Brussels, 24th June 2026. Broadcom claims it is building Europe’s sovereign cloud, supporting European providers with the technology to deliver competitive sovereign solutions. It is not. As a US provider subject to the CLOUD Act and other extra-jurisdictional orders, Broadcom’s VMware Cloud Foundation (VCF) software includes aspects that undermine customer control of cloud services. Its lack of portability and the paucity of alternatives mean that VCF disqualifies services from qualifying even as Resilient under the CISPE Sovereign and Resilient Cloud Framework — the route designed to give customers assurance of control when using non-sovereign services.
Following publication of the Cloud and AI Development Act (CADA) by the EU Commission on June 3rd, CISPE also believes that Broadcom software should fail to meet anything but a Level 1 certification under the recently announced sovereignty framework within CADA.
CISPE’s analysis reveals that Broadcom’s terms and conditions, product features and marketing materials contain significant aspects that undermine sovereignty. The failures fall into two areas:
Software dependency. The CISPE Sovereign and Resilient Cloud Framework clearly outlines the controls customers need to have over software. These include the ability to inspect, maintain, move and replicate critical elements. VCF is a proprietary, closed-source stack from a US-controlled publisher exposed to Export Regulations (EAR), OFAC tariffs and the CLOUD Act. Broadcom’s T&Cs offer limited maintenance commitments, no source-code escrow, no substitution plan and no Data Act certification. This would also fail any CADA assurance beyond Level 1.
Running this software in a sovereign data centre, or on-prem, does not mitigate these dependencies. Broadcom retains unilateral control as the sole source of patches, updates and maintenance. Should it choose or be compelled to cut customers off, it can, leaving them with a rapidly degrading, unlicensed virtualisation layer.
Operational autonomy. Measures are needed to ensure resilience to operational risks such as service removal, interference or degradation. Broadcom’s own public response to CADA acknowledges that “A software dependency that allows a foreign government to access or disrupt European operations does [compromise sovereignty].” Yet its own “Compliance Reporting” mechanism included in VCF Specific Program Documentation (v9.0+) mandates a Compliance Report every 180 days, with management-plane degradation or blocking as the stated consequence of non-compliance. In plain terms, a ‘kill switch’.
Again, deploying it in sovereign data centres or on-prem does not remove the obligation, and there is no realistic or affordable alternative to switch to. Customers are locked into a non-sovereign, non-resilient software platform.
Francisco Mingorance, commenting on the findings, said:
“Broadcom has toured conferences, bought adverts and broadcast across every channel that it is building Europe’s sovereign cloud. Nothing could be further from the truth. VCF is a proprietary product with limited interoperability and substitutability, controlled by a foreign vendor that has behaved like a bully towards customers and channel partners. If Europe needs an example of the dangers of over-reliance on dominant overseas players, Broadcom is it.”