Summary

As proposed, the Cloud and AI Development Act (CADA) explicitly affirms that the free flow of data within the Union is an essential condition for the internal market, mandating that data must not be confined to the territory of a single Member State (Recital 64). This principle is balanced by a sovereignty framework that restricts who may access data and under whose control it is processed, rather than where data flows within the EU. Member States and Union entities must conduct risk assessments under Article 29 to determine the appropriate Union assurance level for each activity, so that public order is protected through justified, proportionate measures rather than blanket data localization. The tension is managed by distinguishing between geographic flow within the Union (permitted) and third-country control (restricted).

Detail

The Cloud and AI Development Act (CADA) proposal, COM(2026) 502 final, seeks to reconcile two seemingly competing objectives: the EU's commitment to a digital single market characterized by the free flow of data, and the urgent need for technological sovereignty to mitigate risks from third-country dependencies. For in-house counsel and compliance officers, understanding how these principles interact is critical for navigating public procurement, cloud service selection, and cross-border data governance.

The Free Flow Principle vs. Sovereignty Tiers

Recital 64 of the CADA proposal explicitly affirms that "the free flow of data within the Union is an essential condition for the proper functioning of the internal market." It mandates that Member States ensure data is "not confined to the territory of a single Member State and may be stored and processed across the Union without unjustified restrictions." This provision is designed to prevent the resurgence of national data silos that fragment the single market and increase costs for businesses and public bodies.

However, this free flow principle does not create an unconditional right to process data anywhere in the EU without oversight. Instead, CADA introduces a tiered sovereignty framework consisting of four Union assurance levels (Levels 1–4), detailed in Article 16 and Annex II. These levels do not restrict the geographic movement of data within the EU; rather, they restrict the identity, jurisdiction, and control structures of the cloud computing service providers and their subcontractors.

For example, at Union Assurance Level 1, the provider must be established in the Union, and infrastructure must be located in the Union unless the public sector body explicitly requires otherwise (Annex II, Section 1.1(b)). At Levels 2, 3, and 4, the requirements become progressively stricter regarding personnel citizenship, cybersecurity certification, and the prohibition of third-country control. Crucially, even at the highest levels, data may flow across Member States, provided the processing entities meet the stringent sovereignty criteria. The restriction is on access and control, not on location within the EU borders.

Risk-Based Assessment Under Article 29

The mechanism that bridges the free flow principle and sovereignty requirements is the risk assessment obligation set out in Article 29. Member States and Union entities are required to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine which Union assurance level (2, 3, or 4) is appropriate for specific activities.

Article 29(1) specifies that these assessments must identify activities in sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement. The assessment must consider:

  1. The sensitivity, criticality, and magnitude of the non-personal data processed.
  2. The risk and impact on public order of unlawful access by a third country or legal entity established in a third country.
  3. The risk and impact on public order of possible service disruption.

This risk-based approach ensures that sovereignty measures are proportionate. Not all public sector data requires the highest level of assurance. Recital 52 notes that "most public services would not require the highest levels of assurance." Only when a risk assessment determines that activities have "public order relevance" must contracting authorities procure services recognized as offering Union assurance levels 2, 3, or 4 (Article 30(3)). For activities not identified as contributing to public order, the baseline of Level 1 applies (Article 30(2)).

Managing Tension Through Justified Measures

The tension between free flow and sovereignty is managed through the principle of proportionality and the protection of public order. Recital 64 acknowledges that while the Union maintains an open and non-discriminatory framework, it retains the right to adopt measures necessary to protect public morals, order, or safety. This is consistent with Article III:2(a) of the WTO Agreement on Government Procurement (GPA), which allows for necessary and proportionate restrictions on access to public procurement procedures to protect public order.

CADA clarifies that identifying and addressing risks such as critical dependencies, unauthorized access to Union data, technology leakage, sabotage, and espionage is fundamental for preserving Union public order. Therefore, restricting procurement to sovereign-certified services for critical sectors is not viewed as a barrier to the internal market, but as a necessary safeguard. The sovereignty framework provides a harmonized, auditable set of criteria, preventing Member States from adopting divergent, fragmented national rules that would otherwise hinder the internal market.

Implications for Data Localization and Third-Country Transfers

It is important to distinguish CADA's sovereignty framework from data localization rules. CADA does not generally prohibit the transfer of data outside the EU, but it attaches strict conditions to it. Under Union Assurance Level 1, customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Section 1.1(c)).

Levels 2 and 3 carry the same rule: customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Sections 2.1(c), 3.1(c)). Level 4, however, imposes an absolute requirement: customer data identified as sensitive must "remain exclusively within the Union and at any time", without the explicit exception clause found in the lower tiers (Annex II, Section 4.1(c)).

Furthermore, at Levels 2, 3, and 4 the data generated by using the audited service must not be used to train or fine-tune any AI system operated by a third country or by a legal entity established in a third country, and must not be transferred outside the Union in any case (Annex II, Sections 2.1(f), 3.1(f), 4.1(f)).

Additionally, Article 18 provides a derogation mechanism for third-country control at Level 3. The Commission may adopt decisions identifying third countries whose controlled providers may be audited against the Level 3 criteria, provided the third country benefits from an adequacy decision under Article 45 GDPR and has no measures in place enabling control over the data or disruption of the service. This creates a pathway for international cooperation while maintaining the sovereignty safeguards.

What this means for you

For in-house counsel and compliance officers, the interaction between free flow and sovereignty in CADA translates into specific operational obligations:

  1. Conduct Robust Risk Assessments: You must actively participate in or support the risk assessments mandated by Article 29. These assessments determine the minimum assurance level required for your cloud services. Failure to classify correctly the sensitivity of your data and the public order relevance of your activities could lead to non-compliance. The assessments must be carried out within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary (Article 29(1)).
  2. Verify Provider Assurance Levels: When procuring cloud services, you must verify the provider's recognized Union assurance level. For activities identified as contributing to public order, you may only procure services recognized as offering Levels 2, 3, or 4 (Article 30(3)). Relying on a provider with only Level 1 recognition for critical functions would be a breach of Article 30.
  3. Monitor for Material Changes: Under Article 23, recognized providers must report material changes that could affect their assurance status. Compliance officers should track these notifications to confirm continued compliance. If a provider's recognition is revoked, or a migration is otherwise required, the Member State or Union entity must migrate to a compliant service within a reasonable transition period that may not exceed 12 months (Article 29(6)).
  4. Avoid Unjustified Data Silos: While sovereignty is paramount, you must not impose unjustified restrictions on data flow within the EU. If your risk assessment does not mandate a higher assurance level, you should not restrict data to a single Member State if it hinders efficiency or increases costs without legal basis, in line with Recital 64.
  5. Prepare for Penalties: Article 24 empowers Member States to impose effective, proportionate, and dissuasive penalties for infringements. While CADA does not set fixed EU-wide fines, it provides criteria for their imposition, including the nature, gravity, and duration of the infringement. Non-compliance with procurement obligations could result in significant administrative and reputational risks.

Common misconceptions

  • "CADA bans all data transfers outside the EU." This is incorrect. CADA focuses on sovereignty within the EU and on strict conditions for third-country access. Levels 1 to 3 allow customer data to leave the Union where the public sector body explicitly requires it; only Level 4 (for data identified as sensitive) and the rule on service-generated data at Levels 2 to 4 exclude transfer outside the Union altogether. Furthermore, Article 18 provides a mechanism for recognizing providers under third-country control at Level 3 under strict conditions.
  • "Sovereignty means data must stay in one country." Recital 64 explicitly rejects this. Data must be able to flow across the Union. Sovereignty in CADA is about who controls the data and the infrastructure, not where it is physically stored within the EU. A provider can operate infrastructure in multiple Member States as long as it meets the assurance criteria.
  • "All public sector cloud services require the highest sovereignty level." No. Recital 52 states that most public services do not require the highest levels of assurance. The risk assessment under Article 29 is designed to ensure proportionality. Only activities with public order relevance require Levels 2, 3, or 4.
  • "Data localization is the only way to ensure sovereignty." CADA explicitly moves away from simple data localization. The framework focuses on "Union assurance levels" which verify the legal and operational control of the provider, rather than just the physical location of the server. This allows for a more flexible, cross-border EU cloud market.

This is general information about a draft EU regulation, not legal advice.