In relation to European sovereignty, the CLOUD AI Act is frequently mentioned. To clear up any misunderstandings, here is an in-depth analysis.
The “CLOUD AI Act” haunts the debate on European digital sovereignty. But what is really behind it? A failed U.S. bill against Chinese cloud access to AI chips—and an actual law that causes entirely different conflicts.
When people in Brussels or Berlin talk about the “CLOUD AI Act,” fears of U.S. overreach often come into play. But the reality is more complicated: Not only is there confusion between two completely different U.S. laws, but there is also a failed bill that has since been replaced by a stronger successor. It’s time to untangle this—and take a look at how Europe is responding.
There are not only two different U.S. laws with similar acronyms, but also a failed bill that has since been resurrected in a new form. Time to untangle the facts.
First, the good news for everyone who was expecting dramatic court rulings or EU lawsuits: The CLOUD AI Act (H.R. 4683) from 2023 was never passed. It got stuck in committee and died a quiet death with the end of the 118th Congress in January 2025. No fines, no lawsuits, no legal effect. The bill, introduced on a bipartisan basis by Democrats and Republicans led by Congressmen Jeff Jackson and Mike Lawler, targeted a specific security vulnerability: Chinese actors were circumventing U.S. export controls on advanced AI chips by accessing them remotely via cloud services.
The bill sought to prohibit exactly that—U.S. persons and their foreign subsidiaries would no longer be allowed to provide support to Chinese or Macanese entities for remote access to certain high-performance chips (Export Control Classification Numbers 3A090 and 4A090). The Department of Commerce was supposed to issue strict regulations. Instead, the Biden administration simply closed the loophole in 2023 via an executive order issued by the Bureau of Industry and Security (BIS).
The actual CLOUD Act of 2018, on the other hand, is a federal law in force. It arose from the famous Microsoft-Ireland case and does two things. First, it clarifies that U.S. law enforcement agencies can compel U.S. technology companies to provide data based on a U.S. court order, even if that data is stored on servers outside the U.S. Second, it establishes a framework for law enforcement agencies outside the U.S. to request data directly from U.S. technology companies via bilateral executive agreements. So far, such agreements exist with the United Kingdom and Australia.
This is where the real point of friction with Europe lies: The CLOUD Act clashes head-on with the GDPR. European data protection advocates view U.S. cloud providers as a systemic risk because U.S. authorities could theoretically demand access at any time—regardless of where the data is physically stored. The Schrems II ruling by the European Court of Justice (ECJ) in 2020, initiated by Austrian data protection activist Max Schrems, made precisely this conflict the central argument against the Privacy Shield.
The Direct Successor: Remote Access Security Act (2026)
The spirit of the CLOUD AI Act, however, is by no means dead. The House of Representatives passed the Remote Access Security Act in January 2026 with an overwhelming bipartisan majority of 369 to 22 votes. This is the direct legislative successor to the CLOUD AI Act.
The law modernizes the Export Control Reform Act by expanding federal authority to restrict foreign adversaries’ remote access to technologies—including AI chips—via cloud computing services. It clarifies that cloud computing is subject to U.S. export control law just as physical chips are.
The primary sponsor was Congressman Mike Lawler (R-NY)—the same lawmaker who had co-sponsored the original CLOUD AI Act in 2023.
Why so much pressure now?
The political context had become drastically more tense compared to 2023: Chinese companies facing export controls on high-performance Nvidia GPUs have been gaining access via platforms like Amazon Web Services since at least 2023. Chinese cloud providers such as Alibaba and Tencent are said to have enabled customers in China to access export-controlled GPUs by renting cloud hardware hosted outside of China.
Parallel developments at the executive level (BIS)
While Congress was taking action, the executive branch was also acting—albeit in a contradictory manner: A new BIS rule represents a significant departure from the previous practice that remote access to cloud services did not constitute an “export” in the absence of other factors—possibly a harbinger of a fundamental reevaluation of this policy in light of criticism from Congress.
At the same time, the Trump administration relaxed controls elsewhere: In August 2025, President Trump announced that he would grant Nvidia export licenses to sell H20 chips to China—on the condition that the company remit 15 percent of its revenue from these sales to the U.S. government. In December 2025, the model was expanded to H200 chips at 25 percent.
Other pending legislative initiatives (119th Congress)
Several other bills are pending in the 119th Congress: The GAIN AI Act would give U.S. companies priority in acquiring advanced AI chips over exports to China. The STRIDE Act would require the State Department to work with partner countries to strengthen their semiconductor export controls. The AI Overwatch Act would mandate congressional review of export licenses for advanced AI chips to China.
Increasing enforcement capacity
Congress recently approved a 23 percent increase in the BIS budget for fiscal year 2026, with several members explicitly signaling bipartisan support for stronger export control enforcement and several million dollars earmarked specifically for semiconductor-related enforcement measures.
Europe’s Response: Sovereignty in Question
In Europe, the response to U.S. legislation has been less about protests and more about developing its own industrial and regulatory policies. However, the conflict with the CLOUD Act of 2018 persists and is evident in every data protection impact assessment.
European Reception of the CLOUD AI Act and the Remote Access Security Act
The European response to this U.S. legislation cannot be viewed in isolation: it is part of a profound geopolitical reassessment of Europe’s digital dependence on American technology conglomerates—accelerated by Trump, the Chinese open-source offering DeepSeek, and growing semiconductor nationalism.
- The CLOUD AI Act (2023): Hardly Any Direct Resonance
The failed CLOUD AI Act of 2023 received hardly any independent attention in Europe. Its subject matter—China-specific AI chip export controls—affected European companies only indirectly as potential cloud providers selling computing time to Chinese customers. At that time, the broader European debate was still centered on the CLOUD Act of 2018 and its conflicts with the GDPR.
- The Remote Access Security Act (2026): Direct Compliance Implications for EU Companies
The Remote Access Security Act would expand the regulation of remote access to controlled goods—including advanced AI chips—via network connections such as cloud computing services. Specifically, cloud providers and “GPU rental” intermediaries would have to meet stricter compliance obligations regarding customer verification, apply for licenses, and restrict remote access to controlled accelerators.
For European data centers and cloud providers, this means: Anyone operating U.S. AI chips (Nvidia H100, H200, etc.) and granting cloud access to Chinese customers—even indirectly—will in the future be subject to U.S. export control laws. In January 2026, the BIS already agreed to a $1.5 million settlement with a European company over the unlawful transfer of semiconductor manufacturing goods to a factory on the Entity List via a Chinese subsidiary.
- The Structural CLOUD Act Dilemma: GDPR vs. U.S. Law
At the same time, the 2018 CLOUD Act remains the most persistent source of friction between Europe and the U.S.:
The core of the problem lies in a direct and irreconcilable legal conflict: The U.S. CLOUD Act allows American authorities to compel U.S. technology companies to hand over data, regardless of where it is stored—which directly conflicts with Europe’s GDPR.
The conflict between the CLOUD Act and European data protection law becomes a practical obstacle due to Article 35 of the GDPR, which requires a data protection impact assessment before deploying technologies that pose a high risk to natural persons. For US hyperscaler services, these assessments regularly identify the CLOUD Act as a significant, often unacceptable risk.
A specific incident illustrates the gravity of the situation: In November 2025, the American IT company Kyndryl announced its intention to acquire the Dutch cloud provider Solvinity. This came as an “unpleasant surprise” to several government clients, including the City of Amsterdam and the Dutch Ministry of Justice, which had explicitly chosen Solvinity to reduce their dependence on American companies and mitigate CLOUD Act risks.
- Europe’s Strategic Response: The Digital Sovereignty Movement
The EU is responding not primarily with diplomatic protests, but with a comprehensive legislative and industrial policy counterstrategy.
The Cloud and AI Development Act (CADA) — Europe’s Direct Counterproposal
The proposed EU Cloud and AI Development Act aims to strengthen Europe’s leadership in cloud computing and AI by creating a robust regulatory framework for high-performance computing resources and digital infrastructure—while securing Europe’s technological sovereignty.
The CADA will seek to close Europe’s gap in the cloud and AI sectors by promoting new data centers and is intended to introduce EU-wide licensing requirements for cloud service providers as well as harmonized procurement procedures—in a way that could restrict the participation of non-European companies.
The EU Council has explicitly introduced security safeguards for the participation of third countries: high-risk providers—an implicit reference to Huawei and ZTE—will not be allowed to participate in EU-funded projects.
The EuroStack Concept
In Europe, 52 percent of companies were in the cloud by 2024, and the European Commission aims to increase this share to 75 percent by 2030. Cloud infrastructure is a core component for essential government functions, ranging from e-government to the conduct of military operations.
In March 2025, leading European technology companies and industry associations called on the European Commission to take “radical measures” to build a sovereign digital infrastructure. At the center is the “EuroStack” concept: an integrated European technology layer architecture encompassing semiconductors, cloud systems, operating systems, and digital identity. According to a Bertelsmann Foundation study, the transformation could take a decade and require up to 300 billion euros by 2035.
The Cybersecurity Act 2 (CSA2)
On January 20, 2026, the European Commission published a proposal to update the Cybersecurity Act. It would introduce, for the first time, a horizontal EU framework for ICT supply chain security, which could have significant implications for organizations that procure components from suppliers in high-risk jurisdictions. Violations can be punished with fines of up to 7 percent of global annual turnover.
The Dilemma Between Claims of Sovereignty and Reality
The most honest analysis comes from a critical insider’s perspective: Member states tout “sovereignty” yet act bilaterally. France advocates for European cloud sovereignty, yet simultaneously builds “Bleu” (Microsoft + Orange + Capgemini) and “S3NS” (Google + Thales)—joint ventures that embed U.S. hyperscaler technology into French legal structures. Germany is doing the same with “Delos” (Microsoft + SAP).
Conclusion: More Than Just a Case of Confusion
The “CLOUD AI Act” is, above all, one thing: a lesson in the risk of confusion and geopolitical realpolitik. The failed 2023 draft has no direct consequences for Europe, but its core concern certainly does—via the Remote Access Security Act. The real long-running issue remains the 2018 CLOUD Act with its GDPR conflicts.
Europe is trying to catch up with regulation and billions in investments. Whether that will be enough to achieve true sovereignty remains to be seen. Dependence on American technology runs deep, the Chinese challenge is real, and the political will is strong—but not yet sufficiently backed by capital.
Anyone who wants to have a say in the debate should therefore take a close look: Which “CLOUD” law is actually being referred to? And above all: How much sovereignty is even feasible in a connected world?

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de