Summary

As proposed, the Cloud and AI Development Act (CADA) fundamentally shifts the EU cloud landscape from a patchwork of voluntary industry initiatives and national sovereignty schemes to a single, binding statutory framework. While initiatives like Gaia-X (voluntary federation) and national schemes like SecNumCloud (French certification) have defined "sovereign" clouds in the past, CADA would replace their fragmented status with four mandatory Union assurance levels (Article 16). This framework creates legal certainty for public procurement, ensuring that a cloud service recognized at a specific level in one Member State is recognized across the entire Union. While Gaia-X and SecNumCloud may persist for private-sector differentiation or as evidence of technical compliance, CADA would become the definitive statutory baseline for public-sector cloud sovereignty.

Detail

The European Union's cloud ecosystem has historically been characterized by a lack of harmonization. On one side, Gaia-X emerged as a voluntary, industry-led initiative to create a federated data and cloud infrastructure based on common rules and trust frameworks. On the other, national authorities developed their own rigorous standards, most notably SecNumCloud in France, a certification scheme by the French Agency for National Security of Information Systems (ANSSI). While these initiatives advanced the concept of digital sovereignty, they resulted in market fragmentation: a provider certified under SecNumCloud faced uncertainty when operating in Germany or Spain, and Gaia-X's voluntary nature lacked the statutory weight required for binding public procurement.

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, addresses these structural weaknesses by establishing a Union cloud computing sovereignty framework. This framework, detailed in Article 16, creates a unified, legally binding system of four Union assurance levels (1 through 4). Unlike its predecessors, CADA is not voluntary; it imposes statutory requirements on cloud computing service providers (CSPs) wishing to serve Union entities and public sector bodies.

From Voluntary and National to Statutory and Union-Wide

The transition CADA proposes is from a market-driven or nationally isolated model to a harmonized Union law model.

Gaia-X was designed as a federated ecosystem relying on voluntary adoption. While it established technical and legal criteria for data sovereignty and interoperability, its non-binding nature meant compliance was not uniform, and it did not carry statutory weight in public procurement tenders. It remains a relevant industry ecosystem for interoperability but lacks the enforcement mechanism of a Regulation.

SecNumCloud, conversely, is a rigorous national certification. It provides a high level of technical assessment for security and sovereignty. However, as a French national standard, it does not automatically guarantee recognition in other Member States. This creates a "compliance tax" for pan-European providers and fragmentation for public authorities seeking sovereign solutions.

CADA resolves this by mandating that CSPs meet specific criteria, detailed in Annex II, to be recognized at one of four Union assurance levels. Recognition is valid across all Member States: a CSP recognized at a given level in one country is recognized throughout the Union (Article 17), effectively creating a "single passport" for sovereign cloud services.

The CADA Sovereignty Framework: Article 16 and Annex II

Article 16 establishes the scope of the framework, while Annex II defines the cumulative criteria for each level. The framework is tiered to ensure proportionality:

  • Union Assurance Level 1: The baseline for all public sector cloud services. It requires establishment in the Union, data localization within the Union (unless explicitly required otherwise by the public body), and compliance with state-of-the-art cybersecurity standards. It relies on a conformity self-assessment by the provider (Article 19).
  • Union Assurance Levels 2, 3, and 4: These higher tiers introduce stricter requirements, including mandatory independent third-party audits (Article 20), specific personnel requirements (Union citizenship for L3/L4), and stricter controls on third-country influence.
    • Level 2: Requires a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, 2.1(e)).
    • Level 3: Requires Union citizenship for personnel and a 'substantial' cybersecurity certificate. It allows for a derogation where providers subject to third-country control may still qualify if the Commission has adopted an implementing act under Article 18 (formerly mis-referenced as Article 19 in some drafts) confirming the third country provides sufficient safeguards.
    • Level 4: The highest tier, requiring a European cybersecurity certificate of at least assurance level 'high' (Annex II, 4.1(e)) and strict prohibitions on third-country control.

Interaction with Existing Schemes

CADA does not explicitly abolish national schemes like SecNumCloud or industry initiatives like Gaia-X. Instead, it subsumes their core sovereignty objectives into a higher-level statutory framework.

  • SecNumCloud: A CSP with SecNumCloud certification may use that evidence to demonstrate compliance with certain technical criteria under CADA's Annex II (e.g., cybersecurity standards). However, SecNumCloud alone does not grant a CADA Union assurance level. The provider must still undergo the CADA recognition process via a national competent authority. In effect, SecNumCloud may become a component of a CADA compliance strategy rather than a standalone market differentiator for public sector contracts.
  • Gaia-X: The CADA framework aligns with many of Gaia-X's sovereignty principles, such as data localization and control. However, CADA provides the legal enforcement mechanism that Gaia-X lacks. Public procurement authorities will likely prioritize CADA-recognized services over Gaia-X-compliant services that lack formal Union assurance level recognition, as the former carries statutory compliance weight.

Reducing Fragmentation

One of CADA's primary objectives, as stated in the explanatory memorandum, is to address the risks associated with divergent national approaches to sovereignty. By creating a single EU-wide framework, CADA aims to:

  • Level the Playing Field: European CSPs can compete across the Union without needing to navigate dozens of different national certification schemes.
  • Clarify Procurement Rules: Public authorities have clear, legally defined criteria (Union assurance levels) for what constitutes a "sovereign" or "trusted" cloud service, reducing ambiguity in tender documents.
  • Enhance Market Access: For non-EU providers, the framework provides a clear path to market access through the "associated third countries" mechanism (Article 18). This allows providers from third countries with adequate safeguards (e.g., adequacy decisions, no extraterritorial data access laws) to be audited against Union assurance level 3 criteria, provided the Commission adopts an implementing act.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the transition from national/voluntary frameworks to CADA's statutory model requires strategic adjustments in cloud governance and procurement.

1. Audit Your Current Cloud Stack Against CADA Annex II

If your organization relies on SecNumCloud or Gaia-X compliance as a proxy for sovereignty, you must map those attestations against the specific criteria in Annex II of the CADA proposal. Key areas to review include:

  • Data Localization: Does your provider ensure that customer data, including metadata and telemetry, remains exclusively within the Union (Annex II, Level 1, Criterion c)?
  • Subcontractor Transparency: Does your provider give full transparency about its subcontractors and subject them to due diligence (Annex II, Level 1, Criterion f)?
  • Third-Country Control: If your provider is subject to third-country control, does it guarantee that no existing law requires it to report software vulnerabilities to third-country authorities prior to exploitation (Annex II, Level 1, Criterion g)?
  • Cybersecurity Certification: For higher tiers, verify that the provider holds a European cybersecurity certificate of at least 'substantial' (L2/L3) or 'high' (L4) assurance level.

2. Prepare for the Recognition Process

For cloud providers, achieving a Union assurance level is no longer a self-declaration exercise (except for Level 1). For Levels 2, 3, and 4, you must:

  • Engage an Auditing Organization: Select an independent auditor that meets the strict independence and competence requirements of Article 20.
  • Submit to National Competent Authorities: Apply for recognition with the national competent authority of your establishment (Article 17). Be prepared for a 60-day assessment period and potential review by other Member States.
  • Maintain Ongoing Compliance: You must report any material changes in circumstances that could affect your assurance level (Article 23). Failure to do so can result in revocation of recognition.

3. Update Public Procurement Strategies

For public sector bodies, CADA mandates the use of risk assessments (Article 29) to determine the required Union assurance level for your cloud services.

  • Conduct Risk Assessments: By one year after CADA's entry into force, and every two years thereafter, you must conduct risk assessments to identify public sector activities contributing to public order and determine the appropriate assurance level (Level 1, 2, 3, or 4).
  • Procure Accordingly:
    • Activities not identified as contributing to public order must use services recognized at Union assurance level 1 (Article 30(2)).
    • Activities identified as contributing to public order (e.g., national security, justice, law enforcement) must use services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)).
  • Avoid Non-Compliant Tenders: Ensure your tender documents explicitly require CADA-recognized assurance levels rather than referencing only national schemes like SecNumCloud, unless those schemes are explicitly mapped and accepted as evidence for CADA compliance.

4. Monitor Penalties and Enforcement

CADA introduces significant penalties for non-compliance. Member States must lay down rules on penalties that are effective, proportionate and dissuasive (Article 24). While the specific fine amounts are left to Member States, the criteria for imposition include the nature, gravity, and duration of the infringement, as well as the infringing party's annual turnover. Recipients of cloud services also have the right to seek compensation for damages caused by a provider's infringement of their CADA obligations (Article 24(3)).

Common misconceptions

Misconception 1: CADA replaces SecNumCloud or Gaia-X entirely. Reality: CADA does not abolish these initiatives. SecNumCloud may still be used as evidence of technical compliance within the CADA audit process. Gaia-X may continue to operate as an industry ecosystem for interoperability and data sharing. However, for public procurement and legal sovereignty recognition, CADA's Union assurance levels are the mandatory standard.

Misconception 2: Union assurance level 1 is a "low" standard. Reality: Level 1 is the minimum baseline for all public sector cloud services. It includes strict criteria on data localization, cybersecurity standards, and subcontractor transparency. It is not a "light" option but a foundational requirement for any cloud service used by the public sector.

Misconception 3: Non-EU providers are excluded from the CADA framework. Reality: CADA includes a mechanism for "associated third countries" (Article 18). If a third country meets specific criteria (e.g., adequacy decisions, no extraterritorial data access laws), its providers can be audited against Union assurance level 3 criteria. This provides a pathway for non-EU providers to access the EU public sector market, provided they meet the stringent sovereignty requirements.

Misconception 4: Self-assessment is sufficient for all assurance levels. Reality: Only Union assurance level 1 allows for a conformity self-assessment (Article 19). Levels 2, 3, and 4 require independent third-party audits by accredited auditing organizations (Article 20). This distinction is critical for providers aiming for higher assurance levels.

Misconception 5: L3 and L4 have the same cybersecurity certification requirement. Reality: While both require a European cybersecurity certificate, the assurance level differs. Level 2 and 3 require a certificate of at least 'substantial' assurance. Level 4 requires a certificate of at least 'high' assurance (Annex II, 4.1(e)).

This is general information about a draft EU regulation, not legal advice.