Summary

Yes, but access is tiered and conditional. As proposed, providers established outside the EU can reach Union assurance level 1 through self-assessment, but the higher levels demand strict, EU-centric criteria on data localisation, personnel and infrastructure. Crucially, providers subject to third-country control may access Union assurance level 3 only if the Commission recognises their home country under Article 18, and they are effectively excluded from level 4.

Detail

CADA would establish a four-tier Union cloud computing sovereignty framework (Article 16) to mitigate risks from dependence on third-country providers. It is not an absolute ban on non-EU providers; rather, it creates a graduated system of assurance levels that non-EU entities can navigate depending on their legal structure, operational footprint and the status of their country of control.

The baseline: Union assurance level 1

Union assurance level 1 is the minimum baseline for public-sector procurement under CADA, and it is accessible to non-EU providers that meet specific structural and operational criteria (Article 16; Annex II, point 1).

To reach level 1, a provider must be established in the Union, meaning it must have a legal entity incorporated under the law of a Member State (Annex II, point 1.1(a)). CADA allows operational flexibility on infrastructure and data: under Annex II, points 1.1(b)–(c), infrastructure, assets and customer data (including metadata and telemetry) may sit outside the Union unless the public-sector body explicitly requires otherwise.

This creates a pathway for non-EU hyperscalers to serve the EU market for standard public-sector workloads. If a public authority does not mandate EU data residency, a non-EU provider with an EU-established entity can self-assess conformity and issue an EU statement of conformity. This self-assessment route, under Article 19, places the burden on the provider to demonstrate state-of-the-art cybersecurity and full transparency on subcontractors.

The barrier: Union assurance levels 2, 3 and 4

As the levels rise, requirements for non-EU providers become significantly more restrictive.

Union assurance level 2 requires that the audited provider and its subcontractors are established in the Union, and that the infrastructure, assets and personnel involved in the service are located in the Union (Annex II, points 2.1(a)–(b)). Customer data must remain exclusively within the Union (point 2.1(c)), and data generated by the service must not be used to train or fine-tune any AI system operated by a third country (point 2.1(f)). A non-EU provider could in principle meet level 2 through a fully EU-based subsidiary, but providers subject to third-country control must additionally demonstrate legal, technical and organisational measures so that control does not restrict the service, enable data access, or disrupt continuity (point 2.1(g)). Note that mandatory Union citizenship for personnel is not a default at level 2; it applies only where the public-sector body determines it is necessary (point 2.1(d)).

Union assurance level 3 introduces a hard distinction based on "control." Under Annex II, point 3.1(g), providers and subcontractors involved in level 3 services must not be subject to the control of a third country or of a legal entity established in a third country. Level 3 also requires personnel involved in the service to be Union citizens (point 3.1(d)). This is a significant barrier for most major non-EU hyperscalers, which are typically controlled by entities in the US, China or other third countries.

However, CADA provides an exception via Article 18 ("Associated third countries"). The Commission may adopt implementing acts identifying third countries whose providers may be audited against the level 3 criteria, provided the country meets cumulative criteria, including:

  • Being subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679).
  • Having no measures enabling control over the provider that conflicts with the lawful-access rules for non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854).
  • Having no measures to compel the provider to degrade or disrupt service, or to impose restrictive measures such as sanctions not legitimate under EU or Member State law.
  • Maintaining an open market for Union cloud services and granting equivalent access to public procurement.

Union assurance level 4 is the highest tier, for the most sensitive public-order activities. It maintains the prohibition on third-country control (Annex II, point 4.1(g)) with no equivalent Article 18 derogation, requires Union-citizen personnel, and adds stricter requirements on software supply chains and effective control over components. In practice, level 4 is designed for providers under EU control with no third-country influence over strategic decisions, infrastructure or personnel.

The problem with "sovereign" offerings

Recital 48 explains why these strict tiers are seen as necessary. It notes that providers have launched "tailored versions" of their services in response to sovereignty concerns, but "those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." CADA's framework therefore moves beyond technical security to assess legal and operational autonomy. A non-EU provider cannot simply claim to be "sovereign" by hosting data in an EU data centre; for the higher levels it must show its corporate structure and legal obligations are insulated from third-country interference.

What this means for you

For cloud service providers and data-centre operators, the implications depend on your legal structure and target market.

If you are a non-EU hyperscaler: You could continue to serve the EU public sector, but access would be segmented. You would likely be limited to level 1 for standard workloads unless your home country secures recognition under Article 18. To compete at level 1, ensure your EU-established entity can issue a compliant EU statement of conformity, and prepare for public-sector clients to increasingly demand EU data residency.

If you are an EU-based provider: You have an advantage in the higher tiers. Because levels 3 and 4 require the absence of third-country control, EU-native providers (or those fully restructured under EU control) are the primary candidates for sensitive contracts in defence, justice or critical infrastructure. Prepare for independent third-party audits (Article 20) to validate compliance.

For all providers: Monitor the Commission's Article 18 decisions closely; recognition of "associated" third countries will be decisive. Invest in transparency on your software supply chain and subcontractors, as these are key audit criteria across all levels (e.g., the SBOM requirements in Annex II, point 2.1(i)).

Common misconceptions

"CADA bans all non-EU cloud providers." Incorrect. CADA would not ban non-EU providers. They can compete for level 1 and, potentially, level 3 if their country is recognised under Article 18. The effective bar at the highest levels is on third-country control, not on nationality as such.

"Hosting data in the EU is enough to be 'sovereign'." Recital 48 states that tailored offerings focused on data localisation do not address core sovereignty issues. The higher levels require control over personnel, infrastructure and corporate decision-making, not just data residency. A provider with data centres in Frankfurt but controlled by a US parent remains exposed to third-country control risks.

"Level 1 is a 'low' standard that ignores security." Level 1 is a baseline requiring state-of-the-art cybersecurity and subcontractor transparency. It is not security-free. It does allow data and infrastructure outside the EU if the public-sector client permits, reflecting a proportionate approach in which not all public services need the highest assurance.

This is general information about a draft EU regulation, not legal advice.