The Commission’s long‑awaited Tech Sovereignty Package has become something of a moving target – postponed from March to April, then to late May, and now expected for adoption on 3 June. Those repeated delays have only raised expectations around what is now clearly framed as the EU’s flagship attempt to turn “digital sovereignty” from a slogan into an operational agenda.

Some leaks have emerged in the last days and on the basis of that material we can sketch a profile of the Tech Package to be.

From resilience to sovereignty

The leaked Communication on “European Tech Sovereignty”, which accompanies the broader package, marks a clear shift in tone. It openly acknowledges that the EU remains structurally dependent on non‑EU providers for over 80% of its digital products, services, infrastructure and IP, and that these asymmetric dependencies are increasingly weaponised in a harsher geopolitical environment. In response, the document calls for a move away from a reactive focus on resilience towards a more assertive strategy centred on Europe’s ability to develop, control and scale critical technologies under EU jurisdiction.

To get there, the package bundles four main initiatives: a “Chips Act 2.0” to deepen Europe’s semiconductor ecosystem, the new Cloud and AI Development Act (CADA), an Open Source Strategy for “EU Open Digital Ecosystems”, and a roadmap plus delegated act on digitalisation and AI in the energy sector. The common thread is the ambition to build an integrated “European technology stack” – from chips to cloud to AI and open source software – while still insisting that tech sovereignty does not mean isolation or full decoupling.

CADA, data centres and cloud sovereignty

For anyone following cloud policy, CADA is the centre of gravity. The draft sets an explicit goal of tripling EU data‑centre capacity within five to seven years and reaching the Union’s “needed capacity” by 2035, under a harmonised framework for deployment and sustainability. Data centres become a core industrial policy tool: they are linked to AI Factories and AI Gigafactories, to the second Chips Act, and to a broader push for energy‑efficient infrastructure that fits the Green Deal narrative.

More interesting from a governance perspective is the way CADA structures “sovereignty” in the cloud. The text introduces four levels of cloud sovereignty services, based on criteria such as control over the service, control over the supply chain, localisation of infrastructure, handling of AI inference data, and cybersecurity posture. Member States are required to conduct a sovereignty risk assessment to determine which use cases within their administrations require which sovereignty level, with Commission guidance to follow. This moves the debate away from abstract principles and into the concrete business of classifying workloads and defining acceptable risk – something procurement officials and CISOs can actually work with.

The Act also explicitly links its “grand challenge” on cloud and AI autonomy to the development of processors and accelerators designed and, where appropriate, manufactured in the EU. In other words, CADA is not just about how the public sector buys cloud services; it is also a demand‑side lever for the European chip and hardware ecosystem.

Open source, public code and anchor customers

The Open Source Strategy that accompanies the Communication is equally telling. It starts from a blunt diagnosis: the EU spends around 264 billion euro every year, mostly on US proprietary IT products and services, locking itself into foreign vendors and losing control over critical digital infrastructures. The counter‑proposal is to leverage Europe’s sizeable open‑source community as a strategic asset to reduce dependencies, lower costs, and embed European values into the digital stack.

Here, the public sector is cast as a key “anchor customer”. The draft openly criticises procurement frameworks that have been historically designed around proprietary vendor characteristics and that tolerate vendor lock‑in. To “reverse this trend”, CADA and the Open Source Strategy introduce two politically significant principles: an “open source‑first” approach for public procurement of cloud and AI software, and a “public money, public code” expectation that software paid for with public funds should be made available for reuse. This does not name any particular geography, but it clearly favours providers able (and willing) to play by these rules – which, in practice, tend to be smaller European vendors and EU‑grown open‑source ecosystems the strategy sets out to support.

The missing words: “Buy European” without saying it

Conspicuously absent from the draft is any explicit “Buy European” requirement. There is no simple clause instructing public authorities to choose European providers, nor any outright exclusion of non‑EU vendors from the most sensitive segments of the market. On the contrary, the text repeatedly stresses that tech sovereignty “remains grounded in openness, partnership, and fair competition” and that the EU does not seek protectionism or tech decoupling.

Yet, when all the pieces are put together, it is hard not to see a systemic trend that points in that direction:

• Sovereignty risk assessments for government workloads, combined with multi‑level sovereignty criteria, will inevitably push critical and sensitive use cases towards high‑sovereignty solutions that are easier to provide from within the EU – or at least from operators ready to place infrastructure and governance entirely under EU law.
• The emphasis on being “immune to extraterritorial interference” and on full EU jurisdiction over data, infrastructure and management services creates a powerful, if indirect, filter against certain third‑country corporate structures and legal exposures.
• The open‑source‑first rule and the public‑code principle steer public demand towards solutions where code is auditable, reusable and not tied to proprietary licensing – again, an area where EU players hope to excel and where global hyperscalers are not always culturally or commercially aligned.
• CADA explicitly aims to “foster the EU value added of public spending in the area of cloud and AI”, while the Chips Act 2.0 uses innovation procurement and “demand accelerators” to boost the uptake of EU‑designed and EU‑made chips.

Taken together, these elements amount to a de facto “Buy European by design” approach: instead of a frontal legal obligation that would trigger an immediate transatlantic confrontation, the Commission relies on risk‑based criteria, certification, sovereignty levels, and procurement principles that structurally favour European – or at least EU‑law‑compliant – offerings. This is very much in line with the broader tech‑sovereignty debate, where observers have noted a progressive tightening of sovereignty‑oriented procurement frameworks without explicit geographic bans. The repeated delays of the package – and reporting that US trade concerns played a role – only reinforce the impression that language around “Buy European” has been carefully managed to avoid unnecessary escalation, while keeping the policy direction intact.atlanticcouncil+4

A systemic trend, not an isolated file

Seen against the wider canvas of EU digital regulation – from the AI Act to the Data Act, from NIS2 to the forthcoming Digital Networks Act – the Tech Sovereignty Package looks less like a radical departure and more like the consolidation of a trend: Europe using its regulatory and market power to shape trusted digital infrastructures that reflect its own legal order and industrial priorities. What is new here is the explicit coupling of that agenda with very concrete industrial policy tools (data‑centre acceleration zones, strategic semiconductor projects, EU‑level investment windows) and with a clearer articulation of cloud sovereignty levels that can be operationalised in contracts.

For transatlantic partners, the message is mixed. On the one hand, the EU insists it wants to remain open and to attract “foreign champions” to invest in European infrastructure, provided they play by EU rules. On the other, the combination of sovereignty metrics, jurisdictional constraints and open‑source expectations will, over time, reshape what it means to be competitive on the European cloud and AI market. This may well be more consequential than any explicit “Buy European” label – precisely because it works through system design, not slogans.