Summary

Under the proposed Cloud and AI Development Act (CADA), a hyperscaler's "sovereign cloud" offering would not be sovereign by default; it would have to be formally recognised against specific Union assurance levels. Recital 48 states that tailored service versions do not address core sovereignty issues, such as the extraterritorial reach of third-country laws or the risk of service disruption. Some providers may reach the lower assurance levels, but the highest levels (3 and 4) would typically require proving the absence of third-country control, which is the main barrier for many non-EU hyperscalers. CADA is a proposal and not yet in force.

Detail

The proposed CADA would introduce a four-tier framework to define and verify cloud sovereignty, moving beyond marketing claims to auditable legal and technical criteria. For public-sector procurement officers, the gap between a provider's commercial "sovereign" branding and its legal status under CADA would be central to compliance.

The sovereignty gap in tailored offerings

A central premise of CADA is that existing market solutions often fail to meet the EU's definition of sovereignty. Recital 48 addresses this directly:

"Cloud computing service providers have launched tailored versions of their service offerings in response to the Union's growing concerns over sovereignty. However, those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service. Consequently, the Union will not ensure autonomy or control over its data, assets and digital infrastructure."

The recital highlights two persistent risks that tailored offerings often fail to mitigate:

  1. Extraterritorial legal reach: laws from a provider's home country (for example, the US CLOUD Act) may compel data access or transfer regardless of where the data is stored.
  2. Operational disruption: the ability of a third country to degrade or disrupt service continuity, through sanctions, embargoes or other measures.

As proposed, CADA aims to ensure these risks are legally and technically neutralised, not merely managed by contract.

The Union assurance levels

CADA would establish four Union assurance levels (1-4), detailed in Article 16 and Annex II. None of them would be purely self-declared: level 1 rests on a conformity self-assessment and an EU statement of conformity (Article 19), levels 2-4 require independent third-party audits (Article 20), and in every case a national competent authority must then grant recognition (Article 17).

Union assurance level 1

  • Criteria: the provider established in the Union; infrastructure and assets located in the Union; customer data remaining exclusively within the Union unless the public-sector body explicitly requires otherwise.
  • Hyperscaler feasibility: many non-EU hyperscalers already operate EU-established subsidiaries. If they can show that infrastructure, assets and data flows remain within the Union, and that any third-country control does not compromise operational autonomy, level 1 is realistically achievable. This is the baseline for all public-sector procurement.

Union assurance level 2

  • Criteria: builds on level 1. The provider and any subcontractors involved in the service must be established in the Union, with infrastructure, assets and personnel located in the Union. The service must obtain a European cybersecurity certificate at "substantial" level (or, until such a scheme exists, national certification or the highest applicable standards). Where the provider is subject to third-country control, it must demonstrate legal, technical and organisational measures that prevent third-country access to customer data, prevent disruption or degradation of the service, and prevent obligations to give effect to third-country restrictive measures such as sanctions (unless those measures are legitimate under EU or Member State law).
  • Hyperscaler feasibility: achievable for some hyperscalers, but requiring significant architectural and legal change. The provider must show effective separation from any third-country parent and controls against remote tampering. The audit evidence required (detailed in Annex III) is extensive, covering software supply chains, personnel location and governance.

Union assurance level 3

  • Criteria: stricter than level 2. Personnel involved in the service, including those of subcontractors, must be Union citizens, and support must be performed within the Union by Union residents.
  • Third-country control derogation: in principle, providers subject to third-country control are excluded. However, Article 18 would let the Commission adopt implementing acts identifying associated third countries that provide sufficient assurances, requiring a relevant GDPR adequacy decision, no measures enabling control that conflicts with EU lawful-access rules, and no measures to disrupt service or compel restrictive measures, among other cumulative conditions.
  • Hyperscaler feasibility: highly challenging for non-EU hyperscalers unless their home country is designated by the Commission under Article 18 — and even then, the Union-citizen personnel and resident-support requirements pose significant operational hurdles.

Union assurance level 4

  • Criteria: the highest level. Personnel must be Union citizens, with national security clearance where appropriate. The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country, with no derogation at this level.
  • Hyperscaler feasibility: effectively out of reach for non-EU hyperscalers. The absolute prohibition on third-country control means a provider with significant foreign ownership or governance influence could not qualify; this level would in practice be for fully EU-controlled providers.

The role of risk assessments

Public-sector bodies would not choose a level arbitrarily. Article 29 would require Member States and Union entities to carry out risk assessments to determine the appropriate level.

  • Activities not contributing to the preservation of public order must use at least level 1 (Article 30(2)).
  • Activities identified as contributing to the preservation of public order (such as national security, defence or law enforcement) must use level 2, 3 or 4 (Article 30(3)).

So for public-order activities, a hyperscaler's level 1 offering is ruled out outright, and where the risk assessment sets level 3 or 4, a level 2 offering is insufficient as well, regardless of its commercial branding.

What this means for you

For public-sector procurement officers, CADA as proposed would shift the burden of proof from marketing claims to auditable compliance.

  1. Look past marketing labels. Terms like "sovereign cloud" or "localised offering" in vendor brochures would carry no legal weight on their own. Under CADA, sovereignty would be a status granted by a national competent authority, not a product feature.
  2. Verify recognition status. Before engaging a provider, check the central repository maintained by the Commission (Article 22) to see whether the service is recognised at a given assurance level.
  3. Conduct rigorous risk assessments. Use the methodology under Article 29 to set the required level. Activities involving national security or critical infrastructure may need level 3 or 4, which would likely exclude non-EU hyperscalers.
  4. Prepare for audits. If considering a provider claiming level 2 or 3, ensure it can supply the evidence required by Annex III, including a complete SBOM, evidence of legal separation from third-country entities and, for level 3, proof of personnel citizenship.
  5. Plan multi-cloud where useful. To limit dependency, you could consider multi-vendor strategies; under Article 29(9), risk assessments would expressly consider whether a multi-cloud approach is warranted.

Common misconceptions

  • "Data residency equals sovereignty."
    • Reality: storing data in an EU data centre does not prevent a third-country law from compelling access. CADA's higher levels would require legal and technical measures against such access, not just physical location.
  • "All hyperscalers can achieve level 4."
    • Reality: level 4 prohibits third-country control with no derogation. Most major hyperscalers are headquartered and controlled in third countries, so they could not meet this criterion; in practice it would be for fully EU-controlled providers.
  • "Tailored 'sovereign' offerings are compliant by default."
    • Reality: as Recital 48 states, tailored versions often fail to address core sovereignty issues. Compliance would require formal recognition through the framework, including audits and national authority approval for the higher levels.
  • "I can choose any assurance level for my procurement."
    • Reality: the level would be driven by the risk assessment. For public-order activities, you would be required to procure level 2, 3 or 4 and could not opt for a lower level.

This is general information about a draft EU regulation, not legal advice.