Summary

As proposed, the Cloud and AI Development Act (CADA) treats data sovereignty as more than keeping data within EU borders: it would require operational autonomy — the ability to keep a service running and confidential without interference from third-country laws. Article 16 would establish a four-tier "Union assurance level" framework (criteria in Annex II) in which higher tiers tighten controls over who can operate the service, access the infrastructure and control the provider, so that public order is protected from both extraterritorial legal reach and service disruption.

Detail

The CADA proposal explicitly broadens the traditional understanding of cloud sovereignty. While many existing frameworks focus on data residency (where data is stored), CADA's explanatory memorandum states that "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too." For in-house counsel, the distinction is decisive: a service may keep data in the EU yet still fail sovereignty requirements if a third country can legally compel the provider to disrupt the service, access the data, or influence its operation.

The four Union assurance levels (Article 16 and Annex II)

Article 16 would establish the Union cloud computing sovereignty framework, comprising four Union assurance levels whose detailed criteria sit in Annex II. The criteria are cumulative — a higher level requires meeting all criteria of the lower levels (Article 20(1)) — and address risks such as unauthorised foreign access, service disruption and dependency on a single foreign-controlled supplier.

Union assurance level 1 (baseline)

  • Establishment: the provider must be established in the Union.
  • Infrastructure and data: infrastructure, assets and customer data (including metadata and telemetry) must remain in the Union unless the public sector body explicitly requires otherwise.
  • Cybersecurity: the service must comply with "state-of-the-art cybersecurity standards."
  • Third-country control: where the provider is controlled by a third country, it must guarantee there are no laws requiring it to report software vulnerabilities to that country's authorities before they are known to have been exploited.
  • Assessment: a conformity self-assessment and an EU statement of conformity (Article 19).

Union assurance level 2 (independently audited)

  • Personnel and subcontractors: the provider and subcontractors involved in the service must be established in the Union, with infrastructure, assets and personnel located in the Union.
  • Data use: data generated by using the service may not be used to train or fine-tune any AI system operated by a third country, and may not be transferred outside the Union.
  • Cybersecurity: a European cybersecurity certificate of at least "substantial" assurance level (or, until the EU scheme exists, national schemes or the highest applicable cybersecurity standards under Union law).
  • Third-country control: if controlled by a third country, the provider must demonstrate measures so that the control does not restrict service delivery, foreign access to customer data is prevented, and service disruption or degradation is prevented.
  • Software supply chain: measures including an SBOM and controls to block remote features that could tamper with or disrupt systems.
  • Assessment: an independent third-party audit with a "positive" audit opinion (Article 20).

Union assurance level 3 (no third-country control, with a narrow exception)

  • Citizenship: personnel involved in the service must be Union citizens (with national security clearance where appropriate for classified information).
  • Third-country control: the provider and subcontractors must not be subject to third-country control. By derogation, a provider controlled by a third country may be audited for level 3 only where the Commission has recognised that country as an "associated third country" (Article 18) and the provider also shows the required separation measures.
  • Support: technical and operational support must be performed exclusively within the Union by Union residents.
  • Cybersecurity: a certificate of at least "substantial" assurance level.
  • Assessment: independent third-party audit.

Union assurance level 4 (highest sovereignty)

  • Security clearance: personnel must be Union citizens and, where appropriate, hold national security clearance when handling classified information.
  • Cybersecurity: a certificate of at least "high" assurance level.
  • No third-country control: the provider and subcontractors must not be subject to third-country control — and there is no Article 18 derogation at this level.
  • Software supply chain: the provider must retain effective control over software components, demonstrating that no third country holds or exercises effective control over their design, development, maintenance or evolution.
  • Assessment: independent third-party audit.

Operational autonomy vs. data sovereignty

The core of CADA's approach is that, as proposed, data sovereignty without operational autonomy is insufficient. A provider might store data in Frankfurt (satisfying data residency) yet answer to a jurisdiction with extraterritorial data-access laws such as the US CLOUD Act. If that jurisdiction can compel the provider to shut down the service or hand over data, the EU loses operational autonomy.

CADA would address this by:

  1. Restricting control: levels 3 and 4 require that the provider and subcontractors are not subject to third-country control.
  2. Localising operations: requiring personnel, infrastructure and support operations to be located in the Union (and performed by Union residents at levels 3 and 4).
  3. Preventing coercion: requiring providers (at the higher levels) to demonstrate that foreign laws cannot be used to degrade service or access customer data.

What this means for you

For in-house counsel and compliance officers serving the public sector or critical private sectors, CADA would introduce procurement requirements driven by risk assessments.

1. Conduct risk assessments (Article 29)

Member States and Union entities would carry out risk assessments to determine the appropriate Union assurance level.

  • Timing: by one year after entry into force, and thereafter every two years (or whenever necessary).
  • Scope: activities contributing to public order in sectors under the NIS2 Directive (Annex I or II) plus national security, internal security, external border management, defence, justice and law enforcement.
  • Action: identify whether your use case needs level 1 (baseline) or levels 2–4.

2. Procurement obligations (Article 30)

  • Level 1 minimum: activities not identified as contributing to public order must use services recognised at level 1 (Article 30(2)).
  • Higher levels for critical activities: activities identified as contributing to public order must procure services recognised at level 2, 3 or 4 (Article 30(3)).
  • Migration: where a risk assessment requires migrating to another service, migration must occur within a reasonable transition period not exceeding 12 months (Article 29(6)).

3. Penalties and compensation (Article 24)

  • Penalties: Member States must lay down effective, proportionate and dissuasive penalties, taking into account criteria such as the nature, gravity, scale and duration of the infringement and any financial benefits gained.
  • Compensation: recipients of cloud services would have the right to seek compensation for damage suffered due to a provider's infringement.

4. Audit, repository and transparency (Articles 20–23)

  • Audits: providers seeking levels 2–4 must undergo independent audits (Article 20).
  • Repository: verify your provider is listed at the right level in the Commission's central repository (Article 22).
  • Transparency: providers must notify material changes that could affect their assurance level (Article 23).

Common misconceptions

Misconception 1: "Data residency equals sovereignty." Keeping data in an EU data centre is only part of level 1. Sovereignty under CADA also requires control over the operator and the infrastructure. A foreign-controlled provider with an EU data centre may still be exposed to foreign laws allowing data access or service disruption, failing levels 2–4.

Misconception 2: "Only government agencies are affected." CADA's procurement rules (Article 30) target public sector bodies and Union entities, but Article 31 allows private entities in NIS2 Annex I sectors to carry out similar impact assessments. Providers building sovereign offerings for the public sector are also likely to offer those tiers to private clients.

Misconception 3: "Third-country providers are banned." CADA names no country and bans none outright. Level 3 allows a derogation where the Commission recognises a third country as an "associated third country" providing sufficient assurances (Article 18) — a high bar. Level 4 permits no third-country control at all.

Misconception 4: "Self-assessment is enough for all levels." Only level 1 allows a conformity self-assessment by the provider (Article 19). Levels 2, 3 and 4 require independent third-party audits and formal recognition by the national competent authority (Articles 17 and 20).

This is general information about a draft EU regulation, not legal advice.