Summary
As proposed, the Cloud and AI Development Act (CADA) widens the EU's focus from "digital sovereignty" (control and data location) to "digital autonomy" (the capability to act independently and resiliently). Under Article 16, this is operationalised through a four-tier "Union assurance level" framework where autonomy is measured by the absence of third-country control and the prevention of service disruption — not just data residency. For in-house counsel, procurement strategy would have to account for operational resilience and supply-chain independence, not only GDPR-compliant transfer mechanisms.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), reframes how the EU thinks about trust in digital infrastructure. Where the GDPR centres on data protection and privacy, CADA addresses a broader strategic aim: reducing the Union's critical dependence on a limited pool of non-European cloud providers. Two often-conflated concepts sit at its core: digital sovereignty and digital autonomy.
Sovereignty vs. autonomy in the CADA context
CADA's explanatory memorandum references Mario Draghi's report "The future of European competitiveness," which calls for technological sovereignty in areas such as security and encryption. As proposed, CADA refines that into a more nuanced legal construct.
- Digital sovereignty generally refers to legal and political authority over data and infrastructure — where data is stored, who owns the hardware and which jurisdiction's laws apply. CADA acknowledges that sovereignty is not binary: a service can be sovereign in some respects (e.g. data location) but not others (e.g. operational control).
- Digital autonomy, as framed by CADA, is the capability to act independently — the ability of the Union and its Member States to retain control over infrastructure, data, assets and technology systems under Union and national jurisdiction, free from unilateral disruption or extraterritorial interference by third countries.
Recital 46 of the proposal frames the ability to retain control over the Union's infrastructure, data and assets under Union and national jurisdiction as having "become an imperative policy objective." That is autonomy in action: the power to ensure service continuity and data confidentiality regardless of geopolitical shifts.
The role of Article 16: the Union assurance levels
The mechanism that turns these concepts into legal obligations is Article 16, which establishes the Union cloud computing sovereignty framework comprising four Union assurance levels (criteria in Annex II). These are graded scales of autonomy and resilience, not just data location.
- Union assurance level 1: the baseline. The provider must be established in the Union, with infrastructure and assets located in the Union, and customer data kept exclusively in the Union unless the public sector body explicitly requires otherwise. This ensures basic control but does not guarantee full operational autonomy against sophisticated foreign interference if the provider is foreign-controlled.
- Union assurance level 2: adds stricter requirements verified by independent audit. Personnel and subcontractors involved in the service must be established in the Union, and the criteria introduce software supply-chain measures — including a Software Bill of Materials (SBOM) and controls to block remote features that could tamper with or disrupt systems. This begins to address autonomy by mitigating remote "kill-switch" or degradation risks.
- Union assurance level 3: requires that the provider and the subcontractors involved in the service are not subject to the control of a third country or a legal entity established in a third country. This is where sovereignty and autonomy converge. A foreign-controlled provider can reach level 3 only by derogation, where the Commission has recognised that country as an "associated third country" (Article 18) and the provider also shows the required separation measures.
- Union assurance level 4: the highest tier. Like level 3 on control (with no derogation available), but with stricter requirements on personnel (Union citizens, with national security clearance where appropriate) and cybersecurity certification (assurance level "high").
By structuring the framework this way, CADA moves beyond a binary "sovereign vs. non-sovereign" debate toward a risk-based approach where the required level of autonomy depends on the criticality of the public-sector activity.
Alignment with the international digital strategy
CADA is designed to be consistent with the EU's broader external posture. As proposed, the explanatory memorandum states that the proposal is "fully compatible with the EU's June 2025 Communication on an International Digital Strategy" and creates "a transparent, non-discriminatory blueprint for digital autonomy." The aim is not isolation: the memorandum stresses that the framework will "secure access to the internal market to entities from partner countries that meet required levels of Union assurance." Autonomy, in other words, is defined by auditable criteria (such as the absence of third-country control over critical infrastructure) rather than by excluding foreign players outright.
The strategic shift: from data protection to operational resilience
The explanatory memorandum notes that "three non-EU hyperscalers control over 70% of the European cloud market," exposing the Union to risks such as operational discontinuity and unilateral decisions by third-country actors. CADA would respond by requiring Member States and Union entities to conduct risk assessments (Article 29) to determine which public-sector activities require higher assurance. Where an activity is identified as contributing to the preservation of public order, the contracting authority must procure services recognised at level 2, 3 or 4 (Article 30(3)). This shifts compliance from purely data-centric checks (e.g. Standard Contractual Clauses) toward assessments of operational resilience, supply-chain integrity and geopolitical risk.
What this means for you
For in-house counsel and compliance officers, the proposed CADA would reshape procurement and risk management, especially for entities in or serving the public sector.
- Procurement strategy overhaul. Data protection impact assessments (DPIAs) alone would no longer suffice to evaluate cloud providers. You would also assess the provider's position in the Union assurance framework. Public sector bodies — and private entities in NIS2 Annex I sectors that opt to assess (Article 31) — would determine the minimum assurance level required.
- Supplier due diligence. Expand due diligence to include supply-chain analysis. Under Annex II, providers seeking higher levels must show their software supply chains are free from remote-tampering risks and (at levels 3 and 4) that they are not subject to third-country control. Request evidence such as SBOMs and ownership structures from vendors. Bear in mind that an SBOM is an inventory of components, not proof that none of them carries a remote update, disable or "kill-switch" channel; ask the provider to document, alongside the SBOM, the controls it relies on to block such remote features, since those controls are what the level 2 criteria actually turn on.
- Transition planning. Under Article 29(6), where a risk assessment requires migration to another cloud service, migration must occur within a reasonable transition period not exceeding 12 months. Begin identifying alternative providers that meet the necessary levels.
- Penalties and liability. Under Article 24, Member States must lay down rules on penalties for infringements by providers — "effective, proportionate and dissuasive." Recipients of cloud services would also have the right to seek compensation for damage suffered due to a provider's infringement. Align indemnity clauses and SLAs with these sovereignty requirements.
- Monitoring and reporting. Recognised providers must notify material changes that could affect their assurance level (Article 23). Establish mechanisms to track changes in a provider's ownership, infrastructure or legal status.
Common misconceptions
- Misconception 1: CADA bans non-EU cloud providers.
- Reality: it does not. It establishes a framework for recognition. A provider controlled by a third country may still qualify for level 3 where the Commission recognises that country as an "associated third country" (Article 18) and the provider shows the required measures.
- Misconception 2: Sovereignty means all data must stay in the EU.
- Reality: data localisation is one component, but sovereignty under CADA is broader — it includes operational autonomy, supply-chain integrity and the absence of third-country control. A provider could keep data in the EU yet still fail higher levels if exposed to foreign laws allowing data access or service disruption.
- Misconception 3: The AI Act already covers cloud sovereignty.
- Reality: the AI Act addresses the safety, fundamental-rights and transparency aspects of AI systems. The CADA explanatory memorandum states the AI Act "does not cover aspects of sovereignty." CADA complements it by addressing the resilience of the underlying cloud infrastructure.
Official sources
Related
- Data sovereignty vs operational autonomy under CADA: what's the difference?
- Data residency vs data sovereignty under CADA: what is the difference?
- CADA vs the Digital Markets Act (DMA) for cloud: what is the difference?
- CADA vs Gaia-X: what is the difference for EU cloud sovereignty?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
This is general information about a draft EU regulation, not legal advice.