Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector buyers would have to procure cloud services recognised at least at Union assurance level 1 (Article 30(2)). That baseline requires the provider to be established in the Union and its infrastructure and customer data to remain there; it addresses physical location and establishment, not third-country legal control over the provider, which only the higher levels target. For activities that contribute to the preservation of public order (national security, justice, law enforcement and NIS2 critical sectors, among others), Member States and Union entities must conduct Article 29 risk assessments, and activities so identified may only be served at level 2, 3 or 4, which impose stricter controls on personnel, supply chains and third-country control.

Detail

As proposed, CADA introduces a structured sovereignty framework to reduce EU dependence on non-European cloud providers. For public-sector procurement officers, the key shift is from voluntary best practice to mandatory, recognition-based assurance levels. The core procurement rule sits in Article 30.

The baseline: Union assurance level 1

Article 30(2) provides that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment must use cloud services recognised at Union assurance level 1.

This is the statutory floor. Under Annex II (Section 1), level 1 requires, cumulatively:

  • Establishment: the provider is established in the Union.
  • Location of assets: infrastructure and assets, including those of subcontractors involved in the service, are located in the Union unless the public sector body explicitly requires otherwise.
  • Data residency: customer data, including metadata and telemetry, remains exclusively within the Union unless the public sector body explicitly requires otherwise.
  • Cybersecurity: the service complies with state-of-the-art cybersecurity standards.
  • Subcontractor transparency: the provider provides full transparency on the subcontractors involved in the service and subjects them to due diligence.

For many global hyperscalers, level 1 may be feasible through EU-established entities, EU-located data centres and contractual data-residency guarantees. But the exclusive-residency requirement, which extends to metadata and telemetry and to subcontractors' assets, still poses a challenge for globally interconnected architectures where data flows across borders for redundancy or processing.

The escalation: levels 2-4 for public-order relevance

Article 29 obliges Member States and Union entities to conduct risk assessments to identify public-sector activities that contribute to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive, and in national security, internal security, external border management, defence, justice or law enforcement — and to determine the appropriate level.

Article 30(3) then provides that contracting authorities whose activities fall into those categories may only procure services recognised at Union assurance level 2, 3 or 4.

The higher-level criteria in Annex II introduce barriers most standard hyperscaler offerings cannot currently meet without significant change:

  • Level 2: the provider and its subcontractors are established in the Union, and infrastructure, assets and personnel are located in the Union. Data generated by using the service must not be used to train or fine-tune any AI system operated by a third country or an entity established in a third country, and must not be transferred outside the Union. A European cybersecurity certificate of at least "substantial" level is required once the relevant scheme exists (national or fallback standards apply until then). Union citizenship for personnel is required only where the public sector body determines additional screening and citizenship requirements are necessary. Where the provider is subject to third-country control, it must demonstrate that such control cannot restrict the service, allow third-country access to customer data, or enable disruption.
  • Level 3: all personnel involved in providing the service, including subcontractors, must be Union citizens (and, where handling classified information, hold the necessary national security clearance). Technical and operational support must be initiated and performed exclusively within the Union by Union residents. The provider and subcontractors must not be subject to third-country control, save for the narrow Article 18 derogation.
  • Level 4: the highest tier, requiring a "high" cybersecurity certificate, the strictest software-supply-chain controls (no third country holding effective control over design, development or maintenance of software components), and that sensitive data identified through risk assessment remains exclusively within the Union.

Hyperscaler offerings vs CADA requirements

  1. Data sovereignty vs legal jurisdiction: many hyperscalers guarantee EU data residency, but CADA's higher levels focus on control. A provider headquartered in a third country (for example the US) may be subject to laws such as the CLOUD Act that can compel disclosure regardless of where the data is stored. At level 2, a provider subject to third-country control must demonstrate that such control cannot compel access to customer data or disrupt the service; at level 3, the provider and its subcontractors must not be subject to third-country control at all. The only exception is Article 18, which allows a provider subject to third-country control to be recognised at level 3 where the Commission has adopted an implementing act finding that the third country meets cumulative criteria (including a GDPR adequacy decision and procurement-market reciprocity).
  2. AI-training restrictions: a key differentiator is the prohibition (Annex II, levels 2-4) on using data generated by the service to train or fine-tune AI systems operated by third countries. This directly affects hyperscalers that leverage customer data to improve global AI services.
  3. Personnel and subcontracting: levels 3 and 4 require Union citizenship for personnel and that technical/operational support be performed exclusively within the Union by Union residents, which challenges globally distributed support models.

The role of risk assessments

Public buyers cannot simply choose level 1 for convenience. Article 29 requires risk assessments (one year after entry into force, then every two years or whenever necessary) considering the sensitivity and criticality of data, the risk of unlawful third-country access, and the risk of service disruption. Where an activity is public-order relevant, the buyer is bound to seek level 2, 3 or 4. The Commission would specify the methodology and templates via implementing acts and may, on review, specify the levels needed (Article 29(5)).

What this means for you

As a public-sector procurement officer, your role would shift from price-focused negotiation toward compliance-driven verification.

  1. Audit your current contracts: review existing contracts against Article 30. Standard public bodies should ensure providers can show level 1 recognition; bodies in critical or public-order sectors should run the Article 29 risk assessment to determine whether levels 2-4 apply.
  2. Request evidence, not promises: do not accept self-declared "sovereign" claims. Require the EU statement of conformity (level 1) or audit report and "positive" audit opinion (levels 2-4), and verify registration in the central repository under Article 22.
  3. Plan for migration: where a risk assessment requires migration, Article 29(6) allows a transition period not exceeding 12 months.
  4. Apply added-value criteria where relevant: in procurement of innovative cloud services and AI systems, Article 32 requires non-price award criteria assessing the tenderer's contribution to the European cloud and AI ecosystem (including Union-designed or -manufactured hardware and software). These criteria must be ancillary and not decisive in the award.
  5. Consider multi-cloud strategies: Article 29(9) requires you to consider, in the risk assessment, whether a multi-vendor or multi-cloud strategy is appropriate.

Common misconceptions

  • "All EU data centres are sovereign under CADA." Incorrect. A data centre in Germany does not by itself grant level 2, 3 or 4. Sovereignty under CADA turns on control and legal jurisdiction, not just physical location.
  • "Level 1 is only for small providers." Incorrect. Large providers can achieve level 1 by establishing a Union entity, keeping data in the Union and meeting cybersecurity standards. Levels 2-4 are far harder for global providers because of personnel and supply-chain restrictions.
  • "We can ignore this if we are a private entity." Largely, but with caveats. The mandatory procurement rules apply to public-sector bodies. Article 31 lets private entities in NIS2 Annex I sectors carry out similar (generally voluntary) impact assessments, and market demand may push higher assurance toward a de facto standard.
  • "Open-source software automatically meets sovereignty requirements." No. CADA promotes open source (Article 41), but the assurance levels turn on the provider's operations, data handling and legal structure; using open source does not by itself satisfy the criteria.

This is general information about a draft EU regulation, not legal advice.