Sovereignty Framework

Are metadata and telemetry covered by CADA data-residency rules? Yes, under the proposed Cloud and AI Development Act (CADA), metadata and telemetry are explicitly covered by data residency rules. Are the CADA sovereignty tiers mandatory for cloud providers? No, the Cloud and AI Development Act (CADA) does not mandate that all cloud providers obtain sovereignty recognition. Associated Third Countries under CADA: Article 18 and Level 3 Eligibility Under the proposed Cloud and AI Development Act (CADA), "associated third countries" are non-EU nations designated by the European Commission via implement CADA and EUCS: How the EU Cybersecurity Certification Scheme fits the Sovereignty Framework As proposed, the Cloud and AI Development Act (CADA) would make the European Cybersecurity Certification Scheme for Cloud Services (EUCS) a mandatory techn CADA Annual Audit Review: How It Protects Buyers Over Time Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers recognized at Union assurance levels 2, 3, or 4 are subject to a CADA Article 18: How the 'Associated Third Country' Mechanism Works for Providers Under the proposed Cloud and AI Development Act (CADA), the "associated third country" mechanism creates a narrow, conditional pathway for cloud providers CADA Article 18: How the Commission designates associated third countries Under the proposed Cloud and AI Development Act (CADA), the European Commission may designate specific "associated third countries" through implementing ac CADA Article 18: Lawful Access Conditions for Associated Third Countries Under the proposed Cloud and AI Development Act (CADA), the Commission may designate an "associated third country" allowing its cloud providers to qualify CADA Associated Third Countries vs. GDPR Adequacy: Key Differences Under the proposed Cloud and AI Development Act (CADA), an "associated third country" is a specific legal status that permits cloud providers controlled by CADA Associated Third Countries: Why GDPR Adequacy Is Not Enough Under the proposed Cloud and AI Development Act (CADA), a cloud service provider controlled by a third country can only qualify for Union assurance level 3 CADA Associated Third Country: What if GDPR Adequacy is Lost? Under the proposed Cloud and AI Development Act (CADA), the status of an "associated third country" is inextricably linked to the validity of its GDPR adeq CADA Assurance Levels: The Roadmap from Level 1 to Level 4 Under the proposed Cloud and AI Development Act (CADA), a provider cannot simply "upgrade" from Union assurance level 1 to level 4; each tier represents a CADA Assurance Levels: The Simplest Board-Level Explanation The simplest way to explain the proposed Cloud and AI Development Act (CADA) to a board is to frame it as a risk-based menu for public procurement, not a t CADA Assurance Levels: The Simplest Tier for Non-Technical Stakeholders The easiest Cloud and AI Development Act (CADA) tier to explain to non-technical stakeholders is Union Assurance Level 1. CADA Assurance Levels: What 'Self-Assessed' vs 'Audited' Means for Cloud Providers Under the proposed Cloud and AI Development Act (CADA), cloud providers must prove they meet specific sovereignty criteria to serve the public sector. CADA Audit Confidentiality: How Article 20 Protects Trade Secrets Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must undergo independen CADA Audit Evidence: What is Annex III and how is it assessed? Annex III of the proposed Cloud and AI Development Act (CADA) defines the specific audit evidence that independent auditing organisations must request from CADA Audit Fees: Can They Depend on the Outcome? Under the proposed Cloud and AI Development Act (CADA), auditing organisations cannot charge fees that depend on the outcome of an audit. CADA Auditing Independence: Article 20 Conflict Rules Explained Under the proposed Cloud and AI Development Act (CADA), an auditing organisation is only considered independent if it strictly adheres to the conflict-of-i CADA Audit Opinions: Positive vs Negative Outcomes Explained Under the proposed Cloud and AI Development Act (CADA), an independent auditing organisation issues a "positive" opinion only if all evidence confirms that CADA Auditor Independence: What Non-Audit Services Disqualify an Auditor? Under the proposed Cloud and AI Development Act (CADA), an auditing organisation is strictly disqualified from auditing a cloud computing service provider CADA Audit Report Requirements: What Must Be Included? Under the proposed Cloud and AI Development Act (CADA), an independent audit report for Union assurance levels 2, 3, or 4 must be a "substantiated, in writ CADA Audit Reports: Documenting Third-Party Consultations Under the proposed Cloud and AI Development Act (CADA), the documentation of third-party consultations is a mandatory, non-negotiable component of the inde CADA Audit Reports: What Declaration of Interests is Required? Under the proposed Cloud and AI Development Act (CADA), an audit report for Union assurance levels 2, 3, or 4 must include a specific "declaration of inter CADA Audit Reports: What if an auditor cannot audit certain aspects? Under the proposed Cloud and AI Development Act (CADA), if an independent auditor is unable to assess specific aspects of a cloud computing service, they a CADA Audit Report vs. Audit Opinion: Key Differences Explained Under the proposed Cloud and AI Development Act (CADA), the audit report and the audit opinion are distinct but inseparable components of the independent t CADA Audit Review Frequency: Annual Obligations for Levels 2-4 Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers holding Union assurance levels 2, 3, or 4 are subject to a mandat CADA Audit Rule: Why Higher Assurance Levels Require Lower-Tier Compliance Under the proposed Cloud and AI Development Act (CADA), the cumulative-criteria rule mandates that cloud computing service providers seeking higher Union a CADA Central Repository: How to Find Recognised Cloud Services As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) mandates the European Commission to establish and maintain a central repository CADA Conformity Self-Assessment: The Level 1 Pathway Explained Under the proposed Cloud and AI Development Act (CADA), conformity self-assessment is the exclusive compliance mechanism for cloud computing service provid CADA Cross-Border Recognition: The 60-Day Review Period Explained Under the proposed Cloud and AI Development Act (CADA), the cross-border review period for the recognition of a cloud computing service provider's Union as CADA Cumulative Criteria: How Higher Sovereignty Levels Build on Lower Tiers Under the proposed Cloud and AI Development Act (CADA), the "cumulative criteria" rule means that cloud providers seeking higher Union assurance levels mus CADA Cybersecurity: What if no EU scheme exists yet? As proposed, if the European Cybersecurity Certification Scheme for Cloud Services (EUCS) under the Cybersecurity Act is not yet established, cloud provide CADA Data Residency: How Rules Differ Across Assurance Levels 1–4 Under the proposed Cloud and AI Development Act (CADA), data residency obligations escalate significantly across the four Union assurance levels. CADA Data Training Ban: Can Cloud Providers Train AI on Customer Data? As proposed, the Cloud and AI Development Act (CADA) imposes a strict prohibition on cloud computing service providers using customer data to train or fine CADA Data Training Ban: How the EU Cloud Act Protects AI Data Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 are strictly prohibited CADA Delegated & Implementing Acts: How the Sovereignty Framework Evolves The proposed Cloud and AI Development Act (CADA) does not freeze the definition of "sovereign" cloud services in its primary text. CADA Establishment Requirement: EU Domicile for All Assurance Levels Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must be legally "established in the Union" to qualify for any of CADA foreign-control safeguards: What providers must prove for UAL 2 & 3 Under the proposed Cloud and AI Development Act (CADA), cloud providers subject to the control of a third country or a third-country legal entity face a hi CADA: How providers with third-country subsidiaries must separate to qualify Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers that maintain a subsidiary in a third country must demonstrate "e CADA Level 1 Data Residency: What the Proposal Requires Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 imposes a strict territorial confinement rule: all customer data, explicitl CADA Level 1 vs Level 2: What Public Buyers Must Know For public-sector buyers, the distinction between CADA Union Assurance Level 1 and Level 2 is defined by the verification mechanism and the depth of operat CADA Level 2 Cybersecurity: The 'Substantial' EUCS Certificate Requirement Under the proposed Cloud and AI Development Act (CADA), cloud computing services seeking Union Assurance Level 2 must obtain a European cybersecurity certi CADA Level 2 Personnel: Can a Buyer Require EU Citizenship? Under the proposed Cloud and AI Development Act (CADA), a public-sector buyer procuring cloud services at Union assurance level 2 has the discretion to imp CADA Level 2: Third-Country Control Safeguards Explained As proposed, the Cloud and AI Development Act (CADA) allows cloud providers subject to third-country control to achieve Union assurance level 2, but only i CADA Level 2: What Legal Teams Must Verify in Vendor Audits Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 2 represents a critical mid-tier sovereignty standard requiring cloud provide CADA Level 3 & 4: The Business Case for Sovereign Cloud Providers Pursuing Union Assurance Level 3 or 4 under the proposed Cloud and AI Development Act (CADA) is a strategic investment to access exclusive, high-value publ CADA Level 3: Handling Classified Information and Personnel Requirements As proposed in the Cloud and AI Development Act (CADA), Union Assurance Level 3 is explicitly designed to enable the secure hosting of EU classified inform CADA Level 3: SBOM, Source Code Audits & Third-Country Controls Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance level 3 recognition must maintain a compl CADA Level 3: Sovereignty Requirements for Public Sector Buyers Under the proposed Cloud and AI Development Act (CADA), Union assurance level 3 represents a high tier of sovereignty designed for public-sector bodies han CADA Level 3 Support & Personnel Rules: Residents, Location & Control Under the proposed Cloud and AI Development Act (CADA), achieving Union Assurance Level 3 imposes strict constraints on how cloud services are supported. CADA Level 3 vs Level 2: Critical Architecture & Personnel Changes As proposed, the Cloud and AI Development Act (CADA) Level 3 imposes significantly stricter architectural and operational constraints than Level 2. CADA Level 4 Cybersecurity: The 'High' EUCS Certificate Requirement As proposed, the Cloud and AI Development Act (CADA) requires cloud computing service providers seeking Union Assurance Level 4 to obtain a European cybers CADA Level 4 Data Residency: Strict Rules for Sensitive Data Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 4 imposes the strictest data residency regime in the framework. CADA Level 4 Personnel Rules: Union Citizens, Clearances & Subcontractors Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 4 imposes the most stringent personnel requirements for cloud services safegu CADA Level 4: Sensitive Data Risk Assessment & Strict Residency Rules As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) establishes a strict regime for Union Assurance Level 4, the highest tier of cl CADA Level 4: The Sovereign Standard for Defence and Classified Workloads As proposed, CADA Level 4 represents the apex of the Union cloud computing sovereignty framework, specifically engineered for the most sensitive public-sec CADA Level 4: What 'Effective Control' Over Software Means Under the proposed Cloud and AI Development Act (CADA), achieving Union assurance level 4 requires that no third country or legal entity established in a t CADA Levels 2-4: Strict Infrastructure, Asset & Personnel Location Rules Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 2, 3, or 4 must ensure that their infrastructure, as CADA ongoing obligations: Annual audits, material changes & revocation Under the proposed Cloud and AI Development Act (CADA), achieving recognition as a Union-assured cloud provider is not a one-time event but the start of a CADA Open Source Controls: Remote Tampering Rules for Levels 2-4 Under the proposed Cloud and AI Development Act (CADA), the use of open-source software (OSS) in cloud services does not grant immunity from strict soverei CADA Open-Source Controls: Remote Tampering Rules for Levels 2–4 As proposed, the Cloud and AI Development Act (CADA) imposes strict, escalating controls on open-source software (OSS) for cloud providers seeking Union As CADA Outsourcing Rules: Technical Support by Assurance Level Under the proposed Cloud and AI Development Act (CADA), the rules for outsourcing technical and operational support are strictly tiered by the Union assura CADA personnel requirements: How Union citizenship and support location escalate across tiers Under the proposed Cloud and AI Development Act (CADA), personnel requirements for cloud service providers escalate significantly across the four Union ass CADA Personnel Rules: When is National Security Clearance Required? Under the proposed Cloud and AI Development Act (CADA), national security clearance is not a blanket requirement for all cloud service personnel. CADA Public Procurement: How Recognition Levels Drive Tender Requirements As proposed, the Cloud and AI Development Act (CADA) would fundamentally restructure public procurement by making cloud service recognition a mandatory eli CADA public sector body: definition, data residency powers & assurance tiers Under the proposed Cloud and AI Development Act (CADA), a 'public sector body' is defined by reference to the Open Data Directive (Directive (EU) 2019/1024 CADA Recognition and Transparency: How Material Changes Affect Your Status Under the proposed Cloud and AI Development Act (CADA), recognition as a sovereign cloud service is not a static certificate but a dynamic status contingen CADA Recognition Clock: How Long Can the Assessment Be Suspended? Under the proposed Cloud and AI Development Act (CADA), the 60-day assessment period for recognizing a cloud computing service as meeting a Union assurance CADA Recognition Disputes: How Objections and Commission Decisions Work Under the proposed Cloud and AI Development Act (CADA), the recognition of a cloud computing service provider as offering a specific Union assurance level CADA Recognition Disputes: What Happens When a Member State Objects? Under the proposed Cloud and AI Development Act (CADA), the recognition of a cloud computing service as offering a specific "Union assurance level" is a Un CADA Recognition: How One Approval Opens the Entire EU Market Under the proposed Cloud and AI Development Act (CADA), a single recognition of a cloud computing service as meeting a specific Union assurance level is va CADA Recognition Process: Step-by-Step Guide for Cloud Providers The proposed Cloud and AI Development Act (CADA) establishes a mandatory, harmonised recognition procedure for cloud computing service providers (CSPs) see CADA Recognition Revocation: What Happens if a Provider Supplies False Information? Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider's recognition as offering a Union assurance level would be revok CADA Recognition: SMEs vs Large Providers – Automatic Level 1 vs Full Audit As proposed in the Cloud and AI Development Act (CADA), small and medium-sized enterprises (SMEs) benefit from a unique "fast track" for Union assurance le CADA Recognition: The Role of the National Competent Authority Under the proposed Cloud and AI Development Act (CADA), the national competent authority (NCA) of a cloud provider's main establishment acts as the sole "e CADA Recognition Timeline: How long does the process take? Under the proposed Cloud and AI Development Act (CADA), the standard recognition process for a cloud computing service provider takes approximately 120 day CADA Recognition Validity: Is a Cloud Service Approved Across the Whole EU? Yes, under the proposed Cloud and AI Development Act (CADA), a recognition of a cloud computing service as meeting a specific Union assurance level is vali CADA Recognition vs. Certification: What's the Difference? Under the proposed Cloud and AI Development Act (CADA), recognition is the formal administrative act by which a national competent authority grants a cloud CADA Recognition vs EUCS: Key Differences for Cloud Providers As proposed, CADA recognition under Article 17 is a legal mechanism that grants a cloud computing service a specific "Union assurance level" (1–4), valid a CADA Recognition: What Evidence Must Accompany Your Application? Under the proposed Cloud and AI Development Act (CADA), cloud service providers (CSPs) must submit distinct evidence packages to national competent authori CADA Recognition: What if your application lacks evidence? If your application for recognition under the proposed Cloud and AI Development Act (CADA) lacks sufficient evidence, the evaluating national competent aut CADA Recognition: What it means for a provider's go-to-market Under the proposed Cloud and AI Development Act (CADA), "recognition" is the mandatory legal gateway for cloud providers wishing to sell to EU public autho CADA Recognition: What Public Buyers Need to Know About Sovereignty Tiers Under the proposed Cloud and AI Development Act (CADA), CADA recognition serves as a standardized, EU-wide signal that a cloud service meets specific, grad CADA Recognition: When is a cloud service deemed accepted across the EU? Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider's recognition for a Union assurance level is deemed accepted acr CADA Self-Assessment vs. Audited Tiers: A Legal Guide Under the proposed Cloud and AI Development Act (CADA), the choice between self-assessed Union Assurance Level 1 and independently audited Levels 2–4 is no CADA Self-Assessment vs Independent Audit: Rigour, Evidence & Revocation Under the proposed Cloud and AI Development Act (CADA), the rigour of compliance verification is strictly tiered by Union assurance level. CADA SME Route: How Startups Get Automatic Level 1 Recognition Under the proposed Cloud and AI Development Act (CADA), startup cloud providers classified as small and medium-sized enterprises (SMEs) gain a decisive mar CADA SME Self-Assessment: Automatic Recognition for Level 1 Cloud Services Under the proposed Cloud and AI Development Act (CADA), small and medium-sized enterprises (SMEs) seeking to supply cloud services to the EU public sector CADA Software Supply Chain: SBOM, Kill Switches & Level 4 Control As proposed, the Cloud and AI Development Act (CADA) imposes rigorous software supply chain controls on cloud providers seeking Union assurance levels 2, 3 CADA software supply chain: Third-country components, audits & Level 4 control Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 2, 3, or 4 must implement rigorous controls over thi CADA software supply chain: What migration plan is required? As proposed, the Cloud and AI Development Act (CADA) requires cloud computing service providers seeking Union assurance levels 2, 3, or 4 to maintain a doc CADA Sovereignty Tiers: Protection Against Foreign Law Explained The proposed Cloud and AI Development Act (CADA) establishes a four-tiered "Union assurance level" framework to shield EU public sector activities from thi CADA Subcontractor Rules: What Providers Must Declare for Level 1 Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union assurance level 1 must provide full transparency regarding th CADA Support & Operations Rules by Tier: Location, Residency & Control The proposed Cloud and AI Development Act (CADA) establishes a tiered sovereignty framework where requirements for support and operations teams tighten sig CADA Support Rules: What 'Initiated and Performed Within the Union' Means Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 2, 3, or 4 must ensure that all technical and operat CADA third-country subsidiary separation: rules for global providers Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers operating globally must demonstrate effective legal, technical, a CADA Tiers vs. Sovereign Cloud Marketing: The Legal Reality Under the proposed Cloud and AI Development Act (CADA), "sovereignty" is no longer a marketing slogan but a legally defined, audited status. CADA Transparency: Reporting Material Changes & Annual Audit Reviews Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers recognised as offering a specific Union assurance level must main CADA Union Assurance Level 1: What CTOs Need to Know for Cloud Selection Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 serves as the mandatory baseline for all public sector cloud procurement wh CADA vs the Data Act: How Article 18 Blocks Foreign Data Access The proposed Cloud and AI Development Act (CADA) and the Data Act (Regulation (EU) 2023/2854) function as complementary pillars of EU digital sovereignty, CADA Vulnerability Disclosure Rule: What the Draft Requires Across Tiers Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 1 through 4 must guarantee that no laws in a control CADA: What happens to an assurance level if a provider is acquired by a non-EU company? Under the proposed Cloud and AI Development Act (CADA), an acquisition by a non-EU company constitutes a "material change in circumstances" that triggers a CADA: What 'subject to the control of a third country' means for cloud providers Under the proposed Cloud and AI Development Act (CADA), a cloud provider is "subject to the control of a third country" if a foreign state or legal entity Can a CADA associated third country status be suspended? Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission has the explicit power—and obligation—to suspend, amend, or repeal the Can a CADA auditor revoke its audit opinion? Article 20 explained Yes, under the proposed Cloud and AI Development Act (CADA), an independent auditing organisation has the explicit power to revoke its audit report and aud Can a CADA Level 1 provider serve sensitive government data? As proposed, a CADA Level 1 provider cannot serve sensitive, critical, or classified government data. Can a CADA recognition application be rejected? Article 17 explained Yes, under the proposed Cloud and AI Development Act (CADA), a national competent authority may reject an application for recognition of a cloud computing Can a CADA recognition be revoked? Grounds, process and consequences Yes, as proposed under the Cloud and AI Development Act (CADA), a Union assurance recognition for a cloud computing service can be revoked. Can a different auditor do the annual CADA review? Yes, under the proposed Cloud and AI Development Act (CADA), a cloud service provider seeking Union assurance levels 2, 3, or 4 may switch auditing organis Can a non-EU-controlled provider ever reach CADA level 4? As proposed under the Cloud and AI Development Act (CADA), a cloud computing service provider subject to the control of a third country or a legal entity e Can a non-EU-controlled provider qualify for CADA Union assurance level 1? Yes, a cloud computing service provider subject to the control of a third country or a legal entity established in a third country can qualify for CADA Uni Can a provider appeal a refused CADA recognition? Yes, a cloud computing service provider has a specific procedural right to challenge a potential refusal of Union assurance recognition under the proposed Can a provider hold different CADA assurance levels for different services? Yes, under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider can hold different Union assurance levels for different ser Can a public body require data outside the EU under CADA? Under the proposed Cloud and AI Development Act (CADA), public bodies possess a specific, conditional right to require that customer data be stored or proc Can a public body require extra personnel screening under CADA? Yes, under the proposed Cloud and AI Development Act (CADA), a public body may impose additional personnel screening and Union citizenship requirements whe Can CADA Level 1 support be outsourced outside the EU? Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance level 1 can outsource technical and opera Can other Member States collaborate on a CADA recognition? Under the proposed Cloud and AI Development Act (CADA), the recognition of cloud computing services as offering a specific Union assurance level is not a p Can support staff be outside the EU at CADA level 2? No, under the proposed Cloud and AI Development Act (CADA), support staff for Union Assurance Level 2 services cannot be located outside the EU. Can the Commission change CADA audit evidence requirements? Yes, as proposed, the European Commission would have the power to update the specific audit evidence requirements under the Cloud and AI Development Act (C Can the Commission change the CADA assurance levels by delegated act? Yes, as proposed, the European Commission would have the power to amend the specific technical and legal criteria for the four Union assurance levels (leve Can the Commission overrule a CADA recognition dispute? Yes, as proposed under the Cloud and AI Development Act (CADA), the European Commission possesses the authority to overrule a national competent authority Can the Commission request information during CADA recognition? Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission holds specific authority to request information from national competen Does a CADA provider need a new audit to upgrade tiers? Under the proposed Cloud and AI Development Act (CADA), a cloud service provider seeking to upgrade its sovereignty tier to Union assurance levels 2, 3, or Does a provider take legal responsibility under CADA self-assessment? Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider that issues an EU statement of conformity via the self-assessmen Does CADA allow a level 3 provider controlled from a non-associated country? As proposed, the Cloud and AI Development Act (CADA) generally prohibits cloud computing service providers controlled by a third country or a legal entity Does CADA let a public body waive EU data residency? Under the proposed Cloud and AI Development Act (CADA), public bodies possess a limited, conditional power to waive EU data residency requirements, but onl Does CADA Level 1 cover infrastructure location? Yes, as proposed, the Cloud and AI Development Act (CADA) Union Assurance Level 1 explicitly requires that a cloud provider's infrastructure and assets be Does CADA Level 1 require the cloud provider to be established in the EU? Yes, as proposed in the Cloud and AI Development Act (CADA), a cloud computing service provider must be established in the European Union to achieve Union Does CADA level 2 allow a third-country-controlled cloud provider? Yes — as proposed in the Cloud and AI Development Act (CADA), a cloud computing service provider subject to third-country control could qualify for Union a Does CADA Level 2 allow customer data to leave the EU? Under the proposed Cloud and AI Development Act (CADA), customer data processed by a cloud service provider seeking Union assurance level 2 recognition mus Does CADA Level 3 bar control by a non-EU company? As proposed, Union assurance level 3 under the Cloud and AI Development Act (CADA) generally bars cloud computing services from providers or subcontractors Does CADA level 3 require personnel to be EU citizens? Yes. Does CADA Level 3 require source code access? Sovereignty criteria explained Yes, as proposed in the Cloud and AI Development Act (CADA), Union Assurance Level 3 (UAL 3) would require cloud providers to grant independent auditors ac Does CADA recognition expire? Annual audit rules explained As proposed, CADA recognition does not carry a fixed calendar expiration date (e.g., "valid for 5 years"). Does CADA require a European cybersecurity certificate? As proposed, the Cloud and AI Development Act (CADA) does not mandate a European cybersecurity certificate for all cloud providers. Does CADA require GDPR adequacy for associated third countries? Yes, as proposed, the Cloud and AI Development Act (CADA) strictly requires a GDPR adequacy decision as one of six cumulative criteria for a third country Does CADA require ongoing monitoring of subcontractors? Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly requires cloud computing service providers to subject subcontractors to ongoing oversi Does CADA require reciprocal market access from associated third countries? As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket reciprocity requirement on all third-country cloud providers. Does CADA require source-code audits of third-country components? As proposed, the Cloud and AI Development Act (CADA) does not mandate source-code audits for all third-country software components. How CADA prevents service disruption by a foreign government As proposed, the Cloud and AI Development Act (CADA) prevents service disruption by foreign governments through a tiered sovereignty framework that imposes How CADA references the Cyber Resilience Act for software definitions As proposed, the Cloud and AI Development Act (CADA) does not create its own definition of "software." Instead, it explicitly anchors the term to the Cyber How CADA tiers prevent foreign access to customer data The proposed Cloud and AI Development Act (CADA) prevents foreign access to customer data through a four-tier "Union cloud computing sovereignty framework" How can a non-EU-controlled provider reach CADA Level 3? Under the proposed Cloud and AI Development Act (CADA), a cloud provider that is subject to third-country control could reach Union assurance Level 3 only How do CADA sovereignty tiers help reduce foreign cloud dependency? The proposed Cloud and AI Development Act (CADA) introduces a four-tier "Union cloud computing sovereignty framework" designed to systematically reduce the How does a buyer compare two providers at the same CADA tier? When two cloud providers hold the same Union assurance level under the proposed Cloud and AI Development Act (CADA), they meet the identical baseline sover How does a cloud provider get recognised at CADA assurance level 1? Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final — a proposal, not yet in force), a cloud computing service provider would reach How does a cloud provider get recognised under CADA? Under the proposed Cloud and AI Development Act (CADA), cloud service providers (CSPs) must obtain formal recognition to sell sovereign cloud services to E How does a cloud provider move up a CADA sovereignty tier? To move up a sovereignty tier under the proposed Cloud and AI Development Act (CADA), a cloud provider must demonstrate cumulative compliance: meeting ever How does a CTO choose a CADA assurance level for an architecture? Under the proposed Cloud and AI Development Act (CADA), CTOs do not unilaterally "choose" an assurance level; they must architect to the level mandated by How does a legal team check a non-EU vendor's CADA level 3 eligibility? Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider subject to the control of a third country can only qualify for U How does an auditor assess data-residency criteria under CADA? Under the proposed Cloud and AI Development Act (CADA), an auditor assesses data-residency criteria by rigorously mapping the legal requirements of Annex I How does a provider evidence operational autonomy under CADA? Under the proposed Cloud and AI Development Act (CADA), a provider evidences operational autonomy by demonstrating that outsourcing technical support to th How does a provider get recognised at CADA assurance level 2? As proposed in the Cloud and AI Development Act (CADA), a provider would reach Union assurance level 2 by undergoing, at its own expense, an independent th How does a provider get recognised at CADA assurance level 3? As proposed, to be recognised at Union assurance level 3 under the Cloud and AI Development Act (CADA), a provider must undergo an independent third-party How does a provider get recognised at CADA assurance level 4? To obtain Union Assurance Level 4 recognition under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must undergo a rig How does a provider maintain its CADA recognition over time? Under the proposed Cloud and AI Development Act (CADA), maintaining a Union assurance level recognition is not a one-time event but a continuous obligation How does a provider self-assess for CADA level 1? Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition at Union assurance level 1 must conduct a con How does a public buyer find CADA-recognised cloud services? Public buyers will locate CADA-recognised cloud services through a single, centralised online repository established and maintained by the European Commiss How does a third country become associated under CADA? Under the proposed Cloud and AI Development Act (CADA), a third country becomes "associated" only through a formal decision by the European Commission, ado How does CADA affect a multi-cloud or hybrid architecture? As proposed, the Cloud and AI Development Act (CADA) does not prohibit multi-cloud or hybrid architectures; however, it imposes a strict, service-by-servic How does CADA balance sovereignty with provider availability? As proposed, the Cloud and AI Development Act (CADA) balances sovereignty with provider availability through a graduated Union cloud computing sovereignty How does CADA define the boundary between levels 2 and 3 on foreign control? Under the proposed Cloud and AI Development Act (CADA), the boundary between Union assurance levels 2 and 3 regarding foreign control is defined by a funda How does CADA protect against the US CLOUD Act through its tiers? As proposed, the Cloud and AI Development Act (CADA) establishes a four-tier sovereignty framework designed to mitigate the risks of extraterritorial data How does CADA recognition support trust in the EU cloud market? As proposed, the Cloud and AI Development Act (CADA) would transform trust in the EU cloud market by replacing vague marketing claims with a standardized, How does CADA tiering support EU digital sovereignty goals? The proposed Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework under Article 16 to directly support EU digital How does the CADA framework define the boundary of an audited service? Under the proposed Cloud and AI Development Act (CADA), the "audited service" is not merely a software interface but a comprehensive ecosystem defined by s How does the CADA independent audit work? Levels 2–4 explained Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must un How do software supply-chain controls differ across CADA tiers? Under the proposed Cloud and AI Development Act (CADA), software supply-chain controls intensify significantly across the four Union assurance levels. How do the four CADA assurance levels differ from each other? — As proposed, the Cloud and AI Development Act (CADA), COM(2026) 502 final, would establish "a Union cloud computing sovereignty framework comprising four How much does a CADA audit cost and how long does it take? Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must bear the full fina How often are the CADA assurance level criteria reviewed and updated? As proposed in the Cloud and AI Development Act (CADA), the European Commission is legally required to review the criteria for Union assurance levels at le How should a compliance team document a CADA tier decision? Under the proposed Cloud and AI Development Act (CADA), compliance teams must document tier decisions by anchoring them in a mandatory risk assessment unde How should a legal team assess a cloud vendor's CADA assurance level? As proposed, the Cloud and AI Development Act (CADA) mandates that public sector bodies procure only cloud services formally recognised under a four-tier U How should a non-EU cloud provider approach CADA recognition? Non-EU cloud providers can pursue recognition under the proposed Cloud and AI Development Act (CADA), but the path is strictly segmented by sovereignty lev How should a provider pick a CADA auditing organisation? As proposed in the Cloud and AI Development Act (CADA), cloud service providers seeking recognition for Union assurance levels 2, 3, or 4 must select an au How should a provider prepare for a CADA audit? Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must undergo independen How to prove EU-only support delivery under CADA: Level 2 vs Level 3 rules Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union Assurance Levels 2, 3, or 4 must prove that all technical and operati How to verify a CADA cloud recognition is current: Audit, repository & revocation As proposed, the Cloud and AI Development Act (CADA) requires compliance teams to verify that a cloud provider's Union assurance recognition is current by Is a higher CADA tier always better for a buyer? Cost, choice & risk No, a higher Cloud and AI Development Act (CADA) assurance level is not always better for a buyer. Is CADA Level 1 self-assessment trustworthy for buyers? Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 relies on a conformity self-assessment rather than an independent third-par Is CADA recognition automatic for SMEs at Level 1? Yes, under the proposed Cloud and AI Development Act (CADA), recognition for Union Assurance Level 1 is automatic for small and medium-sized enterprises (S Is hardware covered by the CADA assurance level criteria? No, physical hardware is explicitly excluded from the Cloud and AI Development Act (CADA) assurance level criteria. Must a provider cooperate with a CADA auditor? Yes. Must the CADA EU statement of conformity be public? Yes, under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition at Union assurance level 1 must make the What are the four CADA tiers called and what do their names mean? The four tiers in the proposed Cloud and AI Development Act (CADA) are officially named Union assurance levels 1, 2, 3, and 4. What are the four CADA Union assurance levels in the sovereignty framework? The Cloud and AI Development Act (CADA) is a proposed EU regulation, not yet in force. What are the subcontractor rules for CADA Level 1? As proposed in the Cloud and AI Development Act (CADA), cloud service providers seeking recognition at Union Assurance Level 1 must adhere to strict rules What CADA due-diligence checklist should compliance teams use? As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would transform cloud procurement into a rigorous sovereignty verification exer What CADA evidence can a buyer ask a vendor to disclose? Under the proposed Cloud and AI Development Act (CADA), buyers—specifically public sector contracting authorities and Union entities—have a defined right t What conflict-of-interest rules apply to CADA auditors? As proposed, the Cloud and AI Development Act (CADA) imposes strict independence requirements on auditing organisations to prevent conflicts of interest wh What contractual terms must reflect a CADA assurance level? As proposed, the Cloud and AI Development Act (CADA) does not mandate a single standard contract form, but it legally obliges public sector bodies and Unio What counts as a subcontractor under the CADA tiers? Under the proposed Cloud and AI Development Act (CADA), a "subcontractor" is strictly defined as a third party that holds a direct contractual relationship What counts as 'software' for the purpose of CADA tiers? Under the proposed Cloud and AI Development Act (CADA), the Union cloud computing sovereignty framework explicitly assesses "software" while excluding "har What criteria must a provider meet for CADA assurance level 1? Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider seeking Union assurance level 1 would have to meet seven cumulat What criteria must a provider meet for CADA assurance level 2? Under the proposed Cloud and AI Development Act (CADA), a provider seeking recognition at Union assurance level 2 would have to satisfy all eleven cumulati What criteria must a provider meet for CADA assurance level 3? As proposed, CADA Union assurance level 3 would require a cloud provider to keep infrastructure, assets and personnel within the EU, with the personnel inv What criteria must a provider meet for CADA assurance level 4? As proposed in the Cloud and AI Development Act (CADA), a provider seeking recognition at Union assurance level 4 must meet a set of cumulative criteria in What criteria must a third country meet to be associated under CADA? Under the proposed Cloud and AI Development Act (CADA), a third country can only be "associated" — opening the door for providers under its control to be a What cybersecurity standard does CADA Level 1 require? Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 does not mandate a specific, named cybersecurity certification scheme like What data rule applies at CADA Level 3? Residency & AI Training Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition at Union Assurance Level 3 must adhere to two What delegated acts govern CADA audit procedures? Under the proposed Cloud and AI Development Act (CADA), the European Commission is empowered to adopt delegated acts to specify the detailed procedural rul What does a 'negative' CADA audit opinion mean for recognition? Under the proposed Cloud and AI Development Act (CADA), a 'negative' audit opinion is a definitive finding that a cloud computing service provider does not What does 'associated third country' status mean for a US cloud provider under CADA? Under the proposed Cloud and AI Development Act (CADA), "associated third country" status is a specific legal designation that allows cloud computing servi What does CADA level 2 mean for a healthcare cloud buyer? Under the proposed Cloud and AI Development Act (CADA), a "Union assurance level 2" designation provides a robust mid-tier sovereignty guarantee suitable f What does CADA Level 4 mean for a CTO choosing a provider? Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 4 represents the absolute peak of the sovereignty framework, designed exclusi What does CADA mean by a 'recognised cloud computing service'? Under the proposed Cloud and AI Development Act (CADA), a "recognised cloud computing service" is a service that has undergone a formal assessment and been What does CADA mean by 'relevant and sufficient' audit evidence? Under the proposed Cloud and AI Development Act (CADA), "relevant and sufficient" audit evidence is the legal standard required for an auditing organisatio What does 'operational autonomy' mean in CADA? Under the proposed Cloud and AI Development Act (CADA), "operational autonomy" ensures that a cloud computing service provider retains full, unrestricted c What does reliable audit evidence mean under CADA? Under the proposed Cloud and AI Development Act (CADA), "reliable" audit evidence is not merely a checklist of documents; it is information that is relevan What evidence does CADA require for personnel citizenship and clearance? Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union Assurance Level 3 or 4 must prove that all personnel involved in the What evidence proves data stays in the EU under CADA? Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union Assurance Levels 2, 3, or 4 must prove that all customer data—includi What evidence proves no foreign control under CADA? Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must prove they are not What happens to a cloud provider without CADA recognition? As proposed, a cloud computing service provider without formal recognition under the Cloud and AI Development Act (CADA) is effectively barred from supplyi What happens to existing public-sector cloud contracts under CADA tiers? Under the proposed Cloud and AI Development Act (CADA), existing public-sector cloud contracts are not automatically voided, but they must align with the n What implementing acts govern the CADA recognition procedure? The practical arrangements for the recognition of cloud computing service providers under the proposed Cloud and AI Development Act (CADA) are governed by What is Annex II of CADA and why does it matter? Annex II of the proposed Cloud and AI Development Act (CADA) is the definitive technical checklist that defines the cumulative criteria cloud providers mus What is a Union assurance level under CADA? Under the proposed Cloud and AI Development Act (CADA), a Union assurance level is a standardized, graded guarantee of sovereignty and trust for cloud comp What is a 'Union entity' for the purpose of CADA assurance levels? Under the proposed Cloud and AI Development Act (CADA), a "Union entity" is strictly defined as an EU institution, body, office, or agency established by t What is CADA Union assurance level 1? Under the proposed Cloud and AI Development Act (CADA), Union assurance level 1 would be the baseline tier of the Union cloud computing sovereignty framewo What is CADA Union assurance level 2? Union assurance level 2 is the mid-tier sovereignty standard in the proposed EU Cloud and AI Development Act (CADA). What is CADA Union assurance level 3? As proposed in the Cloud and AI Development Act (CADA), Union assurance level 3 is a high-tier sovereignty standard for cloud computing services used in pu What is CADA Union assurance Level 4? Union assurance Level 4 would be the highest tier of the proposed Cloud and AI Development Act's (CADA) cloud sovereignty framework, reserved for the most What is 'sensitive data' under CADA Level 4? Under the proposed Cloud and AI Development Act (CADA), "sensitive data" for Union Assurance Level 4 is not a static, predefined list but is dynamically id What is the centrepiece of CADA's sovereignty rules? The centrepiece of the proposed Cloud and AI Development Act (CADA) is a harmonised, four-tier "Union assurance framework" designed to mitigate risks from What is the cheapest CADA tier for a cloud provider to enter? The most cost-effective entry point for cloud providers into the proposed Cloud and AI Development Act (CADA) framework is Union assurance level 1. What is the difference between CADA level 1 and level 2? Under the proposed Cloud and AI Development Act (CADA), Union assurance level 1 and level 2 are the two lowest of four assurance levels in the Union cloud What is the difference between CADA level 2 and level 3? As proposed in the Cloud and AI Development Act (CADA), the primary difference between Union assurance level 2 and level 3 lies in personnel and control re What is the difference between CADA Level 3 and Level 4? Under the proposed Cloud and AI Development Act (CADA), Levels 3 and 4 share an EU-only baseline but differ in three ways: Level 4 requires a "high"-level What is the EU statement of conformity under CADA? Under the proposed Cloud and AI Development Act (CADA), the EU statement of conformity is the formal legal instrument used by cloud computing service provi What is the four-tier sovereignty framework in CADA in plain English? The proposed Cloud and AI Development Act (CADA) introduces a "Union cloud computing sovereignty framework" to address the EU's reliance on non-European cl What is the required quality of CADA audit evidence? As proposed, the Cloud and AI Development Act (CADA) mandates that audit evidence used to verify a cloud service's sovereignty assurance level must be rele What is the role of professional scepticism in CADA audits? Under the proposed Cloud and AI Development Act (CADA), professional scepticism is a mandatory, non-negotiable component of the audit evidence assessment f What is the Union cloud computing sovereignty framework under CADA? As proposed, the Cloud and AI Development Act (CADA) would create a Union cloud computing sovereignty framework: a single, EU-wide set of trust criteria fo What methodology must a CADA audit report describe? Under the proposed Cloud and AI Development Act (CADA), an audit report for Union assurance levels 2, 3, and 4 must explicitly describe "a description of t What must a US hyperscaler do to reach a CADA assurance level? As proposed in COM(2026) 502 final, a US hyperscaler is effectively barred from achieving Union assurance levels 1, 2, and 4 due to strict prohibitions on What questions should a CTO ask a vendor about its CADA tier? As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would mandate that public sector bodies procure cloud services meeting specific What requirements must a CADA auditing organisation meet? Under the proposed Cloud and AI Development Act (CADA), an auditing organisation must satisfy rigorous independence, expertise, and ethical requirements to What SBOM requirement does CADA level 2 impose? As proposed, the Cloud and AI Development Act (CADA) mandates that cloud providers seeking Union assurance level 2 recognition must maintain a complete and What should a buyer check in the CADA central repository? Under the proposed Cloud and AI Development Act (CADA), public-sector buyers must verify cloud services in the Commission-maintained central repository bef When does CADA require self-assessment versus an independent audit? Under the proposed Cloud and AI Development Act (CADA), the method for demonstrating compliance with sovereignty requirements depends strictly on the Union Where are the criteria for the CADA assurance levels defined? The specific criteria for the four Union assurance levels under the proposed Cloud and AI Development Act (CADA) are defined in Annex II of the regulation, Where is the list of CADA associated third countries published? The European Commission publishes the official list of "associated third countries" on its website, as mandated by Article 18(3) of the proposed Cloud and Which authority do I apply to for CADA recognition? As proposed in the Cloud and AI Development Act (CADA), you must submit your application for Union assurance level recognition to the national competent au Which CADA assurance level do I need for my cloud workload? Under the proposed Cloud and AI Development Act (CADA), the assurance level your workload would need is driven by what the data is for and how sensitive it Which CADA assurance levels require an independent audit? Under the proposed Cloud and AI Development Act (CADA), independent third-party audits are mandatory for cloud computing service providers seeking recognit Which CADA tier protects against foreign sanction compulsion? Under the proposed Cloud and AI Development Act (CADA), protection against foreign sanction compulsion is a mandatory criterion for Union Assurance Level 2 Which CADA tier should a public-sector buyer require? A guide to Union Assurance Levels As proposed in the Cloud and AI Development Act (CADA), public-sector buyers must require a minimum of Union Assurance Level 1 for all cloud computing serv Which CADA tier suits a financial services workload? As proposed, the Cloud and AI Development Act (CADA) does not mandate a single fixed tier for all financial services; instead, it requires a risk-based det Which CADA tier suits defence and intelligence workloads? As proposed, the Cloud and AI Development Act (CADA) designates Union assurance level 4 as the exclusive tier for defence, intelligence, and classified wor Who can act as a CADA auditing organisation? Under the proposed Cloud and AI Development Act (CADA), only independent organisations with proven expertise, technical competence, and capabilities in aud Who is the evaluating national competent authority under CADA? Under the proposed Cloud and AI Development Act (CADA), the "evaluating national competent authority" is strictly defined as the national competent authori Who must meet CADA Union assurance levels? Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers must meet specific Union assurance levels if they wish to offer s Who pays for the CADA audit? Provider costs explained Under the proposed Cloud and AI Development Act (CADA), the cloud computing service provider seeking recognition for Union assurance levels 2, 3, or 4 must Why choose a CADA Level 1 provider? The baseline for public procurement Public-sector buyers would choose a Cloud and AI Development Act (CADA) Union Assurance Level 1 provider because it serves as the mandatory baseline for al Why does CADA create a four-tier cloud sovereignty framework? The proposed Cloud and AI Development Act (CADA) creates a four-tier Union cloud computing sovereignty framework to replace fragmented national standards w Why does CADA exclude foreign control entirely at Level 4? As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) establishes Union Assurance Level 4 as the apex of the sovereignty framework, e Why does CADA only allow associated third countries at Level 3? Under the proposed Cloud and AI Development Act (CADA), cloud computing services controlled by third countries can only achieve Union Assurance Level 3; th Why is CADA Level 4 the highest sovereignty tier? Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 4 is the highest sovereignty tier because it imposes the strictest cumulative Why would a public body require CADA Level 4 over Level 3? A public body would require CADA Union Assurance Level 4 over Level 3 only when its risk assessment identifies that the cloud service handles the most sens