The Number That Should Keep Every European CTO Awake

How drone strikes, stablecoin consortiums, and a proposed Cloud Act are converging into Europe’s most aggressive push for digital independence

The Bitter Apple

Eighty-five percent. That’s the share of Europe’s cloud infrastructure market controlled by American hyperscalers — AWS, Microsoft, and Google. European providers collectively hold just 15%, down from 29% in 2017. Two-thirds of euro area card transactions are processed by non-European schemes. The EU hosts roughly 5% of the world’s AI compute capacity compared to 75% for the United States.

These numbers were uncomfortable before March 1, 2026. After March 1, they became existential.

On that date, Iranian drones struck three AWS data centers across the UAE and Bahrain — the first military attack on a major cloud provider in history. Two of three Availability Zones in the UAE region were significantly impaired. Over 100 AWS services went down. Financial institutions, fintech platforms, and AI services experienced cascading failures that took weeks to fully resolve.

Europe’s digital economy didn’t burn that day. But it watched its landlord’s building catch fire and realized it had no other place to live.

When 85% of your digital infrastructure is controlled by companies headquartered in a country that just launched a war in the Gulf, “sovereign cloud” stops being a policy talking point and starts being an operational emergency.

The Dependency Map: Three Numbers That Define Europe’s Exposure

Enterprise architects love dependency maps. Here’s Europe’s — and it’s not pretty.

Domain	Dependency	What It Means
Cloud Infrastructure	85% non-EU	AWS, Azure, Google control the compute layer. European providers hold 15% and shrinking. US CLOUD Act applies regardless of data location.
Payments Processing	~65% non-EU	Visa and Mastercard process nearly two-thirds of euro area card transactions. 13 countries depend entirely on international schemes for in-store payments.
AI Compute	~5% EU share	The US holds 75% of global AI compute. Private AI investment in the US exceeds €100B vs €7B for the entire EU — a 15-to-1 gap.
Enterprise Software	>80% non-EU	Microsoft 365 alone has 450M business subscribers. When the ICC’s prosecutor was US-sanctioned, he lost access to Outlook. That’s the dependency in action.

Synergy Research Group’s chief analyst put it bluntly: with US providers investing roughly €10 billion every quarter in European data center capacity, European competitors face what he called an impossible hill to climb. The gap isn’t closing. It’s accelerating.

The Wake-Up Call: When Drones Hit the Cloud

The AWS Gulf strikes weren’t a theoretical risk scenario from a Gartner report. They were Shahed drones hitting physical servers. AWS confirmed structural damage, power disruption, and fire suppression activation across multiple facilities. Recovery stretched for weeks. A second Bahrain strike followed on March 24.

For European enterprise architects, the implications cut deep. Multi-AZ resilience — the foundational assumption of cloud architecture — failed when a regional conflict took out two of three Availability Zones simultaneously. Standard commercial insurance policies exclude acts of war. Force majeure clauses face novel legal testing. And migrating workloads out of affected regions may violate local data localization laws.

The political response was swift. The European Parliament voted 471 to 68 for a resolution calling on Europe to break free from US tech dependency. French President Macron invoked the Anti-Coercion Instrument — which could restrict US cloud providers from government contracts. German Chancellor Merz acknowledged at Munich Security Conference that Europe’s digital dependency was, in his words, self-inflicted.

Meanwhile, the Trump administration named Spotify, SAP, Siemens, and Capgemini as potential retaliation targets. The US imposed travel bans on former EU Commissioner Breton. Apple demanded Brussels scrap the DMA. The transatlantic tech relationship hasn’t been this hostile since Snowden.

Europe’s Triple Response: Cloud, Money, and Rules

What makes Q1 2026 different from a decade of sovereignty rhetoric is that three tracks are converging simultaneously — for the first time, with real money behind them.

Track 1: The Cloud and AI Development Act (CADA)

The EU’s most direct legislative response to cloud dependency. CADA would define sovereign cloud in binding law, mandate that critical use cases (defence, public admin, critical infrastructure) operate on EU-based cloud, and fund tripling EU data center capacity within 5–7 years. Twenty-four European cloud CEOs wrote to the Commission on March 18 calling it a once-in-a-lifetime opportunity, while warning against “sovereignty-washing” by US hyperscalers offering EU-branded subsidiaries.

Gartner projects European sovereign cloud IaaS spending will triple from €6.9 billion in 2025 to €23.1 billion by 2027. AWS’s own European Sovereign Cloud launched in Germany in January 2026 — but it remains wholly owned by Amazon.com Inc., meaning the CLOUD Act still applies.

Track 2: Payment Sovereignty — Qivalis and the Digital Euro

Qivalis — a consortium of 12 major European banks including BBVA, BNP Paribas, ING, CaixaBank, UniCredit, and Danske Bank — is preparing to launch a MiCA-compliant euro stablecoin in H2 2026. Fully backed 1:1, it targets B2B payments and on-chain settlement without reliance on dollar-backed tokens.

Simultaneously, the ECB’s digital euro project accelerated: the ECB selected OVHcloud — a French sovereign cloud provider — to host its infrastructure. Executive Board member Cipollone has been relentless, warning that payment dependency on non-European schemes represents a systemic risk. The European Parliament voted 438–158 in February supporting both online and offline functionality. A decisive plenary vote is expected May–June 2026.

Track 3: DORA Enforcement Meets Cloud Concentration Risk

DORA is now in active enforcement. In November 2025, the European Supervisory Authorities designated 19 Critical Third-Party Providers — including AWS, Google Cloud, and Microsoft — subjecting them to direct oversight by Lead Overseers with on-site inspection powers. DORA’s ICT concentration risk provisions effectively make single-cloud dependency untenable for any regulated financial institution.

NIS2 transposition, while delayed (only ~20 of 27 member states have adopted primary legislation), is expanding scope to submarine cable operators and digital identity providers. The regulatory scaffold for infrastructure sovereignty is being built — unevenly, but unmistakably.

The Sovereign Infrastructure Readiness Model (SIRM)

For CTOs and CIOs navigating this shift, the question isn’t whether European sovereignty will reshape your architecture. It’s whether you’re ready when it does. The Sovereign Infrastructure Readiness Model provides a structured diagnostic across five domains:

Domain	Key Question	Assessment Trigger
1. Compute Sovereignty	Can your critical workloads run on EU-controlled infrastructure?	Map every production workload to its cloud provider’s ultimate parent jurisdiction. Any critical function on a single non-EU provider = red.
2. Payment Rail Independence	Could your payment processing survive a Visa/Mastercard disruption?	Audit what percentage of transactions depend on non-EU schemes. Evaluate A2A, SEPA Instant, and stablecoin alternatives.
3. Data Jurisdiction Control	Is your data subject to non-EU legal orders you can’t control?	The EU-US Data Privacy Framework rests on an executive order Trump can revoke. Assess exposure to CLOUD Act and FISA Section 702.
4. Regulatory Alignment	Are you compliant with DORA, NIS2, and ready for CADA?	DORA requires ICT concentration risk assessment. NIS2 mandates supply chain security. CADA may restrict cloud choices for critical functions.
5. Exit Architecture	Can you migrate away from your primary cloud provider within 90 days?	DORA mandates realistic exit strategies. If your answer is “no” or “we’ve never tested it,” your architecture has a single point of geopolitical failure.

Most European enterprises will score red on at least three of five domains. That’s not a failure of management — it’s a reflection of twenty years of architecture decisions made in a world where American cloud dominance was a feature, not a bug. The world changed. Your architecture assessment needs to change with it.

What This Means for Enterprise Architects

Don’t panic-migrate. Do map your exposure. No CTO should rip out AWS tomorrow. But every CTO should know exactly which critical functions are running on non-EU infrastructure, under non-EU legal jurisdiction, with non-EU exit dependencies. The SIRM gives you the structure. DORA already requires it.

Watch CADA like your architecture depends on it — because it will. If CADA passes with reserved procurement for EU sovereign cloud, any enterprise selling to European public sector or critical infrastructure will need an EU-sovereign compute option. Start evaluating now.

Treat payment sovereignty as an architecture variable. Qivalis, the digital euro, and SEPA Instant are creating alternatives to Visa/Mastercard dependency. Enterprise architects who design payment flows assuming card rails are permanent are making the same mistake as those who assumed single-cloud was sufficient before March 1.

Build exit architecture before you need it. The most underinvested capability in European enterprise architecture today is the ability to migrate between cloud providers under pressure. DORA demands it. The AWS strikes proved why. Test your exit strategy the same way you test your disaster recovery — because it is your disaster recovery.

In the digital era, sovereignty isn’t about building walls.

It’s about owning the foundation your enterprise stands on.

About the Author

Paulo Falcão is a Fractional Enterprise Architect, AI Strategist, and Transformation Leader with 25+ years of experience — including 10+ years building high-performance payment applications and 14+ years in enterprise architecture. He operates at the intersection of payments systems, enterprise architecture, AI strategy, and European digital regulation. Based in Romania with deep experience across European markets including Portugal, Paulo helps mid-market organizations navigate complex technology transformations with enterprise-level architectural expertise.

Previous editions: https://drive.google.com/drive/folders/1lFurzmsvFcNhArc-iIKDhy08La6F6vUp

LinkedIn: linkedin.com/in/paulofalcao