TL;DR
No. As proposed, storing data within the European Union would not automatically make a cloud service "sovereign" under the Cloud and AI Development Act (CADA). Data localisation is only the baseline. CADA's sovereignty framework would rely on a graded system of four Union assurance levels that assess operational control, personnel nationality, software supply chains, and exposure to foreign laws. To be recognised at the higher levels, a provider would have to demonstrate that third-country entities cannot access data or disrupt the service — a standard EU storage alone cannot satisfy.
Detail
Under CADA, sovereignty would not be a binary status but a tiered framework designed to mitigate risks from dependence on third-country providers. Article 16 would establish a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II. These levels define the cumulative criteria that cloud computing service providers would have to meet to provide their services to Union entities and public sector bodies.
The graded framework: Article 16 and Annex II
The core of CADA's sovereignty model is the recognition that data residency is necessary but insufficient for true sovereignty. Article 16(1) provides that the framework comprises four Union assurance levels, with the criteria set out in Annex II. Providers aiming to serve Union entities and public sector bodies would have to meet these criteria to gain recognition.
- Union Assurance Level 1: The baseline. Annex II, Section 1.1 would require that the provider be established in the Union and that infrastructure and assets remain in the Union. Criterion 1.1(c) would require that customer data, including metadata and telemetry data, remain exclusively within the Union unless the public sector body explicitly requires otherwise. Level 1 would still allow subcontractors outside the Union where strict legal, technical and organisational measures ensure traceability and security, and would permit providers subject to third-country control where they can demonstrate that no law in that third country requires them to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited.
- Union Assurance Levels 2, 3 and 4: These higher levels would introduce progressively stricter, cumulative requirements that go well beyond data storage.
  - Level 2: Annex II, Section 2.1 would require that the provider and its subcontractors be established in the Union, and that infrastructure, assets and personnel are located in the Union. Data generated by using the service must not be used to train or fine-tune any AI system operated by a third country. Where the provider is subject to third-country control, it must demonstrate that this control does not restrict its ability to perform the service, does not allow third-country access to customer data, and does not enable disruption of service continuity.
  - Level 3: Annex II, Section 3.1 would tighten the criteria further. Personnel involved in the provision of the service must be Union citizens (with national security clearance where classified information is handled). The provider and its subcontractors must generally not be subject to the control of a third country or of a legal entity established in a third country. An exception applies only where the Commission has adopted an implementing act on associated third countries under Article 18, confirming that the third country provides sufficient safeguards against unauthorised access and service disruption.
  - Level 4: Annex II, Section 4.1 would represent the highest level of assurance, requiring Union citizenship for personnel, strict Union localisation of sensitive data, and the absence of third-country control. It would also require the provider to retain effective control over software components, ensuring that no third country holds or exercises effective control over their design, development or maintenance.
Why EU storage is not enough
The distinction between data residency and sovereignty is critical. A provider can store all data in an EU data centre (satisfying the localisation aspect of Level 1) yet still be subject to the extraterritorial laws of a third country, such as the US CLOUD Act. Recital 48 of the proposal notes that providers have launched tailored versions of their services that do not address core sovereignty concerns, including the extraterritorial reach of third-country laws.
Article 16 and its annexes would focus on operational autonomy rather than on storage location alone. For example, Annex II, Section 2.1 would require the provider to demonstrate that any third-country control does not impose limitations on its capabilities, and that technical and operational support (including sub-outsourcing) is initiated and performed exclusively within the Union. So if a US-based hyperscaler stores EU data in Frankfurt but its US parent retains remote access capabilities, or its EU subsidiary remains exposed to US legal demands for data access, it would fail the criteria for Levels 2–4 despite the data physically residing in the EU.
Furthermore, Article 17 would establish the recognition mechanism, under which a provider submits an application to the national competent authority of establishment. For Levels 2–4, recognition would require an independent third-party audit (Article 20), with audit evidence assessed against Annex III (Article 21). Auditors would examine ownership structures, corporate governance and software supply chains to verify that no third country can compel the provider to degrade service quality or access customer data.
What this means for you
For CTOs and architects evaluating cloud providers, the key takeaway is that "EU-hosted" would no longer be a sufficient compliance marker for public sector or high-criticality contracts.
- Audit your provider's control structure. If you target public sector contracts or operate in critical sectors (e.g. energy, health, finance), look beyond data centre locations. Assess whether your provider is subject to third-country control. Under Annex II, even if data sits in the EU, a provider whose ultimate parent is in a non-EU country without an Article 18 associated-third-country decision would likely not meet Level 3 or 4.
- Prepare for audits. CADA would introduce a rigorous audit regime for Levels 2–4. Ensure your provider can produce evidence of operational separation from third-country entities, including a software bill of materials (SBOM) and proof that technical support is exclusively EU-based.
- Align with risk assessments. Under Article 29, Member States and Union entities would conduct risk assessments to determine the appropriate assurance level for public sector activities. Where activities contribute to the preservation of public order in sectors under Annex I or II of the NIS2 Directive, or in national security, defence, justice or law enforcement, Article 30(3) would require procurement of services recognised at Level 2, 3 or 4. Level 1 (EU storage) would not be compliant for those use cases.
- Demand supply-chain transparency. Annex II would require detailed transparency around subcontractors and software components. Where a critical component is owned or licensed by a third-country entity, the provider must demonstrate controls to block remote features that could tamper with or disrupt the service.
Common misconceptions
- Misconception: "If my data is stored in an EU data centre, I am CADA-compliant."
- Reality: That would only satisfy the baseline localisation requirement of Level 1. Higher levels require proof of operational autonomy, personnel nationality and absence of third-country control.
- Misconception: "Sovereignty is the same as cybersecurity."
- Reality: As proposed, CADA distinguishes sovereignty from cybersecurity. A service can be highly secure yet still subject to foreign legal demands for data access, which would fail CADA's sovereignty criteria.
- Misconception: "Only non-EU providers are affected."
- Reality: EU-based providers that are subsidiaries of non-EU parents would also have to prove legal, technical and organisational separation from their parent to reach Levels 3 and 4.
Related
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- Sovereign cloud vs trusted cloud: do the terms mean the same under CADA?
- Sovereign cloud vs public cloud: what's the difference under CADA?
- Sovereign cloud vs private cloud under CADA: which gives more control?
- CADA national competent authority vs a data protection authority
This is general information about a draft EU regulation, not legal advice.