The EU Tech Sovereignty Package: Key measures explained
The European Union proposes tripling its data center capacity by 2030 through the Cloud and AI Development Act (CADA) and the Chips Act 2.0. According to the proposal, these measures aim to reduce strategic dependence on non-EU suppliers across the digital stack, from chip design to cloud infrastructure, while accelerating permitting timelines to under 18 months.
How will the Cloud and AI Development Act (CADA) change data center construction?
The proposed CADA targets a massive expansion of EU computing capacity to meet 2035 requirements. To achieve this, the EU intends to slash bureaucracy. Operators should be able to secure all necessary permits to build and run a data center in less than 18 months, according to the draft legislation.
In designated “acceleration zones,” this window drops to 12 months. Member States must establish at least one such zone within six months of the Regulation entering into force. These zones will prioritize sites with high grid capacity, clean energy generation, and waste heat reuse potential.
Projects designated as “strategic” must meet at least two specific criteria, such as contributing to grid stability or addressing major compute shortages. These projects gain access to EU funds, financial instruments, and a potential “competitiveness seal” to attract institutional investors.
What are the new requirements for EU public sector cloud procurement?
Public bodies will soon face stricter rules on who can provide their cloud services. Under the CADA, Member States must conduct risk assessments every two years to identify “public order-relevant activities.” These activities will require specific assurance levels, ranging from level 1 to 4.
According to the proposal, level 1 requires only a self-assessment. However, levels 2 through 4 necessitate independent third-party audits. While third-country controlled providers may access some levels, they are expressly barred from level 4 recognition.
Procurement will also shift away from a “lowest price” model. Contracting authorities will now include “Union added value” criteria. This means they will weigh how much a provider strengthens the EU digital supply chain or integrates European research and technology into their offering.
How does Chips Act 2.0 address semiconductor supply chain risks?
The Chips Act 2.0 replaces the 2023 framework to prevent dependencies that threaten the security of semiconductor supplies. It introduces “European semiconductor technology initiatives” (ESTIs) and strategic projects, both of which benefit from a streamlined 12-month permit-granting process via a one-stop shop.
The Commission is introducing a “Business-to-Business Semiconductor Supply Chain Platform.” This digital twin of the supply chain allows the Commission to gather intelligence at an “alert stage” before a formal crisis is declared.
If a crisis occurs, the Commission can impose “priority-rated orders.” This requires ESTIs and strategic projects to prioritize specific orders over existing contractual obligations. The proposal explicitly excludes contractual liability for breaches caused by complying with these government orders.
How will AI and data centers integrate into the EU energy grid?
The EU is reframing data centers as “flexibility providers” rather than just energy consumers. A Strategic Roadmap for digitalization and AI in energy outlines a plan to integrate these facilities more sustainably into the grid.
By the second half of 2026, the Commission plans to publish a model tripartite agreement. This contract will involve public authorities, data center operators, and energy actors to coordinate grid planning, waste heat recovery, and Power Purchase Agreements (PPAs).
Sustainability will become a regulatory hurdle. The Data Centre Energy Efficiency Package, expected in 2026, will introduce labels by 2027. These labels will likely affect whether a project qualifies for “strategic” status or acceleration zone benefits.
The roadmap also flags solar and wind infrastructure as priority cybersecurity concerns. The Commission has already restricted funding for projects using inverters from “high-risk suppliers” and plans a full risk assessment of solar installations in 2026.
Comparing Permitting Timelines
| Project Type | Standard Permit Time | Fast-Track Permit Time |
|---|---|---|
| CADA Data Centers | 18 Months | 12 Months (Acceleration Zones) |
| Chips Act 2.0 Projects | Not Specified | 12 Months (One-Stop Shop) |
Frequently Asked Questions
When will these laws take effect?
Negotiations between the Parliament and Council are pending. Based on typical EU timelines, adoption is expected between 2027 and 2028.

What is a “risk-prone” sector?
The Commission can designate sectors like energy and data centers as “risk-prone” if they are vulnerable to semiconductor disruptions. This can lead to binding obligations for dual sourcing and stockpiling.
How does the Open-Source Strategy fit in?
The strategy aims to increase technological sovereignty by promoting open, interoperable digital ecosystems for public administrations and industrial deployment in the energy sector.
What are the PPA implications?
Draft regulations may require guarantees of origin to match 15-minute consumption periods and originate from the same bidding zone.