Summary
The long-standing debate over whether the European Cybersecurity Certification Scheme for Cloud Services (EUCS) should include "sovereignty" criteria is effectively resolved by the proposed Cloud and AI Development Act (CADA). As proposed in COM(2026) 502 final, CADA bypasses the certification stalemate by embedding sovereignty requirements directly into binding law via four mandatory Union assurance levels (Article 16). While EUCS, once finalized, will address the technical cybersecurity layer, CADA governs the autonomy layer: defining who controls the infrastructure, where data resides, and the citizenship of personnel. For legal teams, this means sovereignty is no longer a voluntary certification choice but a statutory procurement requirement, with EUCS serving only as a technical prerequisite for the higher tiers.
Detail
To navigate the intersection of CADA and EUCS, it is essential to distinguish between cybersecurity (technical resilience against attacks) and sovereignty (legal and operational autonomy from third-country interference). For years, the EU struggled to harmonize these concepts within a single certification scheme, leading to a significant delay in the adoption of EUCS. CADA breaks this deadlock by codifying sovereignty into a distinct regulatory framework, leaving EUCS to handle the underlying technical security certification.
The EUCS Stalemate: Why Sovereignty Was Separated
The EUCS, developed under the Cybersecurity Act (Regulation (EU) 2019/881), was originally intended to provide a single EU-wide certification for cloud services. However, its adoption was stalled partly due to intense political and technical debate over whether the scheme should include "sovereignty" or "trust" criteria. Many stakeholders, including Member States and industry representatives, argued that EUCS should remain strictly technical, focusing on data confidentiality, integrity, and availability, while leaving geopolitical sovereignty concerns to national laws or specific procurement rules.
CADA explicitly acknowledges this limitation. The Explanatory Memorandum states: "Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." By separating the two, CADA ensures that sovereignty is not left to the discretionary or delayed process of a certification scheme, but is instead established as a clear, harmonized legal requirement.
CADA's Four-Tier Sovereignty Framework (Article 16)
As proposed, CADA introduces a Union cloud computing sovereignty framework comprising four Union assurance levels (Article 16). These levels are not voluntary certifications but mandatory criteria that cloud computing service providers must meet to offer services to Union entities and public sector bodies. The criteria are detailed in Annex II of the proposal and escalate in strictness:
- Union Assurance Level 1: The baseline for all public sector procurement. It requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union unless explicitly required otherwise by the public sector body. It also mandates transparency on subcontractors and compliance with state-of-the-art cybersecurity standards.
- Union Assurance Levels 2, 3, and 4: These higher tiers impose stricter conditions, including:
  - Personnel: Requirements for Union citizenship. At Level 2, this is conditional (only if the public sector body determines it is necessary). At Levels 3 and 4, Union citizenship for personnel is mandatory.
  - Control: Prohibitions on third-country control over the provider or its subcontractors. Level 3 allows for limited exceptions where the Commission has adopted an implementing act under Article 18 (Associated third countries), provided specific safeguards are met. Level 4 strictly prohibits third-country control.
  - Data: Stricter prohibitions on data being used to train AI systems operated by third countries.
  - Cybersecurity Certification: Levels 2, 3, and 4 explicitly require the service to obtain a European cybersecurity certificate of at least "substantial" assurance (Levels 2 and 3) or "high" assurance (Level 4) under a scheme established under Regulation (EU) 2019/881. This is where EUCS becomes relevant.
The Role of EUCS in CADA's Higher Tiers
While EUCS does not define sovereignty, it becomes a prerequisite for achieving Union Assurance Levels 2, 3, and 4. According to Annex II, paragraphs 2.1(e), 3.1(e), and 4.1(e), providers seeking these higher tiers must obtain a European cybersecurity certificate. Until EUCS is fully adopted and available, national cybersecurity certification schemes may apply. Once EUCS is finalized, it will serve as the technical proof that a cloud service meets the cybersecurity standards required for higher sovereignty tiers.
This creates a layered compliance model:
- CADA (Sovereignty): Defines who controls the data and infrastructure, and where it is located.
- EUCS (Cybersecurity): Proves how the infrastructure is technically secured against cyber threats.
Risk Assessments and Procurement Obligations
CADA does not leave it to providers to self-select their tier. Member States and Union entities must conduct risk assessments (Article 29) to determine which public sector activities require which assurance level. If an activity is deemed to contribute to the preservation of public order (e.g., national security, defense, justice, law enforcement), contracting authorities must procure only services recognized at Union Assurance Levels 2, 3, or 4 (Article 30(3)). For all other public sector activities, Level 1 is the minimum requirement (Article 30(2)).
This means that for high-risk public sector use cases, compliance with CADA's sovereignty criteria is mandatory, and without the corresponding cybersecurity certification (eventually EUCS), a provider cannot achieve the necessary assurance level.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the separation of CADA and EUCS has immediate and long-term implications:
- Immediate Sovereignty Compliance: You cannot wait for EUCS to be finalized to address sovereignty. CADA's four-tier framework (Article 16) will apply once the regulation enters into force. If your organization provides cloud services to the EU public sector, you must assess your current offering against Annex II criteria. Can you guarantee data remains in the Union? Is your infrastructure free from third-country control? If not, you may be disqualified from public sector tenders.
- Procurement Strategy for Public Sector Buyers: If you are in the public sector, you must begin conducting risk assessments (Article 29) to identify which services require Levels 2-4. This will drive your procurement specifications. You will need to demand evidence of compliance with the specific sovereignty criteria, not just general security certifications.
- Future-Proofing for EUCS: While CADA handles sovereignty, you must prepare for EUCS. If you aim for Assurance Levels 2-4, you will need a cybersecurity certificate. Start aligning your technical controls with the expected EUCS standards now. When EUCS is adopted, it will likely be the primary mechanism to demonstrate the cybersecurity component of your CADA compliance.
- Penalties and Enforcement: Non-compliance with CADA's sovereignty framework can result in penalties (Article 24). Member States must lay down rules on penalties that are effective, proportionate, and dissuasive. Additionally, recipients of services have the right to seek compensation for damages caused by infringements of these obligations. Ensure your contracts with cloud providers include clauses that indemnify you against failures to meet these sovereignty requirements.
Common misconceptions
- Misconception 1: EUCS will replace CADA's sovereignty rules.
- Reality: EUCS is a cybersecurity certification. It does not address legal sovereignty, data localization, or third-country control. CADA's four-tier framework (Article 16) is the binding legal instrument for sovereignty. EUCS is merely one of the technical requirements for the higher CADA tiers.
- Misconception 2: Sovereignty is optional for cloud providers.
- Reality: If you want to serve the EU public sector, sovereignty compliance is mandatory. Article 30 requires public sector bodies to procure only services that meet the minimum assurance level determined by their risk assessment. Level 1 is the floor for all public sector procurement; Levels 2-4 are required for critical activities.
- Misconception 3: CADA and EUCS are competing frameworks.
- Reality: They are complementary. CADA provides the "what" (sovereignty criteria), and EUCS will provide part of the "how" (cybersecurity proof). CADA explicitly references the Cybersecurity Act's certification scheme as a requirement for Levels 2-4, creating a dependency rather than a competition.
- Misconception 4: Level 2 requires mandatory Union citizenship for all staff.
- Reality: For Level 2, Union citizenship for personnel is conditional (only if the public sector body determines it is necessary). It becomes mandatory only at Levels 3 and 4.
- Misconception 5: Third-country providers are completely banned from Level 3.
- Reality: While Level 3 generally prohibits third-country control, Article 18 allows the Commission to adopt implementing acts identifying specific third countries where providers may be audited for Level 3, provided strict safeguards are in place.
This is general information about a draft EU regulation, not legal advice.