Is EURO-3C Europe’s Path to Cloud Sovereignty?

Looming over the internet lasers and firestarting phones companies were touting at Mobile World Congress in Barcelona this month, was a more nebulous but much larger announcement: a pan-European cloud called EURO-3C.

EURO-3C’s backers – Spanish telecoms giant Telefónica, dozens of other European companies, and the European Commission (EC) – aim to fill a gap. U.S.-based cloud giants dominate in the EU, and European policymakers want their growing portfolio of digital government services on a “sovereign cloud” under full EU control.

But the EU lacks a real equivalent to the likes of AWS or Microsoft Azure. Indeed, any effort to build one will inevitably run up against the same U.S. cloud giants.

Just four U.S.-based hyperscalers – AWS, Microsoft Azure, Google Cloud, and IBM Cloud – together account for some 70 percent of EU cloud services. This is despite the fact that the 2018 U.S. CLOUD Act allows U.S. federal law enforcement – at least in theory – to compel U.S.-based firms to hand over data that’s stored abroad.

But those hypothetical risks to digital services have become more real as transatlantic relations have soured under the second Trump administration. The U.S. has openly threatened to invade an EU member state and sanctioned a European Commissioner for passing legislation the White House dislikes.

After the White House sanctioned the Netherlands-based International Criminal Court in February 2025, Court staffers claimed Microsoft locked the Court’s chief prosecutor out of his email (Microsoft has denied this). Around the same time, the U.S. reportedly threatened to sever EU ally Ukraine’s access to crucial Starlink satellite internet as leverage during trade negotiations.

“The geopolitical risk isn’t just the most extreme form of a doomsday ‘kill switch’ where Washington turns off Europe’s internet,” Stéfane Fermigier of EuroStack, an industry group that supports European digital independence. “It is the selective degradation of services and a total lack of retaliatory leverage.”

What, then, is the EU to do? France offers an example. Even before 2025, France implemented harsh restrictions on non-EU cloud providers in public services – providers must locate data in the EU, rely on EU-based staff, and may not have majority-non-EU shareholders. Now, EU policymakers are following France’s lead.

In October 2025, the EC issued a two-part framework for judging cloud providers bidding for public sector contracts. In the first part, the framework lays out a sort of sovereignty ladder. The more that a provider is subject to EU law, the higher its sovereignty level on this ladder. Any prospective bidder must first meet a certain level, depending on the tender.

Qualifying bidders then move to the second part, where their “sovereignty” is scored in more detail. Using too much proprietary software; over-relying on supply chains from outside the EU; having non-EU support staff; liability to non-EU laws like the CLOUD Act: all hurt a bidder’s score.

The framework was created for one tender, but observers say it sets a major precedent. Cloud providers bidding for state contracts across Europe may need to follow it, and it may influence legislation on both national and EU-wide levels.

Who, then, will receive high marks? At the moment, the answer is not simple. The EU cloud scene is quite fragmented. Numerous modest EU providers offer “sovereign cloud” services – such as Scaleway, OVHcloud, and Deutsche Telekom’s T-Systems – but none are on the scale of AWS or Google Cloud.

Inertia is on the side of the U.S. cloud giants, who can invest in their infrastructure and services on a far grander scale than their European counterparts. Some U.S. providers now offer cloud services they say comply with the Commission’s “cloud sovereignty” demands.

Some European observers, like EuroStack, say such promises are hollow so long as a provider’s parent company is subject to the likes of the CLOUD Act, and loopholes in the Commission’s process remain open. An AWS spokesperson told Spectrum it had not disclosed any non-US enterprise or government data to the U.S. government under the CLOUD Act; a Google spokesperson said that its most sensitive EU offerings “are subject to local laws, not US law”.

Even if a project like EURO-3C can offer a large-scale alternative, the US cloud giants have another sort of inertia. Many developers – and many public purchasers of their services – will need convincing to leave behind a familiar environment.

“If you look at AWS, you look at Google, they’ve created some super technology. It’s very convenient, it’s easy to use,” says Arnold Juffer, CEO of the Netherlands-based cloud provider Nebul. “Once you’re in that platform, in that ecosystem, it’s very hard to get out.”

Martyna Chmura, an analyst at the Bloomsbury Intelligence and Security Institute, a London-based think tank, sees some EU developers taking a mixed approach. “Many organizations are already moving toward multi-cloud setups, using European or sovereign providers for sensitive workloads while still relying on hyperscalers for certain services,” she says.

In that case, the EU’s top-down demands may encourage developers to use EU providers for sensitive applications – like government services, transport, autonomous vehicles, and some industrial automation – even if it’s inconvenient in the short term, or if it causes even more fragmentation of the EU cloud scene. “Running systems across different platforms can increase integration costs and make security and data governance more complicated. In some cases, organisations could lose some of the efficiency and cost advantages that come from using large hyperscale platforms,” Chmura says.

“Overall, the EU appears willing to accept some of these trade-offs,” Chmura says.