The European Commission has unveiled a major technology sovereignty package designed to reduce Europe's strategic dependence on foreign technology suppliers — primarily from the United States and China. The package, announced on June 5, 2026, bundles together draft legislation, strategic frameworks, and policy roadmaps that collectively represent the EU's most comprehensive push toward digital autonomy since the General Data Protection Regulation (GDPR).
What's in the Package
The sovereignty package comprises four interconnected components:
1. Chips Act 2.0
A revised and expanded version of the original EU Chips Act, Chips Act 2.0 goes beyond the 2022 legislation's focus on domestic semiconductor manufacturing investment. The updated draft law introduces:
- Expanded production targets — aiming to raise Europe's global chip fabrication market share beyond the original 20% goal for 2030
- Supply chain diversification requirements for critical sectors including defense, automotive, and energy infrastructure
- Export controls alignment to harmonize chip export restrictions with allied nations
- Chip design ecosystem investment to reduce reliance on US-based EDA tool vendors and IP blocks
- Strategic stockpile provisions for critical semiconductor inputs and finished chips used in defense and critical infrastructure
The Chips Act 2.0 directly responds to the semiconductor supply chain disruptions of 2022-2024 and growing concern about dependency on Taiwan Semiconductor Manufacturing Company (TSMC) for advanced node production.
2. Cloud and AI Development Act (CADA)
The Cloud and AI Development Act is the most expansive element of the package for the technology and cybersecurity sector. CADA establishes a European framework for:
- Cloud provider certification with tiered security requirements tied to data sensitivity classifications
- Data residency and sovereignty obligations for public sector and critical infrastructure workloads
- AI model training data requirements — mandating documentation of training datasets for AI systems above defined capability thresholds
- European cloud infrastructure incentives to support EU-headquartered hyperscaler development
- Interoperability mandates requiring major cloud providers to support data portability standards that enable switching between providers
CADA is framed as a complement to the existing NIS2 Directive and AI Act, adding commercial infrastructure requirements alongside the regulatory obligations those laws impose.
3. Open Source Strategy
The Open Source Strategy commits the EU and member state institutions to:
- Preferring open source software in public procurement where security-equivalent options exist
- Funding European open source maintenance for critical software components identified as digital infrastructure
- Publishing source code developed with EU public funding where legally permissible
- Supporting open source security tooling to address vulnerabilities in widely used open source components
The strategy references the Log4Shell incident and the xz Utils backdoor as motivating examples of the risk that critical, under-resourced open source projects pose to European digital infrastructure.
4. Digital Energy Roadmap
The fourth component is a roadmap for digitalizing the energy system — addressing the intersection of cybersecurity and energy infrastructure as Europe expands its smart grid, renewable energy interconnection, and cross-border electricity trading systems. Key elements include:
- Cybersecurity requirements for smart grid components built on the ENISA framework
- Digital twin standards for energy grid management
- Data sharing frameworks for energy system operators that preserve security while enabling grid optimization
Strategic Context
The package arrives at a moment of significant geopolitical pressure on European technology policy:
US-Europe tensions: Ongoing uncertainty about US technology export controls, data privacy frameworks (following the invalidation and renegotiation of transatlantic data transfer agreements), and growing concern about US hyperscalers' compliance with European law have pushed EU policymakers toward reducing structural dependency.
China concerns: European regulators have grown increasingly uncomfortable with Chinese components in 5G infrastructure (Huawei/ZTE bans), enterprise networking equipment, and industrial control systems. The Chips Act 2.0 and CADA both contain provisions designed to reduce strategic exposure to Chinese-origin technology in sensitive sectors.
Competitive AI ambitions: The EU's AI Act established a regulatory floor; CADA is intended to create conditions for European AI development that doesn't depend on US cloud infrastructure or Chinese-developed models.
Security Implications
For organizations operating in Europe and the broader cybersecurity community, the package has several material implications:
Cloud Provider Certification
CADA's cloud certification framework, once enacted, will create formal security tiers for cloud workloads that map to specific compliance obligations. Organizations running sensitive workloads on US-headquartered hyperscalers should expect:
- Increased compliance documentation requirements
- Potential requirements to use EU-certified cloud regions or providers for certain data categories
- Data residency obligations that may affect disaster recovery and multi-region architectures
Supply Chain Diversification Pressure
The Chips Act 2.0 and CADA together signal that European procurement — public sector and regulated industries — will increasingly favor vendors that can demonstrate supply chain independence from high-risk origins. Security product vendors serving European government and critical infrastructure markets should anticipate this becoming a procurement criterion.
Open Source Security Investment
The Open Source Strategy's commitment to funding critical open source maintenance addresses a known structural vulnerability in global software supply chains. If executed well, this could meaningfully improve the security posture of open source components that underpin European (and global) digital infrastructure.
Reactions and Timeline
The package has drawn mixed initial reactions:
- European cloud providers (OVHcloud, Deutsche Telekom, IONOS) have welcomed the measures, seeing CADA as an opportunity to compete more effectively against AWS, Azure, and Google Cloud
- US tech industry groups have raised concerns about CADA creating de facto market access barriers
- Security researchers have cautiously welcomed the Open Source Strategy but called for concrete funding commitments rather than aspirational language
- Critical infrastructure operators have raised concerns about the cost of compliance with CADA's certification framework for organizations running hybrid cloud environments
The package is in draft law stage — both Chips Act 2.0 and CADA require passage through the European Parliament and Council before becoming law. Given the complexity and scale of the package, implementation timelines are likely measured in years, not months.
Key Takeaways
- The EU's technology sovereignty package represents its most comprehensive move yet toward digital strategic autonomy, combining semiconductor, cloud, AI, open source, and energy dimensions
- Chips Act 2.0 expands European semiconductor investment targets and supply chain diversification requirements
- CADA establishes cloud certification tiers, data residency obligations, and AI training data transparency requirements that will affect organizations running workloads in Europe
- The Open Source Strategy addresses supply chain vulnerability in critical open source components — a meaningful acknowledgment of systemic risk
- For security practitioners: cloud compliance requirements, supply chain provenance documentation, and data residency architecture decisions are all likely to be affected once the legislation passes
Sources
- EU Unveils Tech Sovereignty Package to Cut Reliance on US, Chinese Suppliers — The Record
- European Commission — Digital Technology Sovereignty Package (June 2026)