Commission unveils tech sovereignty package with Chips

Commission unveils tech sovereignty package with Chips 2.0 and CADA, and for once Brussels sounds less like it is hosting a panel and more like it is trying to build an actual doctrine: sovereign cloud tiers, compute capacity, energy strategy, and a real push for European digital sovereignty.

I have heard “digital sovereignty” from European politicians so many times that my brain usually files it under nice words, zero forklifts. A panel in Brussels. A PDF with a gradient cover. One French executive saying strategic autonomy like he is ordering a €14 espresso at Gare de Lyon.

This time, though, something snapped into focus.

When the Commission unveils tech sovereignty package with Chips 2.0 and CADA, the important part is not that Brussels has produced another industrial strategy deck. It is that the Commission is finally saying the quiet part out loud: if your hospitals, grids, and public services run on infrastructure controlled somewhere else, you are not sovereign. You are leasing stability from people whose incentives are not yours.

That is a much harder sentence than “Europe should innovate more.” And a much more useful one.

I am cynical enough about EU policy theater to keep receipts, but this package reads differently. Less compliance cosplay. More doctrine. Less “we convened stakeholders.” More “here are the layers of the stack we cannot afford to outsource forever.”

The EU finally stopped pretending the market would sort this out

The Commission’s 3 June 2026 announcement was unusually blunt, which I appreciated because policy language normally sounds like it was assembled by three consultants and a hostage. Ursula von der Leyen said:

We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure.

Good. Finally. Use normal words.

The package has four pillars: Chips Act 2.0, the Cloud and AI Development Act, or CADA, the Open Source Strategy, and the Strategic Roadmap for Digitalisation and AI in Energy. Together, the Commission says, they support Europe’s ambition to become an AI continent and mark a major shift in the EU’s approach to technology.

That phrase usually makes me roll my eyes. This time I think it is fair.

The EU has spent years getting very good at regulating downstream harm. Competition. Privacy. Platform abuse. AI risk categories. All necessary. I am not one of those founder types who thinks every law is oppression because someone asked me to fill out a form. But regulating the mess after the fact is not the same as building upstream capacity. Chips, cloud, compute, power, software dependencies, procurement, permits, that is not compliance. That is statecraft.

And yes, I am very obviously pro-European here. Deeply. A fragmented Europe is charming in museum brochures and terrible at building strategic tech capacity. My nonna would tell me not to get dramatic before lunch, but she also survived enough Italian bureaucracy to know scale matters.

The philosophical shift is the whole story. Brussels is moving from please build more in Europe to if you want Europe’s most sensitive workloads, you play by Europe’s rules. That is not a slogan. That is leverage.

That is also why this package matters more than the usual summit chatter.

CADA is the real headline, and yes, hyperscalers should be sweating a little

Everyone will talk about chips because chips have elite political branding. Hard hats. Factories. Big numbers. Politicians love a fab photo op. But CADA is where the power move is.

According to reporting on the proposal, Henna Virkkunen said:

We want to ensure that our most critical and most sensitive data are stored in Europe.

She also described a four-tier framework for the public sector based on criteria including infrastructure location, control of the software supply chain, and cybersecurity.

That is not random wording. That is the Commission building a trust hierarchy for cloud.

And it lands because the market reality is ugly. More than 70% of Europe’s cloud market is controlled by three non-European hyperscalers. We all know who they are. AWS, Azure, Google Cloud. They are good products. I use them too. This is not about patriotic LARPing or pretending Europeans should choose worse infrastructure because it makes for a nice speech in Strasbourg.

It is about the difference between convenience and resilience.

Once Europe starts saying some workloads are simply too sensitive for foreign influence, the whole debate changes. It stops being about price-per-core and enterprise discounts. It becomes about who can interrupt public life, who sits under third-country legal regimes, who can be pressured in a geopolitical crisis, and who controls the failure points when things go sideways.

That is not paranoia. That is adulthood.

This is also why CADA will be a bloodbath in negotiations. The cloud sovereignty framework is where the package stops being a philosophy essay and starts threatening real market power. If I were sitting in a hyperscaler policy office in Brussels right now, I would be very calm in public and absolutely not calm in private. Lots of “we welcome the dialogue.” Lots of tasteful canapés. Quiet panic.

Commission unveils tech sovereignty package with Chips 2.0 and CADA, but Europe still needs the compute

This is where my optimism runs into the wall of physical reality.

Europe can define sovereign cloud tiers all day. It should. But definitions do not produce compute. They do not conjure data centers, GPUs, transformers, cooling systems, fiber, operators, or enough people willing to answer a 3:12 a.m. alert because something is on fire in a facility outside Frankfurt.

The numbers are rough. EU-based providers’ share of the European cloud market fell from roughly 29% in 2017 to around 15% by 2022. That is not a temporary wobble. That is a structural loss of ground.

The Commission’s answer is ambitious: triple EU data-center capacity over the next five to seven years and build enough capacity by 2035. Great. Europe desperately needs ambition. But ambition is not concrete. It is not grid access. It is not a permit approved before everyone involved retires.

The most brutal detail in the package is buried in the projections. The Commission wants European providers’ share of cloud and AI-compute markets to reach 30% by 2035, up from around 15% today. Sounds bold. Except the Commission’s own optimistic scenario only gets to 17%.

That gap is the whole plot.

I am not saying this to dunk on Brussels. Honestly, I prefer this version of Europe, ambitious, exposed, forced to confront reality, over the old version that hid behind elegant language. But if your target is 30 and your own best-case math says 17, then the press release is not the hard part. The hard part is admitting how much heavier the lift really is.

A founder friend told me over dinner in Milan, after a bottle of wine and an argument that somehow involved industrial policy and pistachio gelato, “Europe always announces the destination before checking if the train tracks exist.” Brutal. Also fair.

Compute is ugly-physical. It lives in land-use fights, environmental reviews, interconnection queues, transformer shortages, local politics, and electricity contracts. If CADA is going to be real, the EU and Member States need to get obsessed with boring bottlenecks. Not inspired by them. Obsessed.

The energy piece is the tell

The most underrated part of this whole package is the part almost nobody outside policy circles will tweet about: the Strategic Roadmap for Digitalisation and AI in Energy.

That is the giveaway. The Commission knows compute policy is now energy policy.

Grazie. At last.

Pretending you can scale sovereign AI infrastructure without a power strategy is like opening a restaurant without checking whether the kitchen has gas. Very European move, by the way. Beautiful concept note. No line capacity.

Europe has already put serious money on the table: €10 billion invested in AI factories, split between the EU and host Member States, and €20 billion committed to AI gigafactories through public-private funding, with a third public. Those are real numbers. Not vibes. Not “ecosystem support.” Real money.

But money is not magic. More compute does not automatically create a healthy stack, competitive software layers, or strategic autonomy. You can spend billions and still end up with prettier dependency.

One line from the policy debate nails it: talent will not go to the factories, the factories must go to the talent. Exactly. Europe has a bad habit of placing strategic infrastructure where it is politically convenient and then acting surprised when talent clusters do not teleport themselves there out of civic duty.

And then there is the unsexy stuff that decides everything: electricity and water. Data centers eat both. If Europe builds sovereign compute on top of fragile energy economics, then all we have done is replace one dependency with another. Congrats, you are now sovereign until the grid operator sneezes.

This part hits close to home for me. I grew up in Italy. I have seen brilliant ideas die in permit queues so slow they make you question whether civilization was a mistake. I love Europe. I am annoyingly pro-Europe. But if the substation permit takes forever, your AI strategy is not a strategy. It is a mood board with a logo.

The smartest part of the package is that it is not just about servers

A lot of people will read this as a data-center story. It is. But the sharper move is elsewhere.

Virkkunen’s sovereignty criteria under CADA include not just infrastructure location, but control of the software supply chain and cybersecurity. That matters because a building in Europe does not equal autonomy if the critical layers above and below it are still exposed. Firmware, orchestration tools, update paths, management software, operational control points, if those remain vulnerable to outside pressure, then the sovereignty claim is mostly decorative.

This is why the Open Source Strategy matters more than it sounds. It is not a cute side quest for developers with too many stickers on their laptops. It is part of the sovereignty logic. The package is trying, at least in theory, to cover the full stack: chips, cloud, software, AI, energy.

That is the right frame.

Europe also needs to avoid creating fresh dependencies around GPU ecosystems and proprietary software layers. This is the trap. You build “sovereign” compute, slap an EU flag on the brochure, and then discover the actual choke points still sit elsewhere. Nice branding. Same vulnerability.

For the highest sovereignty tiers, the requirements get much stricter around cybersecurity assurance and software supply-chain control. In plain English: the upper levels will favor providers with real European operational control, not just a local office and a compliance team that knows how to pronounce “Brussels” correctly.

Bene.

That is a grown-up definition of sovereignty. Not “the server rack is physically nearby.” More like: when systems break, who can fix them, who can shut them off, who can force changes, and who can be leaned on from outside the Union?

That is where sovereignty stops being poetry and starts being architecture.

The real test is whether Europe can act like a union when the bill shows up

Here is where things get less romantic.

Under the proposal, Member States will have to carry out sovereignty risk assessments to decide which public cloud use cases require which level. The Commission sets the harmonized criteria and creates a central register of cloud services with a European assurance level. Very EU design. Shared framework, national execution, and everyone politely pretending coordination is easy.

Still, the breakdown is smarter than critics will admit. The Commission estimates that 70% of public-sector use cases would require level 1 sovereignty, 20% level 2, 9% level 3, and 1% level 4. That matters because it kills the lazy argument that Brussels wants every boring admin workload locked inside some autarkic digital monastery. Most use cases stay at the lower end.

And no, the package does not instantly ban US hyperscalers from Europe. They can generally meet level 1 requirements. Some non-European firms may qualify for level 2 if they can show enough insulation from third-country interference. But at the top levels, the bar gets much tougher. Again, that is the point. If something is highly critical to public order, foreign influence risk stops being an acceptable default setting.

The most important line in the whole thing might be this: by 2035, 100% of highly critical public-sector use cases should rely on sovereign cloud services and computing for AI.

That is not a guideline. That is doctrine.

And doctrine is expensive.

This is where Europe has to decide whether it actually believes its own rhetoric. Because sovereignty is not just a matter of announcing categories and giving speeches about values. It means buying European when it is less convenient. Funding European capacity before it is obviously mature. Speeding up permits. Fixing procurement. Coordinating across countries that still love acting like tiny empires whenever budgets get awkward.

I am also talking about the usual euroskeptic reflex here. The anti-Brussels theater gets very stupid very fast once the issue is hospitals, grids, public administration, and critical AI workloads. Fragmentation now has a strategic cost. A real one. Every delay, carve-out, and vanity “national champion” project that ignores the Single Market adds friction in exactly the places where the US and China already have scale.

You cannot spend years talking about Europe on stage and then block European coordination when the invoices arrive. That is not patriotism. That is cosplay with procurement consequences.

A few years ago, I would have described the EU as a world-class referee for technologies built somewhere else. Smart rulemaker. Weak builder. This package does not fully fix that. Not even close. But it changes the question in a way I think matters a lot: not “how should we regulate AI?” but “who owns the infrastructure of public life?”

That is the right question. Finally.

If this package survives the usual dilution machine in Parliament and Council, we may look back on 3 June 2026 as the day the EU stopped acting like a customer and started acting like a state. Maybe even like a union. The doctrine makes sense. The real question is whether Europeans are ready for what it asks: more spending, faster execution, uglier trade-offs, and fewer excuses.

Because the Commission unveils tech sovereignty package with Chips 2.0 and CADA, sure. Nice headline. The harder part comes next. Will governments actually buy European, permit European, and fund European once the lobbying starts screaming and the spreadsheets get ugly?

Sovereignty is expensive.

Dependency is worse.

Pick your invoice.

Sources

• Primary trending article
• Commission proposes tech sovereignty package to strengthen Europe's digital autonomy and resilience
• European Commission proposes sovereignty risk assessments for public cloud services
• European Commission wants European providers of cloud services to double market share to 30% in Europe
• The EU Cloud and AI Development Act in Depth
• EU Tech Sovereignty Package

Related reading

• Tech Sovereignty Package Turns EU Buying Into Power
• EU AI Act Retreat Shows Lobbying’s Real Leverage
• Defining High-Risk AI Is Europe’s Next Big Battle