• The EU's draft cloud procurement law could impose mandatory non-price criteria favoring EU-designed software and hardware in public tenders.
  • Non-EU providers like Amazon, Google, and Microsoft would face additional scrutiny on data protection standards and home-market openness.
  • The measures aim to boost European cloud vendors but risk increasing costs and reducing competition.

New Procurement Rules Shape Cloud Competition

The European Union is advancing draft regulations that would reshape how public-sector cloud contracts are awarded, potentially limiting the dominance of US tech giants. According to people familiar with the matter and draft documents seen by sources, the revised law would introduce mandatory non-price criteria for very critical cloud services. These include preferences for EU-designed or EU-made hardware and software, EU-based research and development, and security of supply. For non-EU providers, authorities would assess data protection standards, the level of third-country influence over data and decision-making, and reciprocal openness of their home markets.

The move is part of the EU's broader push for digital sovereignty, aiming to strengthen the position of European cloud vendors in public tenders. A European Commission spokesperson declined to comment on ongoing discussions, but an EU official familiar with the matter said the goal is to ensure "a level playing field and security for sensitive public data."

Big Tech Faces Compliance Hurdles

Amazon Web Services (AMZN), Google Cloud (GOOGL), and Microsoft Azure (MSFT) currently hold dominant positions in Europe's cloud market, often winning lucrative public-sector contracts. The proposed rules could tilt future bids away from them, forcing compliance with localization and security assessments that may raise costs. "The criteria would increase the administrative burden and could exclude us from some contracts," a representative of a major US cloud provider said, speaking on condition of anonymity.

Industry analysts warn that overly strict requirements risk fragmenting the market and delaying government IT modernization. "A balance is needed between sovereignty and efficiency," said a tech policy analyst. "If rules are too rigid, cash-strapped public bodies might delay cloud adoption."

European Vendors Poised to Gain

The draft could benefit European cloud providers like OVHcloud, Deutsche Telekom, and Atos by prioritizing local design and manufacturing. "This is a welcome recognition of European innovation," a spokesperson for a French cloud company said, adding that they have "long argued for fair competition based on security and local investment."

Negotiations among EU member states and the European Parliament are ongoing, with a final text expected in late 2025. EU cloud certification schemes under the EU Cybersecurity Act are also being revised to align with the new criteria.

Correction: An earlier version of this article misstated the timeline for a final text. The article has been updated to reflect ongoing negotiations.