EU Tech Sovereignty Package: What It Means for UK and EU Hosting Decisions

On 3 June 2026, the European Commission proposed the European Tech Sovereignty Package, and in doing so dragged cloud sovereignty out of policy circles and into the boardroom. The package itself is sprawling industrial policy: chips, AI, cloud, open source, and energy.

But its practical effect on everyone else is narrower and more useful. It makes one question, "where does our infrastructure actually run, and who controls it?", something procurement teams now have to answer out loud.

This guide covers what the package actually is, why the Cloud and AI Development Act is the part that matters most for hosting, and how to turn it into practical questions before you pick a provider. It also draws a line a lot of marketing is about to blur: UK-hosted isn't the same as EU sovereign, and pretending otherwise helps nobody.

Key Takeaways

  • The European Tech Sovereignty Package was proposed on 3 June 2026 and bundles four parts: the Chips Act 2.0, the Cloud and AI Development Act, an EU Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy (European Commission, June 2026).
  • The Cloud and AI Development Act aims to at least triple the EU's data centre capacity within five to seven years and introduces a four-level cloud sovereignty framework (European Commission, June 2026).
  • The package exists because the EU depends on non-EU countries for more than 80% of its key digital products, services, and infrastructure (European Commission, June 2026).
  • UK-hosted infrastructure cannot be described as EU sovereign. CADA Level 1 requires data to be processed and stored inside the Union, and the UK is not one of the 27 member states.

What Is the European Tech Sovereignty Package?

The European Tech Sovereignty Package is a set of proposals the European Commission announced on 3 June 2026 to strengthen the EU's capacity in semiconductors, AI, cloud, and open source, and to cut its structural dependence on non-EU technology. It's a direction-of-travel statement as much as a rulebook: a sign that digital autonomy is now treated as an economic and security priority, not just a talking point.

The motivation is blunt. By the Commission's own assessment, the EU depends on non-EU countries for more than 80% of its key digital products, services, and infrastructure. Presenting the package, the Commission's executive vice-president for tech sovereignty, Henna Virkkunen, put it plainly: the aim is to make sure "nobody has a kill switch" over critical European technology (CNBC, June 2026).

The package has four moving parts:

  • Chips Act 2.0 aims to build EU capacity in advanced semiconductors, including prioritising a foundry for leading-edge manufacturing inside the bloc.
  • Cloud and AI Development Act (CADA) targets cloud and data centre capacity and introduces an EU sovereignty framework for cloud and AI services. This is the part that matters most for hosting.
  • EU Open Source Strategy promotes open technologies as a route to reducing lock-in and dependency.
  • Strategic Roadmap for Digitalisation and AI in Energy addresses how AI and data centre growth interact with the energy system.

For a hosting buyer, only one of these four needs close reading. The others set context.


Why Does the Cloud and AI Development Act Matter Most for Hosting?

The Cloud and AI Development Act is the part of the package that touches hosting decisions directly. It answers two questions that hyperscaler dependency has made urgent: is there enough European data centre capacity, and how do you actually tell how sovereign a given cloud service is? It's a response to two pressures at once: a shortage of EU data centre capacity as AI demand grows, and over-reliance on a handful of non-EU cloud providers.

On capacity, the Act aims to at least triple the EU's data centre capacity within five to seven years by making data centres simpler and faster to build and deploy (European Commission, June 2026). That's a supply-side ambition to build European compute, not a rule that changes your contract tomorrow.

The more useful part, if you're the one buying hosting, is the sovereignty framework. CADA defines four assurance levels that public-sector bodies can use, based on their own risk assessments, to judge how sovereign a cloud or AI service really is. The levels climb from basic data location at the bottom to full control over the software supply chain at the top.

CADA Cloud Sovereignty Assurance Levels (increasing sovereignty assurance, Level 1 to Level 4)

  • Level 1: Data stored in the EU
  • Level 2: Independence from third countries + supply-chain transparency
  • Level 3: EU-owned and controlled, plus criteria such as personnel citizenship
  • Level 4: Full transparency and control over the software supply chain, no third-country interference

The four CADA cloud sovereignty assurance levels. Source: European Commission, verified June 2026.

In the Commission's wording, Level 1 requires that "data is processed and stored in infrastructure located in the Union." Level 2 asks providers to demonstrate independence from third countries and transparency over their software supply chain. Level 3 requires that providers are owned and controlled from the EU and meet additional criteria such as personnel citizenship. Level 4 requires full transparency and control over the entire software supply chain, with no interference from a third country.

The detail to hold onto: this is a framework buyers use to assess providers, mainly in public-sector procurement. It isn't a certificate a hosting company can hand you today, and it's anchored to EU geography from Level 1 upward.


Is UK-Hosted Infrastructure the Same as EU Sovereign?

No, and any provider that implies otherwise is overclaiming. CADA Level 1 is explicit that data must be "processed and stored in infrastructure located in the Union," and the United Kingdom isn't one of the EU's 27 member states. A server in Manchester is UK-located, full stop.

This matters because the temptation, for any UK provider reading the sovereignty headlines, is to bend the framework to fit the sales pitch. We'd rather be straight with you. UK hosting genuinely supports three things: UK data control, a single clear jurisdiction, and less dependency on non-European hyperscalers. What it can't do is satisfy an EU procurement rule that demands EU-located infrastructure or a specific CADA level. If that's your requirement, the honest answer is that you need EU-located capacity, and you should pin down the exact workload, data location, and assurance level your contract calls for.

So the package isn't a compliance shortcut for UK hosting. It's something more useful: proof that the questions UK and European buyers have started asking are now mainstream, and that wanting clear answers about location and control is no longer a fringe concern.


What Should Hosting Buyers Take From This?

The practical value of the package is the checklist it implies, not the legislation itself. Most buyers will never invoke CADA directly, but they'll increasingly be asked these questions by their own clients, auditors, and boards. In the conversations we have with prospects, the sovereignty question almost always turns out to be a control question, and it comes down to a handful of things any provider should be able to answer without flinching.

  • Where is my infrastructure physically hosted? Country and data centre, not a vague region.
  • Who operates it, and what is their legal jurisdiction? Server location and corporate jurisdiction are not the same thing.
  • How dependent am I on a single non-European hyperscaler? Concentration risk is now a board-level item, not just a procurement preference.
  • Can I understand, move, and manage my environment? Or is the stack opaque enough that you are locked in by complexity?
  • Do I get support, or just a platform? A console is not the same as someone answering when something breaks.

This demand isn't hypothetical. In November 2025, Gartner found that 61% of Western European CIOs expected geopolitical factors to increase their reliance on local or regional cloud providers. In a separate forecast, Gartner predicted that more than 75% of European and Middle Eastern enterprises would "geopatriate" their virtual workloads by 2030 to reduce geopolitical risk, up from less than 5% in 2025 (Gartner, October 2025). And Accenture found 60% of European organisations planning to increase investment in sovereign AI technology over the next two years. The EU package didn't create this trend. It formalised it.

The counterpoint matters too, because the honest version of this argument isn't "hyperscalers are bad." For plenty of global, complex, deeply integrated environments, AWS, Azure, or Google are still the right call. The shift is narrower than that: for a lot of UK and European businesses, a simpler managed model with clearer control and a single jurisdiction is the better fit, and the package finally gives them a reason to compare.


Where Does Layershift Fit?

Layershift is a UK provider operating from our own Manchester data centre. That makes us a clean fit for buyers whose priority is UK data control and less hyperscaler dependency, rather than formal EU-located procurement. Just as important for a sovereignty conversation: you decide where your data sits, it's documented, and it doesn't move unless you move it.

  • Fully managed VPS runs in our Manchester data centre by default, with Singapore and Chicago available if your workload needs them. The location is your choice, stated plainly, not something that shifts behind the scenes.
  • Enscale PaaS gives you more flexible application hosting without the hyperscaler complexity, with the same Manchester-by-default control over where it runs.
  • EHLO Mail is always hosted in the UK, in Manchester, so your business email stays in one known jurisdiction rather than scattered across third-party platforms.

A managed UK provider takes one specific variable off the table: where your data lives becomes a clear, documented decision, Manchester by default, with support and a single point of accountability behind it. It doesn't turn UK hosting into EU-located infrastructure, and we won't claim it does. If your requirement is genuinely EU geography or a defined CADA level, that's a different specification, and we'd tell you so plainly.


Score Your Own Setup Before You Close This Tab

Theory is easy. Here's the part that isn't: run your current hosting through five quick questions. Give yourself one point for each one you can answer right now, without emailing your provider or guessing.

  1. Which country, and which data centre, is my production data sitting in today?
  2. Who legally operates that infrastructure, and under whose jurisdiction does it fall?
  3. If my main provider had an outage, a policy change, or a price hike next week, how locked in am I?
  4. Could my team move this environment somewhere else without a full rebuild?
  5. When something breaks at 2am, does a human answer, or do I file a ticket and wait?

Scored 4 to 5: you already treat sovereignty as an infrastructure decision. You're in good shape.

Scored 2 to 3: there are a few gaps worth closing before a client, auditor, or procurement reviewer asks about them.

Scored 0 to 1: you're far from alone; plenty of capable teams can't answer these yet. It simply means provider control is worth a closer look, and it's exactly the kind of thing we're happy to walk through with you.

Wherever you landed, that number is the honest starting point. Tell us your score when you get in touch, and we'll pick it up from there.


Talk to Us About UK-Hosted Infrastructure

If the sovereignty conversation has reached your procurement process, the useful next step is a concrete answer about where your workloads would run and who'd control them, not a brochure. We'll walk through your architecture, data flows, and jurisdiction requirements, and tell you plainly where UK-hosted managed infrastructure fits, and where it doesn't.


Frequently Asked Questions

What is the European Tech Sovereignty Package?

The European Tech Sovereignty Package is a set of measures the European Commission proposed on 3 June 2026 to reduce the EU's dependence on non-EU technology. It bundles four parts: the Chips Act 2.0, the Cloud and AI Development Act, an EU Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy.

Does the Cloud and AI Development Act apply to UK hosting providers?

Not directly. The Cloud and AI Development Act is an EU framework aimed at EU data centre capacity and EU public-sector procurement. A UK provider is outside the EU's 27 member states, so UK-hosted infrastructure is not classed as EU-located under the Act. The Act still matters as a signal of how buyers now assess cloud sovereignty.

Is UK-hosted infrastructure "sovereign" under the EU framework?

No. The Act's Level 1 assurance requires that data is processed and stored in infrastructure located in the Union. UK hosting can support UK data control, operational clarity, and reduced hyperscaler dependency, but it cannot be described as EU sovereign or as meeting CADA Level 1. Strict EU procurement may require EU-located infrastructure.

What is CADA Level 1?

Level 1 is the entry tier of the Cloud and AI Development Act's four-level sovereignty framework. It requires that data is processed and stored in infrastructure located within the European Union. Higher levels add independence from third countries, EU ownership and control, and full software supply chain transparency with no third-country interference.

Should UK businesses care about the EU sovereignty package?

Yes, but for the questions it raises rather than the rules it sets. The package pushes data location, provider control, jurisdiction, and hyperscaler dependency up the agenda. UK businesses serving European customers, or worried about concentration risk, will face these questions in procurement whether or not the EU rules apply to them directly.


The Bottom Line

The European Tech Sovereignty Package doesn't mean every business needs to rebuild its infrastructure, and it doesn't make UK hosting EU sovereign. What it does is take a question that used to be niche, who actually controls the systems you depend on, and make it mainstream. For hosting buyers, that turns sovereignty from a slogan into a short list of practical checks: where the infrastructure runs, who operates it, which jurisdiction applies, and how dependent you are on a single hyperscaler.

Our position is the modest one. We help you think those questions through and give clear answers for UK-hosted managed infrastructure. We don't sell EU compliance, and we'll tell you when your requirement points somewhere else. For a lot of UK and European businesses worried about control, that kind of clarity is exactly what unblocks the decision.


This post is an infrastructure and procurement explainer. It is not legal advice. EU regulatory requirements, including the Cloud and AI Development Act, depend on your specific workloads, data types, and procurement obligations. Consult a qualified adviser for guidance on your situation.


Sources