No, GDPR data localisation and CADA sovereignty levels are not the same. The GDPR restricts international transfers of personal data to ensure adequate protection but does not mandate specific sovereignty tiers or operational-control requirements. By contrast, the proposed Cloud and AI Development Act (CADA) would establish a Union cloud computing sovereignty framework of four Union assurance levels (Article 16) addressing operational autonomy, foreign-law exposure, and infrastructure resilience that go well beyond data residency.

Detail

The distinction between the General Data Protection Regulation (GDPR) and the proposed Cloud and AI Development Act (CADA) lies in their objectives: the GDPR protects individual privacy and fundamental rights, while CADA would secure the Union’s technological sovereignty and operational resilience. For in-house counsel and compliance officers, understanding this divergence is critical for navigating the upcoming regulatory landscape.

GDPR: transfer restrictions, not sovereignty tiers

The GDPR, specifically Chapter V, governs the transfer of personal data to third countries or international organisations. Its mechanism is to ensure that the level of protection afforded to personal data in the EU is not undermined when data leaves the jurisdiction, achieved through adequacy decisions, appropriate safeguards (such as Standard Contractual Clauses), or derogations.

The GDPR does not establish a tiered system of "sovereignty levels" for cloud services. It does not mandate that non-personal data remain within the EU, nor does it prescribe technical or operational controls over who owns the infrastructure, where personnel are located, or whether a provider is subject to third-country laws that might compel service disruption. Its focus is on the processing of personal data and the rights of data subjects, not on the strategic autonomy of the cloud infrastructure itself. As the CADA explanatory memorandum notes, while the EU-US Data Privacy Framework addresses transatlantic data transfers, it "does not remove sovereignty concerns about dependence on third-country providers."

CADA: a multi-layered sovereignty framework

CADA would introduce a "Union cloud computing sovereignty framework" of four Union assurance levels (Article 16), with the detailed criteria set out in Annex II. These levels are designed to mitigate risks of operational discontinuity, unauthorised access by third-country authorities, and technological dependence. Unlike the GDPR, the framework as proposed would apply to cloud computing services broadly — covering customer data including metadata and telemetry, both personal and non-personal — and would focus on the provider’s legal and operational structure.

Union assurance level 1

The baseline level would require that the provider is established in the Union, and that infrastructure and assets — including those of subcontractors involved in the service — are located in the Union unless the public sector body explicitly requires otherwise. Customer data, including metadata and telemetry, would have to remain exclusively within the Union unless the public sector body explicitly requires otherwise. It also requires full transparency around subcontractors and, where the provider is under third-country control, a guarantee that no third-country law requires it to report software vulnerabilities to that country before those vulnerabilities are known to have been exploited.

Union assurance levels 2, 3 and 4

The higher levels would add increasingly stringent requirements focused on operational control and the exclusion of third-country influence.

  • Level 2 would require the provider and its subcontractors to be established in the Union, with infrastructure, assets, and personnel located in the Union, and a European cybersecurity certificate of at least "substantial" assurance. It would prohibit using data generated by the service to train or fine-tune AI systems operated by a third country. If the provider is subject to third-country control, it would have to demonstrate that such control does not restrict its ability to perform the service, that it prevents third-country access to customer data, and that it prevents disruption of service continuity. Technical and operational support would have to be initiated and performed exclusively within the Union.

  • Level 3 would add stricter personnel requirements: personnel involved in the service (including subcontractors’) must be Union citizens, and technical and operational support must be performed exclusively within the Union by Union residents. As a rule, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. A narrow derogation would allow such a provider to be audited for Level 3 only where the Commission has adopted an implementing act recognising the relevant third country under the "associated third countries" mechanism (Article 18), which requires that country to meet cumulative criteria including a GDPR adequacy decision.

  • Level 4 is the highest tier. It would require a European cybersecurity certificate of at least "high" assurance, and would retain Level 3’s prohibition on third-country control and its Union-citizen personnel requirements. Customer data identified as sensitive through a risk assessment would have to remain exclusively within the Union. It would also require effective control over software components — demonstrating that no third country holds or exercises effective control over their design, development, maintenance, and evolution.

Distinguishing data residency from data sovereignty

A common confusion is equating data residency (where data is stored) with data sovereignty (who controls the data and under which laws). The GDPR addresses residency mainly in the context of international transfers of personal data. CADA, as proposed, would address sovereignty by looking at the whole stack:

  1. Jurisdictional control: CADA’s higher assurance levels would prohibit third-country control over providers, addressing the risk of laws such as the US CLOUD Act that can compel disclosure regardless of where data is stored. The GDPR has no equivalent prohibition on provider ownership or control.
  2. Operational resilience: CADA would require technical support and operational control to remain within the Union, mitigating service-disruption risk. The GDPR does not mandate operational-resilience measures.
  3. Non-personal data: CADA’s framework would apply to all customer data, including non-personal data, metadata, and telemetry, which are largely outside the scope of GDPR transfer restrictions.

What this means for you

For in-house counsel and compliance officers, CADA would introduce significant new obligations beyond GDPR compliance.

Risk assessments and procurement

Member States and Union entities would have to carry out risk assessments (Article 29) to identify public sector activities that contribute to the preservation of public order — in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in areas such as national security, internal security, external border management, defence, justice, or law enforcement — and to determine the appropriate Union assurance level (2, 3 or 4) for them. Contracting authorities whose activities are so identified would only be able to procure cloud services recognised at Union assurance level 2, 3 or 4 (Article 30); those not so identified would use level 1 services. Map your organisation’s activities to these risk categories and adjust procurement accordingly.

Vendor due diligence

Due diligence would have to expand beyond data-protection measures to evaluate the provider’s legal structure, ownership, and operational footprint. You would need to verify that providers meet the criteria for their claimed assurance level, including personnel location, the absence of third-country control, and Union-based technical support — likely requiring review of the independent third-party audit reports underpinning recognition (Article 20).

Transition periods

If a risk assessment requires migration to another cloud service, the Member State or Union entity would have to migrate within a reasonable transition period not exceeding 12 months, taking into account technical feasibility, continuity of service, and data portability (Article 29(6)). Plan migrations early to avoid disruption.

Penalties

Member States would have to lay down rules on penalties for infringements by cloud computing service providers that are effective, proportionate, and dissuasive (Article 24). The proposal does not set fine amounts but lists non-exhaustive criteria for their imposition, including the nature, gravity, scale, and duration of the infringement, financial benefits gained, and the infringing party’s annual Union turnover. Recipients of the services would also have the right to seek compensation for damage or loss suffered due to a provider’s infringement (Article 24(3)).

Common misconceptions

Misconception 1: GDPR compliance is sufficient for CADA sovereignty requirements. Incorrect. A provider may fully comply with GDPR transfer mechanisms (e.g., Standard Contractual Clauses) yet still fail to meet CADA’s Union assurance levels due to third-country ownership, lack of Union-based personnel, or insufficient operational control. CADA would address structural and geopolitical risks that the GDPR does not.

Misconception 2: Data residency equals data sovereignty. Storing data in the EU would be necessary for CADA’s assurance levels but not sufficient. Sovereignty under CADA would also require that the provider is not subject to third-country laws that could compel data access or service disruption, and that operational control remains within the Union.

Misconception 3: CADA only applies to public sector bodies. While CADA would impose procurement requirements on Union entities and public sector bodies, its sovereignty framework would apply to cloud computing service providers offering services to those bodies and entities. Private entities listed in Annex I of the NIS2 Directive that are not public sector bodies may carry out similar impact assessments (Article 31), and the Commission could adopt delegated acts requiring such assessments and risk-mitigation measures for entities in sectors of high criticality (Article 31(3)).

This is general information about a draft EU regulation, not legal advice.