Brussels Runs the Risk of Focusing on Superficial Meaning Instead of Practicality in Cloud Acquisition

Brussels Runs the Risk of Focusing on Superficial Meaning Instead of Practicality in Cloud Acquisition

The European Commission is currently in advanced negotiations with cloud providers like OVHcloud to replace Microsoft Azure as the primary provider for EU public sector cloud services[1][3]. This proposal is motivated by concerns regarding digital sovereignty and the perceived dependency on major U.S. tech firms. However, a closer examination of the justification and implications of this move is necessary, particularly in light of existing legal frameworks and international obligations.

Firstly, it is essential to acknowledge that all cloud providers operating within the EU, regardless of origin, must comply with the General Data Protection Regulation (GDPR)[2]. This regulation imposes stringent data protection standards, restricts international data transfers, and enforces robust safeguards for personal data processing. As a result, there is no inherent GDPR-based justification for favouring European providers over non-European ones, provided both meet the regulation’s requirements.

Secondly, the World Trade Organization’s Agreement on Government Procurement (GPA) and EU public procurement law require that public tenders be open, transparent, non-discriminatory, and based on objective criteria such as quality, cost-effectiveness, and technical merit[2][5]. Excluding global providers like Microsoft Azure from public contracts solely due to geographic origin could be seen as discriminatory and may violate both the GPA and EU procurement principles.

Microsoft has invested heavily in EU data center capacity, local partnerships, and security programs (e.g., “Defending Your Data” and the European Security Program), offering legally binding commitments and additional governmental assurances for data protection within the EU[2]. The Commission has not cited specific, evidence-based security grievances against Microsoft Azure—only general sovereignty concerns. Critics argue that the migration away from Microsoft to a European provider is not driven by genuine security risks but by a political desire to reduce dependence on U.S. technology.

Migrating to a European provider may be costly, could deliver inferior technical outcomes, and ignores practical realities of procurement best practices. The move is also seen more as a symbolic gesture toward digital sovereignty than a substantive improvement in security or service quality. Excluding foreign providers without objective justification risks violating international procurement agreements and EU public procurement law, which are designed to ensure fairness and competition.

Without clear evidence of superior security, cost-effectiveness, or technical merit from European alternatives, the Commission’s rationale appears more politically symbolic than legally or technically justified. It is crucial for the Commission to focus on objective metrics like data security, regulatory compliance, cost effectiveness, and operational reliability for procurement decision making. European institutions require reliable, cost-effective technology solutions for public service delivery, and large-scale cloud migrations often exceed initial budgets and timelines. The Commission already enjoys enterprise-grade cloud services that comply with all European data protection requirements.

In conclusion, the European Commission’s plan to replace Microsoft Azure with OVHcloud or another European cloud provider is not sufficiently justified by GDPR compliance, since all providers must meet the same data protection standards regardless of origin. Microsoft’s EU Data Boundary project and security commitments further undercut any unique regulatory justification for the switch. Discriminating against non-European providers could violate WTO GPA and EU procurement principles, which mandate non-discriminatory, value-based procurement. Without clear evidence of superior security, cost-effectiveness, or technical merit from European alternatives, the Commission’s rationale appears more politically symbolic than legally or technically justified.

[1] https://www.reuters.com/business/technology/european-commission-plans-replace-microsoft-azure-european-cloud-provider-2021-09-10/ [2] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12528-Digital-European-Cloud-Infrastructure-and-Services-for-Public-Authorities [3] https://www.bloombergquint.com/onweb/european-commission-plans-to-replace-microsoft-azure-with-european-cloud-provider [4] https://www.dataprotection.ie/docs/GDPR/1623/16/Data-Protection-Regulation-(GDPR)/gdpr-guidance-on-data-protection-and-cloud-services [5] https://ec.europa.eu/growth/single-market/european-single-market/services/public-procurement_en

1. Despite the European Commission's plans to switch from Microsoft Azure to a European cloud provider like OVHcloud, all cloud providers, regardless of their origin, must adhere to the General Data Protection Regulation (GDPR)'s stringent data protection standards.
2. Compliance with the General Data Protection Regulation (GDPR) does not provide a justification for favoring European providers over non-European ones, as long as they meet the regulation’s requirements.
3. The World Trade Organization’s Agreement on Government Procurement (GPA) and EU public procurement law require that public tenders be open, transparent, non-discriminatory, and based on objective criteria such as quality, cost-effectiveness, and technical merit.
4. Excluding global providers like Microsoft Azure from public contracts solely due to geographic origin could be seen as discriminatory and may violate both the GPA and EU procurement principles.
5. Without clear evidence of superior security, cost-effectiveness, or technical merit from European alternatives, the Commission’s rationale for the switch appears more politically symbolic than legally or technically justified.

Read also: