Sovereignty washing: a critical reading of EU’s Tech Sovereignty Package

On 3 June, after three delays, the European Commission published its Tech Sovereignty Package (TSP), a set of measures which are likely to shape the EU’s digital infrastructure and its governance for the next decade. Here, ARTICLE 19 sets out our high-level analysis of the package and provides initial recommendations.   

The package consists of two legislative proposals (the Chips Act 2.0 and the Cloud and AI Development Act, or CADA), a non-binding Open Source Strategy, and a Strategic Roadmap on Digitalisation and Artificial Intelligence in Energy. 

Within it, ARTICLE 19 is primarily engaging with the CADA. Many of our initial concerns, as outlined in our public response to the initial call for input in 2025, remain pertinent to this updated version. Our concern about the impact of cloud and AI sits within ARTICLE 19’s broader work on digital markets, digital infrastructure and the concentration of power in the hands of Big Tech, as well as technology-enabled human rights violations.  

ARTICLE 19 welcomes several of the TSP’s core elements. The ‘sovereignty’ risk assessment introduces structured deliberation to minimise cloud dependencies. These assessments strive to ‘stem the risks from the EU’s reliance on third countries for cloud computing services’. The CADA creates a structured process for mapping dependencies and weighing democratic values against cost and performance criteria. Furthermore, the push to embed open source in public procurement could shift the conditions under which institutions make technology choices that currently entrench the power of Big Tech. The commitment to lower barriers to civil society participation in standards bodies’ work is long overdue.  

These are real gains. But they sit alongside three structural problems that the package, as currently drafted, fails to address.  

Deregulation dressed as sovereignty 

The package cannot be read in isolation from the Commission’s wider simplification agenda. The Digital Omnibus, presented as part of the same political project, introduces targeted amendments that weaken the AI Act and the GDPR. The stated logic is “simplification”. The effect is a rollback of rights protections built into European Union law through democratic processes, presented as a sovereignty win. 

Against the larger political backdrop of the EU’s ongoing deregulation push, the TSP worryingly repackages the deregulation of AI and data protection as a matter of sovereignty. This amounts to ‘sovereignty-washing’. Rights protection is not an obstacle to EU technological independence but its precondition. Rights-respecting governance is the one comparative advantage no other technology power is currently competing on. The Commission should therefore debate the Omnibus as the deregulatory measure that it is and decouple it from the sovereignty agenda entirely. 

A sovereignty framework designed for ‘like-minded partners’ 

The Cloud and AI Development Act establishes four levels of ‘sovereignty assurance’ (or ‘risks’) for cloud services. This is meant to reduce EU public sector dependence on cloud providers controlled from outside the EU, and to protect critical activities from third-country interference. However, only at the highest level, Level 4, can Big Tech solutions be excluded. The other levels allow non-EU providers to qualify.

The political consequence of this tiered design is that the framework’s most stringent restrictions, the level at which third-country (Big Tech) providers are genuinely excluded, apply only to a narrow band of activities. In the Commission’s own words, the package is designed to keep ‘most of our market open to like-minded partners’.  

In practice, this means that for the bulk of public sector cloud use, services controlled from outside the EU may still qualify, so long as the home jurisdiction is judged to be sufficiently aligned. In other words, the assurance framework is not built to displace US hyperscalers from European public infrastructure. It is built to determine the terms on which they continue to participate, with only a limited set of activities ring-fenced at the highest assurance level. 

This policy choice is driven by current geopolitical realities rather than rights protection standards, and it should be named for what it is. CADA is not built to displace US hyperscalers from EU public infrastructure. It is built to set the conditions on which the same handful of companies can continue to participate. For most cloud use across the EU public sector, in other key institutions like public media and for individual people living in the EU, problematic dependency on hyperscalers will remain the default. 

A supply-side package that leaves incumbents untouched 

The TSP’s central bet is that building more European capacity will rebalance the market. Our work resisting the Amsterdam Microsoft data centre, which was leased wholesale by one hyperscaler despite being designed for a diverse set of local players, suggests otherwise.

Tripling EU data centre capacity, as the TSP aspires to, without conditions on who operates or controls it, risks publicly subsidising the expansion of incumbent infrastructure providers. It also misdiagnoses the problem. Even if the capacity gap the Commission assumes were correct, and recent research suggests this is not consistently true across the EU, more data centres would not address what makes hyperscalers a problem.  

The real issue lies in integrated ‘production environments’: one-stop ecosystems of platforms, databases, developer tools, and productivity suites that public institutions and SMEs across Europe are already deeply embedded in. New European server capacity, or aspirational open-source language, will not displace that grip on its own.  

The EU has the instruments to address structural gatekeeping of dominant providers: among others, the Digital Markets Act (DMA). The TSP references it only as background and never activates it. This is a missed opportunity, as diversification without competition enforcement and contestability will not dislodge incumbents. It will simply pour public money into their pockets. 

What needs to change before adoption? 

The window before the TSP’s formal adoption is the moment to act. The Commission should decouple the Digital Omnibus from the sovereignty agenda, mandate fundamental rights impact assessments alongside the ‘sovereignty’ risk assessment, condition public investment in data centre capacity on tenancy commitments, and activate the DMA as a core instrument, rather than background context, to avoid dependencies across the EU digital public infrastructure.

A sovereignty agenda worth its name protects people, not just supply chains. The window to make that the package’s central commitment is open. It will not stay open for long.