From Framework to Impact: Policy Recommendations to Turn CAIDA into a Lever for Operational Digital Sovereignty

Founded in 2010 in Nantes, France, Clever Cloud has established itself as a prominent player in the European cloud computing landscape, specializing in innovative Platform as a Service (PaaS) solutions. Our core mission is to empower developers by providing a reliable, scalable, and secure infrastructure that enables seamless application development, deployment, and management. Clever Cloud is firmly committed to the principles of digital sovereignty, European values while advocating for a resilient and strategically autonomous digital ecosystem. We believe that Europe must prioritize its digital ecosystem to ensure that businesses and public authorities can operate independently without reliance on inadequate non-European solutions. Our expertise, underscored by a workforce composed of over 70% developers and engineers, positions us as a company of experts dedicated to both technical excellence and strong ethical European values.

As an active participant in the European legislative framework, Clever Cloud engages with critical initiatives aimed at enhancing Europe’s digital sovereignty. We contribute to the development of key frameworks such as the Digital Markets Act (DMA), the EU Cybersecurity Act and of course the forthcoming EU Cloud and AI Development act among others… Our involvement in organizations like Eurosmart, European Alliance for Industrial Data, Edge & Cloud, France Digitale, the Open Internet Project, and CISPE reflects our commitment to advocating for robust European certification schemes and ensuring that the cloud infrastructure respects and protects user rights. Through partnerships with leading European technology firms while preserving market freedom. In fact, we are building a cohesive digital ecosystem that fosters innovation, real free competition while preserving individual freedoms. Our dedication to creating and contributing to open-source projects further demonstrates our belief in collaboration as a means to strengthen Europe’s digital sovereignty.

A Welcome and Pioneering First Step Towards Effective Digital Sovereignty Grounded in European Capabilities

Jean Monnet famously observed that people tend to accept change only when it becomes necessary and recognise necessity only in times of crisis.

On 3 June 2026, the European Commission unveiled the Cloud and AI Development Act (CAIDA), marking an important and timely step towards addressing one of Europe’s most pressing strategic challenges: ensuring that the Union can rely on secure, resilient, competitive and genuinely European digital infrastructure.

In the realm of the Tech Sovereignty Package, the proposal forms part of a broader effort to strengthen Europe’s technological sovereignty and industrial capacity across cloud, data centres and artificial intelligence. It introduces a common framework built around four EU-harmonised assurance levels for cloud services and seeks to provide a more structured response to the risks arising from excessive dependence on a limited number of non-European providers.

Clever Cloud welcomes this initiative as an important and timely step towards strengthening Europe’s digital sovereignty.

For the first time, cloud infrastructure, data governance, platforms, algorithms and artificial intelligence are addressed not merely as technical layers or procurement items, but as strategic assets underpinning Europe’s competitiveness, resilience, public services and democratic autonomy. The way Europe designs, procures and governs its digital infrastructure cannot be guided solely by short-term convenience or by the market power of a handful of dominant non-EU providers. It must also reflect the Union’s values, strategic interests and long-term capacity to act.

CAIDA sends a strong signal: Europe is not destined to remain a follower or a consumer of technologies designed and governed elsewhere. It has the capacity to become an innovator and a leader again, by designing, building and operating the critical digital infrastructure that will underpin its competitiveness, public services and democratic autonomy.

The proposed assurance-level framework is a particularly important development. By moving away from a binary understanding of “sovereign” versus “non-sovereign” cloud, CAIDA introduces a more mature and operational approach: one based on documented, auditable and verifiable criteria. This is essential. Sovereignty must no longer be something providers can simply claim. It must be demonstrated.

Such a framework can also contribute to restoring the conditions for a more functional cloud market and fairer competition. Digital sovereignty should not be understood as market closure. Rather, it should be understood as the Union’s ability to correct structural asymmetries that currently prevent European providers from competing on fair terms with dominant global players benefiting from massive scale effects, entrenched dependencies and quasi-systemic positions in public procurement.

Clever Cloud also welcomes the proposal’s objective of allocating 25% of innovative public procurement in cloud and AI to innovative SMEs. This is a strong and welcome signal. Since the “Think Small First” principle introduced in 2008, the Union has repeatedly acknowledged the need to better integrate SMEs into industrial policy and public procurement. CAIDA now offers an opportunity to translate that principle into practice and to lay the foundations for a genuine European Small Business Act for cloud and AI.

However, while CAIDA lays the right foundations, it must now be strengthened throughout the legislative process.

The proposal is entering the ordinary legislative procedure, and its ultimate impact will depend on the amendments adopted by the co-legislators, as well as on subsequent implementing acts, delegated acts, audit methodologies, the interpretation of assurance levels, the mapping with existing certification schemes, and the criteria used to designate third countries as “trusted partners”.

Several elements therefore require particular attention.

• First, the treatment of third-country providers must be clarified and tightened. While CAIDA rightly addresses risks associated with foreign-controlled providers, the treatment of US hyperscalers remains a central question. Clever Cloud supports the choice not to adopt a simplistic binary approach to digital sovereignty. However, the conditions under which third-country-controlled providers may access high assurance levels, notably Level 3, must be defined with the highest degree of legal and operational precision.
• On some issues, such as GDPR compliance or the existence of adequacy mechanisms for data transfers under the EU-U.S. Data Privacy Framework, a discussion may be possible. Yet the core sovereignty concerns lie elsewhere: extraterritoriality, potential access by foreign authorities, service interruption or degradation, sanctions, embargoes, technological dependency and effective control. On these matters, trust cannot be presumed. It must be assessed, evidenced, monitored and, where necessary, withdrawn. As a matter of fact, we consider that the proposal primarily targets non european providers especially from China but does not address the issue of US hyperscalers. And this is especially true when it comes to the US Cloud Act or the FISA.
• Second, CAIDA must not become a vehicle for legitimising “sovereign washing”. A cloud service should not be considered sovereign merely because data is hosted in Europe or because a contractual European layer is placed on top of a non-European technological stack. Effective digital sovereignty must be assessed through control, jurisdictional exposure, operational autonomy, auditability, reversibility, continuity of service and dependency management.
• Third, the relationship between CAIDA and existing or forthcoming cloud certification schemes, in particular the European Cybersecurity Certification Scheme for Cloud Services (EUCS), should be made explicit. CAIDA should provide for coherent mapping with relevant certification schemes where requirements overlap, while ensuring that cybersecurity certification is not used as a substitute for sovereignty assessment. EUCS and CAIDA should be complementary: certification may support evidence-gathering, but it should not dilute the distinct sovereignty criteria introduced by CAIDA.
• Fourth, the proposal should better recognise the role of trusted European private providers. The EuroCloud Federation, as currently envisaged, appears primarily designed as a public-public cooperation mechanism. Such cooperation is valuable and should be supported. Yet Europe will not achieve effective digital sovereignty through public infrastructure sharing alone. It must also mobilise qualified, auditable and trusted European private providers capable of delivering innovation, operational excellence, resilience and scale.

The debate is therefore no longer only about defining what a sovereign cloud is. The central question is whether Europe is prepared to take the holistic measures required to make sovereignty effective: through public procurement, auditability, open source, data centre capacity, fair competition, SME participation, technological dependencies, capital control, certification frameworks, migration obligations, critical infrastructure governance and a clear European preference.

Through this position paper, Clever Cloud intends to identify the key priorities needed to ensure that CAIDA becomes not merely a regulatory framework, but a real instrument for effective digital sovereignty grounded in European capabilities, fair competition and technological resilience.

The first step has been taken. Europe must now ensure that it delivers.

1. Reserve Union Assurance Level 3 for European-Controlled Providers

Article 18 introduces a mechanism whereby the Commission may, by means of implementing acts, identify third countries whose cloud computing service providers or providers controlled by legal entities established in those countries may be audited against the criteria for Union assurance level 3.

While this mechanism reflects the proposal’s risk-based and non-binary approach to digital sovereignty, it also raises an important concern regarding the integrity of the assurance-level framework.

Clever Cloud supports a proportionate and differentiated approach. Not all workloads require the same level of assurance, and for low-risk or less sensitive use cases, it may be appropriate to allow providers controlled from trusted third countries to qualify under strict and clearly defined conditions.

However, Union assurance level 3 should represent a higher threshold of sovereignty assurance. It should be the level at which effective European control becomes a structural requirement, rather than a matter of mitigation, contractual safeguards or political designation.

The difficulty lies in the relationship between Article 18 and Article 45 GDPR. Under Article 18, the existence of an adequacy decision under Article 45 GDPR is one of the conditions that may allow the Commission to identify a third country as sufficiently trusted for the purpose of the CAIDA assurance framework. In the case of the United States, the EU-U.S. Data Privacy Framework may therefore create a legal and political pathway for US providers to be treated as providers from a “trusted” third country.

This raises a fundamental contradiction.

The political purpose of CAIDA is precisely to reduce Europe’s exposure to third-country control, extraterritorial legislation and strategic dependency in critical cloud and AI infrastructure. Yet, if Article 18 allows a third country to be recognised as trusted because of a data transfer adequacy framework, providers subject to that country’s legal order could still access Union assurance level 3 despite remaining exposed to extraterritorial legislation, including the US CLOUD Act and FISA.

The issue therefore goes well beyond personal data transfers. Adequacy decisions under Article 45 GDPR may address part of the legal framework applicable to international transfers of personal data. They do not, however, fully address the broader sovereignty risks raised by foreign authority access, sanctions exposure, service continuity, technological dependency, operational autonomy, or effective non-European control.

This concern is not theoretical. Recent transatlantic tensions around EU digital regulation, including US criticism of the Digital Services Act and accusations of “extraterritorial censorship” against European actors, illustrate that digital regulation and technology governance are now matters of geopolitical leverage. They also show that allied status does not eliminate the risk of political pressure, legal conflict or extraterritorial assertion in the digital sphere.

In this regard, CAIDA rightly addresses risks linked to providers controlled from jurisdictions where no adequacy decision, reciprocal market access or trusted cooperation framework exists, such as China. However, the current wording remains less robust when applied to US providers. The EU-U.S. Data Privacy Framework may support part of the adequacy assessment for personal data transfers, but it should not be treated as sufficient to resolve the core sovereignty concerns associated with extraterritoriality, effective control and operational autonomy.

For these reasons, Clever Cloud considers that third-country recognition under Article 18 should not provide a pathway to Union assurance level 3. Such recognition may be appropriate for lower or substantial assurance levels, subject to strict safeguards, but level 3 should remain reserved for providers established in the Union and subject to effective European control.

Policy recommendations

Clever Cloud recommends that third-country recognition under Article 18 should only allow access to Union assurance level 2, not level 3.

Union assurance level 3 should be reserved for providers that are:

• established in the Union;
• subject to effective European control;
• not controlled by a third country or by a legal entity established in a third country;
• protected from foreign legal regimes enabling access, disruption, degradation or coercive influence;
• operationally autonomous within the Union;
• able to demonstrate control over critical infrastructure, personnel, support, management planes, cryptographic material and continuity procedures.

This would preserve proportionality while maintaining the integrity of the framework:

• Level 1: baseline assurance, open where relevant requirements are met;
• Level 2: substantial assurance, potentially open to trusted third-country providers under strict cumulative safeguards;
• Level 3: high sovereignty assurance, reserved for European-controlled providers;
• Level 4: highest sovereignty assurance, reserved for the most critical use cases.

The objective is not to exclude third-country providers from the European market, but to ensure that high sovereignty assurance remains meaningful.

2. Ensure Coherent Mapping Between CAIDA Assurance Levels and EUCS Certification

CAIDA introduces a new framework based on four EU-harmonised assurance levels for cloud services. This is a welcome development, as it provides a structured approach to sovereignty-related risks beyond purely technical cybersecurity considerations.

However, the proposal should further clarify how this new framework will interact with existing and forthcoming European certification schemes, in particular the European Cybersecurity Certification Scheme for Cloud Services (EUCS).

At this stage, CAIDA appears to allow the sovereignty framework to rely on existing certification schemes where relevant. This is useful. Yet the reverse relationship is not sufficiently clear.

A cloud service certified under EUCS should be able to reuse relevant cybersecurity evidence to support assessment under CAIDA where requirements genuinely overlap. However, EUCS certification should not automatically grant a CAIDA assurance level.

Cybersecurity certification and sovereignty assessment are complementary, but they are not equivalent.

EUCS primarily addresses cybersecurity criteria. CAIDA addresses broader sovereignty considerations, including control, jurisdictional exposure, access by foreign authorities, continuity of service, reversibility, dependency risks and effective operational autonomy.

Policy recommendations

CAIDA should explicitly provide for a structured and bidirectional mapping mechanism between CAIDA assurance levels and EUCS certification.

This mechanism should:

• identify which EUCS requirements can be reused as evidence for CAIDA Level 1, Level 2, Level 3 or Level 4;
• clarify which CAIDA sovereignty requirements are not covered by EUCS and must be assessed separately;
• allow cloud service providers to reuse audit and certification evidence across frameworks;
• prevent automatic equivalence between cybersecurity certification and sovereignty recognition;
• allow private entities to rely on CAIDA assurance levels as a voluntary reference framework for procurement, vendor assessment and cloud risk management;
• reduce administrative burden while preserving the integrity of the sovereignty framework.

The guiding principle should be clear:

EUCS may support evidence-gathering for CAIDA, but it must not replace the dedicated assessment of sovereignty criteria.

3. Establish a Structured Accreditation and Audit Framework for Annex II and Annex III under the New Legislative Framework

Article 21 provides that auditing organisations shall assess compliance with the criteria set out in Annex II on the basis of audit evidence listed in Annex III. It also empowers the Commission to adopt delegated acts to amend Annex III by laying down the evidence needed to assess the audit criteria under Annex II.

This provision is important, but insufficient.

Annex II and Annex III will define the practical substance of CAIDA. They will determine what sovereignty means in practice, how it is demonstrated, and what evidence providers must submit to auditors.

These annexes should not be treated as static lists. Sovereignty risks evolve quickly. Extraterritorial legislation, foreign authority access mechanisms, management plane architectures, AI infrastructure dependencies, encryption practices, support models, interoperability requirements and portability constraints are not fixed.

If Annex II and Annex III are not maintained through a structured and transparent process, several risks may arise:

• inconsistent interpretation across Member States;
• divergent audit practices;
• forum shopping by providers;
• outdated evidence requirements;
• weak assessment of emerging risks;
• excessive compliance burden for European SMEs;
• reduced credibility of the assurance-level framework.

The audit ecosystem must also be harmonised. Independent third-party audits will only be trusted if the organisations performing them are competent, independent and accredited under a common European approach.

Policy recommendations

Clever Cloud recommends establishing a structured accreditation and audit framework for CAIDA.

First, the Commission should regularly assess the adequacy, relevance and proportionality of Annex II and Annex III, taking into account technological, legal, geopolitical and market developments.

Second, this review should be supported by a public-private expert mechanism, able to provide input on interpretation issues, emerging risks, audit evidence and necessary updates.

Third, audit organisations should be accredited by national accreditation bodies within the meaning of Regulation (EC) No 765/2008, or an equivalent Union accreditation framework. This would align the audit framework with the logic of the New Legislative Framework and help avoid fragmentation.

The national competent authority should remain responsible for the final recognition decision. However, the underlying audit should be performed by accredited organisations with demonstrated technical, legal and organisational competence.

The accreditation scope should cover the ability to assess:

• effective control;
• jurisdictional exposure;
• Extraterritoriality;
• Ultimate voting control is held predominantly by european entities;
• Data localization
• operational autonomy;
• continuity of service;
• dependency risks;
• reversibility;
• interoperability;
• portability;
• audit evidence quality.

The policy objective should be simple:

Annex II and Annex III must be actively maintained, and audits must be performed by accredited bodies under a harmonised European framework.

4. Establish a Public-Private Cloud Assurance Expert Forum to Support the Interpretation and Evolution of CAIDA

CAIDA introduces a complex and innovative assurance-level framework. Its effectiveness will depend on consistent interpretation, regular updates and practical guidance.

However, the proposal currently lacks a dedicated public-private expert mechanism to support the interpretation of assurance levels, Annex II requirements and the practical implementation of the framework.

This is a critical gap.

The framework will need to address evolving and complex questions: extraterritoriality, effective control, operational autonomy, dependency risks, reversibility, interoperability, portability, audit evidence, trusted partner status and emerging technological threats.

These issues cannot be handled only through static legal provisions. They require continuous dialogue between public authorities, national competent authorities, cloud service providers, cybersecurity experts, auditors, SMEs, users, open-source communities and civil society stakeholders.

Comparable mechanisms already exist in other areas of EU digital policy. The NIS Cooperation Group provides a forum for national authorities. Cybersecurity certification frameworks also rely on cooperation and expert input to support maintenance and interpretation.

CAIDA should follow the same logic.

Policy recommendations

Clever Cloud recommends establishing a Public-Private Cloud Assurance Expert Forum under CAIDA.

This forum should not replace the Commission, Member States or national competent authorities. Its role should be to provide structured technical, market and operational input.

It should support the Commission and national competent authorities by:

• facilitating the exchange of information and best practices;
• supporting the interpretation of Union assurance levels;
• contributing to the interpretation of Annex II and Annex III;
• identifying emerging legal, geopolitical, technical and market risks;
• advising on updates to annexes, guidance, technical specifications and implementing acts;
• supporting the development of private-sector guidance under Article 31;
• contributing to interoperability, portability, reversibility and anti-lock-in requirements;
• ensuring that SMEs and European cloud providers can provide practical input.

The forum should include representatives from:

• European cloud service providers;
• SMEs and mid-cap companies;
• public-sector users;
• private-sector users operating in critical sectors;
• auditing organisations;
• cybersecurity experts;
• standardisation bodies;
• open-source communities;
• data protection experts;
• civil society organisations.

The guiding principle should be:

CAIDA should not rely solely on administrative interpretation. It needs a structured public-private expert mechanism to remain practical, innovation-friendly and resilient to emerging sovereignty risks.

5. The EuroCloud Federation: Include Trusted European Private Providers

The EuroCloud Federation, introduced under Article 34, is one of the key levers through which CAIDA seeks to support public-sector cloud cooperation. It is intended to facilitate the sharing of cloud and data centre services between Union entities and public-sector bodies.

The idea of a deeper public-public cooperation mechanism is useful and should be supported.

However, as currently designed, the EuroCloud Federation appears too limited. It does not include trusted European private providers.

Europe will not build effective digital sovereignty through public infrastructure sharing alone. It must also mobilise qualified, auditable and trusted European private providers capable of delivering innovation, operational excellence, resilience and scale.

A federation limited to public actors risks missing a significant part of Europe’s existing cloud capacity and innovation ecosystem.

Policy recommendations

Clever Cloud recommends that CAIDA better recognise the role of trusted European private providers in or alongside the EuroCloud Federation.

This does not mean turning the EuroCloud Federation into an unregulated commercial marketplace. Rather, it means creating a structured role for European private providers that meet clear sovereignty, auditability and trust requirements.

This could be achieved through:

• a dedicated trusted European private provider framework;
• integration of recognised European cloud providers into EuroCloud-related catalogues;
• procurement channels linked to the EuroCloud Federation;
• public-private capacity pooling mechanisms;
• priority access for providers recognised under high CAIDA assurance levels;
• mechanisms enabling public-sector bodies to rely on trusted European private partners for deployment, operations, scaling and resilience.

The objective should be to combine public-public cooperation with public-private mobilisation.

The guiding principle should be:

“The EuroCloud Federation should not become a closed public-only mechanism. It should help mobilise the full European cloud ecosystem, including trusted European private providers.”

6. Enable Private Entities to Use CAIDA as a Practical Risk Assessment Framework

Article 31 allows private-sector entities operating in sectors of high criticality to carry out impact assessments similar to those required from public-sector bodies.

This is a positive provision. Sovereignty risks do not only affect the public sector. Private companies also process sensitive, critical or strategic data and rely on cloud services for essential operations.

However, Article 31 remains too limited. It should not merely allow private entities to conduct assessments. It should provide them with a practical, harmonised and reusable framework.

Private entities should be able to rely on CAIDA assurance levels for cloud procurement, vendor assessment and risk management. This is especially relevant for companies operating under NIS2, CRA, DORA, GDPR, the Data Act or other sectoral requirements.

For instance, a private company selecting a cloud service for sensitive operational or industrial use cases should be able to use Commission guidance to conduct a sovereignty risk assessment, determine the relevant CAIDA level, and select a service recognised or audited accordingly.

Policy recommendations

Clever Cloud recommends that the Commission issue dedicated guidance for private-sector entities, including SMEs and companies operating in high-criticality sectors, so that all European businesses with legitimate ambitions to process, host or manage critical data can rely on a clear, proportionate and operational framework.

Such guidance should include:

• a methodology for private-sector cloud sovereignty risk assessments;
• practical templates and assessment tools;
• sector-specific examples;
• guidance for SMEs and mid-cap companies;
• mapping between categories of data, business criticality and relevant CAIDA levels;
• suggested mitigation measures;
• guidance on when to use Level 1, 2, 3 or 4;
• guidance on multi-cloud and multi-vendor strategies;
• alignment with NIS2, CRA, DORA, GDPR, the Data Act and sectoral obligations.

Private-sector use of CAIDA should remain voluntary, but the framework should be usable enough to become a trusted market standard.

The guiding principle should be: “Article 31 should become the bridge between CAIDA and the private market”.

7. Turn the 25% SME Procurement Objective into a Genuine European Small Business Act for Cloud and AI

Article 33 introduces one of the most promising provisions of CAIDA: Member States shall pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs.

Clever Cloud strongly welcomes this provision, which reflects a measure we have been advocating for since 2010.

It is a significant and rather unexpected step towards translating the long-standing “Think Small First” principle into concrete market outcomes.

However, the current wording remains too weak. A non-binding objective, without clear monitoring, reporting, auditing or enforcement mechanisms, risks remaining purely aspirational.

If CAIDA is to become a genuine industrial policy instrument, Article 33 should be strengthened into a real European Small Business Act for cloud and AI.

Public procurement is one of the European Union’s most powerful market-shaping instruments. It determines which companies can scale, which technologies become de facto standards, and which value chains Europe controls over the long term.

In strategic digital sectors (cloud, AI, cybersecurity, data infrastructure, critical software and digital public services) procurement choices are not neutral. They shape the structure of the market.

A procurement system that structurally favours large incumbents weakens Europe’s innovation capacity. Innovation is often driven by new entrants, SMEs and scale-ups. The broader creative destruction framework, associated with Schumpeter and later developed by economists such as Philippe Aghion, shows that new entrants play a central role in technological disruption, market transformation and productivity growth.

This is particularly important in cloud and AI, where Europe already faces a structural dependency on a small number of non-European hyperscalers.

Policy recommendations

Clever Cloud recommends strengthening Article 33 in three ways.

First, the target should be increased from 25% to 35% for strategic digital and technological procurement.

Second, the target should be made measurable, auditable and reportable. Member States should include in their national strategies clear plans to achieve the target, including measures on lot division, simplified procurement procedures, proportionate eligibility criteria, SME participation in consortia, reduction of administrative burden and prevention of dependency on dominant providers.

The strengthened SME procurement objective should be supported by a more prominent role for the Network of SME Envoys. SME Envoys should help monitor implementation at national level, identify structural barriers to SME participation in cloud and AI procurement, and provide regular input to the Commission on whether Member States are effectively translating the “Think Small First” principle into procurement outcomes. They should also contribute to ex ante evaluations of relevant procurement procedures to ensure that tender design, eligibility criteria, lot structure and administrative requirements are genuinely applicable and accessible to SMEs.

Third, the framework should be extended as a voluntary reference for private-sector procurement, especially in critical sectors where supplier diversity, reversibility and dependency reduction are strategic concerns.

The strengthened objective should explicitly cover:

• cloud computing services, including IaaS, PaaS and SaaS;
• artificial intelligence systems and AI services;
• cybersecurity services and products;
• data infrastructure and data platforms;
• trusted data spaces and health data infrastructure;
• high-performance computing and AI compute resources;
• digital public services;
• critical software and platform technologies.

The Commission should publish an annual scoreboard assessing Member State progress.

The guiding principle should be: “CAIDA should move from an aspirational SME target to a measurable European Small Business Act for cloud and AI.”

8. Introduce a Clear European Preference Objective for Strategic Cloud, AI and Digital Procurement

Article 33 is a welcome first step. By setting an objective that at least 25% of Member States’ procurement for cloud computing services and AI systems should be awarded to innovative SMEs, CAIDA recognises that public procurement must play a stronger role in shaping Europe’s digital and industrial ecosystem.

However, the SME objective should not be the end point. It should be the starting point.

In strategic digital sectors such as cloud, AI, cybersecurity, data infrastructure, digital public services and critical software, procurement choices are not neutral. They determine which providers scale, which technologies become embedded in public administrations, and which value chains Europe controls over the long term.

Today, European public procurement too often reinforces dependency on non-European providers, particularly in cloud and digital infrastructure. This is not primarily the result of a lack of European capabilities. Europe has a strong ecosystem of cloud providers, PaaS specialists, cybersecurity companies, AI and data infrastructure firms, SMEs, scale-ups and mid-sized technology companies. The issue is that procurement frameworks often favour large incumbents, oversized tenders, closed ecosystems and established global providers.

CAIDA should therefore go one step further. In addition to the SME procurement objective, it should introduce a clear European preference objective for strategic cloud, AI and digital procurement.

This should not be understood as a protectionist measure or as a blanket exclusion of non-European suppliers. It should be designed as a transparent, proportionate and rules-based procurement objective, aimed at ensuring that European public demand contributes to the development, scaling and resilience of Europe’s own technological ecosystem.

Policy recommendations

Clever Cloud recommends that CAIDA establish a dedicated European technology participation objective for strategic digital procurement.

For cloud, AI, cybersecurity, data infrastructure and critical digital services, Member States should be encouraged to ensure that a significant share of annual procurement value is awarded to European technology providers.

A target range between 40% and 60% would provide a clear political signal while leaving Member States sufficient flexibility to adapt implementation to market availability, sectoral maturity and operational needs.

This objective should apply at aggregate level, not necessarily at the level of each individual tender. It should be monitored annually, reported by Member States and reflected in national strategies under Article 7.

The objective should cover, in particular:

• cloud computing services, including IaaS, PaaS and SaaS;
• artificial intelligence systems and AI services;
• cybersecurity services and products;
• data infrastructure and data platforms;
• trusted data spaces and health data infrastructure;
• high-performance computing and AI compute resources;
• digital public services;
• critical software, middleware and platform technologies.

To ensure legal certainty and avoid purely formal definitions, eligibility as a European technology provider should be based on objective criteria reflecting effective European control and economic substance.

Relevant criteria could include:

• headquarters and effective establishment in the European Union;
• ultimate voting control located within the Union;
• a majority of shareholders established or resident in the Union;
• at least 51% of R&D activities carried out in Europe;
• at least 51% of the workforce located in Europe;
• top management and strategic decision-making anchored in the Union;
• absence of control by a third-country entity;
• absence of exposure to extraterritorial legal obligations incompatible with Union law;
• compliance with the EU digital and cybersecurity acquis.

The purpose of such criteria is not to create a formal label based only on incorporation. It is to ensure that European preference benefits companies that genuinely contribute to Europe’s technological base, employment, innovation capacity, legal autonomy and operational resilience.

This approach would complement, rather than replace, the SME objective under Article 33. The two objectives should work together:

• The SME objective ensures that innovative smaller providers can access procurement markets;
• The European preference objective ensures that strategic public demand strengthens European technological capabilities more broadly.

Together, they would help transform public procurement from a passive purchasing function into a strategic instrument for digital sovereignty, fair competition and industrial capacity.

The guiding principle should be clear:

In strategic digital technologies, European public procurement should not systematically build non-European industrial capacity where capable European alternatives exist.

Conclusion

CAIDA is a welcome and pioneering first step. It marks an important milestone in recognising cloud, software and AI infrastructure as strategic assets for Europe’s competitiveness, resilience and digital sovereignty.

This first step must now be consolidated. CAIDA should become the key legislative instrument for European digital sovereignty in cloud, software and AI, by making sovereignty operational, measurable and grounded in European capabilities.

Clever Cloud stands ready to contribute to this effort and to make its technical, operational and market expertise available to European institutions, Member States and stakeholders.

The objective is clear: to help build a resilient, sovereign and strategically autonomous European digital ecosystem, capable of supporting innovation, fair competition and long-term technological leadership.