The European Union is advancing a regulatory architecture designed to embed digital sovereignty into the functioning of its cloud market. Through instruments such as the Tech Sovereignty Package, Digital Markets Act (DMA) investigations, and revised procurement rules, EU institutions are reshaping competitive dynamics in ways that directly challenge the established position of US-based hyperscalers, including Alphabet’s Google Cloud. While Google Cloud has not yet been named in the DMA gatekeeper probe alongside Amazon Web Services (AWS) and Microsoft Azure 1,18,21, the broader thrust of EU policy—aimed at reducing reliance on non-European technology providers and ensuring sensitive data remains within European borders—demands a strategic response grounded in institutional alignment.
Google Cloud’s recently announced sovereign cloud partnership with Thales in Germany 13,19 represents a significant step toward such alignment, offering a model of operational and legal separation that may satisfy the most stringent national criteria. Yet the uneven depth of its integrated sovereign infrastructure relative to some peers, and the accelerating momentum of domestic European alternatives, require continuous attention to the evolving regulatory and market fabric.
Key Developments and Competitive Responses
Escalating Regulatory Scrutiny of US Hyperscalers
In November 2025, the European Commission opened market investigations to determine whether AWS and Microsoft Azure should be designated as gatekeepers under the DMA 1,18,35. A designation would impose strict operational obligations similar to those applied to digital platform gatekeepers. Although Google Cloud is not currently subject to such an investigation, the Commission’s evaluation of the cloud sector as a core platform service signals that no major US provider can be considered immune from future scrutiny 35. Moreover, the Commission’s adoption of a "tech sovereignty" agenda in June 2026 36 and the draft cloud procurement law—which introduces non-price criteria favoring EU-based infrastructure, local R&D, and supply chain security 28,29,32—could structurally narrow the addressable market for non-European competitors in sensitive public-sector tenders.
The Tech Sovereignty Package: Institutionalizing Local Control
The forthcoming Tech Sovereignty Package is widely reported to include provisions requiring that financial, judicial, health, and other sensitive government data be stored and processed within EU-based cloud infrastructure 6,7,37. The package does not impose an outright ban on US companies but would significantly limit their role in high-value government contracts 5,6. Still being finalized 6, it reflects a strategic push toward "digital autonomy" 7,37 and is supported by a €180 million tender for European sovereign cloud projects 22,37 and plans to triple European data centre capacity within five to seven years 17,44. These measures directly challenge Google Cloud’s ability to compete for the estimated €264 billion in annual US-based cloud software spend within the EU 44.
Google Cloud’s Counter-Move: A Sovereign Cloud Partnership with Thales
On May 20, 2026, Google announced a strategic partnership with French aerospace and security group Thales to launch a sovereign cloud offering in Germany 13,19. The model involves a new German entity fully owned and controlled by Thales, operating dedicated infrastructure, and ensuring that no non-European entity—including Google Cloud itself—can access stored or processed data 13,19. The solution aims to simultaneously comply with Germany’s C5 and C3A frameworks 13 and France’s SecNumCloud 3.2 standard 13, while offering pan-European geo-redundant and cross-border disaster recovery capabilities 13. The offering is currently in preview, with general availability expected by the end of 2026 13, and replicates the S3NS/Thales approach proven in France 13. It targets healthcare, finance, and public sector organizations seeking access to Google Cloud innovation under full local control 13.
National Intensification and the Rising Bar for Sovereignty
Individual member states are amplifying the sovereignty push. In the Netherlands, the Open Cloud Alliance (OCA), a coalition of seven Dutch providers launched in April 2026 8, explicitly requests government prioritization of data sovereignty in cloud tenders 4,8. A Dutch parliamentary motion adopted in June 2025 mandates that by 2029, at least 30% of government cloud usage come from Dutch or European providers 8. The Dutch government’s DICTU released a sovereignty assessment tool in January 2026 evaluating cloud services on legal and operational dimensions 8; notably, AWS’s sovereign cloud was found lacking under that framework because its parent is US-incorporated 8. AWS’s European Sovereign Cloud, launched in January 2026 in Brandenburg, Germany, with a Dutch local zone 8, achieved SOC 2, C5, and multiple ISO certifications 8, yet these certifications have not satisfied the most stringent legal sovereignty criteria. Google Cloud’s Thales model, with its complete operational and legal separation, may be better positioned to meet such requirements.
Proliferation of European Alternatives
The cluster of initiatives underscores a mushrooming of European sovereign cloud projects. Oracle offers EU sovereign clouds 2,3,34,39; TCS launched SovereignSecure Cloud™ in Europe 27; Red Hat announced streamlined compliance and premium sovereign support 38; KPN and Thales partnered for a classified defence cloud 8; T‑Systems and Scheer Group are building a secure sovereign alternative 30,41; and firms such as BearingPoint, EasyCloudify, and Infomaniak are advancing sovereign stacks 10,14,31. Although many lack the scale or feature depth of hyperscalers—e.g., OCA members currently lack serverless and DBaaS equivalents 8—they are increasingly capable in targeted government niches and enjoy political backing. Meanwhile, Microsoft continues to expand its European datacentre footprint with regions in Denmark, new campuses in Southern Europe, and Azure Local for large-scale sovereign deployments 33,40, maintaining strong competitive pressure.
Broader Geopolitical and Data-Residency Forces
The sovereignty trend is not confined to Europe. Similar dynamics are observed in Africa, the Middle East, and Asia 23,24,26,42,43, signaling a global shift toward localized cloud infrastructure. Within Europe, dependence on US providers remains high and may even be growing 16, yet governments actively explore open-source and homegrown alternatives 37. The US CLOUD Act is frequently cited as a risk that European sovereignty measures aim to counter 25,44. For Google Cloud, these forces mean that the Thales joint venture must not only achieve technical compliance but also be perceived as genuinely independent to win trust in highly sensitive sectors. The EU’s sector probe, linked directly to digital sovereignty concerns 20,35, maintains a regulatory overhang on all American providers.
Strategic Implications for Google Cloud and Institutional Evolution
The developments described constitute a defining challenge for Alphabet’s Google Cloud business in Europe. Adapting its operating model to an environment that increasingly demands local control, EU-incorporated operations, and immunity from extraterritorial legal reach requires more than a one-off product launch—it demands the patient construction of a durable institutional architecture. The Thales partnership is a structured attempt to meet this demand. It is more advanced than AWS’s current sovereign cloud approach, which remains legally tied to a US parent, and comparable in spirit to Microsoft’s European-controlled sovereign options. However, the dependence on third-party ownership for the sovereign entity, while operationally sound, may raise questions about long-term strategic control and the depth of integration with Google’s global innovation pipeline.
The financial and competitive implications are material. The EU’s draft cloud procurement rules, if enacted, could tilt a significant portion of the €264 billion European cloud software market toward domestic players, curtailing Google Cloud’s revenue growth in a key geographic segment. Google’s ability to leverage its AI and data analytics strengths—often cited by European customers—will depend on how effectively those capabilities are delivered within the sovereign boundary. The upcoming launches of Amazon Bedrock and AWS OpenSearch Serverless 9,15,45 and Microsoft’s Blackwell-powered instances 11,12 illustrate that the hyperscalers are racing to embed advanced AI features in sovereign-compatible architectures, raising the bar for Google Cloud’s Thales-based offering to keep pace.
Uncertainty remains high: the Tech Sovereignty Package is still being drafted and could be softened under pressure from member states and businesses 5,6. Both AWS and Microsoft are expected to mount vigorous resistance to any DMA gatekeeper designation, and the outcome of those investigations—due by November 2026 35—could reshape the regulatory landscape. For Google, evading gatekeeper status while its rivals are targeted would represent a relative win, but the company must still invest heavily in European sovereign infrastructure to meet even the minimum compliance thresholds that the new rules are likely to set. The path toward European digital sovereignty is one of incremental integration, and success will belong to those who embed themselves most durably into the emerging regulatory architecture.
