Reading the runes on AI & Cloud sovereignty

Digital sovereignty is currently central to the EU policy agenda, driven by concerns about a reliance on ‘non-EU’ providers in an era of persistent geopolitical headwinds.
Of course, sovereignty is not a new concept. However, attempts to codify it for cloud services in EU regulation to date (most notably in the context of an EU cybersecurity certification framework) have proved challenging.
The concept itself has also continued to evolve, and it is no longer just a question of where data is stored. For many, it now brings in a variety of operational considerations related to the underlying software and broader network infrastructure (including any significant third-party dependencies), as well as legal considerations such as company formation, decision making and control.
Given the increased political emphasis on digital sovereignty, how is the EU debate shaping up, and what should companies be aware of in terms of future regulatory intervention in this area?
An important driver in this respect has been the objective of ensuring sufficient computational capacity for AI, as set out in the Commission’s recent AI Continent Action Plan. This plan makes it clear that for highly critical use cases, including AI applications, sovereignty and operational autonomy require highly secure EU-based cloud capacity.
The legislative initiative that is expected to deliver on this strategy is the forthcoming EU Cloud and AI Development Act, one of the headline digital policies of the European Commission’s Competitiveness agenda. Indeed, the Commission has stated that one of the objectives of this initiative is to “ensure that a set of narrowly defined highly critical use cases can be operated using highly secure EU-based cloud capacity”.
With any EU legislative proposal expected in either Q4 2025 or Q1 2026, what does all of this mean for companies seeking to navigate this space?
First, it will be important to determine the use cases that might fall within the scope of any subsequent EU intervention and reconcile these against current service provision and strategic priorities. Some would likely be public sector (such as defence). However, the Commission has also been clear that the ‘problem statement’ extends into other economic sectors which exhibit highly critical use cases with high security needs. This could bring in energy and healthcare, for example.
Second, it seems likely that any subsequent regulatory initiative would provide more regulatory detail on what is meant by ‘digital sovereignty’ in this context. For those cloud service providers and customers currently grappling with the above-mentioned operational and legal considerations, this will be important to look out for.
Third, given the widening sovereignty ambit, questions relevant to switching and portability, and the wider competitive environment in EU cloud service provision, are likely to be on the political agenda. With this in mind, the deadline of 12 September 2025 for the majority of the Data Act’s switching and portability provisions brings this consideration into sharp relief.
Finally, this increased emphasis on digital sovereignty is also mirrored at Member State level. For instance, the recent Franco-German statement, which followed the 25th Franco-German Council of Ministers at the end of August, affirmed a commitment to strengthening European digital sovereignty and scheduled a further high-level summit in November 2025. Therefore, the interplay between Member State activity and potential future EU regulation should also be factored into the equation.
Deloitte’s multi-disciplinary Digital Regulation team comprises a range of experts with experience across digital regulatory issues. For expert guidance and support in navigating and adapting to the fast-moving digital regulatory landscape, please reach out to one of the contacts listed below, or sign up to the Deloitte quarterly digital regulation newsletter.

Suchitra Nair
Partner, EMEA Centre for Regulatory Strategy snair@deloitte.co.uk

Robert MacDougall
Director, EMEA Centre for Regulatory Strategy rmacdougall@deloitte.co.uk

Nick Evans
Senior Manager, EMEA Centre for Regulatory Strategy nickaevans@deloitte.co.uk