Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) establishes a strict regime for Union Assurance Level 4, the highest tier of cloud sovereignty. This level is triggered only after a risk assessment under Article 29 identifies specific public sector activities as critical to preserving public order. Crucially, Annex II 4.1(c) mandates that any data "identified as sensitive" following this assessment must "remain exclusively within the Union" at all times, with no exceptions. Unlike lower levels, Level 4 prohibits any third-country control over the provider (Annex II 4.1(g)) and offers no derogation for third-country entities, even if they hold an adequacy decision. This creates a "sovereign-only" zone for the EU's most critical data, requiring independent audits and strict architectural isolation.
Detail
The proposed CADA framework is designed to address the strategic dependency on non-EU cloud providers by creating a tiered assurance system. While Levels 1 through 3 offer varying degrees of flexibility regarding data location and provider control, Level 4 represents a "sovereign fortress" intended for the most critical public order functions. The operationalization of this level hinges on a precise interplay between the risk assessment mechanism and the specific criteria for data residency and control.
The Trigger: Article 29 Risk Assessments
The journey to Level 4 begins not with the cloud provider, but with the public sector body or Union entity. Under Article 29, Member States and Union entities are required to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must be conducted at least every two years or whenever necessary.
The assessment is not a generic review; it must specifically evaluate:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk of unlawful access by a third country or legal entity established in a third country.
- The risk of service disruption that could undermine public order.
The output of this assessment is twofold: it determines the appropriate Union assurance level (2, 3, or 4) for the activity, and it produces a specific classification of data. It is this classification that activates the strictest rules in the regulation. As stated in the proposal, the risk assessment determines "which Union assurance level 2, 3, or 4... is appropriate for the identified public sector activities."
The Core Requirement: Annex II 4.1(c) and Sensitive Data
Once an activity is deemed to require Level 4, the criteria in Annex II become binding. The most significant operational constraint is found in Annex II 4.1(c). This provision states:
"the customer data, including metadata and telemetry data, which, following a risk assessment, is identified as sensitive, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union and at any time, including before, during or after the configuration or use of the service."
This clause introduces a conditional but absolute residency requirement. Unlike Level 1 or 2, where data residency might be subject to explicit requirements by the public sector body or allow for certain exceptions, Level 4 ties the "exclusively within the Union" mandate directly to the risk assessment's identification of sensitivity.
Key implications of Annex II 4.1(c) include:
- Scope of Data: The rule covers not just the primary customer data but also metadata and telemetry data. This prevents "side-channel" leakage where operational data could reveal sensitive patterns or locations.
- Temporal Scope: The data must remain in the Union "at any time," covering the entire lifecycle: before configuration, during use, and after the service is terminated. This eliminates the possibility of data being archived or backed up outside the EU.
- No Exceptions: The text does not include the "unless the public sector body explicitly requires otherwise" clause found in lower levels. Once identified as sensitive under a Level 4 assessment, the data is locked within the Union.
The "No Third-Country Control" Barrier
A defining feature of Level 4 is the absolute prohibition on third-country influence. Annex II 4.1(g) states that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country."
This is a critical distinction from Level 3. Under Level 3 (Annex II 3.1(g)), a provider subject to third-country control may still qualify if the Commission has adopted an implementing act under Article 18 (the "associated third countries" mechanism) recognizing that specific third country as providing sufficient assurances. Level 4 has no such derogation.
The absence of a derogation for Level 4 means that even if a third country has an adequacy decision under the GDPR, or if the Commission has recognized it under Article 18, a provider controlled by that country cannot offer Level 4 services. This ensures that for the most critical public order functions, the EU retains full operational autonomy and legal jurisdiction over the infrastructure, free from any extraterritorial legal pressures or potential service disruptions mandated by foreign governments.
High-Risk Dependency and Procurement
The risk assessment under Article 29 is the gateway to the procurement rules in Article 30. Once the assessment identifies an activity as contributing to public order, Article 30(3) mandates that contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4," and the level they must procure is the one the assessment determined for that activity.
In practice, for the specific data identified as sensitive under the Level 4 assessment, the authority must procure a service that meets the Level 4 criteria. This creates a direct link between the risk assessment and the market supply. Providers must undergo independent third-party audits under Article 20 to demonstrate compliance with the strict criteria of Annex II 4.1, including the sensitive data residency and the ban on third-country control.
What this means for you
For technology leaders, cloud architects, and public sector procurement officers, the Level 4 regime represents a fundamental shift in how critical data is handled.
1. For Cloud Providers: The "Sovereign-Only" Architecture
To offer Level 4 services, you must architect your infrastructure to guarantee that no data identified as sensitive ever leaves the Union. This requires:
- Physical and Logical Isolation: Dedicated infrastructure zones within the EU that are physically separated from any global operations.
- Governance Restructuring: You must prove that no third-country entity holds control. This may require establishing a fully independent EU subsidiary with no voting rights or strategic influence from parent companies outside the Union.
- Audit Preparation: You will face rigorous third-party audits under Article 20. Auditors will verify your data flows, your ownership structure, and your ability to prevent any third-country access. The burden of proof is on you to demonstrate that no "remote features" or "mechanisms" exist that could allow tampering or disruption from outside the EU.
2. For Public Sector Bodies: The Assessment is Key
Your Article 29 risk assessment is the most critical document in your compliance strategy.
- Precision in Classification: You must clearly define which data is "sensitive" in your assessment. This definition triggers the Annex II 4.1(c) residency lock. If you fail to identify data as sensitive, you may inadvertently procure a lower-level service that does not meet your security needs.
- Justification for Level 4: You must document why the activity requires Level 4 rather than Level 3. This justification must explicitly link the data sensitivity to the risk of third-country control or service disruption undermining public order.
- Procurement Constraints: Once you identify a need for Level 4, your procurement options shrink significantly. You can only tender to providers who have successfully completed the Level 4 recognition process, which excludes many global hyperscalers with third-country control.
3. For SMEs and Innovators: A Niche Opportunity
While Level 4 is a high barrier, it creates a protected market for EU-based providers who can demonstrate full sovereignty. If you are an EU-based provider with no third-country control, Level 4 represents a strategic opportunity to serve critical public sector clients (e.g., defence, justice, border management) where global providers are legally disqualified.
Common misconceptions
"Level 4 is just about data localization." Incorrect. While data residency is a major component, Level 4 is equally about control. A provider could store all data in the EU but still be disqualified if they are subject to third-country control (Annex II 4.1(g)). The "sovereignty" in Level 4 is both territorial and structural.
"All data must stay in the EU for Level 4." Technically, Annex II 4.1(c) applies to data "identified as sensitive" following the risk assessment. While it is highly probable that all data in a Level 4 context will be classified as sensitive due to the nature of the activities (e.g., national security), the regulation technically ties the strict residency rule to the output of the Article 29 assessment. However, because the requirement applies "at any time" and extends to metadata and telemetry, separating sensitive from non-sensitive data within one service is rarely practical, so the operational reality is a total lock.
"Third-country providers can qualify for Level 4 if they have an adequacy decision." No. The Level 4 criteria in Annex II 4.1(g) contain no derogation for third-country control. Unlike Level 3, which allows for a Commission decision under Article 18 to recognize a third country, Level 4 is strictly reserved for providers not subject to third-country control. An adequacy decision under the GDPR does not override this sovereignty requirement.
"The risk assessment is a one-time event." Article 29 requires risk assessments to be carried out "every two years, or whenever necessary." This means your data classification and the resulting assurance level requirements are dynamic. A change in the threat landscape or a change in the data being processed could trigger a re-assessment and a requirement to migrate to a higher assurance level.
This is general information about a draft EU regulation, not legal advice.