Introduction

Cloud regulation is no longer limited to questions of data protection and cybersecurity. Increasingly, governments are also examining who controls the infrastructure on which data is stored, processed, and accessed. Reflecting this shift, the European Commission proposed the Cloud and AI Development Act on 3 June 2026, a legislative initiative aimed at strengthening the European Union’s technological sovereignty and reducing its dependence on foreign cloud service providers.

The proposal seeks to establish a framework for evaluating the security, reliability, and trustworthiness of cloud providers, particularly those servicing public-sector functions. While the Act is still under consideration within the EU, its implications extend beyond Europe. By focusing on issues such as infrastructure ownership, foreign governmental access, and service continuity, the proposal raises broader questions that are increasingly relevant for jurisdictions like India. As India continues to expand its digital economy and cloud-dependent infrastructure, the debate is no longer confined to how data is protected, but also who ultimately controls the systems on which that data resides.

Cloud Sovereignty: Understanding the Act’s Proposals

The EU’s concern is simple: more than 70% of cloud infrastructure used in Europe is now owned by three large cloud companies that are not based in Europe, and European cloud providers’ share of their own home market dropped significantly, from 29% in 2017 to just 15% in 2022, and has not recovered since. The EU considers this dependency on a limited number of foreign suppliers to be a threat, especially for government and public sector data.

The Act introduces a four-tier rating system, called Union Assurance Levels:

  • Level 1: Entry-level. The provider self-certifies compliance.
  • Level 2: Needs an independent third-party audit and extra protection.
  • Level 3: Needs more stringent protection and external monitoring.
  • Level 4: The highest level, for the most sensitive public-sector functions.

These ratings are not advisory. Once a government department decides on its desired level, it is legally obligated to only purchase cloud services from providers recognised at that level. If an existing provider is not compliant, the department shall transition to a compliant provider within 12 months.

Importantly for providers outside the EU, Level 3 recognition depends on the provider’s home country satisfying certain reciprocity requirements: the home country must not have the power to force disruption of the provider’s services, must keep its own market open to EU cloud providers, must not restrict EU providers’ access to advanced technology, and must grant equivalent access to its public procurement processes. Providers in countries that do not meet these conditions will not be able to get the higher levels of trust, no matter how secure they are.

The EU & India FTA: The Complication

The negotiations for the EU-India Free Trade Agreement (FTA) ended on 27 January 2026 after almost 20 years of talks, and the agreement features a specific Digital Trade chapter. That chapter seeks to create a secure and predictable digital trade landscape, safeguards businesses against forced disclosure of source code, and strengthens EU-India collaboration on the digital economy. It also expressly leaves each side free to regulate to ensure privacy, security and public policy.

The final exception is the one to keep an eye on. The FTA’s digital trade chapter is based on mutual non-discrimination and regulatory cooperation, but the Cloud and AI Development Act, which is being enacted at the same time, provides a mechanism for the EU to formally designate foreign providers (and, by extension, the legal regimes under which they operate) as “third-country access risks.”

India’s Position: The Cloud Sovereignty Framework

Personal data is collected, processed and protected in accordance with the provisions of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the respective DPDP Rules, 2025. They do not consider the infrastructure on which the data is stored and processed, who owns the servers, what legal access a foreign government may have to the infrastructure, or how a sudden disruption of service should be dealt with.

This gap is not without consequences.

First, there is no statutory obligation to consider the sovereignty-related risk in public procurement in India as yet, whereas the EU’s proposed requirement is that before public procurement, member states should have a formal evaluation of the access risk, public-order risk, and service continuity risk posed by the cloud service.

Second, the banking and NBFC sector, which already has compliance challenges under the DPDP Act on bundled consent, conflicts between KYC retention and erasure obligations, and multi-regulator breach notification, does not have any similar requirement to evaluate if their cloud vendors themselves pose a systemic dependency risk.

Third, India is rapidly investing in data centres and AI infrastructure without any legal framework to address the EU’s underlying concern: the impact of a foreign government restricting access to, compelling disclosure from, or otherwise interfering with the infrastructure that hosts Indian data.

AMLEGALS Remarks

The Cloud and AI Development Act is currently a proposal from the EU and not yet a law. But its core principle, the law of the jurisdiction where the cloud provider is located, should be considered long before the Act is finalised. Instead of treating vendor- and infrastructure-level risk as a separate compliance issue, Indian businesses using cloud infrastructure, especially in regulated industries such as banking, financial services, and healthcare, should view it as a compliance risk that must be addressed alongside personal data compliance under the DPDP Act.

For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com or Khilansha.mukhija@amlegals.com
