Sovereignty Is No Longer a Choice. It's a Procurement Criterion.
TL;DR: On June 3, 2026, the European Commission published its Technological Sovereignty Package — the Cloud and AI Development Act (CADA), Chips Act 2.0, and the EU's first full Open Source Strategy. Despite the headlines, it doesn't ban American technology. It does something more consequential for European organizations: it turns digital sovereignty from a political aspiration into an auditable procurement requirement, with four assurance levels that are assessed across the entire supply chain. And that last detail matters more than most coverage acknowledges — because a sovereignty chain is only as strong as its weakest link, and the weakest link is usually the integration layer.
We've written before that the hardest problem in European digital sovereignty isn't building individual European tools — it's making them work together across borders, systems, and trust boundaries. On June 3, that debate took concrete legislative form.
The Commission's package centers on three interconnected initiatives: Chips Act 2.0, the Cloud and AI Development Act, and an EU Open Source Strategy. They're worth reading together rather than separately, because their combined logic is what will reach the desks of European organizations — public and private.
What CADA actually does
Let's start with what it doesn't do, because the social media headlines claim otherwise: CADA does not ban American technology. The Commission has been explicit that the goal is to strengthen Europe's digital autonomy and resilience without closing the market, which remains largely open to like-minded partners. Commissioner Henna Virkkunen put the underlying concern plainly: Europe wants certainty that no provider of critical workloads holds a "kill switch" over European data. The context is hard to argue with — three US providers control roughly 70% of Europe's cloud market, and the US CLOUD Act means they can be compelled to hand over data regardless of where it physically sits. Microsoft's own counsel confirmed as much under oath before the French Senate in 2025.
What CADA does instead is two things with real-world consequences.
First, it defines four assurance levels for cloud and AI sovereignty, to be applied by public sector bodies based on their own risk assessments. The criteria span control over the service and its supply chain, how AI inference data is processed, where infrastructure is located, and cybersecurity posture. The higher levels require demonstrated independence from third countries and transparency over the software supply chain; the highest demands full supply chain transparency and control, with no possibility of third-country interference.
Second, it requires member states to assess which public sector systems depend on foreign cloud, classify them by sovereignty level, and procure accordingly. In strategically sensitive sectors — banking, energy, healthcare — public procurement will weigh new non-price criteria favoring EU-developed software and hardware alongside cost. The ambition behind it is industrial as much as regulatory: the Act targets a tripling of EU data centre capacity within five to seven years.
In other words, the question is no longer "may we use European alternatives?" It's "how do you demonstrate which sovereignty level you operate at?" That's a procurement requirement — and procurement requirements, unlike summit declarations, change what organizations actually buy.
Why open source moved to the center
For the first time, the package includes a full Open Source Strategy. This is not a side note. The Commission frames open source as the way to reduce dependencies across the entire technology stack and to develop European alternatives in areas where the EU still relies on proprietary solutions controlled by a single supplier.
Look again at the criteria for the highest sovereignty level: full transparency and control over the software supply chain, no third-country interference. In practice, that's a description of open source. A proprietary stack can promise transparency; an open-source stack can prove it. You cannot fully audit what you cannot read.
This is the same conclusion we reached building FastHub, by a different route. Open source isn't a feature to list in a sales deck. It's a trust architecture. When a customer asks how they can verify that their data is handled correctly and within jurisdictional boundaries, the answer can't be "trust us." The answer is "read the code."
FastHub is built entirely on open-source components — Kubernetes, Keycloak, Open Policy Agent, Apache Camel, Quarkus — and runs on 100% EU-hosted infrastructure. Every layer can be audited. No single company can pull the rug, and no foreign authority can compel a backdoor into a system whose every line the customer can inspect.
The weakest link is the one nobody classifies
Here's the part of the package that deserves more attention than it's getting. The sovereignty levels are assessed across the supply chain — not component by component in isolation. That has a consequence most sovereignty roadmaps quietly ignore.
Picture a European organization that has done everything right: a French SecNumCloud-certified cloud, a German open-source collaboration suite, an Estonian e-government interface — each individually compliant, each at a high assurance level. Now ask: what connects them? If the answer is a US-controlled integration platform — a proprietary iPaaS subject to the same CLOUD Act exposure the whole exercise was meant to escape — then the chain's effective sovereignty collapses to that link. Every workflow, every data flow, every credential passes through the one layer nobody thought to classify.
The integration layer isn't adjacent to the sovereignty question. It is the sovereignty question, because it's the layer that touches everything.
And it's exactly where Europe's fragmented landscape creates the most friction. Who ensures data flows respect every jurisdictional boundary while the business operates as one organization? Who governs which AI models process what data, and where? Sovereignty isn't delivered through summits and declarations. It's delivered through the mundane, essential work of connecting systems, moving data, and keeping organizations running — inside the compliance rules that, as of June 3, are on their way to becoming procurement law.
That's what FastHub was built for. Not as another entry in Europe's growing catalogue of sovereign alternatives, but as the connective layer that makes them useful together — vendor-agnostic, fully auditable, and sovereign by the same standard it helps its customers meet.
FastHub is an AI-native integration platform built in Turku, Finland — constructed entirely on open-source technologies and hosted 100% within the EU.