YEAR II  ·  No. 576  ·  MONDAY, JULY 6, 2026

GENEVA --:--  ·  BOGOTÁ --:--  ·  ACIDREPORT v3.5
AcidReport
INVESTIGATIONEUROPEAN UNION

Europe has built its state on servers that Washington can open and no law can stop it

Europe has just admitted, in an official document drafted by its own lawyers, that it does not control the infrastructure on which its hospitals, its power grids and its governments run. It did not say so directly, of course. It said so in the bureaucratic language Brussels reserves for its most uncomfortable defeats, speaking of “strategic dependencies” and “sovereignty assessment frameworks”. On 3 June 2026 the European Commission presented the European Technological Sovereignty Package, a set of laws intended to reduce the continent’s dependence on Amazon, Microsoft and Google. Its centrepiece is called the Cloud and AI Development Act, known by its English acronym, CADA. Behind the jargon lies a question simpler and older than any regulation. Whoever controls the cables controls the power, and infrastructure never asks who elected it.

The warning that arrived in small print in 2018

The story begins in Washington, not in Brussels. In 2018, under the first Trump administration, the US Congress passed a law called the CLOUD Act, short for Clarifying Lawful Overseas Use of Data Act. The law establishes that any American company is obliged to hand over data to its own country’s authorities, regardless of where in the world that data happens to be stored. The cloud, that is, the remote servers where companies and governments keep and process information once kept on paper, thus became disputed territory. A hospital in Frankfurt may store its medical records in a German data centre, run by a German subsidiary of a parent company in Seattle, and that legal detail changes nothing. Washington has a lawful route to request that information, with no European judge intervening in the process.

For years, European governments treated that law as a legal curiosity, a remote possibility that would never actually be triggered. That complacency rested on the idea that American tech giants, by building data centres inside the European Union, offered a kind of geographic shield. The argument had an obvious flaw. The law does not concern itself with where the servers sit. It concerns itself with where the company running them is headquartered.

The diagnosis that arrived two years before the law

On 9 September 2024, the Italian economist Mario Draghi, former president of the European Central Bank, presented the Commission with a report commissioned by Ursula von der Leyen herself on the future of European competitiveness. Among its conclusions was the continent’s digital dependence on a handful of foreign providers, flagged as a structural threat rather than a technical footnote. The report recommended, among other things, building genuine European capacity in cloud computing and artificial intelligence. A year later, an independent audit found that barely 11% of the report’s 383 recommendations had been fully implemented. A year after presenting it, Draghi himself returned to warn that every challenge he had flagged had only grown worse, worsened further by Donald Trump’s tariff policy and by China’s rising weight in advanced technology. The CADA is, in that sense, the late and partial translation of a diagnosis the Union had already known for two years.

The arithmetic of a dependency

The figures behind this story are not opinions. According to estimates cited by the European Commission itself and by digital security analysts, American companies account for around 80% of professional cloud spending within the European Union. European providers, meanwhile, have lost ground steadily over the past decade.

According to figures collected by the European Commission, the market share of European cloud computing providers fell from approximately 29% in 2017 to 15% in 2022.

These are two different ways of measuring the same imbalance, not the same figure repeated twice. The first describes how much governments and companies in Europe currently spend with American providers. The second describes how much ground European companies competing in that same market have lost over the years. That decline did not happen by accident or conspiracy. It happened because Amazon, Microsoft and Google offered better prices, greater capacity and smoother integration with the tools European governments and companies were already using every day. Digital neoliberalism needs no coercion. Efficiency is enough.

Under oath before the French Senate

The moment that turned this theoretical discussion into a concrete political problem came on 10 June 2025, during a French Senate hearing on the role of public procurement in the country’s digital sovereignty. The committee was examining, among other cases, the Health Data Hub, the platform that centralises the medical records of millions of French citizens and runs on Microsoft Azure servers, and the Bleu project, an alliance between Microsoft, Orange and Capgemini meant to offer a supposedly sovereign cloud. Anton Carniaux, Microsoft France’s director of public and legal affairs, appeared alongside Pierre Lagarde, the company’s technical director for the public sector. A senator asked him a direct question. Could he guarantee, under oath, that the data of French citizens stored in Microsoft’s cloud would never be handed to American authorities without France’s explicit authorisation.

Carniaux answered with a single sentence, recorded in the Senate’s official record. “No, I cannot guarantee that.”

The executive clarified that such a situation had never actually occurred and that Microsoft resists American requests it considers unfounded. No technical clarification managed to dissolve the political effect of those few words. A representative of one of the three corporations underpinning the digital infrastructure of an entire continent had just confirmed, before the legislature of one of its largest economies, that the protection afforded to European data ultimately depends on the goodwill of a foreign government. Lagarde tried to soften the blow, explaining that since January 2025 European customer data does not leave the territory of the Union at any point during processing. The senator chairing the committee called that guarantee purely declarative, with no external oversight to verify it. France had already passed a law in 2024 known as SREN, which requires the state’s most sensitive data to migrate to providers certified under the SecNumCloud standard, designed specifically to exclude companies subject to the CLOUD Act. Enforcement of that law has moved slowly, and much of the French civil service continues, in the meantime, to contract the same American giants the law was meant to avoid.

Four levels to guard against distrust

Brussels responded by building a classification system. The CADA establishes four sovereignty levels for cloud providers wishing to work with European public institutions. The first level requires data to be processed and stored within Union territory. The second obliges the provider to demonstrate independence from third-country governments and transparency over its software supply chain. The third requires the company to be owned and controlled by European entities, with additional requirements on the nationality of its staff. The fourth level, reserved for the most sensitive national security workloads, demands even stricter guarantees of control and protection against any foreign influence.

Henna Virkkunen, the Commission’s executive vice-president for technological sovereignty, was blunt about the practical implications of that design. She told reporters it would be extremely difficult for American companies to reach the highest sovereignty levels, precisely because of the obligations the CLOUD Act imposes on them at home. This is not a casual administrative hurdle. It is a legal architecture designed so that certain companies cannot pass the test, no matter how many data centres they build on European soil. The Computer and Communications Industry Association, which represents Amazon, Microsoft and Google before regulators, described the framework in an official statement as a recipe for progressive market closure dressed up as security policy. Washington is unlikely to accept the framework quietly either. Analysts who track the file expect a prolonged negotiation over definitions and eligibility criteria, followed by American industrial and procurement measures of its own, designed to protect the very companies the CADA is built to exclude.

The lesson of Amsterdam

What in Brussels is still a legislative proposal was already, in Amsterdam, a very real scare. In October 2025 the municipality chose the Dutch company Solvinity to run its public cloud, specifically to reduce its dependence on American providers, and signed a fourteen million euro contract with it. Solvinity runs, among other things, the infrastructure behind DigiD, the digital identity system used by sixteen and a half million Dutch citizens for dealings with the state. Weeks later, on 5 November 2025, the American firm Kyndryl announced it would buy Solvinity. The municipality learned of it barely a day before the public announcement. The digital sovereignty choice Amsterdam believed it had made ended up, overnight, under the jurisdiction of a company subject to the CLOUD Act.

The case triggered a petition with a hundred and forty thousand signatures and an emergency parliamentary hearing, forcing ministers to explain in public why a company chosen precisely to escape American jurisdiction had ended up back under it within weeks. The Dutch government eventually blocked the deal in May 2026, citing risk to the public interest. It is, so far, the most concrete example of exactly what the CADA is trying to prevent by law. It took no severed switch and no court order for Amsterdam to grasp the problem. Reading the buyer’s name in a press release was enough.

The symbol arrived before the law

A day after presenting the legislative package, the European Parliament did something no law yet requires it to do. From 4 June 2026, the French search engine Qwant replaced Google as the default on the Firefox and Edge browsers of the Parliament’s institutional computers, a change affecting seven hundred and twenty lawmakers and thousands of assistants and staff. Any MEP may keep using Google if they prefer, no one is forced to change their habits. The gesture is not meant to impose anything. It is meant to show something.

Symbols usually arrive before laws, because they cost less and are understood faster. The European Union will take years to negotiate, vote on and apply the CADA across its twenty-seven member states. Changing a default search engine takes an afternoon of IT work. Between the two gestures lies a distance that measures, with some precision, how much it actually costs to build digital sovereignty and how much it costs simply to announce it.

Latin America watches this dispute from a position even more fragile than Europe’s. No country in the region has a bloc of four hundred and fifty million people, a joint budget or a Commission capable of legislating on data sovereignty against Washington or Beijing. Hospitals, ministries and universities across Latin America depend on the same American infrastructure now worrying French and Dutch lawmakers, without there being, for now, an equivalent public debate over what that means on the day someone decides to flip that switch, the way Amsterdam found out, by reading a name in a press release…

G.S.

Gabriel Schwarb

ABOUT THE AUTHOR

Gabriel Schwarb

Gabriel Schwarb was born between borders, grew up between languages and learned to read power before the books that claimed to explain it. A Swiss-Colombian writer, founder and editorial director of AcidReport — a trilingual outlet with no affiliation, no marketing and no sponsors, publishing from Switzerland in Spanish, French and English. He does not publish to please. He publishes to answer. Working in visual communication since 1997, he deliberately abandons aesthetic comfort to immerse himself in analysis, archival research and textual confrontation. He builds AcidReport as one builds an archive in times of ruin — with method, with urgency and with memory.

Writing from Switzerland, the geographical heart of global finance, about the peripheries that same finance organises is not a contradiction. It is the method. Distance does not produce neutrality; it produces perspective. His style is direct, analytical, stripped back — closer to dissection than to metaphor. His method combines rigorous source verification, archival research, OSINT and public correction of errors. For him, writing is not a literary aspiration. It is an instrument of analysis, a space for exposure and an exercise in lucidity before structures that prefer not to be named.

See all articles →

Leave a comment