EU Tech Sovereignty Package Debuts as CISA’s Own Cloud Keys Sat Exposed for Months

Netherlands blocked Kyndryl’s DigiD deal on CLOUD Act grounds a day before Brussels moved.


On May 27, 2026 — the same day the European Commission formally presented its long-anticipated Tech Sovereignty Package — officials in Brussels needed only to point across the Atlantic for the argument they had been making for years. Ten days earlier, a contractor for the United States' own cybersecurity agency had left the keys to America's most sensitive government cloud accounts sitting on the open internet for six months. The timing did not require a press officer to explain.

The EU's Tech Sovereignty Package proposes restrictions on the use of American cloud platforms — Amazon Web Services, Microsoft Azure, and Google Cloud — for sensitive government data across all 27 member states. Together, those three providers control roughly 70 percent of Europe's cloud market. The core legal mechanism behind the move is not a European law but an American one: the CLOUD Act of 2018, which authorizes US law enforcement to compel any American-headquartered company to produce data it holds — regardless of where in the world that data is stored.

The package includes two headline legislative instruments: the Cloud and AI Development Act, which sets sovereign-cloud procurement standards for EU institutions, and an update to the original Chips Act, aimed at strengthening European semiconductor capacity. Private-sector companies are not covered; the strictest restrictions apply only to government and public-sector workloads handling financial, judicial, and healthcare data.

CISA Leak Handed Brussels Its Best Argument Yet

The proximate US event was not a foreign adversary attack. It was a contractor employed by Nightwing, a Dulles, Virginia firm with a long-running privileged role in federal cyber operations, who had been using a personal GitHub account to synchronize work files between a government laptop and a home computer since November 2025. The public repository he created — named, without apparent irony, "Private-CISA" — contained 844 megabytes of data spread across its Git history by the time Guillaume Valadon, a researcher at the security firm GitGuardian, found it on May 14.

What Valadon found inside was, in his own assessment, the worst leak he had ever witnessed in his career: administrative credentials for three AWS GovCloud accounts, a file titled "Important AWS Tokens.txt," a CSV spreadsheet listing plaintext usernames and passwords for dozens of internal Cybersecurity and Infrastructure Security Agency systems, SSH keys, Kubernetes configuration files, GitHub Actions workflows, and detailed records of how CISA builds, tests, and deploys its own software. The contractor had also deliberately disabled GitHub's built-in secret-scanning feature, which would otherwise have flagged or blocked the publication of credentials.

AWS GovCloud is Amazon's dedicated cloud environment for US government workloads, physically and logically separated from commercial AWS infrastructure. A separate researcher, Philippe Caturegli of the security consultancy Seralys, independently tested the exposed credentials and confirmed full administrative access to three GovCloud accounts. The credentials remained valid for approximately 48 hours after the repository was taken offline — a window during which any adversary who had already downloaded the files could still have authenticated to CISA's infrastructure.
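The failure mode in the paragraphs above has two parts that defenders routinely get wrong: a secret committed early is still fully recoverable from earlier commits after it is "deleted" in a later one, and taking the repository offline does nothing to the credentials themselves until each key is revoked. The Python below is an added example written for this article, not code from GitGuardian, Seralys, Nightwing or CISA. It scans a constructed, in-memory model of a repository's commit history (three snapshots, with the token file present in the first two and gone from HEAD) using published credential formats; the AWS key values are Amazon's documented placeholder credentials, and the file names and commit ids are invented for the example.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple

class Finding(NamedTuple):
    commit: str
    path: str
    rule: str
    line: int
    match: str

# Detection rules built from published token formats (AWS access key ids,
# AWS secret keys, PEM private-key headers, GitHub personal access tokens).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Constructed sample: AWS's own documented placeholder credentials, never live.
TOKENS_TXT = (
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)

# Miniature model of a git history: (commit id, full tree snapshot {path: text}).
# The token file exists in c1 and c2 and is deleted in c3 (HEAD), which is
# exactly the situation a HEAD-only scan reports as "clean".
SAMPLE_HISTORY: List[Tuple[str, Dict[str, str]]] = [
    ("c1", {"Important AWS Tokens.txt": TOKENS_TXT,
            "README.md": "sync scripts\n"}),
    ("c2", {"Important AWS Tokens.txt": TOKENS_TXT,
            "systems.csv": "system,aws_access_key_id\nbuild-pipeline,AKIAI44QH8DHBEXAMPLE\n",
            "deploy.yaml": "image: registry.example/internal:1.0\n"}),
    ("c3", {"README.md": "sync scripts\n",
            "deploy.yaml": "image: registry.example/internal:1.0\n"}),
]

def scan_blob(commit: str, path: str, text: str) -> Iterator[Finding]:
    """Apply every rule to every line of one file version."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                # Rules with a capture group report the captured secret, others the whole match.
                yield Finding(commit, path, name, lineno, m.group(m.lastindex or 0))

def scan_history(history: List[Tuple[str, Dict[str, str]]]) -> List[Finding]:
    """Scan every commit snapshot, not just HEAD. Deleting a file in the latest
    commit leaves it recoverable from every earlier commit that contained it."""
    found: List[Finding] = []
    for commit, tree in history:
        for path, text in tree.items():
            found.extend(scan_blob(commit, path, text))
    return found

def head_is_clean(history: List[Tuple[str, Dict[str, str]]]) -> bool:
    """What a scan of only the current checkout would conclude."""
    commit, tree = history[-1]
    return not any(True for p, t in tree.items() for _ in scan_blob(commit, p, t))

def leaked_key_ids(findings: List[Finding]) -> set:
    return {f.match for f in findings if f.rule == "aws-access-key-id"}

def unrevoked(findings: List[Finding], revoked: List[str]) -> set:
    """Key ids seen anywhere in history that are not yet on the revocation list.
    Incident cleanup is finished only when this set is empty; removing the
    repository from the internet does not invalidate a single key."""
    return leaked_key_ids(findings) - set(revoked)

if __name__ == "__main__":
    results = scan_history(SAMPLE_HISTORY)
    print("HEAD-only scan clean:", head_is_clean(SAMPLE_HISTORY))
    for f in results:
        print(f"{f.commit}:{f.path}:{f.line} {f.rule} {f.match}")
    print("still to revoke:", unrevoked(results, ["AKIAIOSFODNN7EXAMPLE"]))
```

Run as a script it reports a clean HEAD and five findings across c1 and c2, then shows one key id still outstanding after a partial revocation. Against a real repository the same rules would be run over every blob `git rev-list --all` reaches, and the revocation list would be reconciled against the cloud provider's audit log rather than a hard-coded list.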

CISA said it had found no evidence that sensitive data was ultimately compromised. The response from Capitol Hill was less measured. Sen. Maggie Hassan (D-N.H.), a member of the Senate Homeland Security Committee, demanded an urgent classified briefing from acting CISA Director Nick Andersen. Senior Democrats on the House Homeland Security Committee echoed the demand. As of May 22, CISA was still working to revoke the last of the leaked credentials.

Netherlands Issued First-Ever BTI Acquisition Block

One day before the Commission's package was presented, the Dutch government acted on the same legal principle and reached the same conclusion — this time through a binding prohibition.

State Secretary Willemijn Aerdts announced on May 26 that she had blocked IBM spinoff Kyndryl from acquiring Solvinity, the Dutch cloud company that hosts DigiD, the Netherlands' national digital identity system. DigiD underpins citizen access to government services, healthcare records, and tax filings for millions of Dutch residents. Solvinity also operates MijnOverheid, the citizen-facing portal for government communications, and Digipoort, the national data exchange platform for businesses filing with Dutch government agencies.

The ruling was the first acquisition ever prohibited by the Dutch Investment Screening Bureau (BTI), the national body that screens cross-border investments under the Insufficient Controls of Telecommunications Act, known by its Dutch acronym WOZT. The BTI had reviewed the deal — announced by Kyndryl in November 2025 and cleared on antitrust grounds by the competition authority ACM in February 2026 — and recommended a complete ban. Aerdts adopted the recommendation.

The reasoning was explicit. Under the CLOUD Act, US law can compel American-owned companies to produce data they hold regardless of server location. Bringing Solvinity under Kyndryl's ownership would, the BTI concluded, subject the identity data of millions of Dutch citizens to potential compelled disclosure by American authorities. No contractual commitment to data residency, and no physical location of servers within the Netherlands, would override that statutory obligation.

Kyndryl described itself as "extremely disappointed" and said the decision was "heavily politically motivated," adding that it had "consistently engaged in good faith" throughout the review process. Solvinity said it would remain focused on delivering its existing services.

The precedent is pointed: investment screening bodies across the EU now have a live example of a prohibition grounded not in competition law but in jurisdictional data access — specifically, the risk that a change in corporate ownership could expose domestic digital infrastructure to foreign government authority.

How CLOUD Act Jurisdiction Works, and Why Data Residency Cannot Fix It

The CLOUD Act — formally the Clarifying Lawful Overseas Use of Data Act, passed by the US Congress on March 23, 2018 — resolved a long-running legal dispute between the US government and Microsoft over whether American companies could be compelled to produce data stored on servers in Ireland. The law's answer was yes: as a US-incorporated company, Microsoft was required to comply with US government data requests regardless of where its servers sat.

That outcome created a structural problem for every European organization using American cloud infrastructure. A data-residency clause in a contract says data will be stored in Europe. The CLOUD Act says a valid US warrant overrides that clause. As Christoph Strnadl, chief technology officer of Gaia-X, the European cloud-standards initiative, summarized the position: "No US company can guarantee that the US government will never access your data." Microsoft's own chief legal officer, Anton Carniaux, acknowledged during a French court hearing that Microsoft could not rule out being forced to disclose data stored in Europe under US legal orders.

GDPR protections are not an adequate counterweight. The EU's Schrems II ruling, handed down by the Court of Justice of the European Union in 2020, established that contracts cannot override foreign government access laws. An American cloud provider that receives a valid US warrant and discloses European data has not violated its contract — it has complied with US federal law. The European customer has no practical recourse.

EU Faces Its Own Contradiction in the Sovereign Cloud Market

The Tech Sovereignty Package enters the EU's legislative machinery against an awkward backdrop the Commission has not yet resolved. In April 2026, the Commission awarded an €180 million sovereign cloud tender to four European provider groups — a move intended to demonstrate that genuine European alternatives exist. One of the four winning consortia was a partnership led by Belgian telecom operator Proximus, using services from S3NS, a joint venture in which French defense company Thales holds a controlling stake and Google Cloud provides the underlying infrastructure.

The inclusion drew immediate criticism. Francisco Mingorance, secretary general of CISPE, the European cloud providers' trade association, called recognizing S3NS as sovereign "clearly an own goal" that "threatens to institutionalize sovereignty washing at the highest levels." The Commission addressed the controversy directly in its announcement, stating that non-European technologies, when operated within a strict governance framework, can meet the minimum sovereignty threshold it has defined.

The analysis is not settled. Forrester analyst Maisto noted that S3NS offers "much better legal insulation" from CLOUD Act jurisdiction than a direct US provider relationship — but added that this insulation is "yet to be tested in court since Google still has a minority share." What is settled is that Europe does not yet have homegrown hyperscalers capable of absorbing the full range of government workloads currently on American infrastructure. The Thales-Google compromise is not an anomaly; it reflects the actual state of the European cloud market.

Local cloud providers hold roughly 15 percent of the European market. AWS, Azure, and Google Cloud collectively hold approximately 70 percent. Worldwide sovereign cloud spending is forecast to reach $80 billion in 2026, with European spending growing 83 percent year-over-year from a base of $6.9 billion in 2025, according to Gartner. That trajectory is real — but the starting point is a market where European governments have built critical infrastructure on US-controlled platforms over two decades, and where the available alternatives are still catching up on scale, services, and developer tooling.

What Does the EU Tech Sovereignty Package Restrict, and for Whom?

The package does not ban American cloud providers from EU government contracts. Routine, non-classified government work will likely remain on existing platforms. The restrictions apply to specific categories of data: financial, judicial, and healthcare records processed by public-sector organizations. Private companies are explicitly excluded; they remain free to choose any cloud platform for their own data.

The most significant structural question is not what the package restricts today but what precedent it sets for investment screening across the continent. The Dutch BTI prohibition applied a national-security framing to corporate ownership of critical digital infrastructure — not to the data itself, and not to the cloud provider. It said: bringing this infrastructure under foreign corporate jurisdiction is, by itself, a public-interest risk. If other member states apply that logic through their own investment-screening regimes, the effect on US cloud market share in European government contracts could be considerably larger than the package's stated scope suggests.

The Tech Sovereignty Package now requires approval by all 27 EU member states. Internal divisions are real: the Nordics and Ireland, where US cloud companies have significant operations and tax bases, have argued for a softer interpretation of the sovereignty requirements. The Commission's compromise — strongest restrictions only for government-controlled sensitive data, private sector untouched — reflects those divisions.

Frequently Asked Questions

What is the EU Tech Sovereignty Package?

The EU Tech Sovereignty Package, presented by the European Commission on May 27, 2026, is a legislative bundle proposing restrictions on the use of US cloud providers — including Amazon Web Services, Microsoft Azure, and Google Cloud — for sensitive government data across all 27 EU member states. It includes the Cloud and AI Development Act and a Chips Act update. The restrictions apply to public-sector organizations handling financial, judicial, and healthcare data; private companies are not covered.

What does the CLOUD Act mean for European data stored on US cloud platforms?

The CLOUD Act of 2018 authorizes US law enforcement to compel American-incorporated companies to produce data they hold, regardless of where that data is physically stored. This means a valid US warrant can require an American cloud provider to disclose data stored on European servers without notifying the European customer. No data-residency clause in a contract overrides this statutory obligation, which is why the EU argues that organizational sovereignty requires European-controlled cloud infrastructure for its most sensitive workloads.

Why did the Netherlands block Kyndryl from acquiring Solvinity and its DigiD infrastructure?

The Dutch Investment Screening Bureau concluded that Kyndryl's acquisition of Solvinity — the company that hosts DigiD, the national digital identity system — would bring the data of millions of Dutch citizens within the jurisdictional reach of the US CLOUD Act. As an American-incorporated company, Kyndryl would be legally obligated to comply with valid US government data requests, overriding any contractual data-protection commitments. The prohibition, the first ever issued by the BTI, was upheld by State Secretary Willemijn Aerdts on May 26, one day before the Commission presented its sovereignty package.

How does the CISA GitHub credential leak connect to the EU cloud sovereignty debate?

The CISA leak — in which a contractor working for cybersecurity firm Nightwing left 844 megabytes of AWS GovCloud credentials and internal CISA system passwords on a public GitHub repository for six months — does not directly affect European data. But it arrived at a moment when European policymakers were publicly arguing that reliance on American cloud infrastructure carries inherent procedural and jurisdictional risks. The incident illustrated that even GovCloud's hardened architecture cannot protect against human and contractor process failures — a category of vulnerability that contractual sovereignty commitments cannot address.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
