ASD Input on the Cloud and AI Development Act

In a tense geopolitical environment, digital infrastructure is becoming a matter of national and European sovereignty.

Cloud computing is a strategic asset for the European defence and security industries. It underpins secure data sharing, AI-driven systems, cross-border collaboration, and mission-critical operations.

However, Europe remains heavily dependent on non-EU hyperscalers, posing significant risks to data control, operational continuity, and sovereignty.

ASD recommends that the Cloud and AI Development Act include concrete measures to:

• Establish an EU-wide certification scheme for sovereign cloud services, inspired by the EUCS High+ framework.
• Harmonise security requirements and data classification standards across Member States.
• Create procurement criteria that prioritise European ownership, control, and immunity from non-EU extraterritorial interference.
• Promote the development of federated identity and access management, end-to-end encryption, and interoperable service catalogues.
• Support joint European initiatives aimed at securing cloud infrastructure for critical applications, such as AEROSEC, MILSCA, and FCAS.

By embedding these principles, the EU can accelerate the deployment of trusted, sovereign cloud capabilities that are fit for purpose in defence and aerospace contexts.

The Cloud and AI Development Act represents an opportunity to consolidate Europe’s digital autonomy and ensure its long-term strategic resilience.

All references quoted are listed in full in the downloadable version of the Position Paper. 

The European Commission published the AI Continent Action Plan ("the Plan") on 9 April, setting out an ambitious vision to position the European Union as a global leader in artificial intelligence. The Plan encompasses five key areas: computing infrastructure, data access, AI adoption in key sectors, talent base and regulatory simplification. The Aerospace, Security and Defence Industries Association of Europe (ASD) welcomes the European Commission’s initiative.

The Communication on the AI Continent Action Plan includes a public consultation on the upcoming Cloud and AI Development Act ("the Act"), which falls under the “Computing infrastructure” pillar. This document sets out our key recommendations to ensure that the Act adequately addresses the strategic, operational and security-specific requirements of the defence and security sectors. Given that civil aviation is already governed by established regulatory and standardisation frameworks, such as those of the European Union Aviation Safety Agency (EASA) and standard-developing organisations like EUROCAE, it is not addressed within the scope of this paper.

Digital infrastructure is not only a driver of innovation in these domains, but a matter of national and European sovereignty. Cloud computing, in particular, has emerged as a strategic asset for the defence and security sectors. It underpins secure data sharing, AI-driven systems, cross-border collaboration, and mission-critical operations. However, the European Union (EU) remains heavily reliant on non-European cloud providers, with US-based hyperscalers dominating the market. This structural dependency poses serious risks to the EU’s digital autonomy, especially as geopolitical tensions and cyber threats increase.

For Europe to maintain its technological sovereignty, especially in highly sensitive sectors, a secure, sovereign, and interoperable cloud ecosystem is essential. This paper outlines the current challenges, highlights strategic capability gaps, and offers concrete policy and technical recommendations to ensure the EU’s digital infrastructure is equipped to support next generation defence and security applications.

Cloud as a strategic asset for aerospace and defence

The AI Continent Action Plan rightly highlights a critical vulnerability: the European Union lags behind the United States and China in data centre capacity. At present, the EU remains heavily reliant on cloud infrastructure that is either physically located outside its territory and/or controlled by non-European entities. The EU cloud services market is currently disproportionately dominated by non-EU providers, with the three major US-based cloud "hyperscalers" accounting for 65% of the market share.

This structural dependency is a serious concern for European industry, public institutions, and the EU’s long-term digital sovereignty. In particular, it entails the risk of service disruption due to extraterritorial legislation or influence from non-EU countries, notably through undue access to data or adverse impacts on the quality and/or availability of the provided service.

Mario Draghi emphasizes in his report the urgent need for the EU to maintain its technological sovereignty, including in cloud services. For the security and defence sectors, which increasingly rely on data flows, AI-driven capabilities, and secure information-sharing, this challenge is particularly acute. Cloud services are essential for innovation, operational readiness and secure cross-border collaboration. We therefore strongly support the Plan’s emphasis on developing sovereign, highly secure, EU-based cloud capabilities for highly critical use cases.

Cloud and technological sovereignty: key concerns

The security and defence industries have a vested interest in advancing the EU’s technological sovereignty. This is not only a matter of industrial competitiveness, but a critical requirement for secure, resilient and future-ready defence capabilities. Several key concerns must be addressed in the context of the Cloud and AI Development Act:

• High security and resilience requirements: defence systems require cloud and edge infrastructures that meet stringent demands for security, availability, and confidentiality needs.
• Interoperability across actors and borders: modern defence programmes involve a diverse and evolving network of stakeholders such as Ministries of Defence (MoDs), industrial partners, SMEs, and technology providers across Member States. Interoperability of data, tools and platforms is essential, yet current cloud and edge solutions fall short of enabling this level of collaboration at scale.
• Fragmentation of rules and standards: the absence of a unified EU accreditation framework and consistent cloud standards across Member States hinders collaboration and slows deployment. A joint European approach is urgently needed to streamline compliance and certification, particularly for defence-related cloud applications.
• Gaps in specific military programmes: existing cloud and edge technologies do not adequately support the long-term requirements of military systems. This shortfall undermines the long-term competitiveness of the European defence technological and industrial base (EDTIB), despite the European Union being a major provider of information technology.
• Disjointed digital regulatory environment: while initiatives such as the General Data Protection Regulation (GDPR), the Data Act, the AI Act or Gaia-X are important, they do not fully address the specific requirements of European defence programmes.
• Barriers to digital transformation and innovation: the absence of secure, shared IT infrastructure across the EU hampers the adoption of modern systems engineering methods (e.g., Agile, DevSecOps), which are essential for developing future-ready military capabilities.

Strategic capabilities for a sovereign European cloud ecosystem

To address the structural and operational limitations outlined above, the European Union should take decisive steps to further consolidate its technological sovereignty in cloud computing, a foundational layer of digital infrastructure across all sectors. A secure, resilient, and interoperable European cloud ecosystem is essential to enable digital autonomy, ensure data control, and support mission-critical operations. In the defence, and security sectors in particular, several technical and policy priorities stand out:

• Trusted Identity and Access Management (IAM): a federated and secure IAM framework is essential for operating across multi-cloud and hybrid environments. It must ensure robust traceability, strong authentication, and role-based access control across distributed infrastructures.
• End-to-end protection: fully trusted encryption, including advanced technologies such as homomorphic encryption, is critical to ensuring data privacy, especially when handling sensitive or classified information across jurisdictions and distributed systems. 
• Transparent and modular cost models: defence programmes require cloud billing systems that allow granular cost attribution based on usage, service type, and mission-specific requirements. Such models support both budgeting flexibility and operational accountability.
• Multi-cloud service catalogues with guaranteed service levels: a common, EU-managed catalogue of sovereign cloud services, listing European providers that meet the criteria of the certification scheme mentioned below, and offering clearly defined service level agreements (SLAs) would streamline procurement, build trust, and facilitate cross-border integration of cloud-based systems in defence and aerospace programmes.
• Unified management experience: simplifying user interfaces and operational workflows across cloud providers e.g., through orchestration layers or common management portals would support more agile development and deployment across the EU ecosystem.

Barriers to cloud adoption

One of the most significant challenges to cloud adoption in the European defence and security sectors is the lack of harmonised security standards, particularly regarding the handling of classified and sensitive data.

Several key obstacles must be addressed:

• Absence of European-wide convergence on data classification and protection: while “EU restricted” is defined under European Classified Information (EUCI), multiple national-level classifications or security markings remain in use across Member States e.g., “Diffusion Restreinte” (France), “Difusión Limitada” (Spain), “Riservato” (Italy), “VS-NfD” (Germany), OCCAR Restricted, and NATO Restricted. These classifications lack mutual recognition mechanisms and harmonized standards for cloud compliance.
• Lack of an EU-wide certification scheme for sovereign cloud services: the absence of such a certification scheme creates legal uncertainty and limits the ability of customers to assess EU sovereignty guarantees. Addressing this shortfall is essential to accelerate the adoption of European cloud infrastructure and to foster a thriving “cloud BY Europe” ecosystem. The EUCS High+ criteria can serve as strong inspiration in this regard. The assessment could be based on:
  o The location of the provider’s head office and central administration within the EU.
  o The place where key operational and management decisions are made.
  o The service provider is not controlled, even jointly, by non-EU stakeholders.
  This approach would help ensure that security and compliance functions align with the underlying sovereignty objectives. Additionally, consideration should be given to whether non-EU actors could, through other means e.g., specific restrictions, impede the provision or quality of the service. In other words, the criteria, subject to refinement, should guarantee immunity from non-EU extraterritorial reach, both regarding undue access to data and potential disruption of service.
• Absence of sovereign criteria for public procurement: this shortfall not only exposes public administrations to significant risks but also hampers the development of “cloud BY Europe” services, which are increasingly essential for highly critical industrial use cases. Therefore, sovereignty criteria for public procurement should be established at the EU level, proportionate to the sensitivity of the data involved. Importantly, these criteria should encompass all aspects of sovereignty outlined above to prevent non-EU extraterritorial disruption or data access. Accordingly, these criteria should be similar to the EUCS High+ requirements described earlier.
  In addition, the absence of certification criteria, similar to the EUCS High+, for a sovereign cloud for all other use cases in industry and services, particularly regarding collaborative engineering for defence programs, is equally a barrier to European collaborative initiatives and enterprises.
• No unified EU body to certify cloud technologies for restricted defence data: each Member State currently operates its own national cybersecurity authority (e.g., ANSSI in France, CCN in Spain, BSI in Germany, UCSE in Italy). However, there is no pan-European mechanism to jointly assess or certify IT products, particularly cloud services, for use with EU or nationally restricted data.
• Cloud incompatibility with high-level national classifications: more sensitive classifications, such as “Secret Défense” or “Très Secret Défense” in France, are explicitly incompatible with current commercial cloud offerings or connected AI systems. At present, no technological solution exists that fully meets national-level security requirements for handling such data in the cloud.

Proliferation of national caveats (e.g., “Eyes Only”): country-specific access restrictions, such as “German Eyes Only” or “Italian Eyes Only”, further fragment the landscape. Currently, there are no agreed-upon mechanisms or trusted infrastructure to enforce and respect these caveats within multi-national, cloud-based environments.

Conclusion

The Cloud and AI Development Act represents a strategic opportunity for the European Union to address critical gaps in digital infrastructure and strengthen its technological sovereignty, particularly in high-stakes sectors such as defence and security. ASD strongly supports the ambition of the AI Continent Action Plan and calls for the Act to incorporate the sector-specific requirements outlined in this paper.