Summary
No. As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket mandate to use only EU-headquartered cloud providers. It establishes a risk-based framework: public procurement of cloud services must meet at least "Union assurance level 1," and higher levels (2, 3, or 4) are required only when a risk assessment finds the activity contributes to the preservation of public order. CADA is a proposal and not yet in force.
Detail
CADA proposes a structured approach to cloud sovereignty designed to reduce strategic dependencies while keeping the market open. It focuses on assurance levels and risk mitigation rather than corporate nationality alone, so it does not create a closed market reserved for European providers.
The minimum baseline: Union assurance level 1
Under Article 30(2), there is a baseline for public procurement of cloud services where activities have not been identified as contributing to public order:
"Union entities and public sectors bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
So every public body, from a municipality to an EU institution, must procure services recognised at level 1 — but meeting level 1 does not automatically exclude non-EU providers.
The cumulative criteria for level 1 are set out in Annex II. Key requirements include:
- the provider is established in the Union;
- the provider's (and its subcontractors') infrastructure and assets are located in the Union, unless the public-sector body explicitly requires otherwise;
- customer data, including metadata and telemetry, remains exclusively within the Union, unless the public-sector body explicitly requires otherwise.
These criteria strongly favour providers with substantial EU operations, but the framework is compliance-based: a non-EU group could meet them through a distinct EU entity satisfying establishment, data-residency, and infrastructure requirements. The focus is on where data and infrastructure reside, with third-country control scrutinised more strictly at higher levels.
Higher assurance levels for public order
Requirements escalate only when risks are identified. Article 30(3) provides:
"Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This is triggered by the Article 29 risk assessments, which identify which public-sector activities contribute to public order. Where an activity is identified in that way, the authority must procure at level 2, 3, or 4. Broadly, the higher levels add independent third-party audits and progressively stricter controls on third-country control and on personnel, with level 4 the most stringent. Annex II sets out the precise cumulative criteria for each level.
Exceptions and derogations
CADA includes flexibility. By derogation from Article 30(2) or (3), and on an exceptional, duly justified basis, Article 30(4) lets contracting authorities decide not to procure a recognised service where one or more circumstances apply:
- the subject matter cannot be supplied by recognised services in the central repository, and no adequate or comparable alternative exists (and that absence is not an artificial narrowing of the procurement);
- a similar procurement launched in the previous year received no suitable tenders or participants;
- applying the requirements would require procurement at disproportionate cost.
What this means for you
For public-sector procurement officers, CADA would shift focus from simple vendor selection to rigorous risk categorisation.
- Conduct risk assessments: Perform or participate in the Article 29 assessments. Decide whether your cloud usage supports public-order activities (e.g. sensitive justice data or critical-infrastructure management).
- Apply the correct tier:
  - If the activity is not identified as preserving public order, procure at Union assurance level 1 (ensure the provider holds a valid EU statement of conformity under Article 19).
  - If it is, procure at Union assurance level 2, 3, or 4 and verify the provider's audit reports and recognition status.
- Check the repository: Consult the central repository (Article 22) before tendering, directing procurement to services already recognised under Article 17.
- Document derogations: If no suitable recognised provider exists, you may rely on Article 30(4), but document the justification thoroughly.
Common misconceptions
- "CADA bans all non-EU cloud providers."
  - Reality: CADA restricts services that do not meet the assurance level required for the procurement. While the criteria for levels 2–4 effectively exclude most third-country-controlled providers, the framework is built on technical and operational safeguards rather than an explicit nationality ban. Level 1 allows some flexibility on third-country control where the vulnerability-reporting condition is met (Annex II, 1.1(g)).
- "All public cloud use requires the highest sovereignty tier."
  - Reality: Only activities identified through risk assessment as contributing to public order require levels 2, 3, or 4. General administrative tasks or non-sensitive processing require only level 1.
- "EU headquarters automatically guarantee compliance."
  - Reality: EU establishment is necessary but not sufficient. Providers must undergo recognition under Article 17 — including independent audits for levels 2–4 (Article 20) — and demonstrate compliance with the Annex II criteria on data residency, personnel, and third-country control.
This is general information about a draft EU regulation, not legal advice.