Brussels Risks Prioritising Symbolism Over Substance in Cloud Procurement

In its push for digital sovereignty, the European Commission is reportedly planning to replace Microsoft Azure with the French cloud provider OVHcloud or another European alternative. But this move, while politically symbolic, would be costly. Far from enhancing security, this migration would sacrifice sound procurement and EU legal obligations in service of a hollow vision of digital nationalism. It burdens taxpayers, ignores practical realities, and risks delivering inferior outcomes. Instead of prioritizing symbolic gestures, the EU should rely on objective, measurable metrics to deliver best-in-class public services using best-in-class digital solutions.

The Commission’s move is not justified by any genuine security concerns. Every cloud service provider operating within the EU—regardless of its nationality—must already comply with identical data protection standards under the General Data Protection Regulation (GDPR). The GDPR also includes specific restrictions on international data transfers and comprehensive safeguards for personal data processing, making the nationality of the cloud provider irrelevant to data security.

Moreover, the Commission has no legitimate grievance against Microsoft’s cloud offerings. The company established its EU Data Boundary project specifically to enable European customers to store and process data exclusively within the EU. Microsoft’s “Defending Your Data” programme includes legally binding commitments to challenge government requests for customer data, whilst the recently launched European Security Program provides additional governmental assurances. The company has invested billions in European data centre capacity operated by European personnel and partnered with local providers, including Germany’s Delos.

Furthermore, the EU’s commitments under the World Trade Organization’s Agreement on Government Procurement require transparent, merit-based supplier selection rather than discriminatory practices based on corporate nationality. By limiting consideration to European alternatives—OVHcloud, Germany’s IONOS, France’s Scaleway, and Italy’s Aruba—whilst dismissing American providers, the Commission appears to use digital sovereignty as a pretext for protectionist procurement that violates its international trade obligations as well as its own public procurement principles.

The Commission’s current Microsoft Azure arrangement delivers precisely what European institutions need: proven reliability, comprehensive security, and global-scale infrastructure at competitive prices. Microsoft’s global market share advantage over OVHcloud reflects genuine technical strengths and economies of scale that directly benefit European taxpayers through lower costs and better service. Abandoning this successful partnership in favour of less mature or scalable alternatives could prove unnecessarily costly and disruptive.

Some three-quarters of large-scale cloud migrations exceed initial budgets, with just over ten percent of migration projects stretching for three quarters or longer beyond their planned timelines. Why fix what isn’t broken? The Commission already enjoys enterprise-grade cloud services that comply with all European data protection requirements whilst delivering global connectivity and cutting-edge capabilities.

Before rushing to a European alternative, the Commission should consider previous failed attempts at European digital sovereignty. The EU’s social media sovereignty experiment provides one such cautionary tale. In April 2022, the European Data Protection Supervisor launched EU Voice and EU Video, European-operated alternatives to Twitter and YouTube using the open-source software Mastodon and PeerTube, in an effort to promote European digital sovereignty. Despite the EDPS declaring the pilot “successful in delivering alternative, privacy-friendly and user-focused social media platforms,” both platforms closed in May 2024 when no institution would assume operational responsibility.

The project attracted 40 institutional accounts but failed to achieve sustainable adoption—Competition Commissioner Margrethe Vestager never used her EU Voice account during the entire two-year pilot. The experiment’s failure shows that replacing digital services with European options is not as simple as policymakers suggest. The European Commission continues operating its own separate Mastodon instance, but most EU institutions maintain dual-platform strategies rather than abandoning American platforms entirely.

EU policymakers should also note that digital sovereignty is not a one-way street—if the EU discriminates against foreign providers, it risks retaliation. Should every other country’s government agencies abandon European solutions like SAP? Picking trade fights with America over cloud security concerns that existing regulations already address seems particularly ill-timed, with the EU seeking a trade deal with the United States in the next month, where failure to reach an agreement could potentially trigger retaliatory measures.

European institutions require reliable, cost-effective technology solutions that enable public service delivery. The European Commission should stick to objective metrics such as data security, regulatory compliance, cost effectiveness, and operational reliability, to dictate procurement decision making, which invariably involves maintaining partnerships with leading global providers to deliver superior outcomes.