Summary

As proposed, the Cloud and AI Development Act (CADA) would make the European Cybersecurity Certification Scheme for Cloud Services (EUCS) a mandatory technical prerequisite for its higher sovereignty tiers. Specifically, cloud providers seeking Union assurance levels 2, 3, or 4 must obtain a European cybersecurity certificate of at least the 'substantial' or 'high' assurance level under Regulation (EU) 2019/881 (the Cybersecurity Act). Until the EUCS scheme is fully established and available, national cybersecurity certification schemes shall apply where they exist. This creates a direct, legally binding dependency: a cloud service cannot be recognised as "sovereign" at levels 2–4 without first proving its technical security robustness via EUCS (or an equivalent national interim scheme).


Detail

The proposed Cloud and AI Development Act (CADA) establishes a four-tier "Union cloud computing sovereignty framework" designed to mitigate risks associated with dependence on non-European cloud providers and to safeguard the Union's public order. While the framework addresses legal and operational sovereignty (such as data location and personnel citizenship), it explicitly anchors technical security in the existing EU cybersecurity certification infrastructure.

The Mandatory Link: EUCS for Assurance Levels 2, 3, and 4

Under CADA, the relationship with the EUCS scheme is not merely complementary; it is a prescriptive condition for recognition. The specific criteria are detailed in Annex II of the proposal.

For Union assurance level 2, Annex II, Section 2.1(e) explicitly mandates that the audited service must obtain a European cybersecurity certificate of at least assurance level 'substantial'. This certificate must be issued under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881.

For Union assurance level 3, the requirement remains consistent regarding the baseline security standard. Annex II, Section 3.1(e) repeats the mandate, requiring a European cybersecurity certificate of at least assurance level 'substantial'. This ensures that even at this higher tier of sovereignty, the technical security baseline is uniform across the Union.

For Union assurance level 4, which represents the highest level of sovereignty intended for the most sensitive public sector activities (including those handling classified information), the security bar is raised. Annex II, Section 4.1(e) requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'high' under the same scheme established by Regulation (EU) 2019/881.

This structure ensures that technical cybersecurity robustness is a non-negotiable prerequisite for sovereignty recognition. A provider cannot claim high sovereignty (levels 3 or 4) without first demonstrating that its service meets the rigorous technical security standards defined by the EUCS. The distinction between 'substantial' (Levels 2 & 3) and 'high' (Level 4) aligns the cybersecurity assurance with the sensitivity of the public order risks being mitigated.

The Role of Regulation (EU) 2019/881

Regulation (EU) 2019/881, commonly known as the Cybersecurity Act, provides the legal basis for the EUCS. It empowers the European Union Agency for Cybersecurity (ENISA) to develop certification schemes for ICT products, services, and processes. The EUCS specifically targets cloud services, defining requirements for confidentiality, integrity, availability, and other security properties at different assurance levels: basic, substantial, and high.

CADA leverages this existing legal instrument rather than creating a new, standalone cybersecurity standard. By referencing Regulation (EU) 2019/881, CADA aligns its sovereignty goals with the EU's broader cybersecurity strategy. This alignment ensures that the "sovereign" cloud services recognised under CADA are also technically secure according to EU-wide standards. It prevents a scenario where a cloud service is deemed "sovereign" based on data location alone but lacks the necessary technical resilience against cyber threats.

Interim Application of National Schemes

A critical practical consideration is the timeline. The EUCS scheme is still being developed and adopted under Regulation (EU) 2019/881. CADA explicitly acknowledges this gap so that the regulation can be applied without waiting for the EUCS scheme to be finalised.

Annex II, Sections 2.1(e), 3.1(e), and 4.1(e) all include an identical transitional provision: "Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist."

This means that in the period between CADA's entry into application and the full operationalization of EUCS, cloud providers would need to rely on national cybersecurity certifications to meet the criteria for assurance levels 2, 3, and 4. This creates a potentially fragmented landscape in the short term, where a service might be certified as sovereign in one Member State based on its national scheme (e.g., France's SecNumCloud or Germany's C5) but not in another, until EUCS provides a harmonized EU-wide benchmark.

Once the EUCS scheme is established and available to cloud service providers, the reference to national schemes would likely cease to apply for new recognitions, ensuring a single market for sovereign cloud services.

Assurance Level 1: No EUCS Requirement

It is important to note that Union assurance level 1, the baseline level for all public sector cloud procurement, does not require an EUCS certificate. Annex II, Section 1.1(e) only requires that the provider demonstrates that the service complies with "state-of-the-art cybersecurity standards."

This distinction allows for a broader market of providers to enter the sovereign cloud space at the entry level. Providers seeking Level 1 recognition do not need to undergo the formal EUCS certification process (or its national interim equivalent) but must still demonstrate robust security practices. This lowers the barrier to entry for smaller providers or those serving less critical public functions, while reserving the more stringent EUCS-linked requirements for services handling sensitive data or critical public order functions.

Audit and Verification

The certification is not self-declared. For levels 2, 3, and 4, CADA requires independent third-party audits under Article 20. The auditing organisation must verify that the provider has obtained the relevant EUCS (or national interim) certificate. This certificate becomes a critical piece of audit evidence (as outlined in Annex III) that supports the provider's recognition under the sovereignty framework.

The audit process ensures that the certificate is valid, covers the specific service in question, and matches the required assurance level ('substantial' for levels 2/3, 'high' for level 4). If the EUCS scheme is not yet established, the auditor must verify the validity of the national certification against the criteria set out in the relevant national scheme.


What this means for you

For CTOs and Cloud Architects: If your organization is building or procuring cloud infrastructure intended for public sector use in the EU, you must plan for EUCS compliance as a core architectural requirement. Designing for Union assurance level 2 or higher means your security controls must map directly to the 'substantial' or 'high' assurance requirements of the EUCS scheme. You cannot treat cybersecurity and sovereignty as separate compliance tracks; they are legally intertwined under CADA. Start mapping your current security posture to the draft EUCS requirements now, even if the scheme is not yet final, to reduce future refactoring costs. If you are targeting Level 4, your security architecture must be ready for the 'high' assurance level, which implies stricter controls than 'substantial'.

For SMEs and Startups: The EUCS certification process can be resource-intensive and costly. However, CADA provides a tiered approach. If your services are suitable for Union assurance level 1, you are not required to obtain an EUCS certificate. You only need to demonstrate "state-of-the-art cybersecurity standards." This lowers the barrier to entry for SMEs wanting to participate in the sovereign cloud market. Focus on robust security documentation and best practices for Level 1, while monitoring the development of EUCS for future growth into higher assurance levels where the market demand for sensitive public sector data may shift.

For Providers Evaluating Market Entry: Be aware of the transitional period. Until EUCS is fully established, you may need to pursue multiple national certifications to operate across the EU, as different Member States may have different national schemes in place. This increases compliance costs and complexity. Engage with your national competent authority to understand which national schemes are currently accepted as interim equivalents to EUCS 'substantial' or 'high' assurance levels. Once EUCS is launched, you will likely need to migrate to the EU-wide scheme to maintain your recognition across the single market.

For Public Sector Procurement Officers: When drafting tender specifications for cloud services, you must align your requirements with the risk assessment outcomes under Article 29. If your activity is identified as contributing to the preservation of public order, you must procure services recognised at levels 2, 3, or 4. This means your tender must explicitly require the provider to hold a valid EUCS certificate (or national equivalent) at the appropriate assurance level ('substantial' or 'high'). Do not accept self-declarations of security; require proof of the relevant certification as part of the technical evaluation.


Common misconceptions

Misconception: CADA replaces EUCS. False. CADA does not replace EUCS; it depends on it. EUCS provides the technical cybersecurity certification; CADA uses that certification as one of several criteria (alongside data localisation, personnel screening, and absence of third-country control) to grant a sovereignty assurance level. Without EUCS (or a national interim scheme), the technical pillar of the sovereignty framework cannot be verified for levels 2–4.

Misconception: Level 1 requires EUCS. False. Union assurance level 1 does not require an EUCS certificate. It only requires a demonstration of "state-of-the-art cybersecurity standards." EUCS becomes mandatory only from level 2 upwards. This distinction is crucial for providers targeting the broader public sector market where not all data is sensitive.

Misconception: EUCS is already fully operational. False. The EUCS scheme is still being developed under Regulation (EU) 2019/881. CADA explicitly allows for the use of national cybersecurity certification schemes in the interim. Providers should not assume a single EU-wide EUCS certificate is available for immediate use for all purposes. Until the scheme is established, national schemes are the valid pathway.

Misconception: National certifications are permanently valid. False. National certifications are a stopgap measure. Once EUCS is established and available, the reference to national schemes in Annex II will likely cease to apply for new recognitions. Providers will likely need to migrate to EUCS to maintain their Union assurance level recognition across the EU, ensuring harmonization and avoiding fragmentation.

Misconception: 'Substantial' and 'High' are interchangeable. False. The distinction is critical. Levels 2 and 3 require 'substantial' assurance. Level 4 requires 'high' assurance. A provider with only a 'substantial' certificate cannot be recognised at Level 4. This ensures that the highest sovereignty tier is reserved for services with the highest technical security posture.


This is general information about a draft EU regulation, not legal advice.