EU launches sovereignty package with auditable UAL cloud rules, plus open-source and Chips Act 2.0
Public-sector CIOs get a new control alphabet soup that could reshape Europe’s entire cloud and supplier market.

The European Commission launched its European Technological Sovereignty Package, pairing an auditable cloud control system called Union Assurance Levels (UALs) with an Open Source Strategy and Chips Act 2.0. The result is a likely shift in how public buyers evaluate vendors, pushing “European preference” for highly secure workloads and increasing pressure on US hyperscalers.
The European Commission just launched a “European Technological Sovereignty Package” that aims to turn the fuzzy promise of “digital sovereignty” into something public sector buyers can actually audit. The centerpiece is an auditable, four-level control system called Union Assurance Levels (UALs), which Gartner warns could add yet another layer of complexity for governments trying to buy cloud, AI, chips, and open source software in a hurry. If you are a CIO, procurement lead, or security officer in the region, this matters now because the package is headed toward legislation, which means the rules do not just become policy. They become requirements.
The package also arrives with a very real backdrop: European providers only offer around 15 percent of cloud infrastructure in the region, while dominant American providers sit under US jurisdiction. That reliance is not an abstract risk. The source points to US sanctions on International Criminal Court (ICC) prosecutor Karim Khan, which led to Microsoft services being suspended. Microsoft denied responsibility and said it was the ICC’s decision, but the Dutch press later reported the decision was made under duress, after Microsoft argued its obligations under the sanctions would force it to cut off service to the entire organization unless the ICC removed Khan’s access. In other words, sovereignty is not about branding. It is about whether your provider can legally keep serving you under US-directed pressure.
This is also why the US CLOUD Act of 2018 is such a thorn in the EU’s side. It allows American authorities to compel US-based tech companies to provide requested data, regardless of where that data is stored globally. And the source adds a June 2025 detail that should concentrate executive attention: Microsoft admitted under oath in a French court that it couldn't guarantee digital sovereignty if American authorities demanded access to data held on Microsoft servers on foreign soil. For European buyers, that is a direct challenge to the idea that “data residency” alone can solve jurisdictional risk.
So Brussels is trying to replace “trust us” with a control model. Gartner says the UALs will be based on where the user organization sits across cumulative measures of control, jurisdiction, data processing, supply chain, and security. Critically, the introduction of UALs may cause confusion for providers and buyers because it adds to an already crowded landscape of cloud sovereignty criteria. The source lists several existing frameworks already in circulation: the European Cybersecurity Certification Framework’s Sovereignty Effectiveness Assurance Levels (SEAL), which is non-binding; the German Federal Office for Information Security's (BSI) Cloud Computing Autonomy (C3A) policy, also currently non-binding; and France’s SecNumCloud, an ANSSI binding certification scheme for government procurement. Each one nudges buyers in a slightly different direction. The EU now wants a single auditable structure that can consolidate decisions without letting governments hand-wave compliance.
The Commission frames the objective as resilience and autonomy, with Commission President Ursula von der Leyen saying: “We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable, and our services secure. This is about protecting our citizens, defending our interests, and making our own choices.” The package is described as setting up a “transparent, non-discriminatory blueprint” that lets the EU build resilient, sovereign infrastructures at home while creating a legally sound model for international partnerships and multilateral governance abroad. But even that careful language is likely to annoy the supply market in the short term. Gartner characterizes the package as the EU’s first concrete attempt to implement outwardly focused regulations governing public sector technology procurement. If it holds, future procurement could shift from purely open competition toward a “European preference” model for highly secure workloads.
And the package does not stop at cloud. Another big lever is open source. The new Open Source Strategy aims to scale up open source alternatives across cloud, AI, internet technologies, cybersecurity, and semiconductors. It includes investments in skills, support for open source startups, and improvements to long-term maintenance and security for Europe’s open source digital infrastructure. It also introduces procurement guidelines and best practices designed to increase use of open source alternatives to proprietary software in the public sector stack. Gartner’s separate paper calls this a fundamental shift: open source is no longer only about cost and innovation. For the EU, it becomes “a mechanism to ensure transparency, auditability, and independence from external control,” increasingly backed by EU-led funding to sustain critical open source components, including long-term maintenance and security. In market terms, Gartner expects open source components to underpin core platform layers in sovereign environments, which implies a move toward industrialized open source capabilities: governance, security, long-term support, and integration into enterprise-grade delivery models.
Finally, the EU wants to pull a third rope: chips. The revamped Chips Act 2.0 is designed to end Europe’s reliance on advanced chips below 10 nanometers by prioritizing EU facilities. The source is careful to distinguish it from the US CHIPS and Science Act, which in 2022 allocated a $52.7 billion federal package to boost the American semiconductor industry and reduce reliance on East Asian vendors. Chips Act 2.0, in contrast, aims to cut red tape and simplify state aid applications to accelerate chip factory development, while joining support between R&D and manufacturing.
Taken together, the Technological Sovereignty Package builds a “stacks” view of digital sovereignty as formal EU policy, spanning chips, datacenters, cloud, AI, and open source. That could trigger a second wave of governments to prioritize European digital sovereignty after early leaders like France, Germany, and the Netherlands. Before anything becomes law, the European Parliament and the Council of the European Union will negotiate the proposals, and the source notes the process will likely provoke the US tech industry and potentially the Trump administration. The EU has previously stood by plans under the Digital Services Act and Digital Markets Act, and if it does something similar here, suppliers may have to respond to a reshaping of tech buying across Europe, with spillover effects for all tech buyers in and beyond the region.
For executives watching from the private sector, the strategic takeaway is simple: public sector procurement is often the “first adopter” that later becomes the market default. If governments start purchasing based on auditable jurisdictional controls, supply chain, and security requirements defined in the same legislative language across cloud, AI, chips, and open source, the vendor landscape will reorganize around compliance capability, not just performance.