Summary

Data residency is about where data physically sits. Data sovereignty is about who can legally reach it and control it. They are not the same thing. Under the proposed Cloud and AI Development Act (CADA), keeping data inside the EU (residency) is necessary but not enough for the higher sovereignty tiers: a provider must also show it is shielded from foreign laws that could force access to the data or disrupt the service. CADA is a proposal, not yet in force, so everything here is "as proposed".

Detail

People often use "data residency" and "data sovereignty" as if they meant the same thing. They don't, and the difference matters for anyone deciding which cloud service a public body should use under CADA.

Data residency: the physical location

Residency answers a geographic question: where is the data stored? If your files sit on servers in a data centre in Frankfurt, your data has EU residency.

Residency is easy to achieve — a provider just has to host the data in a given country. But location alone says nothing about who is allowed to get at the data. A server can be in Berlin while the company running it is a subsidiary of a parent in another country whose laws can reach into that subsidiary.

Data sovereignty: legal control and protection from foreign reach

Sovereignty answers a legal and operational question: which laws apply to this data, and who can compel access to it or interfere with the service? The goal is to keep the data under the control of the customer or public authority, protected from foreign legal demands.

As the CADA explanatory memorandum puts it, "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too." In other words, even data that never crosses a border can lack sovereignty if a foreign government could lawfully compel the provider to hand it over, decrypt it, or shut the service down.

How CADA frames this

CADA, if adopted, would create a "Union cloud computing sovereignty framework" of four "Union assurance levels" under Article 16, with the detailed criteria in Annex II. Every level requires that customer data — "including metadata and telemetry data" — remains within the Union (residency), but the higher levels layer on sovereignty controls:

  • Union assurance level 1. The provider is established in the Union, its infrastructure and assets are in the Union, and customer data stays exclusively within the Union — "unless the public sector body explicitly requires otherwise." This covers basic residency and EU establishment, and is self-assessed by the provider (Article 19).
  • Union assurance levels 2, 3 and 4. These add audited sovereignty controls. For example, level 2 requires that data generated by using the service is not used to train or fine-tune AI systems operated by a third country, plus measures against third-country control and software supply-chain risks. Level 3 requires that personnel involved in the service are Union citizens (with security clearance where appropriate). At level 4, the provider and its subcontractors must not be subject to the control of a third country or a third-country entity at all.

The role of third-country control

A central idea in CADA is "control". A provider can be physically present in the EU yet still be controlled by a third-country entity — which can disqualify it from the higher levels. Article 18 lets the Commission designate certain "associated third countries" whose providers may be audited against level 3, but only where that country meets six strict cumulative criteria (including a GDPR adequacy decision). For most providers, reaching the higher levels means demonstrating that no foreign government can exercise control in a way that compromises the data or the service.

Why this matters for procurement

The CADA explanatory memorandum stresses that dependence on third-country providers exposes the Union to risks including "unauthorised access to Union data, technology leakage, sabotage and espionage." By separating residency from sovereignty, CADA pushes buyers to look past the server's address. A provider with EU residency but weak sovereignty protections — say, a subsidiary of a foreign parent subject to extraterritorial access laws — would not meet the requirements for the most sensitive public sector activities.

What this means for you

If you help choose or oversee cloud services for a public body, the shift from "where" to "who controls it" changes how you evaluate bids:

  1. Don't stop at location. "The data is stored in Germany" does not, on its own, answer the security question. Ask for evidence of protection from foreign legal reach.
  2. Reference the assurance levels. Under Article 30, public bodies whose activities contribute to the preservation of public order would have to procure services recognised at level 2, 3 or 4; other public services would use level 1 as the baseline. Put the relevant CADA level in your tender documents.
  3. Look at the corporate structure. EU residency plus a third-country parent with broad access laws can still fail the level 2–4 control criteria. Ask who ultimately controls the provider and its subcontractors.
  4. Follow the risk assessment. Article 29 would require Member States and Union entities to run risk assessments to decide which level fits which activity, considering data sensitivity and the impact of any service disruption. Your procurement choices should follow that assessment.

Common misconceptions

  • "If the data stays in the EU, it's sovereign." Not necessarily. If a foreign government can lawfully compel access through extraterritorial laws, the data is not sovereign even if it never leaves the EU. CADA's higher levels require evidence of protection against that.
  • "Sovereignty only covers personal data." No. The framework covers customer data broadly — Annex II refers to "customer data, including metadata and telemetry data" remaining within the Union. Sovereignty also covers operational autonomy: the service itself should not be disruptable by a foreign legal order.
  • "Only non-EU providers are a risk." No. An EU-based provider can still fall short if it is controlled by a third-country entity, or if its supply chain includes components under foreign control. CADA's levels 2–4 require scrutiny of subcontractors and the software supply chain too.

This is general information about a draft EU regulation, not legal advice.