Summary
The proposed Cloud and AI Development Act (CADA) does not automatically mandate a specific sovereignty tier for all EU common data spaces. However, public-sector bodies operating these spaces must conduct risk assessments under Article 29 to determine the required Union assurance level. If a data space supports activities contributing to the preservation of public order or processes sensitive sectoral data (e.g., health, energy, defence), the hosting cloud services would likely need to be recognised at Union assurance levels 3 or 4. While the Data Governance Act (DGA) facilitates data sharing, it does not define technical sovereignty standards; CADA fills this gap by imposing a tiered framework on the cloud infrastructure underpinning critical public-sector data spaces.
Detail
The regulatory landscape for EU common data spaces is evolving from a focus on data interoperability to one that includes infrastructure sovereignty. The Data Governance Act (DGA) establishes the legal framework for data intermediaries and data altruism, enabling the sharing and reuse of data across sectors. However, the DGA does not prescribe the technical or sovereign characteristics of the cloud infrastructure hosting these data spaces. The proposed CADA (COM(2026) 502 final) addresses this gap by establishing a Union cloud computing sovereignty framework. The application of this framework to data spaces is not a blanket requirement but is contingent on the nature of the public-sector activities supported and the sensitivity of the data processed, as determined by the risk assessment mechanism in Article 29.
The Trigger: Article 29 Risk Assessments
The primary mechanism linking CADA to data spaces is Article 29, which obliges Member States and Union entities to carry out risk assessments. These assessments are designed to identify public sector activities that contribute to the preservation of public order. The text of Article 29(1) explicitly lists sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and areas such as national security, internal security, external border management, defence, justice, and law enforcement.
If a common data space, such as the European Health Data Space (EHDS), a mobility data space, or an energy data space, supports activities within these sectors, the hosting cloud services must meet specific Union assurance levels. The assessment must determine which level (2, 3, or 4) is appropriate based on:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk of unlawful access by a third country or a legal entity established in a third country.
- The risk of service disruption.
Article 29(1) mandates that these assessments be completed within one year of the date of entry into force, and repeated every two years thereafter. For data spaces handling highly sensitive data, such as health records in the EHDS or critical infrastructure data in the energy sector, the risk assessment may conclude that only Union assurance levels 3 or 4 are sufficient to protect public order. Consequently, the cloud services hosting these data spaces must be recognised at these higher tiers. This creates a de facto sovereign hosting requirement for critical infrastructure, even though the DGA itself remains silent on cloud sovereignty.
Union Assurance Levels: From Baseline to High Sovereignty
CADA establishes four Union assurance levels in Article 16, with detailed criteria set out in Annex II. The levels escalate in strictness, with levels 3 and 4 imposing rigorous requirements on data localisation, personnel citizenship, and the absence of third-country control.
- Union Assurance Level 1: This is the baseline. It requires the provider to be established in the Union and for infrastructure and assets to be located in the Union, unless the public sector body explicitly requires otherwise. Customer data must remain exclusively within the Union.
- Union Assurance Level 2: This level adds requirements for personnel location in the Union and prohibits the use of customer data to train AI systems operated by third countries. Crucially, it requires a European cybersecurity certificate of at least 'substantial' assurance under a scheme established under Regulation (EU) 2019/881.
- Union Assurance Level 3: This tier is often required for sensitive sectoral data. It mandates that all personnel involved in service provision are Union citizens. It strictly prohibits third-country control over the provider and its subcontractors, unless an exception is granted for associated third countries under Article 18. Technical and operational support must be performed exclusively within the Union by Union residents.
- Union Assurance Level 4: Similar to Level 3 but with heightened cybersecurity requirements. It requires a European cybersecurity certificate of at least 'high' assurance. It also demands effective control over software components, ensuring no third country holds effective control over their design, development, or maintenance.
For a data space to operate at Level 3 or 4, the underlying cloud infrastructure must meet these cumulative criteria. This includes ensuring that customer data, including metadata and telemetry, remains exclusively within the Union. It also requires that no data generated by using the service is used to train AI systems operated by third countries.
Interaction with the Data Governance Act (DGA)
The DGA focuses on enabling data sharing through data intermediaries and data altruism organisations. It does not impose sovereignty requirements on the cloud services used by these intermediaries. However, when a public-sector body acts as a data holder or uses a data space for public administration purposes, CADA's sovereignty framework applies.
Recital 47 of the CADA proposal notes that existing Union law, including the DGA, addresses data portability and switching but does not contain elements to shape a more competitive offer of European cloud services or address sovereignty concerns. CADA complements the DGA by providing the trust framework necessary for the secure use of cloud services in critical sectors. Therefore, while the DGA may enable the legal flow of data, CADA dictates the technical and operational conditions under which that data can be hosted in the cloud for public-order-relevant activities.
Implications for Sectoral Data Spaces
Sectoral data spaces, such as those for automotive, healthcare, or energy, often involve mixed public and private participation. CADA's sovereignty framework primarily targets public-sector procurement under Article 30. However, Article 31 allows private sector entities listed in Annex I of the NIS2 Directive to conduct similar impact assessments. If a private entity operates a data space that is critical for economic security or public order, it may voluntarily adopt these assessments to mitigate risks.
For public-sector data spaces, the requirement to procure services at Level 3 or 4 for sensitive activities means that the cloud provider must be free from third-country control. This is a significant hurdle for many global hyperscalers, which may be subject to laws like the US CLOUD Act. CADA's criteria for Level 3 explicitly state that the provider and its subcontractors must not be subject to the control of a third country, unless an implementing act under Article 18 identifies that third country as providing sufficient assurances.
What this means for you
For in-house counsel and compliance officers overseeing data space initiatives, the following actions are critical:
- Conduct Risk Assessments Early: Begin the Article 29 risk assessment process immediately. Identify which activities within your data space contribute to public order. Consider the sensitivity of the data (e.g., health, energy, transport) and the potential impact of service disruption or data access by third countries.
- Map Cloud Services to Assurance Levels: Audit your current cloud service providers. Determine if they are recognised at the necessary Union assurance level. If your data space processes sensitive sectoral data, you may need to migrate to providers recognised at Level 3 or 4.
- Review Contracts for Sovereignty Clauses: Ensure your cloud contracts include clauses that guarantee compliance with CADA's sovereignty criteria, such as data localisation within the Union, prohibition of third-country access, and restrictions on using customer data for AI training.
- Monitor Associated Third-Country Decisions: Track Commission decisions under Article 18 regarding associated third countries. If your provider is subject to third-country control, its eligibility for Level 3 recognition depends on these decisions.
- Prepare for Penalties: Non-compliance with CADA's sovereignty framework can lead to penalties. Member States must lay down rules on penalties for infringements by cloud computing service providers under Article 24. These penalties must be effective, proportionate and dissuasive. While CADA does not specify fine amounts, it lists criteria for imposition, including the nature, gravity, and duration of the infringement, and the financial benefits gained.
Common misconceptions
"The DGA imposes sovereignty requirements." No. The DGA focuses on data sharing and intermediation. It does not define sovereignty tiers. CADA imposes these requirements on public-sector cloud procurement, which indirectly affects data spaces operated by or for public bodies.
"All data spaces must use Level 4 cloud services." No. The required level depends on the risk assessment under Article 29. Only activities contributing to public order and involving high sensitivity may require Levels 3 or 4. Most public services may only require Level 1 or 2.
"CADA bans all non-EU cloud providers." No. CADA allows providers from third countries to be recognised at Level 3 if the Commission adopts an implementing act under Article 18, confirming that the third country provides sufficient assurances. This is a case-by-case determination.
"Private data spaces are exempt from CADA." Not entirely. While CADA primarily targets public-sector procurement, private entities in critical sectors (NIS2 Annex I) can conduct similar impact assessments under Article 31. Market pressure from public-sector clients may also drive private providers to adopt sovereign tiers.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
This is general information about a draft EU regulation, not legal advice.