Europe is discovering that it does not own the infrastructure that runs its defense. United States hyperscalers, principally Amazon Web Services, Microsoft Azure, and Google Cloud, control roughly 70 to 80 percent of the European cloud market, and by the Commission’s own reckoning the EU-based share has fallen from around 29 percent in 2017 to roughly 15 percent by 2022. For commercial workloads that is a competitiveness problem. For weapons management, logistics, and intelligence, it is a national security one. Brussels has finally noticed, and a multi-billion-euro push to reclaim control is now underway. The harder question, and the one this piece is about, is where sovereignty actually breaks. It is not the data centre. It is the layer of software running on top of it, and that is the ground on which the next decade will be won or lost.

The Architecture of Dependence

Cloud computing has moved from off-site storage to the nervous system of modern defense. It powers real-time intelligence analysis, supply-chain logistics, command-and-control, and automated weapons systems. The legal exposure that comes with outsourcing it is not theoretical. Under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, Washington asserts extraterritorial jurisdiction: any US-based corporation must comply with a warrant for data regardless of whether that data sits in Virginia, Frankfurt, or Paris. The point was made under oath before the French Senate in June 2025, when Anton Carniaux, Microsoft France’s director of public and legal affairs, was asked whether he could guarantee that French state data would never reach US authorities without French approval. His answer: “No, I cannot guarantee it.” Physical data localization, it turned out, is not the same as sovereignty.

The Kill Switch, Quantified

The risk has a name, the “kill switch,” and as of April 2026 it has numbers. The Brussels think tank Future of Technology Institute (FOTI) found that more than three-quarters of European states rely on US providers for sensitive defense functions, from weapons management to logistics to personnel systems. It rated 16 countries at high risk, including Germany, the United Kingdom, Poland, and the Baltic states, and seven more, France, Italy, Spain, and the Netherlands among them, at medium risk. Austria was the only government to have begun a system-wide shift away.

What makes the FOTI framing more useful than the usual alarm is its precision about the mechanism. A kill switch is not a single button. It is either a CLOUD Act subpoena or a sanctions order that bars a US provider from shipping updates, patches, and support. The consequence is gradual, and therefore easy to underrate: by one Swedish estimate the institute cites, even a locally hosted “sovereign” cloud would keep running for only about 30 days before its licenses lapsed and it degraded into uselessness. Air-gapping does not save a system that still depends on a foreign maintenance pipeline. That detail, not the imagery of a flipped switch, is the real exposure.

How Europe Got Here

The dependency was bought, not imposed. Through the early 2010s Europe chose near-term cost efficiency over strategic autonomy while US hyperscalers built global scale its underfunded rivals could not match, then accepted a decade of “sovereign washing”: US servers in Frankfurt or Paris with the code, keys, and control still bound to American parents. The artificial intelligence boom only deepened it.

Brussels Moves, on Paper

The response is finally structural, rather than punitive. On 3 June 2026 the Commission unveiled its Tech Sovereignty Package, built around the proposed Cloud and AI Development Act (CADA), which would give digital sovereignty an enforceable definition and steer public bodies toward high-assurance sovereign systems for workloads tied to public order and national safety. The caveat matters: CADA is a proposal, not law. It has to clear the European Parliament and the Council, and it is precisely the instrument that industry lobbying is working to soften. Treating it as settled is a mistake.

What already exists, and already has teeth, is the scoring system underneath it. The Commission’s Cloud Sovereignty Framework, published in October 2025, grades providers from SEAL-0 to SEAL-4 across eight weighted objectives, with supply chain the heaviest at 20 percent. It was applied for the first time in April 2026, when a €180 million sovereign-cloud tender was awarded to four European consortia, with SEAL-2 set as the floor. CADA would put that same framework on a statutory footing.

The ladder explains the whole contest. SEAL-2, data sovereignty, is reachable with European operations and contracts. SEAL-4, a full EU supply chain from chips to software, is effectively closed to US hyperscalers because of the CLOUD Act, no matter where their servers sit. Everything interesting happens in the gap between.

Sovereignty on the Ground

Some establishments are not waiting for CADA. The Austrian Armed Forces migrated roughly 16,000 workstations from Microsoft Office to open-source LibreOffice, with its cyber directorate framing the move around keeping sensitive data in-house; separately, Austria’s Federal Ministry of Economy moved about 1,200 staff to Nextcloud. The Dutch Ministry of Defence is building a sovereign military cloud with KPN and Thales in a dedicated national data centre. And in May 2026 seven European champions, Airbus, ASML, Ericsson, Mistral AI, Nokia, SAP, and Siemens, formed the European Tech Creators coalition, pressing Brussels to back builders over regulation. These are real moves. Set against the three-quarters of the continent’s defense estate still tethered to US providers, they are also still the exception.

Where Sovereignty Actually Breaks

Here is the part the headlines miss. Europe is not short of cloud infrastructure. OVHcloud, the largest domestic provider, runs an ANSSI-certified SecNumCloud platform and a dedicated defense unit; Scaleway serves developer and AI workloads; Germany’s StackIT (owned by the Schwarz Group behind Lidl and Kaufland), IONOS, the cost-focused Hetzner, and Deutsche Telekom’s T-Systems fill out a credible roster. On raw compute, storage, and Kubernetes, these providers are competitive today, and three of them reached SEAL-3 in the April tender.

The lock-in lives one layer up. What keeps an enterprise or a ministry tied to a hyperscaler is rarely the virtual machines; it is the proprietary managed and AI services built on top, the equivalents of AWS Lambda or Google BigQuery, plus the frontier models bundled with compute credits. That layer has no European substitute deep enough to migrate to, which is exactly why hybrid ventures cluster at SEAL-2 and why SEAL-4 is so hard to reach. Even Austria, the one government that has shifted wholesale, still runs its open-source stack on non-European chips, which is why the top rung belongs to no provider and why the silicon underneath is the hardest part of the climb. The contested ground, and the place worth Europe’s scarce capital, is not another data centre. It is the sovereign software and compute layer: the managed-services stack, and the models and silicon underneath it. That is why Mistral, Europe’s AI standard-bearer, valued at €11.7 billion with ASML as its largest shareholder and reportedly raising at close to €20 billion, matters more to this story than any hosting contract. A continent can localize its servers and still rent its capabilities. Sovereignty is decided in software.

One boundary on the argument is worth naming. This is sovereignty in the legal and software sense; physical resilience is a separate axis. Concentrating a nation’s most sensitive workloads into a single sovereign data centre trades a legal vulnerability for a kinetic one, a tradeoff made concrete by the recent pattern of strikes on critical infrastructure, and one that deserves its own treatment rather than a footnote here.

The Case for the Hybrids

The strongest objection to all of this is not nationalist sentiment; it is pragmatism, and it deserves a fair hearing. Pure-European stacks cannot match hyperscaler capability today, which is the entire reason ventures like Bleu (Orange and Capgemini on Microsoft Azure), Delos Cloud (SAP’s Azure-based vehicle for the German public sector), and S3NS (Thales and Google Cloud) exist. The industry’s case, argued by groups like DOT Europe, is that the test should be governance, not nationality: with shared standards, contractual accountability, and real oversight, a partnership with a US provider can be made trustworthy, and firms like SAP and Nokia already sit inside critical infrastructure worldwide on exactly those terms. Forcing full decoupling, on this view, risks stranding European agencies on inferior tooling and cutting them off from the AI frontier, when partnership could deliver capability and the roughly €176 billion of data-centre investment Europe needs by 2031 faster than autarky ever could.

It is a serious argument, and it fails on the one fact the FOTI report nails down. A hybrid that still depends on US updates and patches carries the same 30-day exposure the entire exercise is meant to remove. Governance clauses do not survive a sanctions order that severs the maintenance pipeline. That is why the EU’s own cloud-industry body, CISPE, called the inclusion of S3NS in the tender an “own goal,” and why hybrids top out at SEAL-2. They buy capability and time. They do not buy sovereignty, and treating the bridge as the destination rebuilds the original vulnerability under a European label.

The Empire Adapts

The incumbents understand this better than anyone, and they are not resisting so much as absorbing. The pivot is compliance through approximation: AWS’s European Sovereign Cloud, backed by a €7.8 billion investment in Germany through 2040 and marketed as able to keep running even if severed from the US, alongside Microsoft’s Bleu and Delos and Google’s S3NS. Each locates data in Europe and hands day-to-day operation to local staff, while the core orchestration and code stay proprietary, which is what caps them at the lower SEAL levels. In parallel, the lobbying runs through Brussels via industry associations pressing to dilute CADA before it becomes binding. The strategy is coherent: meet the letter of sovereignty, keep the substance, and bundle next-generation models with compute credits generous enough that switching never quite makes sense. A newer vector is quieter still: rather than win one ministry at a time, the hyperscalers now wire entire investor portfolios onto their AI in a single stroke. In June 2026 Google Cloud signed the Swedish private-equity group EQT to roll its Gemini Enterprise platform across more than 300 of EQT’s portfolio companies at once. One signature moves hundreds of European enterprises onto a US AI stack, with no sovereign alternative in the room.

What This Means for Capital

For investors and founders, the headline is not the dependency, which is priced in, but the shape of the opportunity the SEAL ladder draws. The April tender topped out at SEAL-3, which means the highest rung, a full EU stack from chips to software with legal immunity, is occupied by no one. That empty rung is the thesis. It is unreachable for the hyperscalers, whom the CLOUD Act caps near the bottom, and out of reach for today’s European champions, who are strong on infrastructure but have no sovereign answer at the layers above it. Four bets sit in that gap. The first, and the only one that is a moat rather than a feature, is confidential computing and sovereign key management: hardware-enforced encryption and external key control that make a foreign legal order technically void rather than merely contested, the single thing that survives FOTI’s 30-day clock. The second is the sovereign platform layer, the managed and AI services that sit above raw compute and where lock-in actually forms, because that is the layer with no European substitute deep enough to migrate to. The third is compute and silicon, the hard end of SEAL-4 and the reason the ASML and Mistral axis matters. The fourth is the unglamorous but mandated business of migration and SEAL-compliance tooling, the software that actually pries a ministry off Azure.

Defense is the entry point, not the afterthought. A civilian agency can hide behind a hybrid; a defense buyer cannot leave a live command system one sanctions order from going dark, which gives defense the highest willingness to pay and the lowest tolerance for the SEAL-2 fudge. That makes it the natural beachhead for the technical-sovereignty layer: sell to defense first, then expand into regulated civilian markets once the stack is proven.

The demand side is unusually favorable, because the response is being legislated into existence and underwritten by public money, from the SAFE instrument and the European Investment Bank to national promotional banks. In May 2026 the EU went further, handing its largest-ever growth vehicle, the €5 billion Scaleup Europe Fund, aimed at deep tech and dual-use and at keeping champions from raising abroad, to a single manager: the same EQT now wiring its portfolio onto Google Cloud’s AI. That coincidence is the bet-breaker in one transaction. Capital does not buy sovereignty, because the people allocating it default to the American stack like everyone else, so the gap closes only if the money carries conditions, a SEAL floor on what funded companies are allowed to build on, rather than flowing out the back door onto Gemini and Azure. The hybrids are lobbying to have SEAL-2 accepted as sovereign enough; if the floor settles there, the public money entrenches the dependence it was meant to break, and the empty rung stays empty.

The Bottom Line

Regulation is necessary and insufficient. Defining sovereignty and grading providers does not build a data centre or write a line of replacement code, and the binding constraint was never localization, which Europe can already do, but the software and compute layer, which it largely cannot. The likeliest outcome is a widening split: Austria, the Netherlands, the Baltics, and France keep moving, while Germany and the laggards stall on cost and habit. The real question is not whether Europe localizes its servers. It is whether the frontier, the models, the silicon, and the software layer on top, gets built in Europe or rented from American firms under a European label. Until it is built, the kill switch stays in someone else’s hand, and FOTI has now put a clock on exactly how long it would take to turn.

This piece reflects publicly reported information as of June 2026. It is commentary, not investment or legal advice.