Summary
Yes, the proposed EuroCloud Federation is explicitly designed to facilitate the sharing of cloud services capable of handling classified and sensitive government workloads, but participation is strictly conditional. Under Article 35(2) of the Cloud and AI Development Act (CADA) proposal, any "sharing entity" must implement robust technical, operational, and organisational measures to ensure a "secure and resilient provision of services." Crucially, the ability to host classified information is not automatic; it depends on the underlying service achieving Union Assurance Level 3 or 4 as defined in Annex II. While the primary text mandates the existence of these security policies, the specific technical specifications will be detailed in future implementing acts under Article 35(6).
Detail
The EuroCloud Federation, established under Article 34, creates a voluntary framework for Union entities and public sector bodies to share data centre and cloud computing services. Its strategic purpose is to enhance the Union's technological autonomy by pooling resources and reducing reliance on non-European providers. However, the capacity to handle classified or sensitive workloads is a high-stakes feature that triggers a rigorous compliance chain involving the sovereignty framework, security mandates, and Commission oversight.
The Security Mandate: Article 35(2)
The cornerstone of handling sensitive data within the Federation is Article 35(2). This provision imposes a mandatory obligation on the "sharing entity" (the public body providing the service) to put in place "appropriate technical, operational and organisational measures to ensure an effective, secure and resilient provision of services."
The proposal explicitly lists the categories of measures required:
- Policies on risk analysis and information system security.
- Access control policies.
- Policies on incident handling and business continuity.
- Policies supporting interoperability and connectivity.
These are not optional best practices. Before a sharing entity can legally share services within the Federation, Article 35(3) requires it to demonstrate to the Commission that it fulfils these conditions. The Commission then conducts an assessment under Article 35(4) and only allows the sharing to proceed if the conditions are met. This creates a "gatekeeper" mechanism ensuring that no sensitive workload is shared without verified security controls.
The Sovereignty Threshold: Union Assurance Levels 3 and 4
While Article 35 sets the operational security requirements, the sovereignty requirements for classified data are found in the Union Assurance Levels (UALs) defined in Annex II and clarified in Recital 62.
Recital 62 states clearly that "Union assurance levels 3 and 4 should allow for the secure hosting of EU classified information." Consequently, a cloud service shared via the EuroCloud Federation can only host classified workloads if it has been formally recognised as offering at least Union Assurance Level 3 or Level 4.
- Level 3 Requirements: Under Annex II, Section 3.1(d), personnel must be Union citizens (with security clearance where appropriate). Crucially, Section 3.1(g) states that providers must not be subject to third-country control, unless the Commission has adopted an implementing act under Article 18 (the third-country derogation) confirming sufficient safeguards.
- Level 4 Requirements: This is the highest tier. Annex II, Section 4.1(g) mandates that the provider and its subcontractors are not subject to the control of a third country or legal entity established in a third country. There is no derogation for Level 4; it requires absolute Union control.
If a service is only recognised at Level 1 or 2, it lacks the necessary sovereignty criteria (such as the strict personnel or control requirements) to legally host classified information under the CADA framework, regardless of its participation in the Federation.
The Role of Implementing Acts (Article 35(6))
The CADA proposal distinguishes between the obligation to have security measures and the specifics of those measures. Article 35(2) sets the baseline, but Article 35(6) empowers the Commission to adopt implementing acts to "specify the technical, operational and organisational measures" referred to in paragraph 2.
This means the primary regulation does not enumerate every firewall rule, encryption standard, or access protocol. Instead, it delegates the technical detailing to the Commission. These future implementing acts will harmonise the security standards across the Union, ensuring that a "secure" service in one Member State meets the same technical definition as in another. Until these acts are adopted, the general principles of Article 35(2) and the existing cybersecurity frameworks (such as NIS2 and the Cybersecurity Act) will guide the implementation, but the specific CADA-compliant technical specifications will be defined in secondary legislation.
Cost Structure and Procurement Exemption
A unique feature of the EuroCloud Federation is its non-commercial nature regarding internal sharing. Article 35(5) allows a sharing entity to charge a fee to the "using entity," but strictly limits this fee to the costs incurred (e.g., allocating resources, managing access, ensuring compliance).
Recital 73 clarifies that these fees do not constitute a "pecuniary interest" and therefore the sharing of services within the Federation does not fall under Union public procurement rules (such as Directive 2014/24/EU). This exemption is vital for classified workloads, as it allows public bodies to rapidly share high-security infrastructure without navigating the lengthy and complex procedures of standard public procurement, provided the security and assurance level conditions are met.
What this means for you
For public-sector IT directors, procurement officers, and security architects, the EuroCloud Federation offers a streamlined path to sovereign, high-security capacity, but it requires a two-step verification process.
- Verify the Assurance Level First: Before considering a service for classified workloads, confirm it holds a formal recognition of Union Assurance Level 3 or 4. A service at Level 1 or 2 is legally insufficient for classified data under Recital 62, even if it is part of the Federation.
- Validate Article 35 Compliance: Ensure the sharing entity has successfully demonstrated its compliance with Article 35(2) to the Commission. You should request evidence of their risk analysis, access control policies, and incident handling procedures. While the Commission's approval under Article 35(4) is a prerequisite, your own due diligence regarding the specific classification level of your data is essential.
- Monitor Secondary Legislation: Keep a close watch on the implementing acts to be adopted under Article 35(6). These will define the precise technical measures required. Non-compliance with these future specifications could jeopardise the security posture of your shared infrastructure.
- Budget for Cost Recovery Only: When planning for shared resources, anticipate fees based strictly on cost recovery as per Article 35(5). Do not expect commercial pricing models, as the mechanism is designed to be non-profit and focused on public interest.
Common misconceptions
"The EuroCloud Federation automatically authorises the sharing of any classified data." Reality: No. Participation is voluntary, but the capability to handle classified data is strictly tied to the Union Assurance Level of the service. Only services recognised at Level 3 or 4 meet the sovereignty criteria for classified information. A Level 1 service shared via the Federation cannot legally host classified data.
"Sharing via EuroCloud is a commercial transaction subject to standard procurement rules." Reality: Incorrect. Article 35(5) and Recital 73 establish that sharing is based on public interest cooperation. Fees are limited to cost recovery and do not constitute a pecuniary interest. Therefore, standard public procurement directives do not apply to the internal sharing mechanism, allowing for faster deployment of critical infrastructure.
"Private cloud providers can join the EuroCloud Federation to offer classified services directly." Reality: No. Article 34(1) limits participation to "Union entities and public sector bodies." Recital 71 explicitly excludes direct private participation where the sharing entity owns the hardware. Private providers may supply the underlying technology to a public body, but the public body must be the entity participating in and managing the Federation share.
This is general information about a draft EU regulation, not legal advice.