Summary
The EuroCloud Federation, established under Article 34 of the proposed Cloud and AI Development Act (CADA), is a voluntary mechanism for public-sector bodies to share data centre and cloud computing services. It is legally and functionally distinct from the four-tier Union assurance framework (Articles 16–21) that defines cloud sovereignty levels. While EuroCloud facilitates the pooling of public capacity to reduce costs and dependencies, services shared within the Federation must still independently meet the specific technical, legal, and operational criteria of the relevant sovereignty tier (Levels 1–4) to be eligible for procurement by sensitive public entities. Both mechanisms serve the overarching Title IV objective of enhancing Union autonomy, but one acts as a distribution network while the other acts as a quality filter.
Detail
To understand the relationship between EuroCloud and CADA's sovereignty tiers, it is necessary to separate the mechanism of sharing from the standard of trust. CADA addresses the EU's strategic dependency on non-European cloud providers through two parallel but interconnected pillars in Title IV: a harmonised sovereignty framework (Articles 16–28) and a demand-side sharing mechanism via the EuroCloud Federation (Articles 34–36).
1. Distinct Legal Instruments and Objectives
The Union cloud computing sovereignty framework (Article 16) establishes four assurance levels based on cumulative criteria found in Annex II. These levels range from Level 1 (basic establishment and data residency requirements) to Level 4 (strictest controls, including Union citizenship for personnel and no third-country control). Recognition for these levels is granted by national competent authorities following self-assessment (Level 1) or independent third-party audits (Levels 2–4), as detailed in Articles 17–21. This framework is designed to ensure that cloud services are free from third-country coercion and operational disruption.
The EuroCloud Federation (Article 34) is a separate instrument designed to facilitate the sharing of public-sector data centre and cloud computing services between Union entities and public sector bodies. Its primary objective, as stated in Article 34(2), is to enable the exchange of idle capacity and foster interoperability among public clouds. It is a voluntary framework for public entities to pool resources, governed by specific sharing conditions in Article 35. Crucially, Article 34 does not define security postures; it defines the rules of engagement for sharing.
2. Sovereignty Tiers Apply to Shared Services
A critical nuance often missed is that membership of, or participation in, EuroCloud does not automatically confer a sovereignty level. Article 34 establishes the platform and rules for sharing, but it does not define the security or sovereignty posture of the services being shared.
When a public sector body (the "sharing entity") makes its services available to another member (the "using entity") via EuroCloud, those services must still comply with the sovereignty requirements applicable to the using entity's needs. The sovereignty tiers act as the quality filter for services entering the EuroCloud ecosystem, while EuroCloud acts as the distribution network for those qualified services.
- The Procurement Mandate: If a national defence ministry (a contracting authority) requires a cloud service for activities identified as contributing to the preservation of public order under Article 29, it must procure a service recognised at Union assurance Level 2, 3, or 4 (Article 30(3)).
- The Federation Constraint: If that ministry accesses capacity via the EuroCloud Federation, the underlying service provided by the sharing entity must already hold the requisite Union assurance level recognition. The Federation does not "upgrade" a Level 1 service to Level 3; it merely provides a channel for that Level 3 service to be accessed by another public body.
- Verification: Before engaging via the Federation, the using entity must verify the provider's status in the central repository established under Article 22.
3. Administrative and Cost Implications
Article 35 outlines the conditions for sharing, emphasizing that fees charged by the sharing entity must be limited strictly to cost recovery (e.g., allocating resources, managing access, ensuring compliance). These fees do not constitute a pecuniary interest under public procurement rules, allowing for streamlined cooperation without triggering full tender procedures.
However, the administrative burden of maintaining the sovereignty tier remains with the service provider. The EuroCloud Federation does not relieve providers of their obligation to maintain audit trails, software bills of materials (SBOMs), or personnel screening records required by Annex II.
- Audit Costs: For Levels 2–4, the provider must undergo independent third-party audits under Article 20. These costs are borne by the provider, not the Federation.
- Transparency: Providers must notify the auditing organisation and competent authority of any material changes under Article 23, regardless of whether the service is shared via EuroCloud.
4. Strategic Alignment and Autonomy
Both mechanisms serve the broader Title IV objective of enhancing Union autonomy, but they address different market failures.
- Sovereignty Tiers (Articles 16–21): Address the risk of third-country control and operational discontinuity by establishing a harmonised, auditable standard of trust. This mitigates risks associated with extraterritorial laws (such as the US CLOUD Act, as noted in the explanatory memorandum).
- EuroCloud Federation (Articles 34–36): Addresses the fragmentation of public capacity. By allowing public bodies to share idle resources, it accelerates the uptake of trusted services and reduces the financial barrier for smaller authorities to access high-assurance capacity without negotiating individual contracts.
What this means for you
For CTOs and Cloud Architects: When designing your cloud architecture for public sector clients, do not assume that listing your service on a public cloud federation platform satisfies sovereignty requirements. You must explicitly map your service's compliance against Annex II criteria. If you aim to serve high-risk public sector use cases (e.g., healthcare, justice, defence), your service must be formally recognised at Level 2, 3, or 4. EuroCloud membership is a sales and distribution channel, not a compliance certification. Ensure your technical documentation (SBOMs, data flow diagrams) is audit-ready for the specific tier you target.
For SMEs and Cloud Providers: EuroCloud offers a pathway to scale without the overhead of massive individual procurement bids. However, the barrier to entry for high-value public contracts remains the sovereignty audit. If you are an SME, note that Article 17(3) provides a derogation: SME statements of conformity for Level 1 are automatically recognised across the Union without prior national authority review. This lowers the friction for SMEs to enter the EuroCloud ecosystem for non-sensitive public workloads. For Levels 2–4, you must budget for independent third-party audits (Article 20) regardless of your Federation participation.
For Public Sector Procurement Officers: You can use EuroCloud to access sovereign capacity more efficiently, but your risk assessment obligations under Article 29 remain unchanged. You must still determine the appropriate assurance level for your specific use case. If your risk assessment mandates Level 3, you can only procure services from EuroCloud members that have been formally recognised as offering Level 3 assurance. Verify the provider's status in the central repository (Article 22) before engaging via the Federation.
Common misconceptions
"EuroCloud is a sovereignty certification." Incorrect. EuroCloud is a sharing framework. Sovereignty certification comes from the Union assurance levels (Articles 16–21). A service can be in EuroCloud without being Level 3, and a Level 3 service can exist outside EuroCloud. The Federation does not grant assurance; it distributes services that already possess it.
"Sharing via EuroCloud simplifies compliance." Partially true administratively (no new procurement tender), but false technically. The provider must still maintain full compliance with the sovereignty tier criteria. The Federation does not waive audit requirements, data residency rules, or personnel screening obligations found in Annex II.
"Only EU-based providers can join EuroCloud." While EuroCloud is for public sector bodies, the underlying services must meet sovereignty criteria. For Level 3, third-country providers may be eligible if the Commission adopts an implementing act under Article 18 confirming the third country provides sufficient safeguards. Thus, a non-EU provider could theoretically provide services via EuroCloud if they meet the strict Level 3 criteria and associated third-country conditions, though Level 4 strictly prohibits third-country control.
This is general information about a draft EU regulation, not legal advice.