Summary

"Public cloud" describes a delivery model — shared, multi-tenant computing resources delivered over the internet, often by providers controlled outside the EU. "Sovereign cloud" describes a set of guarantees about control, jurisdiction and operational autonomy. The two are not opposites: a public-cloud service can be sovereign if it meets the right criteria. Under the proposed Cloud and AI Development Act (CADA), that question stops being a marketing claim and becomes a graded, verifiable standard. Article 16 would establish a Union cloud computing sovereignty framework of four "Union assurance levels," letting public-sector bodies match the assurance of a service to the sensitivity of what they run on it.

Detail

The useful distinction is not "public versus sovereign" but "what is the delivery model" versus "what control and autonomy does the service guarantee." CADA gives the second question a legal answer, moving the debate from vague promises of "local data" to auditable criteria.

What is public cloud?

Public cloud refers to computing resources — servers, storage, applications — delivered over the internet by a third-party provider. Its defining feature is multi-tenancy: infrastructure is shared across many customers to maximise efficiency and reduce cost. The model is strong on scalability, speed and cost, but on its own says nothing about jurisdiction or who can compel access. Many dominant providers are headquartered in third countries and subject to those countries' laws, which can create a risk of extraterritorial data access regardless of where data is physically stored. For a public body handling sensitive information, that lack of guaranteed autonomy is the vulnerability.

What is sovereign cloud?

Sovereignty is more than data residency (storing data inside the EU). It is the assurance that no third country, or entity established in a third country, can exercise control over the service in a way that compromises its operation, security or the confidentiality of its data. CADA treats sovereignty not as a yes/no badge but as a spectrum, so that an organisation can choose the level of assurance that matches the sensitivity of its activity. That graded approach is set out in Article 16, which establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, with the criteria in Annex II.

The CADA framework: Article 16 and the assurance levels

Article 16 is the cornerstone of the EU's proposed approach. It would let cloud services be assessed and formally recognised at a specific level of sovereignty, replacing fragmented national approaches with one EU-wide standard. The criteria are cumulative: a service seeking a higher level must meet every criterion of the levels below it. Drawing on Annex II:

  1. Union assurance level 1 (baseline). The provider is established in the Union; infrastructure and assets are located in the Union; customer data (including metadata and telemetry) remains exclusively in the Union "unless the public sector body explicitly requires otherwise"; the service meets state-of-the-art cybersecurity standards; and there is full transparency over subcontractors. A third-country-controlled provider may still reach level 1, but must guarantee there are no laws in that country forcing it to report software vulnerabilities to that country's authorities before they are exploited. Level 1 is verified by self-assessment.
  2. Union assurance level 2. Adds independent third-party audit; personnel and subcontractors located in the Union; a European cybersecurity certificate of at least "substantial" level; data generated by the service not used to train or fine-tune AI operated by a third country; technical support performed exclusively within the Union; and software supply-chain controls including a complete SBOM. Union citizenship of personnel is required only where the public-sector body determines it necessary.
  3. Union assurance level 3. For sensitive activities. Personnel (including subcontractors' personnel) involved in the service must be Union citizens, with national security clearance where classified information is handled. The cybersecurity certificate remains at least "substantial." Critically, the provider and its subcontractors must not be subject to third-country control — with a single exception under Article 18 (the "associated third country" route, which can reach level 3 only).
  4. Union assurance level 4 (highest). For the most critical activities. It requires a "high"-level cybersecurity certificate, Union citizenship of personnel, and an absolute prohibition on third-country control — there is no Article 18 derogation. Customer data identified as sensitive through a risk assessment must remain exclusively within the Union.

Why the distinction matters for the public sector

For procurement officers, the difference is decisive because it drives compliance with public-order requirements. Article 29 would require Member States and Union entities to carry out risk assessments identifying which activities "contribute to the preservation of public order." Based on those, Article 30 would set the level a contracting authority must procure: level 1 for activities not identified as public-order-relevant (Article 30(2)), and level 2, 3 or 4 for those that are (Article 30(3)). A municipality running routine administration might need only level 1; a police force investigating cybercrime would likely need level 3 or 4. The framework replaces ad-hoc security judgments with a standardised, legally recognised benchmark.

What this means for you

For public-sector buyers and legal teams, CADA would change how cloud services are evaluated and bought.

  1. From marketing claims to recognised levels. Instead of trusting a "European" or "secure" label, you would rely on a service's formal recognition at a specific Union assurance level — giving legal certainty and auditability.
  2. Risk assessments are mandatory and recurring. Under Article 29(1), assessments would be carried out within one year of entry into force and "thereafter every two years, or whenever necessary," to identify which activities are public-order-relevant and the level they require.
  3. A central repository for verification. Under Article 22, the Commission would maintain a public central repository of recognised services, kept up to date by the Commission and national authorities — a single place to confirm a provider's recognised level before awarding.
  4. Transition periods for migration. Where a risk assessment requires moving to another service, Article 29(6) allows "a reasonable transition period that shall not exceed 12 months," taking account of technical feasibility, continuity and data portability.
  5. Supply-chain sovereignty. Higher levels reach beyond the headline provider to subcontractors, software components and (at levels 3 and 4) the citizenship of personnel. Your due diligence would need to go that deep.

Common misconceptions

"Sovereign cloud means data may never leave the EU." Data localisation is central, but Annex II allows customer data to leave the Union where "the public sector body explicitly requires otherwise" (at levels 1 to 3). At level 4, data identified as sensitive through risk assessment must remain in the Union. Sovereignty is fundamentally about control and preventing unauthorised access, not only physical location.

"Public cloud cannot be sovereign." It can. "Public cloud" is a delivery model (shared resources); "sovereign" describes the legal and technical controls. A multi-tenant public-cloud service can be recognised at a Union assurance level if it meets the Annex II criteria.

"Only large hyperscalers can offer sovereign cloud." The framework is designed to be neutral. Clear, standardised criteria let smaller European providers compete for public contracts by demonstrating compliance with a specific level, rather than relying on brand.

"Sovereignty is just cybersecurity." Cybersecurity is necessary but not sufficient. A service can be technically secure yet still subject to foreign legal compulsion or operational disruption. CADA's higher levels add precisely the controls — freedom from third-country control, prevention of foreign data access and service disruption — that cybersecurity certification alone does not guarantee.

This is general information about a draft EU regulation, not legal advice.