Summary

As proposed, the Cloud and AI Development Act (CADA) balances sovereignty with provider availability through a graduated Union cloud computing sovereignty framework established under Article 16. Rather than imposing a blanket ban on non-EU providers, CADA mandates a baseline of Union assurance level 1 for all public procurement, ensuring a broad market of compliant providers. For higher-risk activities, Member States must conduct risk assessments to determine whether levels 2, 3, or 4 are required. Crucially, Article 18 provides a specific "associated third-country" route that widens the supply pool for level 3 services, allowing trusted non-EU providers to qualify. Level 4, however, remains reserved for providers under full Union control, trading maximum availability for maximum sovereignty in the most critical public-order functions.

Detail

The core mechanism CADA uses to balance technological sovereignty with market availability is the Union cloud computing sovereignty framework. Rather than imposing a blanket ban on non-European providers or requiring the highest level of security for every digital service, CADA introduces four "Union assurance levels" (UALs). This graduated approach ensures that public authorities can access a wide pool of providers for standard services while maintaining strict control over critical infrastructure.

The Baseline: Universal Access to Level 1

To ensure provider availability is not choked off by excessive bureaucracy, CADA sets Union assurance level 1 as the mandatory minimum for all public sector procurement. According to Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized at this level.

Level 1 has relatively accessible criteria (outlined in Annex II of the proposal), such as requiring the provider to be established in the Union and ensuring data remains within the Union unless explicitly required otherwise by the public body. Crucially, Article 17(3) provides a streamlined recognition process for SMEs: their EU statement of conformity for level 1 is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This lowers barriers to entry for smaller, domestic providers, fostering competition and reducing reliance on large, non-EU hyperscalers for standard administrative tasks.

Risk-Based Escalation for Critical Functions

For activities deemed critical to public order—such as national security, defense, justice, or essential services listed in Annex I of the NIS2 Directive—Article 29 obliges Member States and Union entities to conduct risk assessments. These assessments determine whether a higher assurance level (2, 3, or 4) is necessary.

Article 30(3) mandates that contracting authorities whose activities are identified as contributing to the preservation of public order must procure services recognized at Union assurance levels 2, 3, or 4. This ensures that sovereignty requirements are proportional to the risk. A local library's website does not need the same level of sovereign control as a national defense database. By tying higher tiers to specific risk assessments, CADA avoids imposing unnecessary costs and technical burdens on low-risk procurement, thereby keeping more providers available in the market for standard use cases.

Widening Supply: The Associated Third-Country Route

A key element of CADA's balance between sovereignty and availability is Article 18, which addresses the scarcity of EU-based providers at the higher assurance levels. Recognizing that the EU cloud market is currently dominated by non-EU players, the proposal allows the Commission to identify "associated third countries" whose providers may be audited against the criteria for Union assurance level 3.

Under Article 18(1), a third country can be included if it meets cumulative criteria, including:

  • Having an adequacy decision under the GDPR (Article 45 of Regulation (EU) 2016/679).
  • Having no measures that allow the third country to exercise control over the provider in ways that conflict with EU data laws (specifically Article 32 of the Data Act).
  • Having no measures compelling the provider to degrade or disrupt service continuity or to comply with restrictive measures (sanctions/embargoes) unless legitimate under EU law.
  • Maintaining an open market to Union cloud services and granting equivalent access to public procurement.

This mechanism widens the pool of available providers for level 3 services, preventing a situation where only a few large global incumbents could theoretically meet the criteria. However, it stops short of allowing third-country providers to reach level 4.

Level 4: Maximum Sovereignty, Limited Availability

Union assurance level 4 represents the highest tier of sovereignty, designed for the most sensitive public order activities. The criteria for level 4 (Annex II, Section 4) are stringent: the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. Personnel must be Union citizens, and infrastructure must be located exclusively in the Union.

Because Article 18 only opens the door for third-country providers up to level 3, level 4 remains exclusively for providers under Union control. This trade-off is intentional. CADA prioritizes sovereignty and operational autonomy for the most critical state functions, accepting that the pool of available providers for level 4 will be smaller and composed primarily of EU-based entities. For the most sensitive data, this closes off the legal avenues through which a foreign government could compel extraterritorial access or order a service disruption, even if it means fewer market choices. Note that this is a legal and organizational guarantee: it does not by itself address technical compromise of the provider, which remains the domain of the cybersecurity certification that levels 2 to 4 also require.

What this means for you

For public-sector procurement officers, CADA shifts your role from simple cost-benefit analysis to risk-based sovereignty management. You cannot simply choose the cheapest or most technologically advanced provider; you must first determine the sovereignty requirements of your specific activity.

  1. Conduct Risk Assessments: You are required to carry out risk assessments under Article 29 to determine whether your activities fall under the preservation of public order. This assessment dictates your minimum assurance level. If you are a standard administrative body, you only need level 1. If you handle sensitive law enforcement or defense data, you must procure at whichever of levels 2, 3, or 4 the assessment indicates.
  2. Check the Central Repository: Before issuing a tender, verify that the specific service a bidder proposes is listed in the central repository of recognized services (established under Article 22) at the assurance level you require. Recognition attaches to the service, not to the provider as a whole, and you can only procure services that have been formally recognized at the appropriate Union assurance level.
  3. Leverage Level 1 for Broad Competition: For non-critical services, actively seek out EU-based SMEs. Their level 1 conformity is automatically recognized across the EU, allowing you to support domestic industry without complex cross-border validation processes.
  4. Plan for Level 4 Scarcity: If your risk assessment mandates level 4, be prepared for a limited supplier market. You will need to engage with providers that are fully established and controlled within the Union. Early engagement with these providers may be necessary to ensure they can meet the technical and personnel requirements (such as Union citizenship for staff) before tender deadlines.
  5. Monitor Associated Countries: For level 3 requirements, keep an eye on the Commission's list of associated third countries under Article 18. If a key partner country is designated, it may expand your pool of eligible bidders for sensitive but not ultra-critical services.

Common misconceptions

  • "CADA bans all non-EU cloud providers." This is incorrect. CADA does not ban non-EU providers outright. Providers established in the Union but owned or controlled by third-country entities can still qualify for level 1, whose criteria (Annex II) concern Union establishment and data localization rather than ownership, and potentially for level 2; the absence of third-country control is a level 4 criterion. Furthermore, Article 18 explicitly allows providers from associated third countries to compete for level 3 contracts, provided their home country meets the sovereignty and reciprocity criteria of Article 18(1).

  • "All public services must use the highest sovereignty level." No. CADA is risk-based. Article 30(2) explicitly states that bodies whose activities are not identified as contributing to public order only need to use level 1 services. Requiring level 4 for every digital service would cripple availability and inflate costs unnecessarily. The tiered system ensures that high sovereignty is applied only where it is proportionate to the risk.

  • "Level 3 is only for EU providers." While the default criteria for level 3 are strict, Article 18 creates a pathway for third-country providers to qualify for level 3 if the Commission adopts an implementing act recognizing their country as "associated." This is a key flexibility mechanism to ensure that the EU does not isolate itself from trusted international partners while still maintaining high sovereignty standards.

  • "Sovereignty certification replaces cybersecurity certification." CADA's sovereignty framework is complementary to, but distinct from, cybersecurity standards like the European Cybersecurity Certification Scheme for Cloud Services (EUCS). While levels 2, 3, and 4 require a cybersecurity certificate (e.g., "substantial" or "high" assurance under the Cybersecurity Act), the sovereignty assessment also evaluates legal and operational autonomy, such as freedom from third-country legal compulsion and data localization, which pure cybersecurity audits do not cover.

This is general information about a draft EU regulation, not legal advice.