Summary

Under the proposed Cloud and AI Development Act (CADA), cloud sovereignty for public-sector buyers means choosing services by four standardised "Union assurance levels" rather than vague national definitions. Procurement officers would run risk assessments to determine the level required for each activity: as proposed, most standard services need only level 1, while public-order functions require levels 2, 3, or 4. The framework is designed to protect public order, ensure operational autonomy, and reduce dependence on third-country providers whose laws may conflict with EU rights. CADA is a proposal and not yet in force.

Detail

CADA would introduce a harmonised EU-wide framework for cloud sovereignty, replacing fragmented national approaches with a unified set of criteria. For public-sector buyers, "sovereignty" would not be a single binary state but a tiered system of four Union assurance levels (1 to 4), established in Article 16, with criteria in Annex II covering data location, personnel citizenship, cybersecurity certification, and freedom from third-country control.

The four assurance levels

The framework is designed to be proportionate. Recital 52 states that "most public services would not require the highest levels of assurance", adding that "in some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order." In outline:

  • Level 1. The baseline for most public-sector activities. The provider must be established in the EU, with infrastructure and customer data remaining in the Union unless the public body explicitly requires otherwise. Providers must show state-of-the-art cybersecurity and give full transparency on subcontractors.
  • Level 2. Adds stricter requirements: infrastructure, assets, and personnel involved in the service located in the Union; a European cybersecurity certificate of at least "substantial" assurance (or an applicable national scheme until the EU scheme exists); and a ban on using service-generated data to train AI systems operated by third countries.
  • Level 3. For higher-risk activities. Personnel involved, including subcontractors', must be Union citizens and, where appropriate, hold national security clearance. The provider and its subcontractors must, in principle, not be subject to third-country control, unless the Commission has recognised an associated third country (Article 18).
  • Level 4. The highest level, for the most sensitive activities. Requires a European cybersecurity certificate at the "high" assurance level, the strictest software-supply-chain controls, and a prohibition on third-country control with no derogation (the Article 18 route open at level 3 does not apply).

Linking risk assessment to procurement

The core mechanism for buyers is the risk assessment. Under Article 29, Member States and Union entities would carry out risk assessments to identify which activities contribute to the preservation of public order, and which Union assurance level (2, 3, or 4) is appropriate for them.

Article 30 then links those assessments to procurement obligations:

  1. Default rule (level 1). Where a body's activities have not been identified as contributing to public order, it must use services recognised at Union assurance level 1 (Article 30(2)).
  2. Public-order rule (levels 2–4). Where activities are identified as contributing to public order — in NIS2 sectors or in areas such as national security, internal security, external border management, defence, justice, or law enforcement — the contracting authority must only procure services recognised at levels 2, 3, or 4 (Article 30(3)).

In practice, then, a buyer could not select a cloud provider without first knowing the sovereignty classification of the specific use case: the classification fixes the minimum assurance level, and the level fixes which recognised services are eligible at all.

Why governments need control

CADA addresses two primary risks of relying on non-European providers:

  1. Extraterritorial data access. Many major providers are subject to third-country laws (such as the US CLOUD Act) that may compel disclosure of data to foreign authorities even when the data is physically stored in the EU, bypassing EU safeguards. Data location alone therefore does not settle who can lawfully reach the data; the provider's legal exposure matters as much as the data centre's address.
  2. Operational disruption. Dependence on third-country providers creates risks of service degradation or interruption from geopolitical tension, sanctions, or unilateral foreign decisions — a risk recital 46 lists among the EU's concentration risks.

By providing for sovereign cloud options, CADA aims to keep critical government functions under EU jurisdiction, protecting both citizen data and the continuity of essential services.

What this means for you

As a public-sector procurement officer, your role would expand from evaluating technical specifications to also verifying sovereignty compliance. A practical checklist:

  1. Conduct or review your risk assessment. Before launching a tender, ensure your organisation has completed the Article 29 risk assessment and determined whether your use case contributes to public order.
    • If no: you would procure level 1 services. A non-EU-headquartered provider can still qualify if it is established in the EU and meets the level 1 criteria.
    • If yes: you would procure level 2, 3, or 4 services, verifying which level your sector requires (under the Article 29(3) methodology, the highest level is directed at the most critical activities, including defence).
  2. Verify recognition status. Do not accept self-declared sovereignty claims or marketing labels. Recognition is granted by a national competent authority (Article 17); check the Commission's central repository (Article 22) to confirm that the specific service you intend to buy, not merely the provider as a whole, is listed at the level you require.
  3. Update tender documents. Include the required Union assurance level as a mandatory criterion. Separately, for innovative cloud and AI procurements, Article 32 requires non-price award criteria assessing the tenderer's contribution to a European cloud and AI ecosystem — including the use of "software or hardware designed or manufactured in the Union" (Article 32(3)).
  4. Plan for migration. If your current provider does not meet the required level, Article 29(6) provides a transition period not exceeding 12 months, taking account of technical feasibility, continuity, and data portability. Start planning early.

Common misconceptions

"Sovereignty means all data must stay in my country." CADA would establish an EU-wide framework, not a national one. Annex II requires data to remain within the Union, not necessarily within a single Member State — preventing fragmentation and letting providers scale across Europe while meeting sovereignty criteria.

"All government data requires the highest security level." Recital 52 makes the framework proportionate: "most public services would not require the highest levels of assurance." Levels 3 and 4 are reserved for activities identified through the risk assessment as critical to public order. Applying level 4 to a simple internal tool would be disproportionate.

"I can still use my preferred global hyperscaler if it promises compliance." If your use case requires level 2, 3, or 4, the provider must be formally recognised under CADA; a contractual promise of compliance is not recognition. For levels 3 and 4, the provider and its subcontractors generally cannot be under third-country control, so many global hyperscalers may not qualify unless they establish legally and operationally separate EU entities that meet the criteria. Whether a separately incorporated EU subsidiary of a non-EU parent escapes "third-country control" will depend on how control is defined in the text finally adopted, so treat such structures as unproven until recognition is actually granted.

"Sovereignty is just about cybersecurity." Cybersecurity is one component. CADA's concept also covers operational autonomy (could a foreign government disrupt the service?), protection against extraterritorial data access, and supply-chain resilience (dependence on foreign hardware or software that could be withdrawn).

This is general information about a draft EU regulation, not legal advice.