Summary

Under the proposed Cloud and AI Development Act (CADA), cloud sovereignty would be a legally defined status requiring formal recognition by national authorities, not a marketing claim. As proposed, providers must meet strict, cumulative criteria across four assurance levels, with higher levels demanding stricter data localisation, personnel requirements and independence from third-country control. For providers, this creates a mandatory compliance pathway to the EU public-sector market and a competitive advantage for those who can demonstrate genuine sovereignty.

Detail

CADA would introduce a harmonised Union cloud computing sovereignty framework to reduce the EU's dependence on non-European providers and protect public order. For providers, "sovereignty" is operationalised through four Union assurance levels (Article 16). These are not voluntary certifications but thresholds that determine which public-sector bodies can procure your services.

The four levels of assurance

The criteria are in Annex II and are cumulative: a provider seeking level 3 must also meet all level 1 and level 2 criteria (Article 20(1)).

  • Union assurance level 1: Baseline for all public-sector procurement. Providers must be established in the Union; customer data, including metadata and telemetry, must remain exclusively within the Union, and infrastructure and assets must be located in the Union, unless the public-sector body explicitly requires otherwise. Providers must demonstrate state-of-the-art cybersecurity and full subcontractor transparency. If third-country-controlled, the provider must show no third-country law forces pre-exploitation disclosure of vulnerabilities (Annex II, point 1.1(g)).
  • Union assurance level 2: Adds that infrastructure, assets and personnel involved in the service be located in the Union. Customer data must not be used to train or fine-tune third-country AI systems, nor transferred outside the Union. Providers must implement software supply-chain measures including an SBOM. Third-country-controlled providers must demonstrate legal and technical measures to prevent unauthorised access or disruption (Annex II, point 2).
  • Union assurance level 3: All personnel involved in the service must be Union citizens. The provider and subcontractors must not be subject to third-country control, unless the Commission has adopted an implementing act recognising that third country under Article 18. Technical and operational support must be performed exclusively within the Union by Union residents (Annex II, point 3).
  • Union assurance level 4: The highest level, for the most critical public-order activities. It mirrors level 3 and adds stricter handling of sensitive data, personnel security clearance where classified information is handled, and effective control over software components, ensuring no third country controls their design, development or maintenance. There is no Article 18 derogation at this level (Annex II, point 4).

The recognition mechanism: Articles 16 and 17

Meeting the criteria is not enough; providers must undergo formal recognition. Article 16 establishes that providers must meet the Annex II criteria to provide services to Union entities and public-sector bodies. Article 17 sets out the recognition mechanism:

  1. Application: A provider submits an application to the national competent authority of its establishment.
  2. Evidence: For level 1, the provider submits an EU statement of conformity based on self-assessment (Article 19). For SMEs, that statement is directly and automatically recognised in all Member States without prior evaluation. For levels 2, 3 and 4, the provider must submit an audit report and a "positive" audit opinion from an independent auditing organisation meeting the requirements of Article 20.
  3. Evaluation: The evaluating national competent authority has 60 days to assess the evidence, then notifies other Member States' competent authorities for a 60-day review period.
  4. Objections: Other Member States may submit reasoned objections during the review period. If none are raised, the recognition is adopted and valid throughout the Union. If objections stand, the matter may be referred to the Commission, which adopts a binding decision.
  5. Central repository: Once recognised, the service is registered in the central repository maintained by the Commission (Article 22), visible to procurers across the EU.

Competitive opportunity for EU-based providers

While the compliance burden is significant, the framework is designed to level the playing field for European providers. By mandating sovereignty criteria for public procurement, CADA creates a market segment where European providers can compete on quality, innovation and trust rather than price alone. Providers achieving level 2, 3 or 4 recognition would gain access to sensitive contracts in areas such as healthcare, justice and defence. The proposal also establishes the EuroCloud Federation (Article 34), a European public-sector cloud federation to facilitate sharing of public-sector cloud capabilities among Member States.

What this means for you

If you target the EU public sector, treat sovereignty as a core product feature.

  1. Conduct a gap analysis: Map your operations against the Annex II criteria, identifying gaps in data localisation, personnel and third-country control. A support team outside the EU, for instance, precludes level 2 or higher.
  2. Prepare for audit: For levels 2–4, engage an independent auditing organisation early. The audit evidence requirements in Annex III are detailed, covering governance and technical infrastructure.
  3. Engage national competent authorities: Each Member State designates a national competent authority (Article 25). Engage early to understand application procedures.
  4. Leverage SME status: SMEs benefit from automatic cross-border recognition of the level 1 statement of conformity (Article 17(3)), a useful foothold while working toward higher levels.
  5. Monitor third-country developments: If you are non-EU or have third-country shareholders, track the Commission's Article 18 decisions; level 3 recognition may become possible if your home country meets the adequacy and sovereignty safeguards.

Common misconceptions

  • "Sovereignty is just about data location." Sovereignty under CADA is multidimensional: it includes personnel, absence of third-country control, supply-chain transparency and resistance to extraterritorial demands. A provider can host data in the EU yet fail level 3 if a third-country entity controls it.
  • "Only large hyperscalers can achieve high assurance levels." The criteria are technology-neutral. SMEs and mid-caps can achieve level 1 (with automatic recognition) and can compete for levels 2 and 3 with robust governance and localised operations.
  • "Once recognised, the status is permanent." Recognition is dynamic. Providers must notify material changes affecting the recognition (Article 23), and audits for levels 2–4 are reviewed annually (Article 20(8)). Recognition can be revoked.
  • "Non-EU providers are completely excluded." They are not banned. For level 3 they can be recognised only if the Commission recognises their home country under Article 18; this requires the country to have no measures enabling unauthorised data access or service disruption.

This is general information about a draft EU regulation, not legal advice.