Summary

Yes. As proposed, the Cloud and AI Development Act (CADA) Union assurance level 1 requires that the infrastructure and assets of a cloud computing service provider, including those of subcontractors involved in providing the service, be located in the Union. Level 1 is the baseline for public sector procurement. It is not an absolute ban on non-EU infrastructure: the single exception applies where the public sector body procuring the service explicitly requires otherwise.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" to mitigate strategic dependencies and reduce risks associated with third-country access to data and infrastructure. This framework, defined in Article 16, relies on four tiered "Union assurance levels." Level 1 serves as the mandatory baseline for all public sector procurement, establishing the minimum standard for trusted cloud services within the Union.

To qualify for Level 1, cloud computing service providers must satisfy a set of cumulative criteria detailed in Annex II of the Regulation. These criteria are designed to ensure that the physical and logical foundations of the service remain under Union jurisdiction.

The specific requirement regarding physical location is found in Annex II, Section 1.1(b). The text states that for Union assurance level 1, "the infrastructure and assets of the cloud computing service provider, including those of its subcontractors which are involved in the provision of the service, are located in the Union unless the public sector body explicitly requires otherwise."

This provision establishes a default "EU-only" rule for the physical hardware, network equipment, and operational assets that support the cloud service. Crucially, the scope extends beyond the primary provider to the infrastructure and assets of subcontractors involved in the provision of the service. If a provider relies on a subcontractor whose infrastructure for that service sits outside the EU, the provider generally cannot claim Level 1 status for that service chain unless the public sector body procuring the service has explicitly required the use of non-EU infrastructure.

It is essential to distinguish this infrastructure location requirement from the data residency requirement found in Annex II, Section 1.1(c). While 1.1(b) focuses on where the servers, network gear, and physical assets reside, 1.1(c) focuses on where the customer data (including metadata and telemetry) is processed, stored, and transferred. Both provisions share the same conditional exception clause: "unless the public sector body explicitly requires otherwise." This parallel structure ensures that both the physical assets and the digital data remain under EU jurisdiction by default, creating a dual layer of protection against extraterritorial legal reach and physical seizure.

The rationale behind this strict localization is to prevent EU public data from being hosted on hardware located in jurisdictions whose laws may compel access to it, such as the US CLOUD Act. By anchoring the infrastructure in the EU, CADA aims to keep the hardware, and therefore the data on it, under the primary jurisdiction of EU authorities, safeguarding operational autonomy. Location alone does not settle the question: a provider that is itself subject to third-country law can be compelled regardless of where its hardware sits, which is why 1.1(b) is one of several cumulative criteria and Level 1 only the baseline of the framework.

What this means for you

For CTOs, architects, and SMEs evaluating their cloud strategy in light of CADA, this provision has several practical implications for compliance, service design, and procurement.

1. Supply Chain Auditing for Providers

If you are a cloud provider aiming to sell to the EU public sector, you must audit your entire service supply chain, not just your primary data centers. You cannot host your control plane in Frankfurt and route traffic to a storage bucket or backup node in Virginia, even for non-sensitive data, and still claim Level 1 for that service. Every subcontractor involved in providing the service must also have its relevant infrastructure in the Union, so the audit has to cover managed dependencies such as CDN, backup, monitoring, and management tooling, not only compute and storage. Document the physical locations of servers, network equipment, and storage facilities to support the conformity self-assessment required for Level 1.

2. Precision in Public Procurement

For public sector buyers and the private entities that supply them, procurement specifications must be precise. The exception "unless the public sector body explicitly requires otherwise" is a narrow escape hatch, not a blanket waiver. If your organization has a legitimate need for a service that relies on non-EU infrastructure (for example, a global SaaS application that cannot be regionally isolated), you must state that requirement explicitly in the tender documents. If you do not, you are bound to procure from a provider at Level 1 or higher. That can exclude global providers whose EU regions depend on non-EU control planes or backends.

3. Multi-Cloud and SME Architecture

For SMEs building multi-cloud architectures, this creates a significant compliance burden. If you use a mix of providers, every component that touches public sector data or infrastructure must come from a provider that can demonstrably meet the Annex II criteria. This may force you to drop certain global, integrated cloud offerings in favor of regionalized or sovereign options that can give the necessary transparency about asset location.

Common misconceptions

"Infrastructure" refers only to data centers.

A frequent misunderstanding is that "infrastructure" means only the data centers where customer data is stored. Annex II 1.1(b) covers "infrastructure and assets," a broader term that can include edge nodes, load balancers, network switches, and other hardware that delivers the service. A provider that uses a global content delivery network (CDN) caching data on servers outside the EU could fall foul of the location requirement unless the public body explicitly allows it.

Level 1 allows "data sovereignty" without "infrastructure sovereignty."

Some providers assume they can comply by keeping data in the EU while running management consoles, backup systems, or monitoring tools on non-EU hardware. CADA rejects this approach: the physical location of the hardware is treated as a fundamental element of sovereignty, because hardware outside the EU is subject to the physical jurisdiction of that third country regardless of where the data logically resides.

The "explicit requirement" exception is a standard clause.

Some assume the exception is boilerplate that can be dropped into every contract to avoid compliance costs. It is not. The exception is meant for specific, justified cases where EU-based infrastructure is technically impossible or unavailable. Using it as a default strategy undermines the purpose of the sovereignty framework and may be viewed skeptically by national competent authorities during audits.

This is general information about a draft EU regulation, not legal advice.