Summary
Yes, as proposed under the Cloud and AI Development Act (CADA), a cloud computing service could be recognised as sovereign without being EU-owned, particularly at lower Union assurance levels (1 and 2) and conditionally at level 3. Article 18 would allow the Commission to recognise third countries as providing sufficient assurances for level 3, enabling providers subject to third-country control to qualify if specific safeguards are met. However, the highest level (level 4) would require the provider and its subcontractors to be free from third-country control, making EU control a de facto requirement for the most sensitive public order activities.
Detail
The proposed CADA would establish a "Union cloud computing sovereignty framework" comprising four "Union assurance levels" (Article 16). The framework is designed to mitigate risks tied to dependence on third-country providers — including unauthorised data access, service disruption, and political coercion. Crucially, the proposal would decouple "sovereignty" (defined by adherence to specific legal, technical, and operational criteria in Annex II) from strict EU ownership. Whether a non-EU-owned provider can achieve sovereign status would depend entirely on which assurance level a given public sector activity requires.
Lower levels: self-assessment and audit-based compliance
For Union assurance level 1, the provider must be established in the Union (Annex II, point 1.1(a)). Infrastructure, assets, and customer data must remain exclusively within the Union, unless the public sector body explicitly requires otherwise (Annex II, points 1.1(b)–(c)). The proposal would not mandate that ultimate owners be EU nationals. However, if the provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee — demonstrated by independent sources — that no laws or practices in that third country require it to report software vulnerabilities to third-country authorities before those vulnerabilities are known to have been exploited (Annex II, point 1.1(g)). Compliance at this level would be demonstrated through a conformity self-assessment and an EU statement of conformity (Article 19).
For Union assurance level 2, the criteria would be stricter. The audited provider and its subcontractors must be established in the Union, and infrastructure, assets, and personnel involved in the service must be located in the Union (Annex II, points 2.1(a)–(c)). If the provider is subject to third-country control, it must demonstrate that legal, technical, and organisational measures ensure that third-country control does not restrain its ability to perform the service (Annex II, point 2.1(g)(i)); that third-country access to customer data is prevented (2.1(g)(ii)); and that disruption or degradation of the service by a third country is prevented (2.1(g)(iii)). Technical and operational support must be initiated and performed exclusively within the Union (Annex II, point 2.1(h)). Compliance would require an independent third-party audit (Article 20).
Third-country recognition and level 3
Union assurance level 3 would introduce the key opening for non-EU-owned providers: the possibility of "associated third countries" under Article 18. By default, Annex II, point 3.1(g), would require that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country. By way of derogation, a provider subject to such control may be audited for level 3 where the Commission has adopted an implementing act recognising the third country as providing sufficient assurances.
Article 18(1) would allow the Commission to identify third countries whose controlled providers may be audited against the level 3 criteria, provided the third country fulfils six cumulative criteria:
- it is subject to a relevant adequacy decision under Article 45 of the GDPR (Article 18(1)(a));
- it has no measures enabling control over the provider that would conflict with the rules on lawful access to non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854) (Article 18(1)(b));
- it has no measures compelling the provider to degrade or disrupt service continuity, or to enforce sanction regimes or embargoes unless legitimate under EU or Member State law (Article 18(1)(c));
- it has no measures impeding the provision of state-of-the-art technologies (Article 18(1)(d));
- it maintains an open market to Union cloud computing services (Article 18(1)(e)); and
- it grants equivalent access to its public procurement procedures for Union-controlled services (Article 18(1)(f)).
If a third country is recognised, the provider must still demonstrate that third-country control does not restrain service delivery, that data access is prevented, and that service continuity is protected (Annex II, point 3.1(g)(i)–(iii)). At level 3, personnel involved in the service must be Union citizens, and where appropriate hold national security clearances for handling classified information (Annex II, point 3.1(d)).
Level 4: the effect of EU control
For Union assurance level 4, the proposal would be unequivocal. Annex II, point 4.1(g), would require that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country. There would be no derogation for third-country recognition at this level. So even a provider incorporated in the EU could not reach level 4 if it is subject to control by a third-country entity (control being defined in Article 2, point (21), by reference to Article 2, point (6), of Regulation (EU) 2021/697). This effectively requires EU control for the most critical public order activities.
Limits on tailored offerings
Recital 48 of the proposal addresses the market reality of non-EU hyperscalers offering "sovereign" or tailored versions of their services. It states that those versions "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." The recital concludes that, without a harmonised mechanism, the Union "will not ensure autonomy or control over its data, assets and digital infrastructure." Contractual assurances alone would be insufficient; structural and legal safeguards embedded in the assurance levels would be required.
What this means for you
For in-house counsel and compliance officers, the proposal would shift procurement from a binary "EU vs. non-EU" decision to a risk-based assessment of assurance levels.
- Conduct risk assessments. Under Article 29, Member States and Union entities would carry out risk assessments to determine which assurance level (2, 3, or 4) is appropriate for activities contributing to the preservation of public order — including sectors under Annex I or II of the NIS2 Directive and the areas of national security, internal/external security, defence, justice, or law enforcement.
- Verify assurance levels, not just ownership. Do not rely on a provider's location or marketing claims of "sovereignty." Check the central repository (Article 22) for recognition at the required level — the EU statement of conformity for level 1, and the positive audit opinion for levels 2–4.
- Monitor third-country recognition. If you rely on a non-EU-owned provider, track the Commission's decisions under Article 18 and its published list (Article 18(3)). Recognition can be repealed, amended, or suspended (Article 18(2)), and Article 29(6) would require migration within a reasonable transition period not exceeding 12 months where a risk assessment so requires.
- Penalties and liability. Member States would lay down effective, proportionate, and dissuasive penalties for provider infringements of the sovereignty framework (Article 24(1)). Recipients would have the right to seek compensation for damage or loss caused by a provider's infringement of its obligations under that Chapter (Article 24(3)).
- Deadlines. Member States would designate national competent authorities within one year of entry into force (Article 25), and risk assessments would be due within one year and every two years thereafter (Article 29(1)).
Common misconceptions
- "Sovereign cloud means EU-owned." Inaccurate under CADA as proposed. A service could be sovereign at level 1, 2, or even 3 without being EU-owned, provided it meets the criteria — including, for level 3, third-country recognition. Only level 4 would categorically bar third-country control.
- "GDPR adequacy is enough for sovereignty." An adequacy decision would be a prerequisite for recognition under Article 18, but not sufficient on its own. The third country must also satisfy criteria on service continuity, market openness, and the absence of coercive measures.
- "Tailored sovereign offerings from non-EU hyperscalers are compliant." Recital 48 states current tailored offerings do not address core sovereignty issues. Compliance would require formal recognition under the assurance levels, not contractual modifications alone.
- "Level 3 is open to all third-country providers if they audit." No. Level 3 would be open to providers subject to third-country control only where the Commission has recognised their home country under Article 18.
This is general information about a draft EU regulation, not legal advice.