Summary
The proposed Cloud and AI Development Act (CADA) does not replace the EU Cybersecurity Act (CSA, Regulation (EU) 2019/881); instead, it adds a critical "sovereignty layer" on top of existing technical security standards. While the CSA provides the framework for technical certifications like the European Cybersecurity Certification Scheme for Cloud Services (EUCS), CADA introduces a four-tier Union assurance framework that mandates additional criteria regarding data localisation, personnel nationality, and third-country control. As the Commission states in the explanatory memorandum, "Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Consequently, a cloud provider holding a high-level EUCS certificate may still fail CADA compliance if it cannot meet the specific sovereignty requirements for public-order-relevant services.
Detail
The interaction between the proposed CADA (COM(2026) 502 final) and the established Cybersecurity Act is defined by complementarity. The CSA focuses on the technical integrity, resilience, and security of ICT products and services. CADA, by contrast, addresses the strategic risks of dependence on non-EU providers, ensuring that the infrastructure underpinning critical public functions remains under Union control.
Distinct but Linked Mandates
The explanatory memorandum explicitly delineates the scope of each instrument. The CSA (and its ongoing revision, often referred to as CSA2) addresses supply chain risks and technical cybersecurity. CADA fills the gap regarding "sovereignty and non-technical risks." The proposal clarifies this distinction: "Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements."
This means that technical security is a prerequisite for CADA compliance, but it is not sufficient. A provider must satisfy the technical benchmarks of the CSA (via EUCS) and the sovereignty benchmarks of CADA to be recognised for higher assurance levels.
Integration of EUCS into CADA Assurance Levels
CADA establishes four Union assurance levels (Level 1 to Level 4). The requirement for cybersecurity certification is tiered, becoming more stringent as the assurance level increases. These requirements are codified in Annex II of the proposal:
- Union Assurance Level 1: This baseline level requires the provider to demonstrate that the service complies with "state-of-the-art cybersecurity standards." It does not explicitly mandate a specific EUCS assurance level in the text, relying instead on general compliance with applicable Union law.
- Union Assurance Level 2: Requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (Annex II, Section 2.1(e)). The text notes that until such a Union scheme is fully established and available, national cybersecurity certification schemes shall apply where they exist. If no Union or national schemes exist, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
- Union Assurance Level 3: Mirrors Level 2 regarding cybersecurity, requiring a European cybersecurity certificate of at least assurance level 'substantial' under Regulation (EU) 2019/881 (Annex II, Section 3.1(e)).
- Union Assurance Level 4: Demands the highest technical standard, mandating a European cybersecurity certificate of at least assurance level 'high' under Regulation (EU) 2019/881 (Annex II, Section 4.1(e)).
It is crucial to note that the cybersecurity certification is just one of many cumulative criteria. For Levels 2, 3, and 4, providers must also meet requirements regarding the location of infrastructure, the citizenship of personnel, and the absence of third-country control.
The Role of ENISA and the EUCS Timeline
The proposal acknowledges that the European Union Agency for Cybersecurity (ENISA) is currently developing the EUCS. The text states: "When finalised, it could be leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards."
This creates a transitional dynamic. Until the EUCS is formally adopted and operational, providers may rely on national schemes or demonstrate adherence to the highest available standards. However, once the EUCS is live, compliance with CADA's higher tiers (Levels 2–4) will effectively become conditional on holding the specific EUCS assurance levels ('substantial' or 'high'). Providers cannot bypass the technical rigour of the CSA to achieve sovereignty status; they must satisfy both the technical security benchmarks of EUCS and the sovereignty criteria defined in CADA.
A Note on Drafting Errors in the Proposal
Readers should be aware of a specific drafting inconsistency in the proposal text regarding third-country derogations. Annex II, Section 3.1(g) (governing Level 3) states that a provider subject to third-country control may be audited for Level 3 "where the Commission has adopted an implementing act under Article 19."
However, Article 19 of the proposal concerns "Conformity self-assessment" for Level 1. The correct reference for third-country adequacy decisions is Article 18 ("Associated third countries"). This appears to be a drafting slip in the proposal text itself. In practice, the legal mechanism for third-country derogations at Level 3 is governed by Article 18, which sets out the cumulative criteria (e.g., adequacy decisions, no laws compelling data access) that a third country must meet.
What this means for you
For in-house counsel, compliance officers, and cloud providers, the interaction between CADA and the Cybersecurity Act creates a dual-compliance obligation. You cannot rely on a single certificate to satisfy both regimes.
1. Audit and Certification Strategy
If your organisation provides cloud services to EU public sector bodies, you must prepare for a two-pronged assessment:
- Technical Security: You must align with the EUCS scheme under the Cybersecurity Act. For public contracts involving public order relevance, this means targeting at least the 'substantial' assurance level (for CADA Levels 2 and 3) or the 'high' assurance level (for CADA Level 4).
- Sovereignty Criteria: You must simultaneously meet CADA's Annex II criteria. This includes strict rules on data localisation (data must remain in the Union), personnel citizenship (Union citizens required for Levels 3 and 4, conditional for Level 2), and the absence of third-country control.
2. Deadlines and Transition
CADA proposes that Member States designate national competent authorities within one year of the Regulation's entry into force (Article 25). The Commission is empowered to adopt delegated acts to amend the Union assurance levels and audit criteria (Article 16(2)). Compliance officers should monitor the finalisation of EUCS, as CADA's higher tiers explicitly reference it. Until EUCS is fully operational, national schemes may apply, but the long-term standard is the EU-wide scheme.
3. Penalties and Enforcement
CADA introduces its own penalty regime for infringements of its Chapter on Autonomy (Article 24). Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." While the Cybersecurity Act has its own enforcement mechanisms for technical cybersecurity failures, CADA adds liability for failing to maintain sovereignty assurances. For example, providers must report any material changes that affect their assurance level status under Article 23. Failure to do so, or providing incorrect information, can lead to the revocation of recognition and potential penalties. Recipients of cloud services also have the right to seek compensation for damages caused by a provider's infringement of these obligations (Article 24(3)).
4. Procurement Implications
Public sector buyers will use CADA's risk assessments (Article 29) to determine the required assurance level. If a risk assessment identifies that an activity contributes to the preservation of public order (e.g., law enforcement, defence), authorities must procure only services recognised at Union Assurance Levels 2, 3, or 4 (Article 30(3)). This means your EUCS certification alone is insufficient; you must also undergo the CADA recognition process via a national competent authority (Article 17).
Common misconceptions
Misconception 1: Having an EUCS certificate means you are CADA-compliant. This is incorrect. EUCS addresses technical cybersecurity. CADA requires additional sovereignty criteria, such as ensuring that infrastructure, assets, and personnel are located in the Union, and that the provider is not subject to the control of a third country (Annex II). A provider can have a 'high' EUCS certification but fail CADA Level 4 if, for example, its data is stored outside the Union or its personnel are not Union citizens.
Misconception 2: CADA replaces the Cybersecurity Act. CADA does not repeal or replace the Cybersecurity Act. The proposal explicitly states it "complements" the Cybersecurity Act. Providers must comply with both regimes. The Cybersecurity Act remains the source of the technical certification schemes (EUCS), while CADA dictates which of those certifications are required for specific public sector use cases based on sovereignty risk.
Misconception 3: Only EU-based providers can achieve sovereignty. While CADA strongly favours EU establishment, it provides a mechanism for third-country providers. Under Article 18, the Commission may adopt decisions identifying third countries whose providers may be audited for Union Assurance Level 3, provided they meet strict cumulative criteria (e.g., no laws compelling data access or service disruption). However, this is an exception, not the rule, and requires a specific Commission implementing act. Furthermore, Level 4 generally requires no third-country control at all.
This is general information about a draft EU regulation, not legal advice.