AI
The EU just made sovereign, open source AI official policy.
On 3 June 2026, the European Commission presented the European Technological Sovereignty Package: two legislative proposals, the Chips Act 2.0 and the Cloud and AI Development Act (CADA), plus an EU Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.
For a decade, European digital policy meant rules: GDPR, the Data Act, the AI Act. This package marks a shift from regulating technology to building it. Commission President Ursula von der Leyen put it plainly: Europe cannot afford to depend on others for the technologies that keep its hospitals running, its energy grids stable and its services secure.
If you run AI workloads in a regulated European organisation, this is not abstract policy. It describes the infrastructure decisions you will be making over the next two years.
The numbers behind the package
The Commission's own communication is unusually blunt about Europe's position:
The EU remains structurally reliant on non-EU providers for more than 80 percent of digital products, services, infrastructure and intellectual property. More than 70 percent of the European cloud market is held by three US hyperscalers. Europe produces roughly 10 percent of the world's semiconductors.
Every API call to a US-hosted model sits on top of that dependency. The package exists because Brussels has concluded this is a strategic risk, not just a market outcome.
What the Cloud and AI Development Act actually does
CADA is the piece that matters most for AI infrastructure decisions. Three mechanisms stand out:
A single EU-wide sovereignty assessment framework. CADA introduces common criteria defining levels of sovereignty for cloud and AI services, with stricter levels required for sensitive public sector workloads. Executive Vice-President Henna Virkkunen framed the goal directly: no provider of critical workloads should hold a kill switch. She also noted that US providers will find the highest sovereignty levels difficult to reach because of the US CLOUD Act, which can compel American companies to hand over data regardless of where it is stored.
A public sector adoption mechanism. Public bodies handling sensitive workloads will be steered toward providers that meet the sovereignty criteria. Procurement is how the EU intends to build demand for European infrastructure, not subsidies alone.
Accelerated data centre deployment. CADA aims to speed up permitting and conditions for building compute capacity inside the EU, with priority for facilities serving essential public functions.
CADA is a proposal. It still needs to pass the European Parliament and the Council, and the final text will change. But the direction is set, and procurement teams in regulated sectors are already reading it.
Open source moves from footnote to centrepiece
The EU Open Source Strategy is the part we find most significant. For the first time, open source sits at the centre of EU digital policymaking rather than in an annex.
The strategy prioritises open source funding in the areas where dependency hurts most: AI, cloud, cybersecurity, operating systems and semiconductors. It creates an Open Source Maintenance Instrument to fund critical components, tasks ENISA with mapping the EU's most exposed dependencies, and commits to procurement guidance that requires fair assessment of open source bids against proprietary ones.
The strategy also names the structural problems honestly: limited long-term funding, barriers between innovation and industrial deployment, and limited open source access to public procurement. Analysts at OpenForum Europe note the roughly EUR 2 billion envelope over seven years will not close the dependency gap on its own. Fair. But policy direction shapes procurement long before budgets do.
Why this validates the on-premise, open source model
The package describes an architecture: sovereign AI models, trained and run on European terms, on infrastructure no third country can switch off, built on open source so there is no lock-in to begin with.
That is not a future ambition for us. It is what the Xinity Runtime is.
The Xinity Runtime is an open source inference engine, licensed under Apache 2.0, with an OpenAI-compatible API. The full codebase is public and auditable on GitHub. It runs open-weight models on your own hardware. Your prompts, your documents and your model weights never leave your building. There is no hyperscaler in the loop, no CLOUD Act exposure, no kill switch held by anyone but you.
This is exactly the point of open source as a sovereignty instrument: you do not have to trust our claims, you can read the code. The EU Open Source Strategy makes auditability and the absence of lock-in policy priorities. We made them architecture.
For organisations in finance, healthcare, public administration and critical infrastructure, this is the configuration CADA's sovereignty framework points toward. GDPR compliance stops being a data processing agreement you hope holds up and becomes a property of the architecture. The same logic applies to the EU AI Act: when inference runs on your premises, you control the logs, the access and the audit trail.
What to do now
You do not need to wait for CADA to pass.
Map your exposure. List every workload that sends data to a non-EU API. That list is your dependency surface, and under CADA-style assessment it becomes a procurement question.
Pilot sovereign inference on one workload. An OpenAI-compatible runtime means migration is an endpoint change, not a rewrite. The Xinity Runtime is free on GitHub, so you can start today. Begin with internal document processing or a RAG pipeline.
Watch the public sector adoption mechanism. If you sell into or operate in the public sector, sovereignty criteria will flow into tenders. Being compliant by architecture beats retrofitting.
Europe does not have to choose between innovation and independence. Open source delivers both. We have been building on that premise since day one. Brussels just agreed.
Want to see sovereign inference running on your own data? Book a demo call or explore the Xinity Runtime on GitHub.
FAQ
What is the European Technological Sovereignty Package? A set of measures presented by the European Commission on 3 June 2026 to strengthen Europe's capacity in semiconductors, AI, cloud and open source. It contains two legislative proposals, the Chips Act 2.0 and the Cloud and AI Development Act, plus an EU Open Source Strategy and an energy digitalisation roadmap.
What is the Cloud and AI Development Act (CADA)? A proposed EU regulation that introduces a single EU-wide framework for assessing the sovereignty of cloud and AI services, a public sector adoption mechanism for sovereign providers, and measures to accelerate data centre deployment in the EU. It must still be approved by the European Parliament and the Council.
Does CADA ban US cloud providers? No. It defines sovereignty levels for sensitive workloads. US providers may struggle to reach the highest levels because the US CLOUD Act can compel them to disclose data held abroad, but the framework is criteria-based, not nationality-based.
How does open source AI support digital sovereignty? Open source removes vendor lock-in, makes systems auditable, and lets organisations run models on infrastructure they control. The EU Open Source Strategy prioritises open source funding in AI, cloud and cybersecurity for exactly this reason.
Is the Xinity Runtime really open source? Yes. The core components (gateway, daemon, CLI, infoserver) are Apache 2.0 licensed and publicly available at github.com/xinity-ai, where you can also find migration adapters and example code for moving off closed-source AI APIs.
How does Xinity fit into the EU sovereignty agenda? Xinity builds the Xinity Runtime, an Apache 2.0 licensed, OpenAI-compatible inference engine that runs LLMs fully on-premise on a hardware. Data and models stay inside your organisation, which aligns with GDPR, the EU AI Act and the sovereignty architecture CADA describes.
Sources
Commission proposes tech sovereignty package, European Commission, 3 June 2026
Proposal for the Cloud and AI Development Act (CADA), European Commission, June 2026
The EU Open Source Strategy, European Commission, June 2026
Europe unveils tech sovereignty package amid growing concerns over reliance on US tech, CNBC, 3 June 2026
Europe's Tech Sovereignty Package: Cloud, AI, Chips and Open Source, ERP Today, June 2026
How the EU's Tech Sovereignty Package Finally Puts Open Source to the Test, TechPolicy.Press, June 2026