Europe's €300 Billion Cloud and AI Bet
CADA aims to shield Europe from US tech controls.
Model Diplomat8 min readEurope

The Kill Switch, the Long Arm, and Europe's €300 Billion Bet
Europe's Cloud and AI Development Act tries to insulate the bloc from US export controls, CLOUD Act data demands, and AI kill switches. It cannot — and Brussels knows it.
The US Department of Commerce sent a letter on June 12, 2026, ordering Anthropic to shut off its two most capable AI models — Claude Fable 5 and Mythos 5 — to every foreign national on the planet, including allied users who had negotiated access days earlier. Anthropic pulled the plug entirely, unable to verify citizenship at the API layer. Eighteen days later, on June 30, Commerce reversed itself. But the political conclusion in Brussels was already fixed: the "kill switch" is not a theoretical Snowden-era fear — it is an operational instrument Washington is willing to use on allies, in daylight, without warning. That conclusion is the load-bearing beam under the European Commission's Cloud and AI Development Act (CADA) — and the reason the law's most honest critics, including its intellectual midwives, concede it will not do what its authors promise.
The thesis of this story is simple. CADA is not a competition policy dressed up as a security policy; it is a security policy that cannot buy the security it advertises. So long as European workloads run on American chips, models, updates, and cloud control planes, ownership rules on the wrapper do not cut the wire. The real fight over the next twenty-four months will not be in Brussels — it will be in Washington, over whether the United States is willing to write down its own extraterritorial powers.

What CADA actually does — and what it doesn't
Presented on June 3, 2026 by Executive Vice-President Henna Virkkunen, CADA is the operational half of a broader Tech Sovereignty Package that also includes a Chips Act 2.0 and an Open Source Strategy. Its core mechanism — set out in Article 16 of the proposal — is a four-tier "Union assurance" framework. The European Commission's digital strategy page describes the tiers from Level 1 (EU-located infrastructure) up to Level 4 (full supply-chain transparency and "no interference from a third country"). Member states must run sovereignty risk assessments, then match sensitive workloads to the appropriate tier.
The primary text is unusually candid about the reason. In the CADA explanatory memorandum, the Commission writes that three non-EU hyperscalers control "over 70% of the European cloud market" and that this dependence exposes European users to "risks related to operational discontinuity, particularly in scenarios where unilateral decisions by third-country actors could disrupt service provision." That is EU-speak for a kill switch. It is the first time the Commission has anchored a cloud regulation on the risk that Washington itself is the threat.
The Belfer Center's policy brief on the package lays out the qualifying architecture bluntly: US hyperscalers pass Level 1; they can reach Level 2 only through majority-EU joint ventures such as Microsoft-Bleu with Capgemini and Orange, or Google's S3NS with Thales; Level 3 requires an adequacy decision from the Commission; Level 4 — reserved for defence, national security, and critical infrastructure and covering an estimated 1% of public-sector data — is closed to them entirely.
That is the ceiling of CADA's ambition, and it is smaller than the headlines. The Centre for European Reform notes that CADA is framed explicitly as risk management, not industrial policy: there is no "Buy European" mandate, at Germany's insistence and over France's objection. Enforcement is delegated to member states, meaning hyperscalers can shop for the most permissive capitals. And, crucially, the sovereignty rules cover only public-sector procurement — leaving the rest of the European economy exposed to precisely the dependencies the law diagnoses.
Why the law cannot deliver what it advertises
The most important critique of CADA is not that it goes too far. It is that, on its own logic, it does not go nearly far enough. The Lawfare essay by Pablo Chavez that anchors this week's debate makes the technical point with precision: the kill switch "follows American inputs," while the long arm "follows the data." A European-owned cloud that runs on Nvidia GPUs, Intel firmware, VMware hypervisors, and OpenAI or Anthropic model weights is still one presidential executive order or one Bureau of Industry and Security letter away from degradation.
The receipts are all from 2025 and 2026. On February 6, 2025, President Trump signed Executive Order 14203, sanctioning ICC prosecutor Karim Khan under the International Emergency Economic Powers Act. Microsoft cut his court email; the Associated Press later reported that six ICC judges and the chief prosecutor had lost credit-card, cloud, and even Amazon Alexa services under the same order, according to
Al Jazeera. That is the long arm and the switch demonstrated inside an intergovernmental institution physically located in the EU. A European Parliament question tabled by MEP Alex Agius Saliba in May 2025 asked the Commission bluntly what legal tools existed to "force Microsoft to resume their services" — a question the
Parliament's own record shows has not been convincingly answered.
The Anthropic case sharpened the panic. According to PIIE's analysis, Commerce used an "is informed" letter under the Export Control Reform Act to impose a worldwide licence requirement without any published regulation.
CSIS notes it was the first time such an interim control was used to pull a working AI service off the market. The
BBC's coverage of the lift on July 1, 2026, quotes Commerce Secretary Howard Lutnick's letter approving restoration only after Anthropic committed to "proactively detect and address security risks" — an implicit acknowledgment that Washington can and will meter frontier model access at will.
The Trump administration's brief suspension of Ukraine intelligence sharing in March 2025 completed the picture. As the Atlantic Council's digital sovereignty report documents, it was after that episode that Microsoft President Brad Smith issued his April 30, 2025 pledge that if "ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure." Read carefully, that is not a guarantee — it is a promise to litigate a compliance order, in US courts, under US law.
The awkward math: dependency by the numbers
The dependency figures in the Commission's own file are damning. The CADA proposal states that EU providers' market share fell from 29% in 2017 to 15% in 2022 and "has remained stagnant since." A December 2025 European Parliament study on
European Software and Cyber Dependencies puts SAP's share of the EU cloud market at around 2%. The
IISS 2025 defence dossier estimates AWS holds 31%, Microsoft 23%, and Google 11% of European hyperscale — with all European providers combined at roughly 13%.
CADA promises to triple EU data-centre capacity by 2035, from about 12 gigawatts today toward 32–60 GW, with €300 billion of expected investment by 2036, according to the Belfer brief. Set against that ambition, note the tension: US hyperscalers have already announced European data-centre commitments running into the hundreds of billions of dollars. Without a Buy European mandate — and without one on the horizon — CADA's "acceleration zones" risk subsidising the very incumbents the law is designed to hedge against.
Meanwhile, the parts of the stack that matter most for the switch — advanced chips, foundation models, hypervisor software — are barely addressed. The Chips Act 2.0 attached to the package does not fund a European frontier fab. Mistral remains, as Al Jazeera's
reporting on the Anthropic fallout put it, "the EU's only major homegrown frontier-model competitor" — and its models trail Anthropic's and OpenAI's on the benchmarks that regulators actually care about.
The unspoken second-order effect: this is a lever, not a shield
Read the file the way a competition lawyer reads it, and CADA looks less like a wall and more like a lever. The four-tier structure gives the Commission a graduated instrument to reward or punish specific US providers — and, by implication, a bargaining chip in transatlantic negotiations that will run through 2027 and 2028. Level 3 adequacy decisions can be granted, withheld, or conditioned. Member-state risk assessments can be tightened or relaxed. The EPRS briefing explicitly cites the Court of Justice's 2022 ruling on "EU added value" criteria in public procurement as a legal foothold the Commission can extend.
Who benefits? The immediate winners are the majority-EU joint ventures already positioned at Level 2: Bleu (Microsoft–Capgemini–Orange), S3NS (Google–Thales), and Delos (Microsoft–SAP-adjacent stack in Germany). They will inherit the sovereign-cloud contracts that CADA effectively hard-codes. OVHcloud, Deutsche Telekom, and SAP win at Level 3 and above — but the volume there is small. The clearest loser is the pure US hyperscaler business model: not banished, but structurally capped in the growing segment of "sovereign" workloads and forced into revenue-share partnerships to stay in the room.
The historical parallel that reframes this is not Huawei but the 1980s Toshiba–Kongsberg episode, when Washington's extraterritorial enforcement of Cold War export controls pushed Japan and Europe to accelerate their own defence-industrial autonomy. Weaponised interdependence is a self-limiting instrument. Use it on allies once, and they discount the cost of building around you.
Diplomat View
CADA will pass — probably in amended form by mid-2027, given that the ordinary legislative procedure on COM(2026) 502 is already underway on the Council and Parliament tracks. It will meaningfully shift a slice of European public-sector spending toward EU-majority joint ventures and, at the top tier, toward genuine European providers. It will not neutralise the kill switch or the long arm, because it cannot: Europe does not control the chips, the foundation models, or the software supply chain, and the US CLOUD Act and IEEPA reach any American provider anywhere. The realistic ceiling for CADA is a 10–15 percentage-point recovery in European cloud share over a decade, concentrated in regulated sectors, at a cost measured in tens of billions of euros of foregone efficiency. The forecast changes if Washington offers a durable executive-branch commitment, codified in a successor to the EU–US Data Privacy Framework and paired with a carve-out on export controls for treaty allies, that binds future administrations. Absent that, expect rolling, low-grade transatlantic tech decoupling in which the biggest quiet winner is neither Brussels nor Silicon Valley but Beijing — which no longer has to argue that dependence on the American stack is a liability. Europe just made the argument for it.
What to watch next
- September–December 2026: Council working-party negotiations on CADA. Watch whether France's push for an explicit "European preference" clause is revived and whether Germany holds the line against it.
- Q1 2027: European Court of Justice ruling on Philippe Latombe's appeal of the EU–US Data Privacy Framework. A strike-down would collapse the legal basis for most transatlantic data transfers and force CADA-style sovereign clouds into commercial workloads, not just public ones.
- Ongoing: BIS's next "is informed" letter. The Anthropic precedent is now on the shelf; the next model pulled — or the next allied country cut off — is the falsifying event that decides whether CADA becomes the ceiling of Europe's response or merely the floor.
Discover more

India
Congress Accuses Modi of Stalling Women's Law
Congress accuses Modi of stalling women's reservation law by linking it to delimitation, revealing a deeper electoral strategy.

US Politics
US Launches $166B Tariff Refund Portal
The US is launching a $166 billion tariff refund portal to aid importers hit by Trump-era tariffs, with major implications for trade and supply costs.

India
Women’s Reservation Bill 2026
The Constitution (131st Amendment) Bill, 2026 was defeated in Lok Sabha, revealing deeper political conflicts over women's reservation and delimitation.

Global
US Reinstates Iran Blockade, Splits Hormuz
US reinstates naval blockade of Iran on July 14, ending 26-day ceasefire. Strait of Hormuz splits into competing toll lanes as traffic collapses to 23 ships daily. 60-day war-powers clock ticks toward Congress.