Summary

The proposed Cloud and AI Development Act (CADA) would balance sovereignty with proportionality through a tiered framework of four Union assurance levels, applying strict requirements only where needed to protect public order. Under Article 29, Member States and Union entities would conduct risk assessments to determine the appropriate level; most public-sector activities would require only the baseline Union assurance level 1, while the highest tiers (levels 3 and 4) would be reserved for activities critical to public order and national security.

Detail

CADA's approach rests on rejecting a one-size-fits-all sovereignty standard in favour of a risk-based framework intended to mitigate strategic dependencies without imposing undue burdens. As proposed, the balance is achieved through three mechanisms: the four-tier assurance levels, mandatory risk assessments, and differentiated procurement obligations.

The four-tier Union assurance levels

As proposed in Article 16, CADA would establish a Union cloud computing sovereignty framework of four Union assurance levels, whose criteria, set out in Annex II, providers must meet in order to serve Union entities and public sector bodies. The criteria escalate from level to level:

  • Union assurance level 1 requires, among other things, that the provider is established in the Union, that infrastructure and assets are located in the Union unless the public sector body requires otherwise, and that customer data remain exclusively within the Union unless the body explicitly requires otherwise. This is the baseline for general public-sector use.
  • Union assurance levels 2, 3 and 4 add progressively stricter requirements, including independent third-party audits, Union citizenship for personnel involved in the service at levels 3 and 4, European cybersecurity certification at higher levels, and tighter controls on third-country influence and software supply chains.

This structure scales sovereignty measures to the sensitivity of the data and the criticality of the service.

Proportionality through risk assessment

The mechanism that enforces proportionality is the risk assessment in Article 29. Member States and Union entities would carry out these assessments to identify public-sector activities that contribute to the preservation of public order — in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in the areas of national security, internal security, external border management, defence, justice and law enforcement — and to determine which Union assurance level (2, 3 or 4) is appropriate.

Recital 52 underscores this proportional design, stating: "The Union assurance levels should provide for a proportionate framework to ensure that public order is preserved by maintaining control and agency by public-sector bodies. Most public services would not require the highest levels of assurance. In some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order." It adds that the risk assessment "ensures that the principles of proportionality and subsidiarity are complied with."

The highest levels are therefore not the default; they are reserved for cases where the risk to public order is significant, assessed case by case rather than through blanket requirements.

Procurement obligations linked to risk

The outcome of the risk assessment drives procurement under Article 30:

  1. General activities: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 assessment must use services recognised at Union assurance level 1 (Article 30(2)).
  2. Public-order activities: Contracting authorities whose activities have been identified as contributing to public order must procure only services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)).

Article 30(4) even allows narrowly defined, duly justified exceptions — for example where no recognised service can supply the requirement and no adequate alternative exists. This linkage keeps obligations aligned with identified risk, avoiding unnecessary cost for low-risk services while protecting high-risk ones.

Mitigating third-country influence proportionately

The framework also balances sovereignty with international cooperation. Article 18 allows the Commission to recognise certain "associated third countries" whose controlled providers may be audited for Union assurance level 3, but only where strict cumulative criteria are met — including a relevant adequacy decision under Article 45 GDPR and the absence of measures enabling unauthorised access, service disruption, or compelled sanction enforcement. As proposed, this signals that sovereignty means controlled, verified autonomy rather than isolation.

What this means for you

For public-sector procurement officers and legal teams, CADA would require a structured, documented, risk-based approach rather than ad-hoc sovereignty calls.

  1. Conduct comprehensive risk assessments. Under Article 29, Member States and Union entities would carry out assessments by one year after entry into force and every two years thereafter (or whenever necessary), identifying which activities contribute to the preservation of public order.
  2. Map activities to assurance levels. Where activities are not tied to public order, you would likely procure only at level 1, widening the pool of eligible providers and simplifying procurement.
  3. Document your justification. For any activity requiring levels 3 or 4, you would need to show, through the risk assessment, why that level is necessary and proportionate.
  4. Plan for migration. Where a risk assessment requires migration, Article 29(6) provides a reasonable transition period not exceeding 12 months.
  5. Engage with national competent authorities and follow the Commission's methodology, which it would specify by implementing acts under Article 29(3).

Common misconceptions

  • Misconception: All public-sector cloud services must meet the highest sovereignty standards.
    • Reality: As proposed, most public services would not require the highest levels; level 1 is the baseline, and levels 3 and 4 are reserved for specific high-risk, public-order activities (recital 52).
  • Misconception: Sovereignty means data may never leave the EU under any circumstances.
    • Reality: The assurance levels require customer data to remain within the Union, but with an exception where the public sector body explicitly requires otherwise; the risk assessment also allows nuanced, case-specific decisions.
  • Misconception: CADA prohibits non-EU cloud providers entirely.
    • Reality: It does not ban non-EU providers. Providers from certain third countries may be eligible for level 3 if the Commission recognises that country as providing sufficient safeguards under Article 18.
  • Misconception: The risk assessment is a generic cybersecurity audit.
    • Reality: The Article 29 assessment focuses on impact on public order and the appropriate assurance level, considering the sensitivity, criticality and magnitude of data and the risks of unlawful third-country access or service disruption. It is strategic, not merely technical.

This is general information about a draft EU regulation, not legal advice.