EU Tech Sovereignty Package 2026: What SaaS and Cloud Companies Must Know Before the May 27 Deadline
Post #1145 in the sota.io EU Cloud Compliance Series
Europe's push for digital autonomy has accelerated sharply in 2025–2026. Following the adoption of the Cloud and AI Development Act (CADA) framework and the broader EU Tech Sovereignty Package, cloud buyers in the public sector and the SaaS companies that serve them are now facing concrete compliance requirements that cannot be met by AWS, Microsoft Azure, or Google Cloud in their current form.
May 27, 2026 is a key policy milestone: the European Parliament's Digital Infrastructure Committee tables its formal opinion on the CADA secondary legislation package, which specifies EUCS certification requirements for cloud operators serving critical infrastructure and public-sector bodies across EU member states. This is not a distant regulation — procurement offices at ministries, regional governments, and health authorities are already updating their supplier requirements to reflect the upcoming EUCS High-level mandate.
This guide explains what the EU Tech Sovereignty Package contains, why CLOUD Act-exposed US clouds cannot meet EUCS High, and what SaaS teams must do today.
What Is the EU Tech Sovereignty Package?
The EU Tech Sovereignty Package is a set of legislative and investment initiatives launched under the European Commission's second Competitiveness Mandate (von der Leyen II). It clusters five major pillars:
| Pillar | Instrument | Status (May 2026) |
|---|---|---|
| Cloud procurement requirements | CADA (Cloud and AI Development Act) | Secondary legislation in progress |
| EU compute sovereignty | AI Factories programme (€20B) | Operational (Bologna, Paris, Jülich) |
| Strategic technology investment | STEPI (Strategic Technologies for Europe Platform) | Active |
| Data portability and switching | EU Data Act 2025 | In force since Jan 2025 |
| Cross-border digital infrastructure | EDIC (European Digital Infrastructure Consortium) | Framework established |
For SaaS companies, the most operationally significant pillar is CADA + EUCS. The other pillars affect investors, large infrastructure operators, and platform providers. But CADA directly changes who your cloud provider can be if you serve EU public-sector customers.
CADA Explained: The Cloud and AI Development Act
CADA is not a general cloud regulation — it is a procurement and certification mandate focused on where sensitive EU public-sector data is processed and controlled.
Its core requirement is simple: cloud services processing data for public-sector bodies and critical infrastructure must hold EUCS (EU Cybersecurity Scheme for Cloud Services) certification at the appropriate level. For high-sensitivity use cases (health records, law enforcement, defence, critical energy infrastructure), the required level is EUCS High.
The Three EUCS Levels
| Level | What It Covers | Who Can Achieve It |
|---|---|---|
| Basic | General GDPR compliance, standard security controls, data processing agreements | Any cloud provider, including AWS/Azure/GCP |
| Substantial | Enhanced controls, vulnerability management, incident response, some data residency | AWS/Azure/GCP can qualify for EU regions |
| High | Full EU jurisdiction, no third-country authority access, EU-owned or EU-controlled entity required | Only EU-incorporated providers with no US parent |
The decisive word in that last row is jurisdiction. EUCS High explicitly requires that the cloud provider not be subject to third-country laws that could compel access to customer data outside EU legal frameworks. The US CLOUD Act — which allows US law enforcement to compel US-incorporated entities to disclose data regardless of where that data is stored — makes every US-headquartered cloud provider ineligible for EUCS High certification.
The CLOUD Act Problem: Why AWS, Azure, and GCP Cannot Achieve EUCS High
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. §2523) was enacted in March 2018 and has not been substantively amended. Its jurisdictional reach covers:
- Any US person (citizen or resident)
- Any entity incorporated in the United States or its territories
- Any entity that maintains a physical presence in the United States
AWS (Amazon Web Services Inc., incorporated in Delaware), Microsoft Azure (Microsoft Corporation, Washington State), and Google Cloud (Google LLC, Delaware) all fall squarely within CLOUD Act jurisdiction. Their EU subsidiaries (AWS EMEA SARL, Microsoft Ireland Operations Ltd, Google Cloud EMEA Ltd) do not change this: US courts have consistently held that the US parent's control over the subsidiary is sufficient to extend CLOUD Act obligations globally.
CLOUD Act Scores for Major Providers (from this series):
| Provider | Parent Entity | CLOUD Act Score | EUCS High Eligible? |
|---|---|---|---|
| AWS | Amazon.com Inc. (WA) | 21/25 | ❌ No |
| Microsoft Azure | Microsoft Corp. (WA) | 21/25 | ❌ No |
| Google Cloud | Google LLC (Delaware) | 20/25 | ❌ No |
| OVHcloud | OVH SAS (Roubaix, FR) | 1/25 | ✅ Yes |
| Hetzner | Hetzner Online GmbH (Nuremberg, DE) | 0/25 | ✅ Yes |
| Scaleway | Scaleway SAS (Paris, FR) | 1/25 | ✅ Yes |
| IONOS | IONOS SE (Montabaur, DE) | 0/25 | ✅ Yes |
| Exoscale | A1 Digital International GmbH (Vienna, AT) | 2/25 | ✅ Yes |
AWS's "sovereign cloud" offering (AWS European Sovereign Cloud) does not resolve this. The sovereign cloud subsidiary is a technical architectural separation, but the parent company remains Amazon.com Inc. — a US corporation subject to CLOUD Act obligations. The same structural limitation applies to Azure's EU Data Boundary and Google's Assured Workloads.
Impact on SaaS Companies Serving EU Public Sector
If you build SaaS for ministries, municipalities, hospitals, utilities, defence contractors, or any entity classified as critical infrastructure under CADA, the implications are significant:
1. Your Hosting Choice Is Now Part of Your Procurement Questionnaire
EU public-sector buyers have begun including EUCS certification level as a mandatory criterion in tender documents. A SaaS company that runs its backend on AWS us-east-1 or eu-west-1 cannot certify EUCS High-level data processing — and will be excluded from procurement processes that require it.
This is already happening in Germany (BSI Grundschutz certification requirements), France (SecNumCloud qualification), and the Netherlands (BIO Baseline Informatiebeveiliging Overheid). CADA harmonises these national schemes into a single EU-wide framework, creating a common standard across all 27 member states.
2. Data Processor Chain Compliance
Under GDPR Article 28, your customers (the data controllers) are responsible for ensuring that their data processors — including you, as the SaaS provider — implement appropriate technical and organisational measures. CADA extends this to EUCS certification requirements. If your sub-processors include AWS, Azure, or GCP, your customers' DPIAs (Data Protection Impact Assessments) will flag the CLOUD Act exposure as an unmitigated risk.
3. The SCCs No Longer Cover It
Standard Contractual Clauses (SCCs) under GDPR Article 46 were designed to legitimise cross-border data transfers to countries without EU adequacy decisions. They do not — and cannot — override CLOUD Act jurisdiction. The EU-US Data Privacy Framework (July 2023) covers commercial data flows between EU controllers and US processors for commercial purposes, but it specifically does not limit US government access under FISA Section 702 or the CLOUD Act. EUCS High closes this gap by requiring structural separation from CLOUD Act jurisdiction.
4. Vertical-Specific Requirements Are Already In Force
| Sector | Regulation | Cloud Requirement |
|---|---|---|
| Healthcare (EHR systems) | EU Health Data Space (EHDS) | EUCS Substantial minimum; High for sensitive patient data |
| Finance (core banking, payment data) | DORA (Digital Operational Resilience Act) | Contractual protections; EUCS Substantial recommended |
| Energy (grid management, SCADA) | NIS2 + CADA | EUCS High for critical infrastructure operators |
| Defence & security | National procurement rules + CADA | EUCS High mandatory for most use cases |
| Public administration (EU institutions) | EUCS + ENISA cloud guidance | EUCS Substantial minimum; High for classified data |
What Happens After May 27, 2026?
The May 27 parliamentary committee opinion does not trigger immediate enforcement. The CADA implementation timeline follows the standard EU legislative process:
- May 2026: EP Digital Infrastructure Committee opinion → formal EP position
- Q3 2026: Council of the EU position (COREPER)
- Q4 2026 – Q1 2027: Trilogue (Parliament + Council + Commission)
- 2027 (estimated): Final text published in Official Journal
- 2028–2029: Transposition period (member states implement into national law)
- 2029–2030: CADA fully enforceable across EU
Why act now if enforcement is 3–4 years away?
Three reasons:
First, procurement offices are already ahead of the legislation. BSI in Germany, ANSSI in France, and their equivalents in the Netherlands, Sweden, and Austria are updating procurement frameworks now. Public tenders issued in 2027 and 2028 will require EUCS Substantial or High based on guidelines being written today.
Second, migration timelines are long. Moving a multi-tenant SaaS backend from AWS to EU-native infrastructure takes 12–24 months when done properly (data migration, compliance testing, customer notification, DPA amendments, performance validation). Starting in 2028 when enforcement begins is too late.
Third, competitive positioning. SaaS companies that achieve EUCS-compatible architecture in 2026–2027 will be able to address public-sector RFPs that competitors on AWS/Azure/GCP cannot. This is a genuine differentiator, not a compliance checkbox.
Practical Action Items for SaaS Teams
Immediate (Now → Q3 2026)
- Audit your cloud stack: List every AWS/Azure/GCP service you use. Categorise by whether it processes customer data directly or indirectly.
- Run a CLOUD Act exposure assessment: For each service that processes customer data, document the data controller, the data processor (you), and the sub-processor (AWS/Azure/GCP). Mark every US-incorporated sub-processor as CLOUD Act exposed.
- Review your customer contracts: Do any customer contracts already include EUCS compliance obligations? If so, you may already be in breach of contract.
- Add EUCS to your roadmap: Define a target state (Substantial vs. High) based on the sensitivity of data you process and the sectors you serve.
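The four immediate steps above (inventory the stack, walk the controller → processor → sub-processor chain, mark US-incorporated entities as CLOUD Act exposed, pick a target EUCS level by sector and sensitivity) can be kept in a small assessment script rather than a spreadsheet. The following is an added example, not sota.io's own tooling: it walks each sub-processor's ownership chain up to the ultimate parent, so an EU subsidiary of a US corporation is flagged the way the post describes, maps the customer's sector to the minimum EUCS level listed in the vertical-requirements table, and reports whether the current chain can reach it (High is only attainable when no entity in the chain is US-incorporated). The ownership graph, entity names and sample inventory are constructed for illustration; the sector mapping follows the post's table, so adjust both to your own register.

```python
"""Sub-processor chain CLOUD Act exposure assessment (added example, not sota.io code).

Ownership links, jurisdictions and the sample inventory below are constructed
for illustration; replace them with the entities from your own DPA annexes.
"""
from dataclasses import dataclass

# Constructed ownership graph: entity -> (country of incorporation, parent or None).
ENTITIES = {
    "Example SaaS GmbH": ("DE", None),
    "AWS EMEA SARL": ("LU", "Amazon.com Inc."),
    "Amazon.com Inc.": ("US", None),
    "Microsoft Ireland Operations Ltd": ("IE", "Microsoft Corp."),
    "Microsoft Corp.": ("US", None),
    "Hetzner Online GmbH": ("DE", None),
    "OVH SAS": ("FR", None),
}

LEVEL_RANK = {"Basic": 0, "Substantial": 1, "High": 2}


def ownership_chain(entity):
    """Entity followed by its parents up to the ultimate owner.
    An entity missing from ENTITIES ends the walk; a cycle raises instead of looping."""
    chain, seen, current = [], set(), entity
    while current is not None:
        if current in seen:
            raise ValueError(f"ownership cycle at {current}")
        seen.add(current)
        chain.append(current)
        record = ENTITIES.get(current)
        current = record[1] if record else None
    return chain


def exposed_entities(entity):
    """US-incorporated entities anywhere in the chain: the parent's control extends
    CLOUD Act obligations to the subsidiary, so the subsidiary's own seat is irrelevant."""
    return [e for e in ownership_chain(entity) if ENTITIES.get(e, ("?", None))[0] == "US"]


def required_level(sector, sensitive=False):
    """Minimum EUCS level per the post's vertical table (constructed sector keys)."""
    if sector in ("energy", "defence"):
        return "High"
    if sector in ("healthcare", "public_administration"):
        return "High" if sensitive else "Substantial"
    if sector == "finance":
        return "Substantial"
    raise ValueError(f"unknown sector {sector!r}")


def attainable_level(entities):
    """Highest level the processing chain can hold: High only with zero US exposure."""
    return "Substantial" if any(exposed_entities(e) for e in entities) else "High"


@dataclass
class Flow:
    service: str        # the service/data flow being inventoried
    controller: str     # your customer
    processor: str      # you, the SaaS provider
    sub_processor: str  # the hosting provider entity named in your DPA
    sector: str
    sensitive: bool = False


def assess(flow):
    chain = [flow.processor, flow.sub_processor]
    exposed = {e: exposed_entities(e) for e in chain if exposed_entities(e)}
    required = required_level(flow.sector, flow.sensitive)
    attainable = attainable_level(chain)
    return {
        "service": flow.service,
        "controller": flow.controller,
        "required": required,
        "attainable": attainable,
        "exposed": exposed,
        "meets": LEVEL_RANK[attainable] >= LEVEL_RANK[required],
    }


def assess_inventory(flows):
    return [assess(f) for f in flows]


def report(results):
    """Plain-text gap report suitable for a DPIA annex."""
    lines = []
    for r in results:
        status = "OK " if r["meets"] else "GAP"
        lines.append(f"[{status}] {r['service']}: required EUCS {r['required']}, attainable {r['attainable']}")
        for entity, parents in r["exposed"].items():
            lines.append(f"      CLOUD Act exposed via {entity} -> {', '.join(parents)}")
    return "\n".join(lines)


# Constructed sample inventory: three data flows of one SaaS processor.
SAMPLE_INVENTORY = [
    Flow("patient-records-db", "Example Hospital", "Example SaaS GmbH", "AWS EMEA SARL", "healthcare", sensitive=True),
    Flow("billing-api", "Example Bank", "Example SaaS GmbH", "Microsoft Ireland Operations Ltd", "finance"),
    Flow("grid-telemetry", "Example Grid Operator", "Example SaaS GmbH", "Hetzner Online GmbH", "energy"),
]

if __name__ == "__main__":
    print(report(assess_inventory(SAMPLE_INVENTORY)))
```

Run as-is and the healthcare flow is reported as a gap (High required, only Substantial attainable through the Luxembourg subsidiary of a US parent), while the finance flow passes at Substantial and the energy flow passes at High. Feeding the same inventory back in after a migration, with the sub-processor swapped for an EU-owned entity, turns the gap into a pass without changing the rules.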
Medium-Term (Q4 2026 → Q2 2027)
- Select an EU-native cloud provider: Evaluate OVHcloud, Hetzner, Scaleway, IONOS, or Exoscale based on your technical requirements. If you need managed Kubernetes, OVHcloud Managed Kubernetes and Scaleway Kapsule are EUCS-eligible.
- Migrate incrementally: Start with non-critical workloads to build operational experience, then migrate customer-data workloads.
- Update DPAs: Amend your Data Processing Agreements with customers to reflect your EU-native infrastructure.
- Prepare for EUCS certification audit: Engage an EUCS-accredited conformity assessment body (Notified Body) to begin the audit process.
Ongoing
- Monitor the CADA secondary legislation: Track the EP committee position post-May 27 and the Council's response. Sign up for ENISA and BSI notifications.
- Update your security documentation: EUCS certification requires documented security controls (ISO 27001 baseline plus cloud-specific controls). Start this documentation work now.
EU-Native Cloud Alternatives: Technical Comparison
For SaaS companies evaluating the migration, here are the most capable EU-native managed cloud platforms:
OVHcloud (OVH SAS, Roubaix, France)
- CLOUD Act score: 1/25
- EUCS eligibility: High (in certification process)
- Key services: Public Cloud (OpenStack), Managed Kubernetes (Kapsule), Managed Databases (PostgreSQL, MySQL, Redis), Object Storage (S3-compatible), CDN
- Regions: FR-GRA (Gravelines), FR-SBG (Strasbourg), DE-HEL (Helsinki), PL-WAW (Warsaw), UK-LON (London)
- Pricing: ~25–35% cheaper than AWS eu-west-1 for equivalent compute
Hetzner Online GmbH (Nuremberg, Germany)
- CLOUD Act score: 0/25 — cleanest in this comparison
- EUCS eligibility: High (German GmbH, no US parent, no US investor)
- Key services: Cloud Servers (CX/CPX/CCX lines), Load Balancers, Managed Databases, Object Storage (S3-compatible), Private Networking
- Regions: DE-FSN (Falkenstein), DE-NBG (Nuremberg), FI-HEL (Helsinki), DE-HEL (Helsinki)
- Pricing: Lowest of any managed cloud in this comparison — CX22 (2 vCPU, 4GB RAM) at €3.79/month
Scaleway SAS (Paris, France — Iliad Group)
- CLOUD Act score: 1/25
- EUCS eligibility: High (French SAS, Iliad Group parent, no US ownership)
- Key services: Kubernetes Kapsule, Managed Databases (PostgreSQL, MySQL, Redis), Serverless Functions and Containers, Object Storage, Secret Manager
- Regions: FR-PAR (Paris), NL-AMS (Amsterdam)
- Pricing: Mid-range, competitive with Hetzner for managed services
IONOS SE (Montabaur, Germany — United Internet Group)
- CLOUD Act score: 0/25
- EUCS eligibility: High (German SE, DAX-listed parent United Internet AG, no US ownership chain)
- Key services: Cloud Servers, Managed Kubernetes, Object Storage, CDN
- Regions: DE-FRA (Frankfurt), DE-TXL (Berlin), GB-LHR, ES-VIT, US-LAS (US available but EU-incorporated controller)
- Pricing: Competitive; enterprise support tier available for public-sector requirements
Exoscale (A1 Digital International GmbH, Vienna, Austria)
- CLOUD Act score: 2/25
- EUCS eligibility: High (Austrian GmbH, A1 Telekom Austria Group, no US parent)
- Key services: Compute, Managed Kubernetes (SKS), Database-as-a-Service (DBaaS), Object Storage
- Regions: AT-VIE (Vienna), CH-GVA (Geneva), CH-ZRH (Zurich), DE-FRA (Frankfurt), BG-SOF (Sofia)
- Notable: Swiss regions for Swiss data residency requirements
Self-Hosted Architectures: The Zero CLOUD Act Option
For teams with strong DevOps capability, a self-hosted architecture on dedicated servers at Hetzner or OVHcloud delivers a CLOUD Act score of 0/25 — equivalent to running your own data centre but at commodity pricing.
A typical three-tier production architecture on Hetzner:
- Control plane: AX161 Dedicated (AMD EPYC 7763, 128 GB ECC, 2× 1.92 TB NVMe) → €148/mo; k3s control plane + etcd cluster (3 nodes for HA)
- Worker nodes: CCX53 Cloud (32 vCPU, 128 GB RAM) → €148.48/mo each; CCX23 Cloud (8 vCPU, 32 GB RAM) → €43.19/mo each
- Storage: Volume Storage (100 GB) → €4.76/mo; Object Storage (1 TB) → €5.99/mo
- Total for a typical multi-tenant SaaS (3 workers + HA control): ~€400–600/mo for a stack that AWS would charge €1,200–1,800/mo
The tradeoff: you own the operational burden. Managed services (RDS, S3, EKS) simplify operations — their EU-native equivalents (Hetzner Databases, Object Storage, k3s) require your team's expertise.
How sota.io Addresses CADA Requirements
sota.io is a European PaaS (Platform-as-a-Service) designed specifically for the EUCS-compliance use case. It runs on EU-native infrastructure (Hetzner and OVHcloud) and is operated by a German entity, placing it structurally outside CLOUD Act jurisdiction.
For SaaS companies that want EU-native deployment without the self-hosted operational burden, sota.io provides:
- Zero CLOUD Act exposure: No US parent, no US-incorporated entity in the data processing chain
- EUCS High path: Infrastructure aligned with EUCS High certification requirements
- GDPR-native architecture: Data processing entirely within EU jurisdiction
- Simple deployment: Git-push to deploy on EU infrastructure, no AWS/GCP account required
- Transparent pricing: From €29/mo, compared to €500+/mo for equivalent AWS eu-west-1 setup
If you are evaluating cloud providers for your CADA compliance roadmap, start a free trial at sota.io →
Summary: CADA Compliance Roadmap for SaaS Teams
| Timeline | Action |
|---|---|
| Now | Audit CLOUD Act exposure across your sub-processor chain |
| Q2–Q3 2026 | Select EU-native cloud provider(s) for migration target |
| Q3–Q4 2026 | Begin incremental migration, starting with non-PII workloads |
| Q1–Q2 2027 | Migrate customer-data workloads to EU-native infrastructure |
| Q3 2027 | Update DPAs and customer contracts to reflect EU-native stack |
| 2028 | Engage EUCS Notified Body for certification audit |
| 2029–2030 | CADA fully enforceable — you are already compliant |
The companies that will struggle with CADA are those that treat it as a 2029 problem. The companies that will benefit from it are those that complete their EU-native migration in 2026–2027 and start winning public-sector tenders that their AWS-hosted competitors cannot address.
May 27, 2026 is a signal. The direction of EU cloud policy has been consistent for three years: CLOUD Act exposure is an unacceptable risk for EU public-sector data processing. CADA codifies what forward-thinking procurement offices have already been enforcing.
This post is part of the sota.io EU Cloud Compliance Series. Related reading: EU Tech Sovereignty Package and GovTech/FinTech/HealthIT Impact · CADA Developer Checklist: EU Cloud Hosting Stack for 2026 · EU Cloud Sovereignty Certification: EUCS Levels Explained
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.