Brussels Just Gave Itself the Power to Override Private Contracts

On May 27, 2026, the European Commission presented its Tech Sovereignty Package, a legislative bundle that includes two draft laws: the Cloud and AI Development Act, and a revised Chips Act 2.0. Both are scheduled for formal publication on June 3. Together, they represent the most aggressive assertion of European regulatory authority over private technology markets since the General Data Protection Regulation took effect in 2018. The reaction from the technology industry, from Washington, and from legal scholars has been, in the precise sense of the word, controversial.

The package does two things that no European regulatory initiative has explicitly done before. First, it proposes to give the European Commission the legal power to force semiconductor manufacturers to abandon existing private supply contracts and redirect their output to buyers the Commission designates as crisis-critical. Second, it proposes to restrict Microsoft, Amazon Web Services, and Google Cloud from processing sensitive government data across all 27 EU member states, affecting a market these three providers currently dominate with a combined share of approximately 70 percent of Europe's cloud infrastructure.

Both proposals are still subject to change ahead of the June 3 publication. Both require approval from all 27 member states before becoming law. Neither is a done deal. But the direction of travel they represent, an EU that is explicitly prepared to override private contracts, restrict foreign technology providers from public sector markets, and assert direct state control over industrial supply chains, is a strategic posture with implications that extend well beyond European borders and well beyond the technology sector.

The Chips Act Clause That Has Never Existed Before

The revised Chips Act 2.0 contains a provision that, according to a draft seen by the Financial Times, would allow the European Commission to, in the event of a declared semiconductor shortage, force semiconductor manufacturers to prioritize orders for crisis-critical products, overriding existing contracts. The Commission could also impose fines of up to €300,000 on companies that fail to provide requested information about their supply chain capacity. A separate provision enables the Commission to conduct common purchasing of chips on behalf of member states, effectively creating a European state buyer that can compete with and override private procurement at scale.

The legal controversy this creates is direct and unambiguous. Private supply contracts are the foundation of commercial relationships across every sector of the global economy. A manufacturer that signs a multi-year supply agreement with a customer is making an enforceable legal commitment. The Chips Act 2.0 proposal, if enacted, would give a government body the authority to unilaterally nullify that commitment during a crisis it defines and declares. The company that had counted on receiving those chips, the customer whose contract is being honored, would have no recourse.

The target of this provision is not abstract. Europe makes under 10 percent of the world's chips. Taiwan supplies more than 90 percent of the advanced semiconductors that European manufacturers, defence contractors, medical device producers, and digital infrastructure operators depend on. The EU's explicit concern, stated in the draft legislation and confirmed by Reuters and TASS, is that semiconductors have become a potential tool of economic coercion in a world where US-China tensions are creating supply chain fragility that Europe cannot control. The Dutch government's 2025 forced acquisition of chipmaker Nexperia from its Chinese owner was cited by multiple analysts as the clearest precedent for the kind of intervention the new law would systematize.

The Cloud Ban That Is Not Quite a Ban

The Cloud and AI Development Act component of the package is more nuanced than the Chips Act provision, but its commercial consequences are potentially larger. According to CNBC, which first reported the package in early May, the proposal would restrict EU member governments from using US cloud providers to process sensitive public sector data across defined categories including healthcare, financial systems, and judicial records. The restriction does not constitute an outright ban on US providers from European government markets. Private companies remain free to use whichever cloud provider they choose. But for the public sector contracts that represent some of the most stable, long-duration revenue in the cloud market, the restriction would effectively require that governments replace their existing AWS, Azure, and Google Cloud infrastructure with providers subject exclusively to European legal jurisdiction.

The specific legal mechanism driving the restriction is the US CLOUD Act of 2018, which grants American law enforcement the authority to compel US-based technology companies to produce data they hold, regardless of where that data is physically stored. European data residency guarantees, including Microsoft's European sovereign cloud, Amazon's AWS European Sovereign Cloud, and Google Cloud's sovereign solutions, cannot neutralise this structural problem because the parent companies remain subject to US law. EU officials quoted in the CNBC report described this as precisely the vulnerability they are legislating against. One Commission official said explicitly: the core idea is defining sectors that have to be hosted on European cloud capacity.

The timing of the May 27 presentation was not accidental. On May 17, a contractor for the United States Cybersecurity and Infrastructure Security Agency was found to have left the access credentials for America's most sensitive government cloud accounts exposed on the open internet for six months. The Brussels announcement came ten days later. EU officials, as reported by TechTimes, did not need to explain the juxtaposition.

What Microsoft, Amazon, and Google Stand to Lose

The three US hyperscalers currently control approximately 70 percent of Europe's cloud infrastructure market. European governments, healthcare systems, judicial bodies, and financial regulators have built critical digital infrastructure on these platforms over the past two decades. The total value of affected public sector contracts, if the CADA restrictions are enacted and enforced, has not been officially quantified. Industry analysts cited by TechRadar described the potential displacement as tens of billions of euros in contract value, spread across all 27 member states, over a transition timeline that has not yet been defined.

The stock market implications are real but contested. Microsoft Azure, AWS, and Google Cloud do not break out European government revenue as a separate line item in their public reporting. But the EU public sector market is a significant and strategically important component of each company's enterprise cloud business, representing not just direct revenue but the reference credibility that drives commercial sector adoption. A European government that has migrated its healthcare data to a European sovereign cloud is a powerful signal to private sector enterprises in that country that the US hyperscalers' credibility in the market has been structurally compromised.

The hyperscalers' response has been to accelerate investment in European sovereign cloud offerings rather than challenge the legislation directly. Microsoft has launched its Cloud for Sovereignty product. Amazon has its AWS European Sovereign Cloud. Google Cloud offers sovereign and air-gapped solutions. But as the EU official's comment makes explicit, these products do not resolve the underlying problem: as long as the parent company is headquartered in the United States and subject to US law, no contractual arrangement or data residency guarantee can prevent the US CLOUD Act from applying.

European data residency does not solve the CLOUD Act problem. The parent company is still American. That is the precise vulnerability Brussels is legislating against.

The Geopolitical Reading That Markets Are Missing

The conventional reading of the EU Tech Sovereignty Package is that it is a defensive measure: Europe protecting itself from external coercion by building domestic alternatives. That reading is accurate but incomplete. The more commercially significant reading is that Europe is signaling its willingness to deploy its regulatory authority as an offensive geopolitical instrument, in the same way the US has deployed export controls on semiconductors, the CLOUD Act on data, and tariffs on manufactured goods.

The Chips Act 2.0 provision that allows the Commission to override private supply contracts is not defensive. It is a legal mechanism that gives Brussels the ability to direct global chip supply flows during a crisis it defines. That power, once codified in law, does not disappear after the crisis ends. It creates a permanent legal instrument for state intervention in private commercial relationships across one of the world's largest economic blocs. TSMC, Samsung, SK Hynix, and Intel all have exposure to the European market. The legal question of what happens to their existing customer contracts in a declared European semiconductor emergency is now a live commercial risk for every company in that supply chain.

The China dimension compounds the controversy. The package also includes new restrictions on Chinese semiconductor imports, according to Confluence Investment Management's May 29 daily comment. China has already responded, with the Chinese government publicly warning of a response and describing the EU's measures as cherry-picking to justify trade curbs, according to The Business Times. The EU is simultaneously restricting American cloud providers, reserving the right to override chipmaker contracts, and tightening restrictions on Chinese semiconductor imports. It is managing three separate geopolitical technology relationships with escalatory measures on all three fronts at the same time.

The Legal and Investment Risk That Is Currently Unpriced

The package faces a significant legislative path before any provision becomes enforceable law. The Commission presented the drafts on May 27. They will be formally published on June 3. They then require review, amendment, and approval from the European Parliament and the Council of the EU, which represents all 27 member state governments. The process typically takes 12 to 24 months for complex legislation of this scope. Member states with significant US technology industry presence, notably Ireland, which hosts European headquarters for Apple, Google, Microsoft, and Meta, have potential incentives to moderate the most aggressive provisions.

But the investment risk does not begin when the law is passed. It begins now, as every company that currently holds or is bidding for European public sector cloud contracts must include the possibility of this legislation in its risk modelling. Every chipmaker that has existing or planned supply agreements with European customers must now assess the contractual enforceability of those agreements under a legal regime that may grant Brussels the authority to redirect their output. Every investor in Microsoft, Amazon, Google, TSMC, Samsung, or SK Hynix is now holding an asset whose revenue profile includes a European regulatory risk that did not formally exist on May 26, 2026.

The market has not fully priced this. The May 27 presentation landed in a week dominated by the US-Iran ceasefire MOU news, which drove the most attention in energy and macro markets. The EU package received coverage in technology media and trade press but has not yet produced the equity market reaction that its potential commercial consequences would justify. That gap between the significance of the legislative development and its current market pricing is the specific and live opportunity that the most analytically sophisticated investors in European and Asian technology markets are currently assessing.

What Operators Need to Know Before June 3

The formal publication of the Cloud and AI Development Act and Chips Act 2.0 on June 3 will be the first moment at which the specific legal text of the provisions is publicly available in final pre-legislative form. Until that publication, the package exists as a draft seen by the Financial Times and described by Commission officials to CNBC. On June 3, the market will have the actual text. The distance between the draft language reported this week and the published version on June 3 will itself be a market signal: a softened chips override provision would suggest member state pushback has already moderated the most aggressive measures; an unchanged or strengthened text would confirm that Brussels is prepared to move forward with the full scope of the regulatory assertion that the draft describes.

For financial brands operating across Europe and Asia, the EU Tech Sovereignty Package is not a Brussels-specific story. It is a structural shift in the rules governing the technology supply chains, cloud infrastructure contracts, and semiconductor allocation mechanisms that underpin every financial institution, every digital bank, every fintech platform, and every regulated broker operating in the European market. The question of which cloud your compliance data sits on, who can legally access it, and what happens to your chip supply agreements in a declared emergency are not abstract legal questions. They are operational and financial risk questions that the June 3 publication will sharpen considerably.