Summary

No. Data localisation simply means storing data within specific geographic borders, such as inside the EU. Digital sovereignty, as approached in the proposed Cloud and AI Development Act (CADA), is broader: it concerns whether the EU retains control over its data and infrastructure, preventing third-country laws from compelling access or disrupting services. Localisation is one necessary technical component, but sovereignty addresses the legal and operational risks of external control that localisation alone cannot solve.

Detail

To see why these concepts differ, look at how CADA structures trust and security. The proposal moves away from treating geographic location as the sole determinant of safety. It introduces a Union cloud computing sovereignty framework of four assurance levels (Article 16, with criteria in Annex II).

Data localisation: where the data sits

Data localisation refers to the physical or logical storage of data within a jurisdiction. Under CADA it is a baseline element of the lowest assurance level. Annex II, point 1.1(c) requires that for Union assurance level 1, customer data, including metadata and telemetry, "remain exclusively within the Union, unless the public sector body explicitly requires otherwise." Note that the wording covers more than the primary database: in practice a procurer has to check where backups, replicas, logs, telemetry endpoints and remote support access sit, since any of these can move data outside the Union even when the main region is European. CADA nonetheless treats localisation alone as insufficient for high-risk public-sector activities.

Digital sovereignty: who can compel access

Digital sovereignty addresses the risk that, even with data in Europe, a third country may still compel access, often because the provider is subject to that country's laws through ownership or jurisdiction.

Recital 48 highlights this gap, noting that providers have launched "tailored versions" of their services but "those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." It adds that, consequently, "the Union will not ensure autonomy or control over its data, assets and digital infrastructure." Sovereignty is thus about operational autonomy and legal insulation from extraterritorial laws, such as the US CLOUD Act, which can require a provider subject to US jurisdiction to produce data in its possession, custody or control regardless of where that data is stored.

How CADA goes beyond localisation

As the assurance level rises, requirements move beyond localisation to address control, personnel and supply-chain integrity.

  1. Level 1 (baseline): Requires EU establishment and data localisation within the Union unless the public-sector body requires otherwise (Annex II, points 1.1(a) and (c)). Where the provider is third-country-controlled, it must show no third-country law forces pre-exploitation disclosure of software vulnerabilities (point 1.1(g)).
  2. Level 2: Requires that infrastructure, assets and personnel of the provider and its subcontractors are located in the Union (Annex II, point 2.1(b)), and that service-generated data is not used to train or fine-tune third-country AI systems (point 2.1(f)).
  3. Level 3: Requires personnel involved in the service to be Union citizens (Annex II, point 3.1(d)) and generally prohibits providers subject to third-country control (point 3.1(g)), unless the Commission recognises the home country under Article 18.
  4. Level 4: Similar to level 3 but with stricter software supply-chain and component-control requirements, ensuring no third country holds effective control over the design or maintenance of the software (Annex II, point 4.1), and with no Article 18 derogation.

The role of risk assessments

Because sovereignty is about risk mitigation, Article 29 requires Member States and Union entities to conduct risk assessments to determine the appropriate level for specific activities, considering the sensitivity and criticality of the data, the risk of unlawful third-country access, and the risk of service disruption. A non-critical internal tool might need only level 1 (localisation), while a defence-related system would require level 3 or 4.

What this means for you

For public-sector procurement officers, the distinction is vital for compliant decisions.

1. Localisation is not enough for critical systems. Do not assume a provider is "sovereign" because its data centres are in Frankfurt or Dublin. If it is third-country-controlled, extraterritorial laws may still apply. Under Article 30(3), contracting authorities whose activities contribute to public order must procure services recognised at Union assurance level 2, 3 or 4.

2. Use the central repository. To verify status, consult the central repository established under Article 22, which lists services recognised at each level. Do not rely on "EU-hosted" marketing claims.

3. Conduct risk assessments. Your organisation must perform the Article 29 assessments, which determine the minimum assurance level you are permitted to procure for a given activity. A level 1 service (localisation only) would likely be non-compliant for sensitive or public-order activities.

4. Watch for supply-chain requirements. Higher levels bring stricter supply-chain rules; for example, Annex II, point 2.1(i) requires a Software Bill of Materials (SBOM), a machine-readable inventory of the components that make up the service's software. As a procurer, you may need evidence of these controls during the tender, so ask for the SBOM and the supporting documentation rather than a statement that one exists.

Common misconceptions

Misconception 1: "If the data is in the EU, it is safe from foreign access." Incorrect. As Recital 48 notes, extraterritorial laws can reach providers regardless of data location. Sovereignty frameworks address the legal ability of a third country to compel access or disruption, which localisation does not prevent.

Misconception 2: "Sovereignty means only EU companies can provide cloud services." Not necessarily. Article 18 allows recognition of third countries that provide sufficient assurances; if a country meets the cumulative criteria, providers subject to its control may be audited for Union assurance level 3. This is an exception requiring a specific Commission decision.

Misconception 3: "Data localisation is the highest level of security." Localisation is the lowest threshold. Level 1 requires it, but levels 2, 3 and 4 add controls over personnel, infrastructure and software supply chains.

This is general information about a draft EU regulation, not legal advice.