Summary
The proposed Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework under Article 16 to directly support EU digital sovereignty goals. This framework introduces four graduated "Union assurance levels" that allow public sector bodies to match cloud services to their specific risk profiles. By mandating independent audits for higher tiers and requiring strict EU-based controls for critical public order activities, the proposal ensures operational autonomy and reduces dependency on non-EU hyperscalers. This structured, audited approach prevents the "over-sovereignization" of low-risk services while securing the infrastructure underpinning the EU's most sensitive functions.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, places a Union cloud computing sovereignty framework at the very center of its strategy to strengthen Europe's digital ecosystem. This framework, explicitly established by Article 16 and elaborated in the Regulation's recitals, is designed to mitigate the strategic risks associated with the EU's heavy reliance on a limited number of non-European cloud providers. The core mechanism is a tiered system of "Union assurance levels" that categorizes cloud services based on their ability to guarantee data confidentiality, operational autonomy, and protection against third-country interference.
The Legal Basis: Article 16 and the Sovereignty Framework
Article 16(1) of the proposal states that the Regulation "establishes a Union cloud computing sovereignty framework comprising four Union assurance levels." These levels are not arbitrary labels; they are cumulative criteria set out in Annex II that a cloud computing service provider must meet for a service to be recognized at a given level and thereby become eligible for procurement by Union entities and public sector bodies.
The framework is designed to be graduated. Recital 51 explains that to address the nuanced nature of sovereignty, the framework provides for "four different levels of trusted offers." This allows for a proportionate approach where the stringency of requirements matches the sensitivity of the public sector activity. Recital 52 further clarifies that "most public services would not require the highest levels of assurance," ensuring that the framework does not stifle innovation or impose unnecessary costs on low-risk activities.
The Four Union Assurance Levels
The four levels represent a ladder of increasing sovereignty and security requirements:
- Union Assurance Level 1 (Baseline): This is the minimum requirement for all public sector procurement. Under Annex II, Section 1, providers must be established in the Union, with infrastructure and customer data remaining exclusively within the Union unless the public sector body explicitly requires otherwise. It requires compliance with state-of-the-art cybersecurity standards and full transparency regarding subcontractors. Crucially, Level 1 relies on a conformity self-assessment by the provider, as outlined in Article 19, rather than an independent audit.
- Union Assurance Level 2 (Audited & Personnel): This tier introduces the requirement for independent third-party audits under Article 20. It mandates that personnel involved in service provision are located in the Union and that data generated by the service is not used to train AI systems operated by third countries. It also requires a European cybersecurity certificate of at least assurance level "substantial" (or equivalent national standards until a Union scheme is established).
- Union Assurance Level 3 (High Control & Citizenship): Targeting higher-risk activities, this level requires that the provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country, unless a specific derogation under Article 18 applies. It mandates that personnel, including those of subcontractors, are Union citizens and, where appropriate, hold national security clearance. It also requires a "substantial" European cybersecurity certificate.
- Union Assurance Level 4 (Maximum Sovereignty): The highest tier, reserved for the most critical public order activities (e.g., handling classified information). It imposes the strictest controls, including a European cybersecurity certificate of at least assurance level "high" (Annex II, Section 4.1(e)). It requires absolute prohibition of third-country control, rigorous supply chain transparency (including Software Bills of Materials), and ensures that technical support is performed exclusively within the Union by Union residents.
Graduated and Audited Sovereignty
A defining feature of CADA's approach is that sovereignty is both graduated and audited. The proposal recognizes that a "one-size-fits-all" approach would be inefficient. Recital 52 explicitly states that the risk assessment mechanism ensures "the principles of proportionality and subsidiarity are complied with."
The audited nature of the framework is critical for trust. While Level 1 relies on self-declaration, Article 20 mandates that providers seeking recognition at Levels 2, 3, or 4 must undergo independent third-party audits. Recital 55 emphasizes that "independent audits are an important tool for monitoring the compliance," requiring providers to give auditors access to all relevant data and premises. This ensures that claims of sovereignty are verified against objective, harmonized criteria rather than being mere marketing statements.
The results of these audits feed into a central repository established under Article 22, which the Commission must maintain. This repository lists all services recognized as offering Union assurance levels 1–4, providing transparency for contracting authorities.
Supporting Digital Sovereignty Goals
The tiering system directly addresses the EU's strategic goal of reducing critical external dependencies. Recital 46 highlights that dependence on providers subject to third-country control exposes the Union to risks such as "unauthorised access to Union data, technology leakage, sabotage and espionage." By mandating that contracting authorities procure services aligned with the appropriate assurance level based on risk assessments (Article 29 and Article 30), CADA creates a powerful demand-pull for sovereign European cloud services.
Furthermore, the framework supports the development of a competitive European cloud market. By harmonizing sovereignty criteria across the Union, CADA removes the fragmentation caused by divergent national standards. Recital 47 notes that national measures risk fragmenting the internal market, whereas CADA's harmonized framework allows European providers to scale across borders with a single recognition. This fosters a "trusted cloud computing service" ecosystem that is resilient, innovative, and aligned with EU values.
What this means for you
For public-sector procurement officers, CADA's tiering system fundamentally changes how you evaluate and select cloud computing services.
- Conduct Risk Assessments: You are required to carry out risk assessments to determine which Union assurance level is appropriate for your activities. Article 29 mandates that Member States and Union entities identify public sector activities contributing to the preservation of public order and map them to assurance levels 2, 3, or 4. Activities not identified as contributing to public order must still use services recognized at Union assurance level 1 (Article 30(2)).
- Procure Based on Assurance Levels: Your procurement documents must reflect these requirements. Article 30(3) states that contracting authorities whose activities are identified as contributing to public order in sectors falling under the NIS2 Directive or in areas of national security, defense, and justice, shall only procure services recognized as offering Union assurance levels 2, 3, or 4.
- Verify Recognition: Before awarding contracts, you must verify that the provider has been recognized by the national competent authority of establishment and is listed in the central repository maintained by the Commission (Article 22). Relying on self-declared sovereignty is no longer sufficient for higher-tier services.
- Plan for Migration: If your current cloud provider does not meet the required assurance level, you must plan for migration. Article 29(6) allows for a reasonable transition period, not exceeding 12 months, to migrate to a compliant service, taking into account technical feasibility and data portability.
- Leverage EuroCloud Federation: Consider participating in the European public sector cloud federation (EuroCloud Federation) established under Article 34. This allows for the sharing of secure, resilient public sector cloud capacities, potentially offering cost-effective access to high-assurance services without the need for individual large-scale procurements.
Common misconceptions
- "All public sector cloud services must be at the highest sovereignty level."
  - Correction: This is incorrect. CADA adopts a proportionate approach. Recital 52 clarifies that most public services do not require the highest levels of assurance. Only activities identified as contributing to the preservation of public order in critical sectors require levels 2, 3, or 4. All other public sector bodies must use at least Union assurance level 1.
- "Sovereignty is just about data location."
  - Correction: While data localization is a component (e.g., Annex II, Level 1(c)), sovereignty under CADA is broader. It includes operational autonomy, protection against third-country legal orders (e.g., Annex II, Level 2(g)), supply chain transparency, and personnel citizenship requirements for higher tiers. It addresses the risk of third-country laws with extraterritorial effect, such as the US CLOUD Act, which can compel data access regardless of where the data is stored.
- "Non-EU providers can never qualify for sovereign status."
  - Correction: While the framework favors EU-established providers, Article 18 provides a mechanism for the Commission to recognize third countries as providing sufficient assurances for Union assurance level 3. This requires the third country to meet strict criteria, including having an adequacy decision for data protection and no measures enabling control over the provider that conflict with EU law. The derogation applies only to Level 3, however: Level 4 admits no third-country control at all, and because the Annex II criteria are cumulative, the Level 1 requirement that the provider be established in the Union carries through every tier.
- "The AI Act replaces CADA's sovereignty requirements."
  - Correction: The AI Act and CADA are complementary but distinct. The AI Act focuses on the safety, fundamental rights, and transparency of AI systems. CADA focuses on the sovereignty, resilience, and operational autonomy of the underlying cloud infrastructure and services. Recital 24 explicitly states that the AI Act "does not cover aspects of sovereignty," which is why CADA is necessary.
This is general information about a draft EU regulation, not legal advice.