Summary
The proposed Cloud and AI Development Act (CADA) introduces a four-tier "Union cloud computing sovereignty framework" designed to systematically reduce the European Union's dependence on non-European cloud providers. As set out in Article 16, this framework establishes four "Union assurance levels" where higher tiers progressively exclude foreign control over data, infrastructure, personnel, and software supply chains. By mandating that public-sector bodies match the assurance level to the sensitivity of their activities via risk assessments, the proposal ensures that critical public-order functions are insulated from extraterritorial third-country laws and operational disruption, thereby advancing the EU's strategic autonomy.
Detail
The proposed Cloud and AI Development Act (CADA) addresses a critical vulnerability identified in the EU's digital infrastructure: the heavy reliance on a limited pool of third-country cloud computing service providers. This dependence exposes the Union to risks including unauthorized data access, service disruption, and the extraterritorial application of third-country laws that may conflict with EU fundamental rights. To mitigate these risks, CADA proposes a harmonized Union cloud computing sovereignty framework consisting of four assurance levels.
The Four Union Assurance Levels
As proposed in Article 16, the framework establishes four distinct Union assurance levels. These levels are not merely technical certifications but are designed to ensure operational autonomy and data confidentiality. The specific criteria for each level are detailed in Annex II of the proposal, creating a clear hierarchy of trust that scales with the sensitivity of the public-sector activity.
Union Assurance Level 1 serves as the baseline for all public-sector cloud procurement. Under this tier, cloud computing service providers must be established in the Union. Crucially, the infrastructure and assets of the provider, including those of its subcontractors, must be located within the Union. Furthermore, customer data, including metadata and telemetry, must remain exclusively within the Union unless the public-sector body explicitly requires otherwise. While Level 1 allows for some outsourcing of technical support to third countries, it mandates legal and technical measures to ensure traceability and security, and requires that the provider is not subject to third-country control in a manner that compromises operational autonomy.
Union Assurance Levels 2, 3, and 4 introduce progressively stricter requirements, particularly regarding third-country control and personnel. These higher tiers require independent third-party audits to verify compliance, moving beyond the self-assessment permitted at Level 1.
Progressively Excluding Foreign Control
The core mechanism by which CADA would reduce foreign dependency is the gradual tightening of restrictions on third-country influence as one moves up the assurance levels.
At Union Assurance Level 2, the requirements become more rigorous. Providers and their subcontractors must be established in the Union, and all infrastructure, assets, and personnel involved in providing the service must be located in the Union. A critical addition at this level is the prohibition on using data generated by the service to train or fine-tune AI systems operated by third countries. Additionally, if a provider is subject to the control of a third country, they must demonstrate that this control does not restrict their ability to perform the service, allow third-country access to customer data, or undermine service continuity.
Union Assurance Level 3 introduces stringent personnel and citizenship requirements. Personnel involved in the provision of the service, including subcontractors, must be Union citizens. In cases involving classified information, national security clearance is also required. While Level 3 generally requires that providers and subcontractors are not subject to third-country control, Article 18 provides a mechanism for the Commission to recognize specific third countries as providing sufficient assurances. This allows for limited exceptions where a third country has implemented safeguards that prevent unauthorized access to Union data or service disruption, provided an adequacy decision exists under the GDPR. This derogation is conditional and applies only where the third country meets strict cumulative criteria regarding lawful access and service continuity.
Union Assurance Level 4 represents the highest degree of sovereignty. It retains the strict personnel and location requirements of Level 3 but adds enhanced cybersecurity certification requirements (at least 'high' assurance under the European Cybersecurity Certification Scheme). Crucially, Level 4 strictly prohibits any third-country control over the provider and its subcontractors. It also requires that software supply chain measures ensure no third country holds effective control over the design, development, or maintenance of critical software components. Unlike Level 3, Level 4 does not permit the Article 18 derogation for third-country control, ensuring a complete exclusion of foreign influence for the most sensitive operations.
Supporting EU Digital Autonomy Goals
The tiered structure directly supports the EU's broader goals of digital autonomy and strategic resilience. By mandating that public-sector bodies conduct risk assessments (as outlined in Article 29) to determine the appropriate assurance level for their activities, CADA ensures that critical public-order functions are protected by the highest levels of sovereignty. This approach prevents a "one-size-fits-all" solution that might be too burdensome for low-risk activities while ensuring that high-risk sectors, such as defense, justice, and national security, are insulated from foreign interference.
The framework also encourages the development of a competitive European cloud market. By creating a clear, auditable set of criteria for sovereignty, CADA would enable European providers to demonstrate their trustworthiness and compete for public contracts. This helps to break the monopoly of non-EU hyperscalers and fosters a diverse ecosystem of homegrown cloud services, aligning with the proposal's objective to "improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy."
What this means for you
For public-sector procurement officers and IT leaders, the implementation of CADA would fundamentally change how you evaluate and select cloud computing services. You would no longer be able to rely solely on price or generic technical specifications. Instead, you must integrate sovereignty considerations into your procurement processes.
- Conduct Risk Assessments: You would be required to carry out risk assessments to determine which Union assurance level is appropriate for your specific activities. This assessment must consider the sensitivity of the data, the criticality of the service, and the potential impact on public order, including sectors like national security, internal security, and law enforcement.
- Mandatory Minimum Standards: At a minimum, you would need to procure cloud services recognized as offering Union Assurance Level 1. For activities identified as contributing to the preservation of public order, you would be required to procure services recognized as offering Union Assurance Levels 2, 3, or 4.
- Verify Recognition Status: Before awarding contracts, you would need to verify that the cloud computing service provider has been formally recognized by a national competent authority as offering the required assurance level. This recognition would be published in a central repository maintained by the Commission.
- Plan for Transition: If your risk assessment indicates a need to migrate to a higher assurance level, you would need to plan for a reasonable transition period, which shall not exceed 12 months. This allows for the careful migration of data and services without disrupting public operations.
By adhering to these requirements, you would not only comply with the proposed regulation but also contribute to the strengthening of Europe's digital sovereignty and the protection of citizens' data.
Common misconceptions
Misconception 1: CADA bans all non-European cloud providers. This is incorrect. CADA does not ban non-European providers outright. Instead, it creates a framework where providers from third countries can still participate, particularly at Union Assurance Level 1 and, under specific conditions and with Commission approval, Level 3. However, to achieve higher assurance levels, providers must meet strict criteria regarding data localization, personnel citizenship, and the absence of third-country control. The goal is to reduce dependency, not to create an isolated market.
Misconception 2: Sovereignty is only about data location. While data localization is a key component, sovereignty under CADA encompasses much more. It includes operational autonomy, personnel citizenship, software supply chain transparency, and protection against extraterritorial legal access. A provider may host data in the EU but still be subject to third-country laws that allow access to that data, which would disqualify them from higher assurance levels.
Misconception 3: All public bodies must use the highest tier. CADA adopts a proportionate approach. Most public services do not require the highest levels of assurance. Union Assurance Level 1 is the minimum for all public-sector bodies. Higher levels (2, 3, and 4) are reserved for activities that contribute to the preservation of public order, as determined by national risk assessments. This ensures that resources are focused on protecting the most critical functions.
This is general information about a draft EU regulation, not legal advice.