Europe's Sovereignty Trap in Tech Policy
Brussels' CADA faces challenges from U.S. tech dominance.
Model Diplomat8 min readEurope

The Kill Switch and the Long Arm: Europe's Sovereignty Trap
Brussels' Cloud and AI Development Act ties EU procurement to a four-level sovereignty test — but the Anthropic shutdown shows why ownership rules alone cannot neutralise Washington's reach.
Sixteen days after the European Commission tabled the Cloud and AI Development Act on June 3, 2026, the U.S. Commerce Department ordered Anthropic to shut off foreign-national access to its two most capable models — proving, in real time, the exact vulnerability Brussels claims to be legislating away. Yet the story of that sequence, laid out in the July 8 Lawfare essay by Pablo Chavez, is not that Europe was vindicated. It is that Europe has misdiagnosed the disease. The kill switch and the long arm belong to the U.S. government, not to any American provider — and no amount of European ownership, location, or audit can shift where those powers actually live. That gap between the political promise of tech sovereignty and the legal physics of a globally integrated stack is the story of the year in tech policy.
What CADA actually does
The Commission's proposal, formally COM(2026) 502, does three things at once. It funds data-centre build-out, mandates open-source procurement inside EU institutions, and — the piece that matters — creates a "Union cloud computing sovereignty framework" with four assurance levels. Level 1 requires only EU location. Level 4 requires "full supply chain control that's free of third-country interference," in the Commission's own phrasing on its
Cloud and AI Development Act policy page.
Article 30 of the draft regulation obliges every EU contracting authority to buy at minimum Level 1, and to procure only Levels 2, 3, or 4 for activities their national risk assessment flags as having "public order relevance." That is not a nudge. It is a legal on-ramp to walking American hyperscalers out of the most sensitive slices of European public-sector IT.
Executive Vice-President Henna Virkkunen framed the package around a single line: "nobody has a kill switch" over Europe's critical systems. In her June 3 press conference she singled out the U.S. CLOUD Act as the reason American cloud and AI providers would struggle to reach the top assurance level, per Chavez's reporting in Lawfare.
The numbers explain the panic. The Commission's own explanatory memorandum concedes that "three non-EU hyperscalers control over 70% of the European cloud market" — a share Synergy Research Group and the Financial Times put at roughly 70% for AWS, Microsoft, and Google combined, against 15% for European providers. The
BBC has run the same figure with the blunt headline "Should Europe wean itself off US tech?"
Two powers, one confusion
Chavez's contribution — and it is a genuine one — is to insist that Virkkunen has fused two different U.S. instruments that behave differently and require different responses.
The kill switch operates through export controls (the Export Control Reform Act) and sanctions (the International Emergency Economic Powers Act). When Treasury designates a person or Commerce lists an end-user, a U.S. provider must cut them off. It disables the system. The long arm operates through the CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act. It reaches through the provider to pull data out. It reads the system.
Ownership rules — the core of CADA — mostly bite the long arm. Move the corporate entity outside U.S. jurisdiction and you complicate U.S. legal process for the data it holds. But they do very little against the kill switch, because the switch follows American inputs: chips, foundational models, hypervisor updates, security patches, GPU firmware. A European-owned cloud running on Nvidia H100s and licensed OpenAI weights is still sitting on American plumbing that Washington can turn off.
The June episode made this vivid. On June 13, 2026, Anthropic told users it had received an export-control directive from the Commerce Department to "suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees," according to Al Jazeera. Rather than police nationality, Anthropic pulled both models globally. The
BBC reported the trigger was a suspected China-linked jailbreak; the European Commission's spokesman, Thomas Regnier, said the order "further underlined Europe's need for technological sovereignty." On July 1, Commerce reversed itself and Anthropic began restoring access, per
BBC coverage of the U-turn.
Chatham House's Isabella Wilkinson called the reversal a demonstration that "the world's most powerful AI governance mechanisms are opaque, ad hoc and highly politicised," in a July 1 analysis. The kill switch was flipped on for eighteen days and off again. No CADA level would have prevented it: the models were American, the export authority is American, and the fix required a decision by American officials.
The long arm is older, and unresolved
The long arm has a longer paper trail. In Case C-311/18 — Schrems II — the Court of Justice of the EU struck down the EU-U.S. Privacy Shield in July 2020 on the ground that U.S. surveillance under FISA Section 702 and Executive Order 12333 offered no "essentially equivalent" protection to EU fundamental rights. The successor Data Privacy Framework is again under legal challenge, and the
European Parliament research service has flagged that structural fragility from the outset.
The ICC episode showed what the long arm looks like when it converges with the switch. After Washington sanctioned Prosecutor Karim Khan over the Netanyahu warrants, reports surfaced that Microsoft warned the court to disconnect Khan or lose service entirely; Microsoft first told the U.K. Parliament the ICC had chosen the cutoff, then corrected the record. One U.S. designation, filtered through one American provider, put the court's own email at risk.
Why Brussels legislated anyway
Understand the politics and CADA looks less like a technical fix than a signalling device. Under Trump, transatlantic tech dependence became a live coercion channel: the Financial Times reported that Finland has war-gamed a U.S. "kill switch" scenario and France banned civil servants from using Zoom and Teams in favour of an internally built alternative. Virkkunen herself told the FT that reliance on foreign technology "can be weaponised against us."
The Cross-Border Data Forum's legal analysis — republishing Chavez's Lawfare piece for European audiences — notes that CADA's ownership requirements are one of the few tools Brussels can deploy without American cooperation. Everything else (a stable adequacy decision, a CLOUD Act carve-out, guarantees on export-control reversibility) requires Washington to volunteer restraint.
That is not obviously coming. The Trump administration has publicly labelled EU digital rules as "extortion" against U.S. companies, per CSIS, and folded them into ongoing tariff talks. The Foreign Affairs semiconductor analysis argues that Europe's parallel push — updating the
Chips Act toward "Chips Act 2.0" — will likewise fall well short of its 20% global-manufacturing target by 2030.
What CADA cannot solve
The Bloomsbury Intelligence and Security Institute's assessment of CADA is polite about its limits. The blunter reading is Chavez's: the switch follows American inputs and the long arm follows the data. A European-owned Level 3 stack running Nvidia GPUs and licensed frontier models is still one Commerce Department listing away from degradation. A Level 4 stack that manages to eliminate American software and hardware — a plausible objective for perhaps a narrow band of defence workloads — will be extraordinarily expensive and probably technologically inferior for years.
Forrester's Dario Maisto told the FT that hyperscaler investment in Europe "makes the IPCEI-CIS investment look like peanuts," referring to the €1.2bn state-aid programme meant to seed a sovereign cloud stack. IDC's 2025 worldwide digital sovereignty survey found only 4% of European organisations plan to abandon global vendors for local ones. Demand, in other words, does not yet match doctrine.
The angle worth naming clearly: CADA's real winner may be neither Europe nor its incumbents but the middle layer of French, German, and Nordic sovereign-cloud vendors — OVHcloud, Deutsche Telekom's T-Systems, Scaleway, Exoscale — that gain a state-backed procurement pipeline they could never have won on price or capability alone. The losers are more numerous and quieter: European scientific institutions that will end up on slower European models; SMEs that will pay the compliance overhead without qualifying for the top procurement lanes; and, perhaps most consequentially, the EU's own AI competitiveness agenda, which the Economist has already framed as a productivity trade-off.
Forward look
Three catalysts will decide whether CADA becomes law that bites or a symbolic settlement.
- September–December 2026: Ordinary legislative procedure begins in the European Parliament and Council. Watch the ITRE committee for amendments that either soften Level 4 (to keep hyperscaler partnerships viable) or harden it (to force cleaner separation from U.S. supply chains). The dossier is tagged
2026/138 COD on EUR-Lex.
- First half of 2027: Member-state sovereignty risk assessments under Article 29 begin. The scope member states assign to "public order relevance" will determine whether CADA touches 5% or 30% of public IT spend.
- Ongoing: The next Schrems challenge to the EU-U.S. Data Privacy Framework. A CJEU ruling striking it down would collapse the legal fiction on which most transatlantic data transfers still rest, and force CADA's ownership route from optional to necessary.
Diplomat View
CADA is best read not as a shield but as a bargaining chip. Brussels knows ownership rules cannot fully neutralise the kill switch or the long arm; the point is to raise the price Washington pays for using them casually. Our call: the top assurance level will survive the legislative process largely intact, but Member State risk assessments will be written narrowly enough that fewer than 15% of public-sector workloads end up requiring Levels 3 or 4 by 2028 — which means U.S. hyperscalers keep most of the market and Europe gets a defensible political story. That forecast breaks if two things happen: another unilateral U.S. export-control action against a frontier model that hits allied users, and a CJEU ruling invalidating the successor Data Privacy Framework. Either would push European buyers past political sovereignty into contractual sovereignty, and the €1.2bn IPCEI-CIS bet would suddenly look small rather than symbolic. Until then, the honest answer to Virkkunen's promise is the one Chavez gives: only Washington can agree to limit Washington's powers.
The Bottom Line
CADA is Europe's attempt to legislate its way out of a dependency it cannot legislate away — the switch follows American chips and models, the long arm follows the data, and both powers sit with the U.S. government, not with any provider Brussels can regulate. The Anthropic episode was not a vindication of tech sovereignty; it was a demonstration that ownership rules address the symptom, not the source. The real fight over the next decade is not in Brussels but in Washington, over whether America will voluntarily narrow the extraterritorial reach it has spent thirty years building.
Discover more

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.

India
Congress Accuses Modi of Stalling Women's Law
Congress accuses Modi of stalling women's reservation law by linking it to delimitation, revealing a deeper electoral strategy.

India
BJP's Misunderstanding of Women's Quota Needs
The BJP's linking of the Women Reservation Bill to delimitation risks delaying women's empowerment in India, misreading the aspirations of female voters.

Global
US Reinstates Iran Blockade, Splits Hormuz
US reinstates naval blockade of Iran on July 14, ending 26-day ceasefire. Strait of Hormuz splits into competing toll lanes as traffic collapses to 23 ships daily. 60-day war-powers clock ticks toward Congress.