EU mulls restricting use of U.S. cloud for sensitive government data:

The European Union is considering rules that would restrict its member governments’ use of U.S. cloud providers to handle sensitive data, sources familiar with the talks told CNBC.

The European Commission — the EU’s executive branch — is expected to present its “Tech Sovereignty Package” on May 27, which will include a range of measures aimed at bolstering the bloc’s strategic autonomy in key digital areas.

As part of preparations for that package, discussions are taking place within the Commission around limiting the exposure of sensitive public-sector data to cloud platforms provided by companies outside of the EU, two Commission officials, who asked to remain anonymous as they weren’t authorized to discuss private talks, told CNBC.

As tensions with U.S. President Donald Trump’s administration have intensified, there have been calls for Europe to diversify away from U.S. cloud providers, which currently dominate the European market, and towards homegrown providers for its most critical workloads.

“The core idea is defining sectors that have to be hosted on European cloud capacity,” one of the officials said. They added that companies providing cloud solutions from third countries, including the U.S., could be impacted.

Proposals would not prohibit overseas companies’ cloud platforms from government contracts entirely, but limit their use in processing sensitive data at public sector organizations, depending on the level of sensitivity, they added. The officials said that talks are ongoing and yet to be finalized.

“U.S. cloud providers could face restrictions in certain sensitive and strategic sectors” within EU member states’ public bodies as a result of the proposals, one official said.

The officials told CNBC there are discussions around proposing that financial, judicial and health data processed by governments and public-sector organizations require high levels of sovereign cloud infrastructure.

The discussions do not relate to private-sector companies and the “Tech Sovereignty Package” would not propose rules about their use of cloud platforms, one of the officials said.

Once presented by the Commission, the package would need to be greenlit by all 27 member states. The “Tech Sovereignty Package” will include the Cloud and AI Development Act (CADA) and the Chips Act 2.0, bills aimed at encouraging sovereign, homegrown solutions and products in both of those areas.

When asked for comment, a Commission spokesperson told CNBC the package was “about Europe waking up and getting its act together.”

They added that it would “improve opportunities for sovereign cloud offerings, including through public procurement, and support the entry into the market of a more diverse set of cloud and AI service providers.”