Summary

No. Holding your own encryption keys (BYOK/HYOK) would not, on its own, make a cloud service sovereign under the proposed Cloud and AI Development Act (CADA). Key management mitigates data-confidentiality risk, but CADA's framework (Article 16) requires broader controls over infrastructure, personnel, and third-country jurisdictional exposure. Recital 48 notes that providers' tailored "sovereign" offerings do not address core sovereignty issues such as the extraterritorial reach of third-country laws or the possible degradation or disruption of service. CADA is a proposal and is not yet in force.

Detail

Under the proposed CADA, sovereignty is not defined by a single technical control but by a framework of "Union assurance levels." Article 16 would establish four such levels, each with cumulative criteria (set out in Annex II) that providers must meet to be recognised at that level when serving Union entities and public sector bodies.

The limitations of BYOK and HYOK

Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) architectures are valuable for data protection: they help ensure that even if a provider's infrastructure is accessed, data remains encrypted and unreadable without the customer's key. But CADA's criteria for the higher Union assurance levels go well beyond encryption.

To meet the higher levels, a provider would have to demonstrate control over, among other things:

  • Infrastructure and assets: located within the Union (Annex II).
  • Personnel: at the higher levels, personnel involved in service provision must be Union citizens, with security clearances where classified information is handled (Annex II).
  • Technical and operational support: performed within the Union (Annex II).
  • Software supply chain: measures to prevent remote tampering and to address third-country control over relevant components (Annex II).

Holding encryption keys does not satisfy these structural requirements. A provider could allow BYOK yet still host infrastructure in a third country, use non-Union support staff, or rely on components controlled by a third-country entity. Under CADA, such a service would not qualify for the higher Union assurance levels.

Recital 48: tailored measures are insufficient

The legislative text addresses the idea that technical tweaks equate to sovereignty. Recital 48 states:

"Cloud computing service providers have launched tailored versions of their service offerings in response to the Union's growing concerns over sovereignty. However, those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service."

Many providers market "sovereign clouds" by adding data residency or customer-managed keys. CADA's view is that these measures do not address the extraterritorial reach of third-country laws. If a provider is subject to a third country's jurisdiction (for example the US CLOUD Act), that country may seek to compel the provider to act regardless of who holds the encryption keys.

Operational and technical control

CADA emphasises operational autonomy: the provider should be able to deliver and maintain the service without third-country interference.

  • Service continuity: the higher assurance levels are designed to ensure that a third country cannot compel the provider to degrade or disrupt service quality or continuity (Annex II). Encryption keys do not prevent a provider from being pressured to shut down a data centre or throttle access.
  • Legal control: at the higher levels, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country, save for the narrow Article 18 route for "associated third countries" at level 3. This requires assessing ownership, control structures, and legal exposure.

The role of risk assessments

Under Article 29, Member States and Union entities would conduct risk assessments to determine which Union assurance level is appropriate, considering the sensitivity and criticality of the data, the risk of unlawful access by a third country, and the risk of service disruption. Even where an organisation uses BYOK, if the provider is subject to third-country jurisdictional risk, the assessment may conclude the service does not meet the required level for critical public-order activities.

What this means for you

For CTOs, architects, and SMEs evaluating cloud providers, CADA would shift focus from purely technical controls to legal and operational due diligence.

  1. Don't rely solely on encryption: For public-sector contracts or critical data, BYOK/HYOK is necessary but not sufficient. You would need to verify the provider's legal structure, ownership, and operational footprint.
  2. Check the assurance level: Ask which Union assurance level a provider is recognised for under Article 17. Level 1 (self-assessed) may not meet the requirements for high-risk public-sector activities, which often require levels 2, 3, or 4.
  3. Evaluate jurisdictional exposure: Investigate whether the provider is subject to third-country laws that could compel data access or service disruption — a core concern for the higher levels.
  4. Prepare for audits: Higher levels require independent third-party audits (Article 20) covering the supply chain, personnel, and infrastructure. Confirm your provider can undergo them.
  5. Consider multi-cloud: A multi-cloud or multi-vendor approach can reduce single-provider dependency; Article 29(9) requires this to be considered in risk assessments.

Common misconceptions

  • Misconception: "If we hold the keys, the provider can't see our data, so it's sovereign."
    • Reality: Sovereignty under CADA includes protection against service disruption and access to metadata or infrastructure, not just data content. A provider subject to third-country laws could be pressured to disrupt your service, rendering your keys moot.
  • Misconception: "Data residency in the EU is enough."
    • Reality: Data residency is only one criterion (Annex II). A provider can store data in the EU yet still be controlled by a third-country parent, use non-Union staff, or rely on third-country components. CADA requires a holistic assessment of control and autonomy.
  • Misconception: "Only large public-sector entities need to worry about this."
    • Reality: Public-sector procurement is directly affected (Article 30), but private-sector essential and important entities under NIS2 may carry out similar assessments (Article 31), and public procurement signals will likely shape the wider market.

This is general information about a draft EU regulation, not legal advice.