Summary

As proposed, the Cloud and AI Development Act (CADA) would replace fragmented national approaches to cloud sovereignty with a single, harmonised EU-wide framework built on four "Union assurance levels" (Article 16). The proposal argues that divergent national rules undermine the internal market and the Union's technological sovereignty, justifying EU-level intervention principally under Article 114 TFEU. For in-house counsel, this would mean preparing for risk assessments and procurement restrictions based on common criteria applied across the EU, rather than a patchwork of conflicting national standards.

Detail

The problem: fragmentation undermines sovereignty and competitiveness

The proposed CADA is built on the premise that the EU cloud market is marked by pronounced dependence on a limited pool of third-country providers and the absence of coherent sovereignty standards. The explanatory memorandum notes that, while the EU cloud market is growing significantly, the market share of EU providers "decreased from 29% in 2017 to 15% in 2022 and has remained stagnant since then."

The proposal identifies divergent national rules as a barrier to building a resilient, sovereign cloud ecosystem. Recital 47 records that some Member States have developed, or are developing, national approaches to identifying national sovereign services, but that these "national measures do not adequately address the cross-border issues related to the Union's lack of sovereignty in the cloud computing ecosystem and risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty."

On the proposal's reasoning, this fragmentation creates regulatory disparities that hinder providers' ability to operate seamlessly across Member States. Divergent procurement practices and inconsistent sovereignty criteria would raise compliance costs and reduce the attractiveness of the EU for investment compared with more unified regulatory environments.

The solution: a single EU-wide framework (Article 16)

To address this, CADA would establish a harmonised Union cloud computing sovereignty framework. Article 16 sets up a framework "comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies." The levels run from Union assurance level 1 to level 4.

The verification mechanism differs by level:

  • Union assurance level 1: a conformity self-assessment by the provider, followed by an EU statement of conformity (Article 19).
  • Union assurance levels 2, 3 and 4: independent third-party audits resulting in an audit report and a "positive" audit opinion (Article 20).

The criteria in Annex II cover infrastructure and data location, personnel, cybersecurity certification and safeguards against third-country control. Higher levels are stricter: at levels 3 and 4 the personnel involved in providing the service must, as proposed, be Union citizens, and the provider and its subcontractors must not be subject to the control of a third country (with a narrow derogation for level 3 under Article 18).

By fixing these criteria at EU level, CADA would aim to give public buyers a common understanding of sovereignty risk rather than navigating divergent national definitions.

Legal basis: Article 114 TFEU (with Article 173(3))

The proposal relies on Article 114 TFEU as its primary legal basis for the harmonisation measures. Article 114 empowers the EU to adopt measures for the approximation of national provisions that improve the functioning of the internal market. The explanatory memorandum argues that EU intervention is justified because fragmentation in data-centre deployment and cloud procurement is driven by divergent national approaches that create internal-market barriers.

The proposal additionally draws on Article 173(3) TFEU, the legal basis for measures supporting the competitiveness of Union industry. Broadly, Article 114 is invoked for the harmonisation of sovereignty and procurement rules, while Article 173(3) supports the industrial-competitiveness and innovation measures.

Implications for public-sector procurement

The harmonised framework would feed directly into procurement. Article 29 requires Member States and Union entities to carry out risk assessments to identify public-sector activities that contribute to the preservation of public order and to determine the appropriate assurance level. On that basis:

  • Non-public-order activities: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order would have to use services recognised at Union assurance level 1 (Article 30(2)).
  • Public-order activities: contracting authorities whose activities contribute to the preservation of public order (in NIS2 Annex I or II sectors, or in national security, internal security, external border management, defence, justice or law enforcement) would only be able to procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)).

What this means for you

For in-house counsel and compliance officers, the shift to a harmonised EU sovereignty framework would have several practical implications:

  1. Standardised compliance: instead of mapping each Member State's definition of "sovereign cloud," you would align with the four Union assurance levels and their Annex II criteria, reducing cross-border complexity.
  2. Risk-assessment alignment: prepare for the Article 29 risk assessments. Understand which of your public-sector clients' activities would be classified as public-order relevant, and ensure your services meet the corresponding level.
  3. Audit preparation: for levels 2, 3 or 4 you would need independent third-party audits. Ensure documentation (for example SBOMs and evidence of operational separation) meets the audit-evidence requirements in Annex III.
  4. Procurement strategy: Article 32 would require contracting authorities to apply "Union added value" non-price award criteria in procurement of innovative cloud services and AI systems; those criteria must be ancillary and not decisive in the award.

Common misconceptions

  • "CADA replaces all national cloud policies." No. As proposed, CADA would harmonise sovereignty levels and public procurement, but it would operate alongside existing instruments such as the GDPR, the NIS2 Directive and the Data Act rather than replacing all national cybersecurity or data-protection law.
  • "All public sector bodies must use level 4 services." No. The framework is proportionate. Bodies whose activities are not public-order relevant would use level 1; higher levels are reserved for activities identified through the Article 29 risk assessment.
  • "Harmonisation means no national discretion." The criteria would be harmonised, but Member States and Union entities would still determine, through their risk assessments, which activities are public-order relevant and which level applies — subject to Commission review under Article 29(5).

This is general information about a draft EU regulation, not legal advice.