EU Procurement Rule Puts US Cloud at Risk
New EU draft regulation targets US and Chinese firms equally.
Model Diplomat9 min readEurope

EU procurement rule puts US cloud on same risk list as China
The Commission's September draft lets EU buyers exclude foreign firms by ownership, financing, or exposure to US and Chinese data laws — a €2 trillion market shift.
The European Commission's draft procurement regulation, obtained by Euronews and set for release in September, quietly ends a decade-old assumption in EU public buying: that American vendors are the "safe" default. By letting contracting authorities exclude bidders whose "ownership, control, or financing structure" or "exposure to third-country legislation" creates disclosure risk, Brussels puts the US CLOUD Act and China's 2017 National Intelligence Law on the same disqualification list. The biggest exposure sits with US hyperscalers and analytics providers embedded in EU health, energy and intelligence systems — not with the Chinese firms already fenced out by earlier instruments.
What the draft actually does
The text tightens Directives 2014/24 and 2014/25 — the legal frame governing the roughly €2 trillion in annual EU public procurement flagged by the German Marshall Fund, or about 14% of EU GDP. Public buyers must take "appropriate measures … from planning and market consultation to contract award and execution, to ensure the protection of the security and public safety interests of the Union," per the draft language quoted by
Euronews.
Two clauses do the work.
The first targets ownership and financing: authorities can screen out a bidder whose corporate structure "bears risks of undue interference or influence." That echoes the Foreign Subsidies Regulation but shifts the trigger from subsidy to control — a much lower evidentiary bar than the "unduly advantageous tender" test the Commission spelt out in its January 2026 FSR Guidelines.
The second targets legal exposure: a bidder can be excluded if third-country statutes "may compel disclosure of sensitive information or interference with contract performance." The text does not name the US CLOUD Act or China's National Intelligence Law, but nothing else it describes exists. This is the extraterritoriality clause, and it is new.
Scope covers energy, water, transport, postal services, and oil and gas extraction — the utilities sectors listed in the Critical Entities Resilience Directive. A voluntary "Made in Europe" preference sits alongside, but the disqualification tools are the load-bearing element. The draft also invokes protection of "critical infrastructure, critical supply chains, critical technologies or essential services … including due to harmful strategic dependencies on third-country suppliers," per the Euronews reporting on the draft.
Why the CLOUD Act now sits alongside China
Read the text literally. "Exposure to third-country legislation that may compel disclosure" fits US law more cleanly than Chinese law, because US law reaches more European systems today.
The US Clarifying Lawful Overseas Use of Data Act of 2018 lets American authorities compel data held by US-headquartered providers regardless of where the servers sit. That reaches Microsoft Azure, Amazon Web Services, Google Cloud, Palantir Foundry, and Oracle. In April 2026 the French government terminated its Microsoft contract for the country's Health Data Hub; in June it replaced Palantir with the French firm ChapsVision at the domestic intelligence service (DGSI) — the operational examples that Euronews cites. Palantir has publicly framed the reshuffling as part of a "transition towards French autonomy" in a December 2025 company announcement that quietly acknowledged the French client is downsizing the American footprint even as it renewed a narrower contract.
The UK is now running the same play a year behind. Palantir's £330 million NHS Federated Data Platform contract, publicly documented on the UK Contracts Finder, is openly under review, with officials weighing a 2027 break clause according to
Al Jazeera. What began in 2019 as a Chinese-vendor debate around Huawei has generalised into a jurisdictional-risk debate around any bidder answerable to a non-EU legal system. The BBC has reported that Labour MPs are demanding scrutiny of Palantir's data handling in the NHS —
the same governance concern that drove France to swap it out.
For Chinese firms, the fence is already up. Under the International Procurement Instrument, the Commission excluded Chinese bidders from EU medical-device tenders above €5 million on 19 June 2025 — the first live use of Regulation 2022/1031, capping Chinese-origin content at 50% in relevant contracts. Add the Foreign Subsidies Regulation, whose January 2026 Guidelines codified the tender-distortion test, and Chinese state-linked bidders in strategic sectors already face two filters before the September draft even bites.
The new instrument adds the third — and it is the one that catches American firms.
Data cards: the September draft in one page, and how Brussels built the toolkit, appear above.
The legal architecture Brussels is quietly rebuilding
The draft does not stand alone. It slots onto a legal spine the Court of Justice quietly finished in 2024. In Kolin (C-652/22), the Grand Chamber ruled on 22 October 2024 that bidders from countries lacking an equal-access agreement with the EU have no right to "no less favourable" treatment under Directive 2014/25, and that market access falls within exclusive EU commercial-policy competence. Case C-266/22, CRRC Qingdao, extended the logic to Chinese rail-stock manufacturers in March 2025.
The Commission's own post-Kolin briefing note to national contracting authorities, published in May 2025, told buyers that "in the absence of acts adopted by the Union, it is for each contracting authority / entity to decide whether economic operators of a non-covered country should be admitted or not to a public procurement procedure." That created a discretion the Member States were nervous to exercise unilaterally. The September draft is the Union act that removes the ambiguity.
The European Parliament's own 9 September 2025 resolution on public procurement reads the two judgments as authorising legislators, "in the absence of such agreements, [to] limit or exclude these bidders" and calls for "decisive action" via existing trade-defence instruments plus new legislation on strategic sectors. Brussels has now delivered the statute Parliament requested.
The Commission also just closed its statutory review of the Foreign Subsidies Regulation. The Article 52(2) FSR review consultation, ahead of the 14 July 2026 reporting deadline, drew 54 responses; 31 of them found the notification scope in public procurement "not clear and predictable." Industry itself asked the Commission to legislate rather than leave the exclusion question to case-by-case discretion. The September draft answers that request too — with a wider remit and a lower burden of proof.
Who wins, who loses
European sovereign-cloud and defence-tech champions are the mechanical winners. OVHcloud, Deutsche Telekom's T-Systems, Orange's Bleu joint venture, and Atos-owned Eviden gain a procurement-law argument they previously had to make on politics alone. ChapsVision, Dassault Systèmes, and Airbus subsidiary Stormshield sit in the same beneficiary column for analytics and cyber. Airbus's cloud partnership with Thales and Orange, S3NS, is priced entirely around jurisdictional immunity from US demands — the exact quality the new draft rewards.
Germany sits with an internal contradiction. Berlin has, according to the Atlantic Council, "weakened parts of the Industrial Accelerator Act during negotiations, and removed 'Buy European' provisions from its own EV subsidy programs after lobbying pressure from German carmakers." At the same time SAP has invested heavily in a Frankfurt-based sovereign-cloud tier explicitly designed to pass the new test. Whether SAP's "delivered from the EU" architecture qualifies will depend on Commission guidance yet to be drafted.
Losers cluster by legal jurisdiction, not by product quality. US hyperscalers face the most exposure: the CLOUD Act's extraterritorial reach is precisely the "exposure to third-country legislation" the draft names. Palantir has already been substituted at the DGSI. Microsoft lost the French health-data mandate. AWS's contracts with EU energy utilities and national rail systems face the same test on next renewal. The Trump administration has, per the German Marshall Fund, lobbied against "Buy Europe" defence procurement — a sign that Washington understands the direction of travel.
Chinese firms — Huawei, ZTE, CRRC, Nuctech, DJI, Wingtech-owned Nexperia — were already largely excluded via national security orders and IPI. The marginal impact on them is small; the marginal impact on US firms is large.
Data card: exposure map by bidder category appears above.
The supply-chain second-order effect
The draft is written in security language, but its economics point at the Industrial Accelerator Act (IAA) unveiled on 4 March 2026. That package, described in a European Commission proposal, sets minimum EU-content shares in public procurement — 25% low-carbon steel and aluminium, 5% EU-origin concrete, and 70% EU value for procured EVs from 2029.
Chatham House called the IAA a "wider change of EU doctrine" and noted that earlier drafts had extended European preference to artificial intelligence and advanced semiconductors before those sectors were dropped from the final text.
The September procurement draft supplies the missing enforcement channel. IAA content thresholds work only if buyers can lawfully weight or exclude non-EU tenders; Kolin gave the constitutional basis, IPI gave the trade-defence template, and the new draft gives the general operating tool for critical utilities sectors. Bruegel's assessment of the reform, published in early 2025, warned that mainstreaming non-price criteria could "lead to increased costs for the public, stimulate inflation, and lock cheaper green goods from abroad out of the market" — a trade-off the Commission has evidently now accepted.
The China exposure runs the other way. Beijing's April 2025 rare-earth export controls — cutting off gallium, germanium, and heavy rare-earth flows to Europe — and its restrictions via Nexperia on chips for the EU auto industry are the "weaponisation of dependencies" the draft cites. According to MERICS, China's Ministry of Commerce has sent written objections to the Commission calling the IAA "a serious investment barrier" and demanding that the revised Cybersecurity Act's definition of "high-risk suppliers" be changed or dropped. Commerce Minister Wang Wentao is planning a lobbying visit. The September procurement instrument extends the surface Beijing will contest.
The Centre for European Reform notes that Chinese FDI into Europe is now rising again, particularly in automotive and batteries, and warns that the EU's improved FDI screening framework due in summer 2026 leaves "important gaps" around greenfield investment. The September draft partly fills that gap: even a Chinese-controlled EU-registered greenfield operator can now be screened out of public tenders on ownership grounds.
Diplomat View
The September draft is not a Buy-European law disguised as security; it is a security law that produces a Buy-European result. The load-bearing shift is jurisdictional: for the first time, EU procurement rules place US firms and Chinese firms in the same analytic category — vendors whose home-state law can reach into an EU contract. That category, once codified, is very hard to un-codify.
Expect the Commission to publish substantially the leaked text in September, expect Germany and the Nordics to try to narrow "critical sectors," and expect France — where industry commissioner Stéphane Séjourné has spearheaded the Buy-European push, according to the Financial Times — to try to widen them.
The forecast that would revise this call: if the September publication drops the "exposure to third-country legislation" clause under US pressure, then the instrument becomes an anti-China tool with cosmetic security language about Washington. That outcome is possible but, given the Kolin ruling's constitutional weight and Paris's control of the industrial commissioner's pen, not the base case.
What to watch:
- September 2026: Commission publication of the procurement regulation. Watch whether the "third-country legislation" clause survives intact or is narrowed to "systemic rivals."
- 14 July 2026: Statutory FSR review report to Parliament and Council — the political anchor for the September package.
- October 2026: von der Leyen's China trade deadline. If Beijing misses, expect the September draft to be presented in a hardened form.
- Q4 2026 / Q1 2027: UK NHS Federated Data Platform break-clause decision on Palantir. A UK exit would validate the French template and pressure other Member States to move.
- 2029: IAA implementing acts on EU-content thresholds bite; the September regulation supplies the exclusion machinery those thresholds require.
The Bottom Line
Brussels has stopped writing procurement law as a market-opening exercise and started writing it as a jurisdictional firewall. The September draft's real innovation is treating US extraterritorial statutes as a disqualifying risk, which finally forces European public buyers to price the CLOUD Act into every renewal. If the text ships as drafted, the winners are not Chinese vendors — they were already excluded — but European sovereign-cloud and analytics firms that spent a decade waiting for a legal reason to displace American incumbents.
Discover more

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.

US Politics
House Ethics Committee Pushes Sexual Miscond.
The House Ethics Committee has shifted responsibility for sexual harassment settlement records to the Office of Congressional Workplace Rights, complicating disclosure efforts.

India
700 Activists Accuse PM Modi of MCC Breach
Over 700 activists allege PM Modi breached election code with a televised address attacking opposition parties just before state elections.

Tech Policy
U.S. Grants UAE License-Free AI Chip Access
U.S. Commerce reclassifies UAE to Country Group A:5, granting license-free AI chip access to G42 and American tech giants, rewarding Emirati China divestment and Operation Epic Fury sacrifices.