisms.33 Throughout this period, Europe also developed the GDPR, which became a cornerstone of EU data protection laws. 34

Figure 2: Case-by-case assessments of foreign protections.
Interactive Timeline of the development of the GDPR
The History of the General Data Protection Regulation
Read more

Outlook

As the EU works to build its digital autonomy, cloud infrastructure remains a key area of focus. With technology advancing rapidly and global power dynamics shifting, the EU will need to find innovative solutions that move beyond the current approach. Achieving European digital sovereignty means promoting competition among local cloud providers and fostering collaboration between Member States, the private sector, and EU institutions to set common standards and build trust.

However, addressing cybersecurity vulnerabilities and aligning regulations to ensuring continued investment in innovation, all while navigating complex relationships with global players like the US, remains difficult. Despite these obstacles, they also present an opportunity for Europe to transform its digital landscape in a way that prioritises its core values: privacy, security, and independence.

How can the EU find the right balance between fostering innovation and safeguarding data protection? Will a pan-European cloud ever be able to compete with US-based giants, or is some level of global cooperation necessary for effective and competitive cloud services? What role should the private sector play in shaping the future of cloud infrastructure, while also ensuring the EU’s high standards for data privacy are met?

FOOTNOTES

  1. Consultancy.eu (2024). European IaaS and PaaS cloud market to double by 2028. Link ↩︎
  2. Filippo Gualtiero Blancato (2023). The cloud sovereignty nexus: How the European Union seeks to reverse strategic dependencies in its digital ecosystem. Link ↩︎
  3. Michael Goldner (2024). How the CLOUD Act Challenges GDPR Compliance for EU Businesses. Link ↩︎
  4. Lusine Vardanyan and Hovsep Kocharyan (2022). Critical views on the phenomenon of EU digital sovereignty through the prism of global data governance reality: main obstacles and challenges. Link ↩︎
  5. The European Commission (2024). The future of European competitiveness (Page 72). Link ↩︎
  6. The European Commission. Communications Networks, Content and Technology. Link ↩︎
  7. Leah Sadoian (2025). The EU’s Strategy for a Cybersecure Digital Single Market. Link ↩︎
  8. The European Data Protection Board. About EDPB. Link ↩︎
  9. ENISA. Who we are. Link ↩︎
  10. Stefan Ionescu (2024). Best cloud computing service of 2025. Link ↩︎
  11. European Alternatives. European cloud computing platforms. Link ↩︎
  12. Mary Zhang. Top 10 Cloud Service Providers Globally in 2024. Link ↩︎
  13. BSA (2021). What is the CLOUD Act? Link ↩︎
  14. Mark Scott and Francesco Bonfiglio (2024). XI. Why Europe’s Cloud Ambitions Have Failed. Link ↩︎
  15. Decision 14.12.2022. “Establishing the Digital Decade Policy Programme 2030”. Link ↩︎
  16. Bernardo Araújo (2024). Cloud Computing in Digital Government: what is it and why is it important? Link ↩︎
  17. Emil Sayegh (2023). How Cloud Computing Revolutionized Business Operations And What Lies Ahead. Link ↩︎
  18. Regulation 2016/679. ‘General Data Protection Regulation’. Link ↩︎
  19. Giulia Torchio (2023). Meta’s ‘Pay or Okay’: Is this the final challenge for EU GDPR? European Policy Centre. Link ↩︎
  20. Regulation 2019/881. ‘The EU Cybersecurity Act’. Link ↩︎
  21. Gaia-X. About. Link ↩︎
  22. Maximilian Hille (2021). Why GAIA-X hasn’t been successful yet. Link ↩︎
  23. Paul Ferrie (2024). A Brief History of Cloud Computing. Link ↩︎
  24. William Arms (2015). Multiprograming, multitasking, and timesharing. Link ↩︎
  25. Simson Garfinkel (2011). The Cloud Imperative. Link ↩︎
  26. Cody Slingerland (2023). The Simple Guide To The History Of The Cloud. Link ↩︎
  27. Colin Baird (2023). On the Evolution of Software as a Service (SaaS). Link ↩︎
  28. Stephen J. Bigelow (2025). The history of cloud computing explained. Link ↩︎
  29. Stephanie Susnjara, Ian Smalley (2024). What is infrastructure as a service (IaaS)? Link ↩︎
  30. ECLI:EU:C:2015:650 ‘Schrems’. Link ↩︎
  31. Samuel Gibbs (2015). What is ‘safe harbour’ and why did the EUCJ just declare it invalid? Link ↩︎
  32. ECLI:EU:C:2020:559 ‘Schrems II’. Link ↩︎
  33. SoSafe (2022). The Privacy Shield decision: What does the Schrems II ruling mean for your organization? Link ↩︎
  34. Ernst Oliver Wilhelm (2016). A brief history of the General Data Protection Regulation (1981-2016). Link ↩︎