Summary

The proposed Cloud and AI Development Act (CADA) would establish a graded sovereignty framework built on four Union assurance levels and risk assessments, rather than a blanket data-localisation mandate. Unlike China's broad localisation and security-review regime, CADA would let third-country-controlled providers be audited up to Union assurance level 3 where the Commission recognises their home country as an "associated third country" under Article 18. This preserves market access for trusted partners while enforcing operational autonomy and data confidentiality for the most critical public sector activities. CADA is still a proposal and the text may change.

Detail

The proposed CADA takes a nuanced approach to cloud sovereignty that differs fundamentally from the localisation regimes seen in jurisdictions such as China. Where China's Cybersecurity Law, Data Security Law and Personal Information Protection Law generally require critical data and personal information collected in China to be stored locally, with cross-border transfers subject to security assessments, CADA would adopt a risk-based, tiered model.

The CADA framework: graded assurance, not just geography

As proposed, CADA establishes a "Union cloud computing sovereignty framework comprising four Union assurance levels" (Article 16), with criteria set out in Annex II. The levels are defined not solely by where data is stored, but by a combination of establishment, location of infrastructure and personnel, cybersecurity certification and — crucially — the absence of third-country control.

  • Union assurance level 1: the provider is established in the Union; infrastructure and assets are located in the Union; and customer data, including metadata and telemetry, remains exclusively within the Union — in each case "unless the public sector body explicitly requires otherwise." Level 1 is self-assessed (Article 19).
  • Union assurance levels 2, 3 and 4: progressively stricter, cumulative and audited criteria. Level 2, for example, requires a European cybersecurity certificate of at least "substantial" (where such a scheme exists), software supply-chain measures, and — if the provider is under third-country control — demonstrated safeguards against foreign access and service disruption. Level 3 adds that personnel be Union citizens and that the provider not be under third-country control (subject to the Article 18 route). Level 4 requires a certificate of at least "high" and an absolute prohibition on third-country control, with no associated-third-country derogation.

Article 18: the gateway for trusted third countries

A key distinction from China's model is CADA's mechanism for recognising third countries. Under Article 18, the Commission may, by implementing act, identify third countries whose providers — even where controlled by that third country — "may be audited against the criteria for Union assurance level 3." The third country must meet six cumulative criteria:

  1. It is subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679).
  2. It has no measures enabling it to exercise control over the provider in a way that conflicts with the lawful-access rules in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854).
  3. It has no measures to compel the provider to degrade or disrupt service continuity, or to oblige it to apply restrictive measures such as sanctions or embargoes (unless legitimate under Member State or Union law).
  4. It has no measures to impede the provision of state-of-the-art technologies and services by the provider.
  5. It maintains an open market to Union cloud computing services.
  6. It grants equivalent access to its public procurement procedures for Union-controlled providers.

Where a country is recognised, providers under its control can still be audited for level 3, provided they also demonstrate specific legal, technical and organisational measures preventing third-country access to data and service disruption. This creates a pathway for non-EU providers to serve critical EU public sector needs — contrasting with China's more exclusionary approach to critical-infrastructure providers.

Risk assessments and procurement obligations

Member States and Union entities would conduct risk assessments (Article 29) — within one year of entry into force, then every two years — to identify public sector activities contributing to the preservation of public order and to determine the appropriate level. Under Article 30, bodies whose activities are not so identified must use recognised level 1 services, while those whose activities are identified (in NIS2 Annex I/II sectors, or in national security, defence, justice or law enforcement) must procure only level 2, 3 or 4 services. Sovereignty measures are therefore proportionate to risk, rather than a blanket localisation mandate.

Contrast with China's model

China's regime typically requires:

  • Data localisation: critical information infrastructure operators must store personal information and important data collected in China within China.
  • Security reviews: many cross-border transfers are subject to assessment by the Cyberspace Administration of China.
  • Vendor restrictions: a strong de facto preference for domestic vendors in critical sectors, with foreign providers facing significant hurdles.

CADA, by contrast, would focus on operational autonomy and legal safeguards rather than pure geography. Data would remain in the Union for the relevant levels (subject to the explicit-requirement exception), but the emphasis is on preventing foreign-government access and conflicting foreign laws that could compromise continuity or confidentiality.

What this means for you

For in-house counsel, the shift from a binary localisation model to a graded assurance framework calls for a strategic reassessment of cloud procurement and vendor management.

1. Vendor eligibility and Article 18 recognition. Monitor the Commission's implementing decisions on associated third countries (which it must publish on its website). If you rely on providers from third countries, assess whether those countries are likely to be recognised. Providers from non-recognised countries would generally be limited to level 1 (self-assessment), or could only reach the audited levels if they demonstrate effective separation from third-country control — often difficult for globally integrated hyperscalers.

2. Risk-assessment implementation. Run internal assessments aligned with Article 29. Identify which activities fall within "preservation of public order"; for those, procure recognised level 2, 3 or 4 services, while level 1 may suffice for the rest. This supports a multi-cloud strategy — and Article 29(9) expressly requires considering whether a multi-vendor or multi-cloud approach is appropriate.

3. Audit and compliance readiness. For levels 2–4, prepare for independent third-party audits (Article 20), covering software supply-chain measures, personnel requirements and cybersecurity certification. Ensure subcontractor contracts and data-processing terms address the Annex II criteria on third-country access and service disruption.

4. Transition planning. Where a risk assessment requires migration to another service, Article 29(6) allows a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity and data portability. Map data and workloads to required levels early.

5. Penalties and liability. Member States would set penalties for provider infringements that are "effective, proportionate and dissuasive" (Article 24). Recipients of cloud services would also have a right to seek compensation from providers for damage caused by infringements of the sovereignty framework (Article 24(3)). Build representations, audit-cooperation duties and liability allocation into provider contracts.

Common misconceptions

"CADA mandates data localisation for all cloud services." Not quite. Data would remain in the Union for recognised services, but the level required depends on the risk assessment, and the public sector body can explicitly require otherwise. The focus is sovereignty and control, not geography alone.

"Only EU-based providers can serve critical public sector needs." No. Article 18 provides a pathway for third-country-controlled providers to reach level 3 where their home country is recognised and the provider demonstrates adequate safeguards.

"CADA replaces the GDPR or AI Act." No. CADA would complement them. The GDPR continues to govern personal-data protection and the AI Act governs AI systems; CADA would address cloud sovereignty, resilience and procurement.

"All public sector cloud procurement must use level 4." No. The level is set by the risk assessment (Article 29). Many activities would require only level 1; the highest levels are reserved for the most critical public-order activities, such as defence.

This is general information about a draft EU regulation, not legal advice.