On October 31, 2025, the International Criminal Court began moving its files off Microsoft Office. Seven months later, on May 27, 2026, the European Commission is expected to present a Tech Sovereignty Package that would keep public-sector healthcare, financial, and judicial data off U.S. clouds. Those two dates are not separate stories.

CNBC first reported the cloud proposal on May 7, 2026. Computerworld and TechRadar Pro confirmed it days later. The presentation has slipped twice already, from March to April to May 27.

The trigger wasn't the law, it was the email

The 2018 U.S. Cloud Act has been on the books for eight years. Concern over what it lets U.S. law enforcement compel from American companies abroad is older than the proposal. So why now?

Because in 2025, Europe watched a single executive order switch off a European institution. On February 6, 2025, the Trump administration sanctioned ICC Chief Prosecutor Karim Khan over the court's Gaza investigations. Within months, Khan lost access to his Microsoft email account. Microsoft and the ICC publicly disputed who pulled the plug, but Dutch press reported Microsoft had warned the court that Khan had to be cut off or the ICC would lose service.

By that October, the ICC had begun migrating to OpenDesk, an open-source suite built by Germany's centre for digital sovereignty. The Cloud Act stopped being abstract.

The proposal is a carve-out, not an exit

The scope is narrow. Public-sector data in three sectors only: health, finance, and the courts. Private companies are not in scope.

Narrow is not the same as small. CNBC's sources describe a requirement, not a nudge: certain sectors "have to be hosted on European cloud capacity." Health, court, and public financial data are not edge cases in a government's data estate. They are most of what a state knows about its citizens.

The hyperscalers' actual exposure is small

Synergy Research Group's Q1 2026 numbers put AWS at 28% of the global cloud infrastructure market, Microsoft Azure at 21%, and Google Cloud at 14%, roughly two-thirds combined. European pureplay providers, by CNBC's own count, hold about 15% of the EU cloud market.

A carve-out at the sensitive end of government workloads is a small slice of revenue, and a much larger slice of political exposure. If healthcare data leaves the hyperscalers' commercial clouds, what travels next is the precedent.

The workaround was already shipping

Hyperscalers and their European partners have spent two years building offerings calibrated for this kind of rule.

In France, Bleu distributes Azure under Orange and Capgemini operational control, and S3NS, a Google and Thales venture, received its SecNumCloud sovereignty label in late 2025. On January 15, 2026, AWS launched its European Sovereign Cloud in Brandenburg, operated by EU residents only and physically isolated from other AWS regions.

In April 2026, the Commission awarded a €180 million sovereign cloud tender to four provider groups: Post Telecom with OVHcloud, STACKIT, Scaleway, and Proximus with S3NS. The Proximus bid bundles the Google joint venture, and Brussels' own procurement standard already treats it as sovereign enough.

No veto, but no easy passage

The package has not passed. It has not even been introduced. Once the Commission tables it on May 27, the Cloud and AI Development Act moves into the Ordinary Legislative Procedure: co-decision with the European Parliament and a qualified-majority vote in the Council of the EU. No single member state can veto it.

That does not mean it sails through. Seven states (Denmark, Estonia, Greece, Ireland, the Netherlands, Poland, and Sweden) signed a non-paper opposing earlier sovereignty rules, arguing they exclude too many companies and import politics into a technical standard. France, Italy, Spain, and Germany pushed the other way then, and are pushing the other way now. Procedural math favors movement. Political math says haggling.

Why it matters

The Commission is proposing that the most sensitive public-sector data sit on sovereign infrastructure. That infrastructure already exists, built jointly with two of the three companies the rule is reacting to. AWS, the third, beat the policy by four months with its own sovereign region in Germany.

They are not being expelled. They are being repackaged.

Whatever May 27 produces will not return European public data to European-only stacks. It codifies a corporate form: the U.S. hyperscaler running through an EU-controlled joint venture under a sovereignty label, sealed off from American legal reach by contract and certification rather than by code.

That arrangement only holds if the certification holds. The ICC episode is the warning shot underneath all of it. A contract said one thing. An executive order overrode it. The contract bent anyway.

Brussels is drafting a rule that says the next contracts will not bend. Washington, by its own statute, can still demand they do. The unresolved question is which document European institutions believe.

If the data sits on a European server but the parent company answers to American law, what exactly is May 27 protecting?

Originally published as an Instagram carousel on @recul.ai.