EU considers limiting US cloud platforms for sensitive government data

The European Union is pondering new regulations to limit its member governments' reliance on US cloud providers for managing sensitive data, according to insiders connected to the negotiations, CNBC reports.

The European Commission — the executive arm of the EU — plans to introduce its "Tech Sovereignty Package" on May 27. This will include various initiatives designed to strengthen the EU's strategic independence in key digital sectors.

In preparing this package, internal discussions are occurring within the Commission on how to reduce the exposure of sensitive governmental data to cloud services offered by non-EU companies. 

Two Commission officials, who opted to stay anonymous since they weren't permitted to disclose private discussions, shared this information with CNBC.

As the discord with US President Donald Trump's administration has grown, there's been a push for Europe to shift away from US cloud providers—currently leading the European market—toward local solutions for its crucial tasks.

"The main concept involves identifying sectors that should rely on European cloud infrastructures," one of the officials mentioned. They noted that this could impact companies offering cloud services from outside the EU, including the US.

The proposals would not altogether ban foreign companies' cloud services from government dealings but instead restrict their use for processing sensitive data within public sector entities, based on the sensitivity level, as clarified by the officials. Discussions are still underway and pending finalisation.

"US cloud providers might face limitations within certain crucial and sensitive sectors," said one official, particularly affecting public entities in EU countries.

The officials informed CNBC that conversations are ongoing about suggesting that financial, legal, and healthcare data handled by governments and public-sector entities ought to adhere to stringent sovereign cloud architecture.

These discussions do not concern private companies, and the "Tech Sovereignty Package" would not propose regulations regarding their use of cloud services, as stated by one official.

Once the Commission introduces the package, it would require approval from all 27 member countries. 

The "Tech Sovereignty Package" will feature the Cloud and AI Development Act (CADA) and the Chips Act 2.0, intended to foster independent, native innovations and offerings in those domains.

In response, a Commission representative told CNBC that the package symbolizes "Europe's awakening and proactive measures."

They further added that it aims to "enhance prospects for native cloud solutions, including through public tenders, and support the advent of a more varied array of cloud and AI service providers."