Brussels just put US cloud on a legal clock

The news: The European Commission presented its Tech Sovereignty Package on May 27, headlined by a Cloud and AI Development Act that would bar AWS, Microsoft Azure, and Google Cloud from processing sensitive public-sector data across all 27 member states, and opened Digital Markets Act gatekeeper probes into AWS and Azure the same week.

Why it matters: The public-sector restriction is the headline, but the gatekeeper probes reach every enterprise running on those clouds, and the underlying problem the act targets is one you already carry: under the US CLOUD Act a US warrant can compel data off European servers, and Schrems II settled years ago that a vendor's contract is not a defense. Sovereign-cloud language is moving from procurement preference to statute, and your EU public-sector customers will start writing it into your contracts well before the act finalizes.

What to do: This week, ask your cloud lead which EU workloads touch regulated or public-sector data, and what your provider's EU Data Boundary actually covers versus what it markets.

Your GlobalProtect VPN is the way in this week

CISA added Palo Alto's GlobalProtect authentication-bypass flaw (CVE-2026-0257) to the KEV catalog on May 29, with a federal remediation deadline of June 19. Palo Alto has confirmed active exploitation, and Rapid7 tracked two separate waves hitting unpatched gateways since mid-May. An unauthenticated attacker can bypass authentication and stand up a VPN session straight into your network, which is the worst possible failure mode for a box that sits at the perimeter by design. If you run GlobalProtect, do not wait for the federal date: patch this week and hunt for unauthorized session activity going back to May 17.

Asana bought an agent-builder. Watch who buys next.

Asana acquired StackAI, a no-code platform for building AI agents, for $75 million in a push to become AI-native work management. On its own it is a tuck-in. As a pattern it is the latest case this month of an incumbent suite swallowing an independent agent-builder, after SAP grabbed Dremio and Prior Labs for the same data-and-agents play. If you are weighing a standalone no-code agent platform right now, the buy-versus-wait math just shifted: the suites you already license are racing to ship the same capability. Pressure-test any new agent-tooling contract for a 12-month exit before you sign.

Watch This

The reason these KEV deadlines keep tightening is that the exploit timeline is collapsing. Every CISA catalog addition from May 6 to May 14 carried a three-day clock, and agency leadership is reportedly weighing making 72 hours the standard, driven by AI tooling that turns a fresh CVE into a working exploit in hours instead of weeks. Plan now for a world where the gap between disclosure and your patch SLA is measured in days, not the two weeks BOD 22-01 still allows on paper.

This week, DoGood network members are pulling EU data-residency reviews forward and re-checking GlobalProtect exposure before the June 19 deadline. If you run IT or security at a $100M+ company, that is the work already sitting on your peers' desks.
