The Compute Chokepoint · Part III · Regulatory Analysis

The Data Sleeps in Europe. The Kill Switch Doesn't.

Julian Gretzinger  ·  July 8, 2026  ·  Substack

Abstract

On 3 June 2026 the European Commission answered the compute chokepoint with law. The Cloud and AI Development Act — CADA, the centerpiece of the Tech Sovereignty Package — grades cloud and AI sovereignty into four Union assurance levels and conditions access to public-sector contracts on them. This part examines what the framework can relocate and what it cannot.

Read against this series' framework, the four levels are, without saying so, a formal taxonomy of two categorically different dependencies: where data lives, and who controls access to capability. CADA can compel the first. The second runs into a wall no procurement rule can move — for a frontier AI provider, genuine European control implies the model weights leaving home, and no rational lab will let them. The Commission's own arithmetic concedes the point: on its estimates, the control plane of Europe's digital infrastructure remains foreign for roughly ninety-nine per cent of in-scope procurement.

The equilibrium is therefore neither sovereignty nor surrender. It is the one critical dependencies always settle into: supplier management — continuity commitments, notice periods, degraded-mode guarantees, hard portability of everything around the model — with the residual sovereign risk carried the way a bank carries exposure to a systemic counterparty it cannot replace. Europe should say so out loud.

A procurement framework can move where the data sleeps. It cannot move who holds the kill switch — and the Commission's own percentages admit it.

Part III of IV — continues from The Compute Bloc, continues in Five Games, One Board

#AI#compute#EU#sovereignty#regulation

I — The Instrument Arrives

Part I of this series located the chokepoint in the metal rather than the model — in the chip, not the code. Part II traced what follows: a manufactured resource sorting nations into those who set the terms of compute and those who take them. Brussels, as it happens, had already supplied the third act. On 3 June 2026 the European Commission published its proposal for the Cloud and AI Development Act — CADA — the centerpiece of its Tech Sovereignty Package.

The mechanism deserves more attention than the press coverage gave it. CADA does not ban anyone. It establishes a cloud sovereignty framework built on four "Union assurance levels" that condition access to public-sector contracts, on the model France pioneered with SecNumCloud. (European Commission, 2026) Level 1 requires an EU entity with data localized in EU infrastructure — a bar the EU-based subsidiaries of the American hyperscalers already clear. Level 2 requires demonstrated independence from third countries and transparency over the software supply chain. Level 3 requires EU ownership and control, with additional criteria extending to personnel citizenship. Level 4 — the "strategic autonomy" tier — demands full control over the software supply chain and no interference from any third country, reserved for the most sensitive workloads.

Member states run the risk assessments; the sensitive sectors track the NIS2 perimeter — energy, health, transport, water — plus defense, border management, and law enforcement. Alongside the levels sits a quieter lever: public tenders must weigh "Union added value" as a non-price criterion, capped in the recitals at roughly 15 points out of 120. (Covington, 2026) Ancillary, not decisive — but a structural thumb on the scale.

This is sovereignty converted from slideware into a graded market-access condition. As regulatory craftsmanship, it is better than its critics allow. The question is what it actually buys.

II — What the Levels Really Measure

Read the four levels against this series' framework and something becomes visible that the public debate has missed: the levels are a taxonomy of two categorically different dependencies.

Levels 1 and 2 regulate the data plane — where information physically lives, who can inspect the supply chain that touches it. Levels 3 and 4 regulate the control plane — who owns the operator, who can lawfully interfere with it, who holds the authority to switch the capability off. The drafters plainly understood the distinction. The commentary has not, because "sovereignty" flattens both into one word.

Ninety-nine contracts in a hundred, on the Commission's own numbers, will run on a control plane Europe does not hold.

The Commission's own arithmetic tells you which plane Europe expects to secure. Its estimates put roughly 20 percent of in-scope contracts at Level 2, under 10 percent at Level 3, and about 1 percent — mainly defense — at Level 4. (Lawfare, 2026) Read those numbers honestly: the European Union, in its own sovereignty legislation, projects that the control plane of its digital infrastructure remains foreign for something like 99 percent of public procurement. That is not a criticism of the drafting. It is the drafting quietly telling the truth.

III — The Senate Moment

Why data residency cannot substitute for control residency was established under oath a year before CADA existed. In June 2025, Microsoft's director of public and legal affairs in France told the French Senate that Microsoft could not guarantee that data stored by French public-sector customers in French data centers would never be transmitted to US authorities without French consent. (French Senate, June 2025) Nothing in that testimony was legally new — the CLOUD Act had permitted such access since 2018. What the moment did was collapse a comfortable ambiguity: no contractual arrangement with a US-domiciled provider fully resolves the jurisdictional exposure, because jurisdiction attaches to the company, not the server.

For cloud storage that is uncomfortable. For frontier AI it is structurally worse, because the asset at risk is not data at rest but continued access to a capability. A stored file seized is a breach; a model withdrawn is an amputation. And withdrawal does not require a subpoena — an export-control designation, a national-security review, a vendor safety decision, or an alliance-management compromise will do.

June 2026 supplied the demonstration. Washington ordered Anthropic to suspend access to its two most advanced models for all foreign nationals — a directive the company could only implement by switching the models off for everyone, everywhere, within hours. (Nextgov, June 2026) The off-switch for the model layer sits inside a foreign company subject to foreign law, and can be thrown for reasons entirely outside the customer relationship. That the order was reversed three weeks later does not soften the lesson; it is the lesson — access was restored by the same discretion that had removed it. A European inference endpoint changes where the prompts sleep. It does not change who can wake the model, or decline to.

IV — Why Level 3 Is a Wall, Not a Step

Here the analysis has to separate the hyperscalers from the frontier labs, because CADA treats them as one industry and they are not.

For a hyperscaler, Level 3 is expensive but conceivable. Cloud is software plus real estate plus operations; all three can, at a price, be carved into an EU-owned operator running licensed technology — the direction AWS's European Sovereign Cloud already gestures toward. Painful, margin-destroying, but topologically possible.

For a frontier AI lab, Level 3 implies something categorically different: the weights leave home. EU ownership and control of the serving entity is meaningless if the entity does not possess the model; possession means the weights sit inside a legal person no US authority can reach. Walk the three theoretical routes to that outcome and each one fails.

Licensing weights to an independently governed EU entity founders on the nature of the asset. Weights are the crown jewels of a frontier lab — the single artifact that embodies the entire capital stack behind the model — and they are a non-recoverable secret: once transferred, control is gone forever, and the transferee's security becomes the lab's security. No frontier lab extends that trust to any external party today, allied government or otherwise.

The weights are the one asset that cannot be lent, escrowed, or ring-fenced — only kept, or lost.

Escrow with continuity triggers founders on time. A frontier model is not a static artifact; it is a point on a capability curve that moves in months. Escrowing today's weights against tomorrow's withdrawal is escrowing planned obsolescence — by the time the trigger fires, the escrowed asset is two generations stale, which is precisely the state the withdrawal was meant to impose.

The ring-fenced operator — a Project-Texas-style structure with EU staff, EU audit, EU keys — founders on the Senate testimony above. Ring-fencing reorganizes the org chart; it does not detach the parent from its home jurisdiction. US law reaches the US person wherever the subsidiary sits, and export-control obligations attach to the origin of the technology, not the flag on the data center.

The conclusion is uncomfortable for both sides of the Atlantic and should be stated plainly. No frontier lab will cross the Level 3 line, and the EU cannot compel the crossing — it can only exclude. And exclusion has a price the sovereignty debate refuses to name: public-sector AI running on capability one or two tiers below the frontier, indefinitely, in exactly the domains — security, health, critical infrastructure — where the capability gap costs the most. That trade-off may even be worth making in specific domains. But it should be made with open eyes, and nobody is currently pricing it.

V — The Equilibrium: Contracts, Not Ownership

Where does this settle? Not at sovereignty, and not at surrender. It settles where critical dependencies always settle: at supplier management.

The realistic end state is a sovereign endpoint wrapped in a critical-supplier contract — continuity commitments, notice periods before capability withdrawal, degraded-mode guarantees, audit rights, and hard portability of everything around the model: orchestration, retrieval, evaluation, logging, identity, escalation policy. The model is a component; the decision system that surrounds it is the part an organization can actually own. Regulation and procurement practice will converge on mandating exactly that separation, because it is the only version of "control" that is simultaneously real and available.

Be honest about what such contracts are worth. Against commercial disruption — repricing, deprecation, capacity squeezes — they are genuinely protective. Against a sovereign invocation of national security, they are worth the paper: no notice period survives an emergency designation. Which means the residual exposure is real, permanent, and should be treated the way a bank treats exposure to a systemic counterparty it cannot replace — measured, limited, collateralized where possible, and rehearsed. You do not eliminate the dependency. You decide, domain by domain, how much of it you can carry, and you pre-position the fallback for the rest.

The Quiet Part, in Writing

CADA's real achievement is not the capacity targets or the procurement points. It is honesty-forcing. By grading sovereignty into four levels, the framework makes visible — in the Commission's own percentages — that Europe is buying Levels 1 and 2 and calling the purchase by the whole word. The remaining gap is not regulatory. It is physical, corporate, and jurisdictional, and it will not close on any legislative timetable, because the asset that would close it is the one asset no frontier lab will ever let leave home.

The sooner European procurement documents say the quiet part in writing — we accept a revocable control plane, mitigated by contract and rehearsed fallback — the sooner the sovereignty debate becomes what Parts I and II argued the chokepoint always was: an operating discipline, not a slogan.

The EU has written the rules for where the data sleeps. It has not answered who is allowed to wake the model.


The views expressed are the analytical position of the author in a personal capacity and do not constitute investment, legal, or policy advice.

Sources

Julian Gretzinger

Investor and writer on monetary history, real wealth mechanics, and financial markets. substack.com/@juliangretzinger