Summary

Under the proposed Cloud and AI Development Act (CADA), "sovereignty" is no longer a marketing slogan but a legally defined, audited status. Article 16 establishes four strict "Union assurance levels" that cloud providers must meet to serve the public sector, with detailed criteria in Annex II. Unlike voluntary commercial claims, CADA recognition is verifiable through an official central repository and requires independent third-party audits for the higher tiers. As proposed, a provider cannot simply claim to be "sovereign"; it must be formally recognised by a national competent authority.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), fundamentally shifts how cloud sovereignty is regulated in the EU. Historically, "sovereign cloud" has been a loosely defined marketing term used by providers to suggest data protection and operational autonomy without a unified legal standard. CADA replaces this ambiguity with a mandatory, harmonised framework of four "Union assurance levels" established under Article 16.

From Marketing Claims to Legal Criteria

Article 16 explicitly establishes a "Union cloud computing sovereignty framework." It mandates that cloud computing service providers must meet specific criteria, set out in Annex II, to be recognised as providing services at Union assurance levels 1, 2, 3, or 4. These are not voluntary badges or self-declared marketing labels; they are legal prerequisites for serving certain public-sector customers.

The key distinction between CADA tiers and current market claims is verification. Under the proposal:

  • Level 1 requires a conformity self-assessment and an "EU statement of conformity" issued by the provider (Article 19).
  • Levels 2, 3, and 4 require independent third-party audits by accredited auditing organisations (Article 20).

This means a provider cannot simply claim to be "sovereign" or "EU-aligned" based on a whitepaper or a sales pitch. They must undergo a rigorous audit process where an independent body verifies compliance with the technical, legal, and operational criteria in Annex II. Only upon a "positive" audit opinion and subsequent recognition by a national competent authority does the status become valid.

The Four Union Assurance Levels

Annex II defines the cumulative criteria for each level. The requirements escalate in strictness, particularly regarding data location, personnel citizenship, and third-country control.

  • Union Assurance Level 1: The baseline for all public-sector procurement. Providers must be established in the Union. Infrastructure and assets must be located in the Union, and customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency on subcontractors.
  • Union Assurance Level 2: Adds stricter requirements. Personnel involved in service provision must be located in the Union. Data generated by using the service cannot be used to train or fine-tune AI systems operated by third countries. Providers must implement robust software supply chain measures, including Software Bills of Materials (SBOM) and controls to block remote features that could disrupt service. If the provider is controlled by a third country, it must prove that this control does not restrain service delivery or allow data access.
  • Union Assurance Level 3: Introduces personnel citizenship requirements. Personnel involved in service provision must be Union citizens. The provider and its subcontractors must not be subject to the control of a third country, unless the Commission has adopted a specific implementing act for an "associated third country" under Article 18. Technical support must be performed exclusively within the Union by Union residents.
  • Union Assurance Level 4: The highest level, designed for the most critical public-order activities. It requires a European cybersecurity certificate of at least assurance level "high." Like Level 3, it mandates Union citizenship for personnel and prohibits third-country control. It also requires effective control over software components, ensuring third countries do not influence the technical evolution or security remediation of the software.

The Central Repository: A Single Source of Truth

To eliminate doubt and prevent "sovereignty washing," Article 22 requires the Commission to establish and maintain a central repository of cloud computing services recognised under Article 17. This repository is publicly available and regularly updated. When a provider is recognised at a specific assurance level, it is registered here. Conversely, if an audit report is revoked or a recognition is withdrawn, that revocation or withdrawal is also published in the repository and remains visible for five years. This creates a single source of truth for procurement officers, removing reliance on marketing materials supplied by the provider itself.

What this means for you

For public-sector procurement officers and compliance teams, CADA transforms the procurement process from a qualitative assessment of vendor claims into a verifiable check of legal status.

  1. Mandatory Minimums: Article 30 states that contracting authorities whose activities have not been identified as contributing to the preservation of public order must use cloud services recognised as having Union assurance level 1. For activities identified as contributing to public order (e.g., national security, justice, critical infrastructure), authorities must procure services recognised as Union assurance levels 2, 3, or 4, based on risk assessments conducted under Article 29.
  2. Risk Assessments are Key: You cannot arbitrarily choose a tier. Article 29 obliges Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate for their specific activities. These assessments consider data sensitivity, criticality, and the risk of unlawful access by third countries.
  3. Verify, Don't Trust: When evaluating tenders, do not accept a provider's self-declaration of sovereignty. Require evidence of recognition in the central repository (Article 22). For Levels 2–4, request the audit report and "positive" audit opinion from the auditing organisation.
  4. Transition Periods: If a risk assessment requires migrating to a higher assurance level, Article 29(6) allows a reasonable transition period not exceeding 12 months, considering technical feasibility and data portability.

Common misconceptions

  • "Sovereign cloud" means data stays in one country. CADA focuses on Union-level assurance. Data must remain within the Union, not necessarily within a single Member State, unless specific national rules apply. The framework is designed to prevent fragmentation while ensuring EU-wide control.
  • Any EU-based provider is automatically sovereign. Being established in the EU is only the first criterion for Level 1. Providers must also meet cybersecurity, subcontractor transparency, and operational autonomy requirements. A provider can be EU-established but still fail to meet Level 1 if, for example, it allows third-country access to data or lacks proper cybersecurity certifications.
  • Higher tiers are just "more secure." While higher tiers include stricter cybersecurity requirements (e.g., Level 4 requires a "high" assurance cybersecurity certificate), the primary differentiator is autonomy and control. Levels 3 and 4 explicitly prohibit third-country control over the provider and require Union citizenship for personnel, addressing risks of extraterritorial legal reach and operational disruption.
  • Marketing labels will suffice for compliance. CADA explicitly replaces self-assessment with independent audit for Levels 2–4. A provider's marketing brochure claiming "sovereign architecture" holds no legal weight under CADA. Only recognition by the national competent authority, based on an audit report, counts.

This is general information about a draft EU regulation, not legal advice.