\
    July 15, 2026

    How EU and UK Regulatory Complexity Is Reshaping Cloud Strategy

    SEL_07.13.26_EMEA Blog_v1_Web Banner

    By Yass Sumitomo, General Manager, Sumitomo Electric Europe

    Land and power alone no longer determined where new data centres can be built.

    Gone are the days when factors like available land and power alone determined where new data centres could be built. Across the European Union and United Kingdom, regulatory architecture for data is rapidly becoming one of the most consequential forces shaping where digital infrastructure investments are made.

    Gartner forecasts that sovereign cloud infrastructure spending in Europe will nearly double in 2026, from $6.9 billion to $12.6 billion (USD) – ranking it among the fastest-growing regions globally. Europe is expected to surpass North America in sovereign cloud investment by 2027. For data centre operators across the region, this regulatory architecture is becoming a direct specification for locally controlled physical infrastructure.

     

    A Complex Regulatory Stack

    Treating data protection as one rulebook is now out of the question. What has evolved across the EU is a layered, sector-specific stack, with each layer adding its own demands. General Data Protection Regulation (GDPR) set the baseline. Digital Operational Resilience Act (DORA) added obligations for financial services and their technology suppliers to withstand and recover from IT disruptions. Network and Information Security Directive 2 (NIS2) extended cybersecurity duties, with management-level accountability across energy, healthcare, transport, and digital infrastructure. The EU Data Act reshaped who controls data and how easily it can move between providers. And the EU AI Act brings high-risk AI systems under EU jurisdiction as it comes into full application.

    The newest addition to the EU stack is the most direct. In June 2026, the European Commission proposed the Cloud and AI Development Act (CADA), which sets out to triple the EU's data centre capacity over the next five to seven years and introduces a four-level sovereignty assessment framework. While it is a proposal and not yet law, if CADA is enacted as proposed, it could effectively reserve the most sensitive public-sector workloads for EU-based providers by design.

    Meanwhile, the UK, now outside the EU framework, is building its own version of this stack, which is parallel in intent but increasingly divergent in detail. We will return to what that divergence means, because for any operator working across both markets it is becoming one of the defining planning challenges.

    At their core, these regulations share a common thread: for public-sector and critical-industry workloads, sensitive data is expected to remain within defined borders, under EU- and UK-based jurisdiction, on infrastructure whose location and operation can be verified. The verification is crucial, extending sovereignty from a compliance question to a matter of where the infrastructure physically sits and who controls it. That is where regulation meets the physical network.

     

    The Sovereign Cloud Dilemma

    The tension at the heart of the matter is that US-based hyperscalers such as AWS, Microsoft Azure, and Google Cloud command roughly 70% of the European cloud market, with European providers collectively holding around 15%. Though they are deeply embedded, technically excellent, and trusted by enterprises across the region, US companies remain subject to the US CLOUD Act, which can compel access to data regardless of where in the world it is physically stored.

    European regulators have valid concerns about that tension. In mid-2025, a senior Microsoft legal executive, appearing under oath before the French Senate, was unable to guarantee that French citizens' data would never be passed to US authorities. The moment crystallised a worry that had been building for years, and it has accelerated real movement towards locally controlled infrastructure. This is a global shift; worldwide sovereign cloud spending is forecast to reach $80 billion in 2026, but the fastest growth is in markets emphasising sovereignty. Gartner expects "geopatriation" to shift 20% of current workloads from global to local cloud providers.

    The hyperscalers are responding. Early this year, AWS launched its European Sovereign Cloud from Brandenburg, Germany, a physically and logically separate environment operated by EU residents. Microsoft has built out its EU Data Boundary and partnered on national "sovereign" clouds such as Bleu in France and Delos in Germany. Google's S3NS venture in France achieved SecNumCloud qualification at the end of 2025. While these are serious investments, it remains up for debate whether they amount to full sovereignty beyond the reach of foreign jurisdiction.

    What remains indisputable is the market signal these developments send. In April 2026, the EU itself awarded a sovereign cloud contract worth up to €180 million to four European providers – the first procurement to apply explicit sovereignty criteria to cloud services. When the EU's own institutions buy this way, it tells every operator in the market which way the wind is blowing. Sovereignty is becoming a true procurement requirement.

     

    Same Forces, Different Settlement in the UK

    The same forces are at work in the UK, but they are producing a deliberately different settlement. Since Brexit, the UK has operated its own framework – UK GDPR, the Data Protection Act 2018, and now the Data (Use and Access) Act 2025, whose main provisions took effect in February 2026. That Act has begun to introduce genuine divergence from EU GDPR, from how legitimate interests are treated to the structure of the regulator itself.

    The EU renewed its adequacy decision for the UK in December 2025, valid until 2031, with a review built in after four years. The arrangement keeps data flowing freely for now, but it is not a permanent settlement. And because the UK sits outside CADA, the EU AI Act, and NIS2, a UK-based operator serving EU customers is treated as a third-country provider, which adds friction, paperwork, and a layer of uncertainty, especially regarding the future of the adequacy decision.

    For anyone planning infrastructure that spans both markets, the practical takeaway is that two regimes must be satisfied at once, and the gap between them is widening, not closing. This regulatory environment favours physical infrastructure plans designed to satisfy both.

     

    Impacts at the Physical Layer

    One might be tempted to read data sovereignty as a story about cloud contracts and legal teams, but every one of these regulations is, ultimately, a statement about where data physically resides and how its journey can be proven. Verifiable data localisation requires infrastructure that is located, operated, and connected within defined borders – colocation facilities on European and UK soil, carrier-neutral interconnection under European and UK control, and the fibre that ties it all together.

    In that sense, each new layer of regulation is also a specification for more locally controlled physical facilities. Sovereignty is delivered in concrete, in conduit, and in glass – in the trusted, high-capacity optical infrastructure that connects sovereign facilities to one another and to the users they serve.

    At Sumitomo Electric, we are often among the first to observe these shifts, at the level of what gets specified and where. As regulation drives more compute onto EU- and UK-based infrastructure, demand for the reliable, high-density fibre connecting those facilities follows in lockstep.

    That is the layer we work at, and the conversation we want to be part of: helping carriers and operators understand what sovereign-grade physical infrastructure actually requires, and working together on end-to-end solutions that can support it.

    Connect with us to start a conversation about your infrastructure plans. For more Next Generation Thinking™, follow us on LinkedIn and YouTube.

     

     

     

    1657294616206

    About the author: Yasunori "Yass"is currently serving as general manager for Sumitomo Electric Europe. He has spent his career driving global strategies in core markets like fibre optics including data centres, submarine fibre and emerging hydrogen infrastructure.

     

     

     

     

    Tag(s): Featured , Data Center , AI