EU cloud news, week of 2026-05-28

The Tech Sovereignty Package landed on 27 May, and within 48 hours the gaps in it were already visible. A Dutch acquisition block, a US federal cyber agency's own credentials sitting on public GitHub, an unaddressed silicon question, and a non-EU consultancy adding itself to the sovereign-cloud shelf all happened in the same week the legislation arrived.

EU Tech Sovereignty Package lands with the Cloud and AI Development Act After two postponements, the European Commission published its Tech Sovereignty Package on 27 May. The headline element is the Cloud and AI Development Act, which proposes use-case restrictions rather than contract bans on US hyperscalers for sensitive public-sector workloads in health, finance, and the judiciary, alongside a target to triple EU data-centre capacity within seven years and a renewed attempt to define "highly secure" cloud for critical use. The legal text is what procurement teams in regulated mid-market firms will see cited back at them in tender questionnaires through the rest of 2026 and into 2027. Industry reaction is split between cautious welcome and a sustained warning from European providers that the SEAL mid-tiers leave hyperscalers a route to keep selling sovereign-labelled services through European fronting partners.

Dutch government blocks Kyndryl's €100M acquisition of Solvinity One day before the Package landed, the Dutch Digital Economy Minister issued a complete prohibition on Kyndryl's purchase of Solvinity, which operates DigiD, the citizen identity platform that mediates Dutch access to tax, benefits, and most state services. It is the first US acquisition the Dutch Investment Screening Bureau has blocked since 2020, and the reasoning cited foreign control of sensitive identity data and CLOUD Act exposure. The signal worth catching is the procedural one: the WOZT statute the Dutch used is a national-security investment-screening law that several other member states have analogues for. The Netherlands has now demonstrated that sovereignty concerns alone can stop a transaction before any CADA text is enforceable.

CISA's own AWS GovCloud admin keys sat exposed on GitHub for six months A Nightwing contractor working for the US Cybersecurity and Infrastructure Security Agency used a public GitHub repository as a sync between work and home, exposing admin credentials to three CISA GovCloud accounts plus plaintext passwords, SSH keys, and internal deployment logs. The repository was live from November 2025 until 15 May, and the keys remained valid for 48 hours after takedown. For European boards being asked to weigh claims about US hyperscaler operational maturity, the timing of this story landing the same week as the Package is what makes it useful, not as a political point but as an honest data point about who is and is not better at this in practice.

The processors underneath the sovereign cloud nobody is writing into the specs Rupert Goodwins's opinion column on 26 May lays out a gap that European procurement frameworks have not addressed: the Intel Management Engine and AMD Platform Security Processor are full Ring-3 management computers with deep host access, governed by US export-control law, and reachable on the same management network as the BMC. The IPCEI-CIS specification that anchors much of the French sovereign-cloud definition does not mention them. For CTOs designing a target architecture against CADA's "highly secure" tier, the practical question is whether the procurement framework will end up requiring measured boot, attestation, and management-network isolation, or whether silicon-level US dependence stays politely outside the scope of the document.

TCS launches SovereignSecure Cloud in Europe Tata Consultancy Services launched its SovereignSecure Cloud across the EU on 26 May, marketed at governments and regulated industries with a three-layer architecture: a hyperscaler-delivered sovereign layer, country-specific localisation, and a TCS-operated enterprise layer. The product itself is a reasonable engineering response to the market, but the launch is the clearest current illustration of why CISPE has been pressing the Commission on a strict definition of sovereignty. If "sovereign" simply means non-US, an Indian-headquartered consultancy operating in Europe qualifies under one reading and not under another, and CADA's SEAL framework will have to be specific enough that procurement teams can answer that question without ambiguity.

The week tells a single story: the legal text arrived, and the next twelve months will be about how completely it gets applied to the parts of the stack the text did not anticipate.

Thinking about migration? Book a free consultation to discuss your situation.