EU: Europe’s cloud problem is not capacity, it’s control

Digital 11 min read
EU: Europe’s cloud problem is not capacity, it’s control - Digital

Credit: Hanna Barakat & Cambridge Diversity Fund | betterimagesofai.org | creativecommons.org/licenses/by/4.0/

In response to the European Commission’s call for evidence on the Cloud and AI Development Act (CADA), ARTICLE 19 submitted a detailed policy response questioning some of the core assumptions underpinning the Act. In our submission, we urged the Commission to reframe its approach around governance rather than infrastructure expansion. Here is what we argued, and why it matters. 

The Cloud and AI Development Act (CADA) is a new European Commission legislative proposal and an anchor intervention of the EU’s Technology Sovereignty Package, due to be published on Wednesday, 3 June.  

CADA frames the EU ‘digital sovereignty’ ambitions as an infrastructure problem. It proposes to dramatically expand EU data centre capacity, develop European cloud alternatives, and introduce procurement rules steering public sector bodies towards EU-based providers for sensitive and strategic use cases. The underlying assumption is that building more capacity and reducing dependence on non-European providers will translate into meaningful European control over digital infrastructure.

The European Commission is right to treat cloud and AI infrastructure as a strategic priority. But strategy without governance is just investment. And in a highly concentrated market, ungoverned investment will predominantly benefit the incumbents it was meant to displace. CADA has a choice: it can be remembered as the Act that built more server racks, or as the Act that began to bring democratic governance to infrastructure that European societies can no longer function without. 

It is from this vantage point, at the intersection of freedom of expression, digital markets, and digital infrastructure, that ARTICLE 19 engages with CADA. The stakes of getting this Act right are not primarily economic. They are democratic. Cloud concentration is already producing governance failures that the Act does not acknowledge. These include cascading outages that silence media and public services simultaneously; infrastructure providers that can unilaterally switch off digital services for European individuals and institutions alike with no accountability; and a slow institutional drift. 

As Interim Director of Global Team Digital, Dr. Corinne Cath, stated:

“Without strong human rights foundations, more data centre capacity simply provides more facilities for current incumbents to control and coerce European politics, while at the same reducing trust in European institutions, at a time of growing conflict and political polarisation.”

This is not a hypothetical concern. Residents, environmentalists, and local groups across Europe are already pushing back against data centre expansion. From rural Ireland to the outskirts of Amsterdam, they are citing energy consumption that strains local grids, water use in water-stressed regions, land occupation, and the use of these facilities in serious human rights violations. In some places the resistance has slowed or stopped development entirely. Public trust in Artificial Intelligence (AI) itself is fragile and contingent on assurances about accountability, environmental cost, and who ultimately benefits; assurances that have not yet been credibly given. This popular resistance is not a niche movement. It is a signal that the current trajectory lacks democratic legitimacy among Europeans.  

The wrong diagnosis 

ARTICLE 19’s submission starts by questioning a premise central to CADA: that Europe lacks data centre capacity. This claim is not sufficiently evidence-based. Research suggests the opposite is true. Where genuine gaps exist, they sit not in server racks. They can be found in the software and platform offerings where Amazon, Microsoft, and Google have built integrated ecosystems. These are so deeply embedded in how organisations operate that switching is less a technical decision than a political one, often requiring complex institutional change.  

What Europe does lack is competitive software ecosystems, effective governance, adequate regulation of anti-competitive practices by the three dominant US hyperscalers (Amazon Web Services, Microsoft Azure, and Google Cloud), and the political-economic incentives to address those issues. 

The Act’s primary focus on expanding physical data centre infrastructure addresses the one aspect of the cloud’s ‘factory’ where Europe already seems to be competing effectively. It does so while overlooking the proprietary platform and software dependencies at higher layers where American hyperscalers are truly dominant. Building more European server racks will not reduce organisational lock-in, curb market concentration, or protect democratic institutions from the governance risks that concentrated cloud dependency creates. Irrespective of whether it is from American or Chinese giants, or potential European competitors. It will, however, increase the existing risks that concentrated cloud dependency creates. 

The actual problem has three dimensions 

ARTICLE 19 urges the Commission to reframe CADA around three interconnected challenges: artificial scarcity and market concentration at the infrastructure level; software dependency at the platform and software and application level; and governance and market failures that threaten freedom of expression, institutional independence, and democratic accountability. We also urge the Commission to listen to what Europeans are telling them: that the desirability of more data centres and AI is far from self-evident, and that democratic legitimacy requires engaging with that popular scepticism rather than overriding, or simply ignoring, it. 

  1. The first is artificial scarcity at the infrastructure level. There are worries about dominant cloud providers engaging in certain practices, including speculative capacity reservation and opaque pricing. These need to be further researched, as such practices can create the appearance of scarcity where genuine shortage may not exist. Regulatory intervention here requires transparency and market reform, not more construction.
  2. The second is software dependency and market concentration at the platform and application level. Organisations that rely on proprietary managed services, identity systems, and databases provided by hyperscalers face switching costs so high that the concept of exit becomes theoretical. This lock-in is where hyperscaler dominance is most deeply entrenched and most consequential for institutional independence. 
  3. The third is governance failure. The Act currently treats governance and risks as an afterthought. But the risks to freedom of expression, public interest media, and democratic accountability that flow from concentrated cloud dependency cannot be managed by infrastructure investment alone. They require explicit governance requirements, procurement reform, and mandatory impact assessments. 

Where Europe could actually lead 

Europe has a genuine comparative advantage that the current CADA framing fails to recognise. Competing with the United States or China on the volume of server racks is a race Europe cannot and should not try to win. Competing on governance quality, rights protection, and democratic accountability is a race no one else is running. The hyperscalers have optimised for scale and revenue. They have not optimised for the conditions under which free media functions (see our research here), public institutions retain their independence, or those directly affected by data centres retain meaningful control over the infrastructure shaping their lives.

That is precisely where Europe could lead, if it chooses to. 

What we are calling for 

ARTICLE 19’s submission makes seven concrete recommendations: 

  • Strategically use existing regulatory tools to verify the assumptions underlying infrastructure investment, particularly around capacity and utilisation rates, before committing public funds to expansion. 
  • Mandate infrastructure transparency by requiring cloud providers to publish detailed capacity utilisation data, including geographic distribution and pricing, and prohibit anti-competitive practices such as speculative capacity reservation. 
  • Establish a European Digital Resources Exchange, a public marketplace for basic cloud infrastructure modelled on the EU’s energy market liberalisation. 
  • Create a European open-source cloud services initiative, funding the transformation of existing open-source software into enterprise-ready alternatives, particularly for identity management, managed databases, and storage, using government procurement as an anchor client. 
  • Reform public procurement frameworks to allow public institutions to prioritise resilience, rights protection, and exit capability alongside price and performance. 
  • Mandate cloud dependency risk assessments, requiring organisations providing essential services to map dependencies, maintain exit capabilities, and avoid single-provider concentration. 
  • Establish public mission preservation requirements, mandating that public institutions assess cloud arrangements against their foundational responsibilities before migration. 

The full submission is available here. We welcome engagement from policymakers, civil society organisations, and researchers working on these questions. 

The current analysis is based on information that has been publicly available following the call for input for CADA. We look forward to reviewing the new version of the CADA and the broader Technology Sovereignty Package, which we will analyse in detail once it is published, as we continue our work to make global digital infrastructure human rights-respecting.