The sentence that did the work was Henna Virkkunen’s. At the press conference in Brussels on Tuesday, 3 June 2026, the Executive Vice-President for Tech Sovereignty, Security and Democracy told reporters what the Tech Sovereignty Package was for: “We want to be sure nobody has a kill switch.” Ursula von der Leyen wrapped the politics around it: “We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure.”

The instruments behind the sentence were four. A legislative proposal for the Cloud and AI Development Act (CADA) with a sovereignty assessment framework and restrictions on non-EU providers for sensitive government data. A legislative proposal for Chips Act 2.0 raising the EU’s targeted share of global chip production. An Open Source Strategy formalising open source as a structural element of EU digital policy. And a Strategic Roadmap for Digitalisation and AI in Energy. Commissioner Dan Jørgensen, the energy lead, joined Virkkunen on the dais.

The Commission has now done what the Commission can do. The consequential decisions are downstream of this announcement, not upstream.

What CADA actually proposes

The cloud component is the most substantive. CADA proposes a four-level sovereignty assessment in increasing order of structural separation from non-EU control. The highest level is, by its own legal logic, not reachable by US-headquartered providers because the CLOUD Act creates a structural conflict.

CADA proposes that financial, judicial and health data of governments and public-sector organisations be required to run on infrastructure at the highest sovereignty level. This is not a recommendation. It is a binding obligation written into the proposal, with national designated authorities to enforce it.

The legal basis is Article 114 TFEU — internal-market harmonisation. This matters: Article 114 produces directly applicable regulation with internal-market effect, not directive that member states transpose. If CADA passes, member states are not free to weaken its application individually.

What the package gets right

The package writes a non-US-passable sovereignty test into binding regulation. Previous European sovereignty instruments either lacked teeth (Gaia-X labelling), were aspirational (ENISA cybersecurity scheme), or were sector-specific. CADA proposes a horizontal regulatory measure that explicitly cannot be satisfied by US providers without architectural restructuring. That is structurally different.

It pairs sovereignty restriction with capacity-building. Virkkunen, asked by reporters whether the package was about excluding US providers, was specific: “Europe wants to be in the position to make its own choices, avoiding risky dependencies on single dominant suppliers, one company or one third country.” Chips Act 2.0 and the Open Source Strategy provide the supply-side answer to the restriction. A pure restriction without alternative capacity is unworkable; the Commission has avoided that.

It treats open source as infrastructure rather than as policy theatre. The Open Source Strategy, building on the January–February 2026 Call for Evidence, frames OSS as a long-run structural element rather than a hobbyist concern. That language was not in previous Commission communications. It opens space for procurement and funding instruments aligned to OSS infrastructure.

What the package does not address

CADA addresses cloud infrastructure and certain categories of government data. It does not, in the current proposal, address the layers below cloud.

Code hosting infrastructure: EU sovereignty solutions are predominantly hosted on GitHub, Microsoft-owned. This is the deepest sovereignty gap and the least addressed. Cryptographic trust chains: certificate authorities and DNS root server operations remain US-dominated. CADA’s sovereignty levels do not enumerate trust-chain criteria explicitly. CI/CD pipelines: GitHub Actions, npm, PyPI, Docker Hub — the build, package, and distribution infrastructure that everything depends on remains predominantly US-hosted.

This is not a criticism of CADA’s drafted scope. It is an observation that CADA does not, on its own, deliver sovereignty at the layers below cloud infrastructure. A reader celebrating CADA as completing the European sovereignty project will be reading something the proposal does not claim — and which Virkkunen herself did not claim in Brussels.

The trilogue, and who is positioning for it

The cui-bono pass is straightforward. EU sovereign cloud providers broadly benefit — OVHcloud, IONOS, Schwarz Digits/StackIT, Outscale, the Atos sovereign division. These companies have spent years lobbying for exactly this regulatory framework. Mistral, Aleph Alpha and the European AI infrastructure cluster benefit from the KIPITZ-style mandatory adoption logic scaled to EU level. The Commission, institutionally, expands competence: Article 114 regulation produces direct effect rather than national transposition. French and German industrial policy benefit because both have strong vendor clusters that align with CADA criteria. Italian, Spanish, and Eastern European clusters have less industrial base to capture the procurement opportunity.

Three serious objections are circulating, none of which the Commission can settle alone.

The first is that Article 114 is the wrong legal basis. Internal-market harmonisation is contestable as a basis for restrictions that are primarily geopolitical rather than market-functional. The European Court of Justice has historically been protective of Article 114’s market-integration logic. A challenge before the ECJ could narrow the regulation’s binding scope after adoption.

The second is that the trilogue will dilute the highest sovereignty level. Council representation includes member states with deeper US tech-industry investment positions — Ireland, Luxembourg, the Netherlands. The trilogue typically softens Commission proposals at the margins. The non-US-passable highest tier is exactly the kind of provision that gets softened.

The third is that industry will route around the restrictions via European subsidiaries. A US hyperscaler can incorporate a European subsidiary, structure governance and key custody domestically, and apply for the highest sovereignty level. Whether such a structure passes the substantive test depends on how strictly the assessment authority interprets “control”. Microsoft’s existing Sovereign Cloud proposal is essentially a bet on this routing-around being possible.

What this article is not

It is not a claim that CADA will pass as drafted. The trilogue will modify the proposal; the question is by how much.

It is not a claim that the Open Source Strategy is empty. It frames OSS structurally. Whether it produces funding is a separate question, decided in the next Multiannual Financial Framework cycle rather than in June 2026.

It is not a claim that European sovereignty is settled by the package. The package addresses one layer of dependency, leaves others untouched, and depends on a legislative process that runs into 2027 or 2028.

What to watch first

The first signal is the Council’s first reading. Member states with US-aligned tech-industry positions will indicate, through their general approach, how much they intend to fight on the highest sovereignty tier.

The second is the European Parliament’s rapporteur appointment — which committee, which political group. ITRE, IMCO, LIBE will each produce different versions of CADA, and the choice of committee competence will shape the proposal’s emphasis on industrial policy, internal market, or fundamental rights respectively.

The third is whether implementation funding for the Open Source Strategy components materialises in the next EU budget cycle. Without budget, OSS-as-infrastructure remains rhetoric, regardless of how persuasive Virkkunen’s framing was at the press conference.

The Commission has set the political and legal terms. The next two years of inter-institutional negotiation will determine whether the terms hold.

Sources

Topic overview: Digital Sovereignty in Europe Related articles: Microsoft hands over Dutch names, Sovereignty as procurement law