Summary

No, the Cloud and AI Development Act (CADA) does not mandate that all cloud providers obtain sovereignty recognition. The recognition process for Union assurance levels is voluntary for providers. However, obtaining this recognition is effectively mandatory if a provider wishes to sell cloud computing services to Union entities and public sector bodies. Under Article 16(1), the framework establishes the criteria that providers "shall meet in order to provide their cloud computing services to Union entities and public sector bodies." Consequently, while a provider can operate freely in the private market without recognition, it is legally barred from the public sector market unless it is recognised at the appropriate assurance level.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a nuanced regulatory structure that separates the supply side (providers) from the demand side (public buyers). Understanding this distinction is critical for compliance strategy.

The Legal Distinction: Voluntary Supply, Mandatory Demand

The core of the CADA sovereignty framework is found in Article 16, which establishes the "Union cloud computing sovereignty framework."

1. Recognition is voluntary for providers

CADA does not impose a general obligation on every cloud computing service provider operating within the EU to undergo the sovereignty assessment process. A provider may choose not to seek recognition. As proposed, the mechanism for recognition is set out in Article 17, which details how a provider submits an application for recognition to the national competent authority of establishment. There is no penalty under CADA for simply choosing not to participate in this scheme, provided the provider does not claim to offer a specific Union assurance level. A provider can continue to serve private sector clients or public bodies for non-critical functions (if permitted by national law) without this certification.

2. Procurement is mandatory for public buyers

While recognition is voluntary for sellers, the demand side is strictly regulated. Article 16(1) explicitly states that the framework sets out criteria "that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies."

This creates a de facto market access requirement. Under Article 30, contracting authorities (public sector bodies) are prohibited from procuring cloud computing services that have not been recognised under Article 17. The procurement rules are tiered based on the risk assessment of the activity:

  • Baseline Requirement: Public bodies whose activities are not identified as contributing to the preservation of public order must use services recognised as having at least Union assurance level 1.
  • Public Order Requirement: Public bodies whose activities are identified as contributing to the preservation of public order (e.g., defence, justice, law enforcement, internal security) must only procure services recognised as having Union assurance level 2, 3, or 4, depending on the outcome of their risk assessments under Article 29.

Therefore, while a cloud provider is not legally forced to apply for recognition, it is effectively excluded from the public sector market if it does not.

The Four Assurance Levels and Their Criteria

The framework defines four cumulative levels of sovereignty, each with stricter criteria than the last, detailed in Annex II. These levels are not merely labels; they represent specific operational and legal constraints.

  • Union Assurance Level 1 (Baseline): This level requires the provider to be established in the Union. Infrastructure and assets (including those of subcontractors) must be located in the Union, and customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors. Crucially, if the provider is subject to third-country control, they must guarantee no laws require reporting software vulnerabilities to that third country prior to exploitation.
  • Union Assurance Level 2 (Substantial Cybersecurity): This level adds the requirement for an independent third-party audit. It mandates that personnel and infrastructure remain in the Union. A key differentiator is the prohibition on using data generated by the service to train or fine-tune AI systems operated by a third country. It also requires strict software supply chain controls, including a complete Software Bill of Materials (SBOM) and controls to block remote tampering features.
  • Union Assurance Level 3 (High Sovereignty): This level further restricts third-country control. Personnel involved in the service must be Union citizens (conditional at L2, mandatory at L3/L4). Technical and operational support must be performed exclusively within the Union by Union residents. This level is designed to allow the secure hosting of EU classified information. Notably, Article 18 provides a derogation mechanism where the Commission can recognise a third country as providing sufficient assurances, allowing providers under that third country's control to qualify for Level 3, though no such country has been designated yet.
  • Union Assurance Level 4 (Maximum Sovereignty): The highest level requires the highest cybersecurity certification (assurance level 'high' under the Cybersecurity Act). It imposes the strictest controls on third-country influence, requiring that no third country holds effective control over the design, development, or maintenance of the software components.

The Role of Risk Assessments

Which level a public body must procure is not arbitrary; it is determined by a mandatory risk assessment. Under Article 29, Member States and Union entities must carry out risk assessments to identify which public sector activities contribute to the preservation of public order. These assessments determine whether Level 1 is sufficient or if Levels 2, 3, or 4 are required based on the sensitivity of the data and the criticality of the service. The Commission provides guidance on this methodology, ensuring consistency across the Union.

What this means for you

If you are a cloud service provider or data centre operator targeting the European public sector, the CADA proposal fundamentally changes your market strategy.

  • Market Access Strategy: If you wish to compete for government contracts, you must achieve at least Union assurance level 1. This is not optional for public sector sales. For Level 1, you must perform a conformity self-assessment and issue an EU statement of conformity. For Levels 2–4, you must undergo independent third-party audits by an accredited auditing organisation.
  • Operational Transformation: Achieving these levels may require significant operational changes. You may need to relocate infrastructure to the EU, ensure all subcontractors are EU-based, implement strict data residency controls, and adopt specific software supply chain transparency measures (like SBOMs). For Level 3 and 4, you must verify the citizenship of your personnel and ensure no third-country control exists over your critical software components.
  • Competitive Advantage: Recognition is a competitive differentiator. Being listed in the central repository of recognised services (established under Article 22) signals to public buyers that you meet the EU's sovereignty standards. This repository is publicly available and regularly updated, serving as the primary source of truth for contracting authorities.
  • Private Sector Spillover: While CADA's procurement rules apply strictly to public bodies, Article 31 allows private sector entities in critical sectors (as defined in the NIS2 Directive) to conduct similar impact assessments. This may lead to private buyers voluntarily adopting these sovereignty standards, expanding the market for recognised providers beyond the public sector.

Common misconceptions

"CADA bans non-EU cloud providers." No. CADA does not ban non-EU providers outright. However, non-EU providers face high barriers to entry for the public sector. To qualify for Union assurance level 3, a third-country provider must meet strict criteria regarding legal safeguards against data access and service disruption under Article 18. Currently, no third country has been designated as meeting these requirements, making it effectively impossible for non-EU providers to serve high-security public sector needs under the current proposal.

"All cloud services must be sovereign." No. The sovereignty framework applies specifically to services procured by Union entities and public sector bodies. Private sector users not in critical sectors are not bound by the procurement mandates of Article 30. A provider can continue to serve private customers without CADA recognition.

"Recognition is a one-time event." Recognition requires ongoing compliance. Providers seeking Levels 2–4 must undergo annual reviews to confirm continued compliance (Article 20). Furthermore, providers must report any material changes that could affect their status to the auditing organisation and the competent authority (Article 23). Failure to comply can lead to the revocation of recognition and removal from the central repository.

This is general information about a draft EU regulation, not legal advice.