EU Sovereignty Package Analysis: Crisis-Proof by Law?

The EU Commission presented a major package to make the confederation of states more technologically sovereign. A start, analyzes Falk Steiner.


It is an extensive package that the EU Commission has launched. It consists of various matters that are to be regulated under the heading “Technological Sovereignty”. The core of the EU Commission's proposed changes for greater technological sovereignty are two legal texts: The Chips Act 2 aims to define Europe's role in the semiconductor ecosystem more resiliently. The Cloud and AI Development Act (CADA) is intended to regulate critical capabilities of the information society. Can this work?

An analysis by Falk Steiner

Falk Steiner is a journalist based in Berlin. He works as an author for heise online, daily newspapers, specialist newsletters and magazines and reports on digital policy at federal and EU level, among other things.

The EU Commission wants to strengthen the EU's role, because the previous modus operandi no longer works under the changed conditions of dependence on providers from two problematic regions of the world. A distinction is still drawn between them: in the case of Chinese providers, the state is assumed to have direct access to the often state-subsidized companies in order to pursue strategic state goals. This raises the question of direct threats, such as espionage and sabotage scenarios. Beyond that, it is also considered whether markets are being deliberately captured in order to permanently eliminate European alternatives. The concern is therefore not dependence on individual components but on entire manufacturers and ultimately entire industries.

Much more relevant, however, compared to the first Trump presidency, is the changed perspective on the USA. The belief that the United States and companies based there are permanently reliable partners with shared values has been massively shaken – even among convinced transatlanticists. Against “America Alone”, only a more digitally independent Europe helps, it is now said even there – and as quickly as possible. For 27 member states, that usually means between half a year and two years before the laws are passed.

The discussion of recent months is reflected particularly in the Cloud and AI Development Act. In the future, under the Cloud Computing Sovereignty Framework (CCSF), there will be four trust levels to transparently demonstrate the degree of independence from cloud providers EU-wide and to set minimum requirements for public bodies. The Commission proposes that state bodies should in any case require a registered office in the EU and keep data centers in the EU – unless expressly instructed otherwise. And access for non-EU authorities should also be clearly declared at the very least.


From the second level onward, external auditors must verify that a provider meets the criteria. Then, for example, data may not be used for AI training outside the EU, and an EU cybersecurity certificate becomes mandatory. Crucial, however, are the restrictions on the influence of third-state actors: they must not be able to affect the maintenance of operational capability – for example, through legal sanctions. This alone would completely exclude all providers headquartered in the USA – as illustrated, among other things, by the case of two European judges at the International Criminal Court who were personally sanctioned by US President Donald Trump.

The requirements in Levels 3 and 4 are even stricter, with the requirements for external auditing for conformity assessment increasing at each level. From Level 3, which may be relevant for police applications, for example, there is an even sharper focus on the components used, and proof of dependencies via software components from outside the EU is required. Level 4, on the other hand, states in somewhat flowery terms that a provider must de facto only come from the EU, operate within it, and be used for high-security purposes.

The criteria for these “trust levels” are contained in the annexes to the CADA draft (PDF) and are to apply cumulatively. They are undoubtedly a problem from the perspective of some providers. For the accuracy of the information, CADA stipulates from Level 2 onwards that external auditors work through the catalogs and then certify to the provider which criteria have been met.

Sharp criticism comes, for example, from the Computer and Communications Industry Association (CCIA), an association that represents the interests of large US IT companies in the EU, among others. The association describes the plan as a “dangerous recipe for a gradual market closure.” No international provider outside the EU can meet the security levels required by the Commission.

However, the CADA draft also includes exceptions: under Article 18, third countries can be placed on an equal footing with EU states. A minimum requirement is an adequacy decision pursuant to Article 45 of the General Data Protection Regulation. Such a – controversial – decision exists for the USA, albeit within a certain framework, but not for China. In addition, there are further criteria, such as that cloud providers must not be compellable to interrupt services – which is unattainable under US law.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.