Summary

As proposed, the Cloud and AI Development Act (CADA) would protect EU data confidentiality through a harmonised sovereignty framework built on four "Union assurance levels" that go beyond traditional data-transfer rules. Under Article 29, Member States and Union entities would carry out risk assessments to map public-sector activities to the appropriate assurance level, so that sensitive data is processed only by services offering sufficient safeguards against third-country access and operational disruption. The aim is to secure both data confidentiality and operational autonomy, both treated as essential to preserving public order.

Detail

The proposed CADA reflects a view that existing EU laws, such as the GDPR, do not address the full spectrum of risks created by cloud-computing dependencies. While the GDPR regulates the processing of personal data and transfers to third countries, it does not squarely address operational disruption, service degradation, or the extraterritorial reach of third-country laws that may compel cloud providers to hand over non-personal data or disable services. As proposed, CADA would address these gaps by establishing a Union cloud computing sovereignty framework (Title IV) designed to safeguard the Union's public order, data confidentiality, and operational autonomy.

The Union assurance levels

At the core of CADA's data-confidentiality protection would be a tiered system of Union assurance levels (Levels 1 through 4), with criteria set out in Annex II of the proposal. These define cumulative criteria that cloud-computing service providers would have to meet to be recognised as offering a given level of sovereignty.

  • Union assurance level 1 would require the provider to be established in the Union and that infrastructure, assets, and customer data (including metadata and telemetry data) remain exclusively within the Union, unless the public sector body explicitly requires otherwise. It would also require state-of-the-art cybersecurity standards and full transparency about subcontractors.
  • Union assurance level 2 would add independent third-party audits and progressively stricter controls. For example, data generated by using the service could not be used to train or fine-tune any AI system operated by a third country (or a third-country entity) and could not be transferred outside the Union. Level 2 would also impose software supply-chain controls — including documenting a software bill of materials (SBOM) and implementing controls to block remote features from third-country software that could tamper with or disrupt systems.
  • Levels 3 and 4 would add further constraints, such as requiring that personnel involved in providing the service are Union citizens. For Level 4, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. These levels are aimed at the most critical public-sector activities, where the risk to public order is highest.

Risk assessments under Article 29

The mechanism that links these assurance levels to actual public-sector activities would be the risk-assessment obligation in Article 29. As proposed, Member States and Union entities would carry out risk assessments — within one year of entry into force and thereafter every two years, or whenever necessary — to identify public-sector activities that contribute to the preservation of public order. These would include activities in sectors falling under Annex I or II of the NIS2 Directive, as well as in the areas of national security, internal security, external border management, defence, justice, and law enforcement.

Under Article 29, authorities would have to consider at least:

  1. The sensitivity, criticality, and magnitude of the non-personal data processed, plus the nature, scope, context, and purpose of any personal-data processing.
  2. The risk and consequent impact on public order of unlawful access (under Union law) to such data by a third country or a legal entity established in a third country.
  3. The risk and consequent impact on public order of possible service disruption.

Based on the assessment, authorities would determine which Union assurance level (2, 3, or 4) is appropriate. Article 30 would then require that, for activities identified as contributing to public order, contracting authorities procure only cloud-computing services recognised as offering Union assurance levels 2, 3, or 4. For activities not identified as contributing to public order, Union assurance level 1 would be the minimum.

Beyond GDPR and transfer rules

As the explanatory memorandum notes, instruments such as the EU-US Data Privacy Framework address transatlantic data transfers but do not remove sovereignty concerns about dependence on third-country providers. CADA's sovereignty framework would go beyond data transfers by focusing on operational autonomy — aiming to ensure that cloud services cannot be disrupted or degraded by third-country actors, thereby protecting the continuity of essential public services. This would be achieved through criteria on infrastructure location, personnel citizenship (at higher levels), and the absence of third-country control, which are not covered by standard data-protection adequacy decisions.

What this means for you

For public-sector procurement officers, CADA as proposed would introduce a structured, mandatory approach to cloud procurement that prioritises sovereignty and confidentiality.

  1. Conduct mandatory risk assessments. You would carry out risk assessments under Article 29 to identify which cloud-dependent activities contribute to the preservation of public order. This is a prerequisite for determining the required assurance level.
  2. Map activities to assurance levels. Based on the risk assessment, you would determine whether an activity requires Union assurance level 1, 2, 3, or 4. High-risk activities in defence, justice, or critical infrastructure are likely to require levels 3 or 4.
  3. Procure only recognised services. When tendering, you would have to procure services recognised under the CADA framework at the required level, unless a specific derogation applies (for example, no adequate alternative exists).
  4. Verify recognition status. You would use the central repository maintained by the Commission (Article 22) to confirm that a provider has been recognised at the necessary Union assurance level — through self-assessment for Level 1 or independent third-party audits for Levels 2-4.
  5. Consider multi-cloud strategies. Article 29 would require authorities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement.

Common misconceptions

  • Misconception: CADA replaces the GDPR.
    • Reality: As proposed, CADA would complement the GDPR. The GDPR continues to apply to the processing of personal data; CADA would address broader sovereignty risks, including operational continuity and non-personal data, that the GDPR does not fully cover.
  • Misconception: Data localisation is enough.
    • Reality: While CADA would require customer data to remain in the Union, it also addresses third-country control and operational disruption. A provider established in the EU but controlled by a third-country entity may not meet the criteria for the highest levels — Level 4 strictly prohibits third-country control.
  • Misconception: Only high-risk AI systems are affected.
    • Reality: The sovereignty framework would apply to cloud-computing services broadly, not just those hosting high-risk AI systems. Any cloud service used by the public sector would have to meet the relevant assurance level based on the risk assessment.
  • Misconception: Private-sector entities are directly regulated.
    • Reality: CADA's mandatory procurement rules apply to contracting authorities. Private entities in NIS2 Annex I sectors may carry out similar assessments under Article 31, but those are not, in themselves, mandatory unless the Commission acts under its delegated powers.

This is general information about a draft EU regulation, not legal advice.