Summary

In the proposed Cloud and AI Development Act (CADA), digital sovereignty is not isolation or protectionism. It is the ability of the Union and its Member States to retain control over their infrastructure, data, assets and technology systems under Union and national jurisdiction. The draft regulation frames this as an "imperative policy objective" (recital 46), driven by the risk that third-country laws with extraterritorial effect could compel access to EU data or disrupt services. CADA would operationalise sovereignty through a four-tier "Union assurance level" framework (Article 16) that lets public buyers verify a provider's control and autonomy before procuring cloud services, while deliberately staying open to international cooperation.

Detail

"Digital sovereignty" is used loosely in public debate, but in the Cloud and AI Development Act (CADA) — proposed by the European Commission as COM(2026) 502 final, and still only a proposal — it carries a specific, grounded meaning. CADA aims to reduce the Union's dependence on a limited number of non-European cloud providers and to protect public order by keeping critical digital infrastructure under EU control.

What digital sovereignty means in CADA

Recital 46 of the proposal sets out the core idea. It states that the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries", which exposes the EU to "vulnerabilities arising from the extraterritorial application of third-country laws", to potential disruptions of service continuity, to "reduced control and oversight over personal and non-personal data and infrastructure", and to "undue economic or political influence". Against that background, the recital concludes, "the ability of the Union and its Member States to retain control over infrastructure, data, assets and technology systems under Union and national jurisdiction has become an imperative policy objective."

That control is the essence of digital sovereignty as CADA uses the term. It is broader than data protection: it covers operational autonomy (can the service keep running if a foreign government intervenes?) and technological control (who governs the underlying software and supply chain?), not just whether personal data is processed lawfully.

The proposal also explains why a Union-level measure is needed rather than national fixes. Recital 47 acknowledges that existing Union law already addresses cybersecurity, data protection, interoperability and data portability, but observes that "there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks." It warns that diverging national definitions of "sovereign" services "risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty." Digital sovereignty, in CADA, is therefore as much about a common EU standard as about control itself. The explanatory memorandum sets the scale of the dependence the proposal responds to: three non-EU hyperscalers control over 70% of the European cloud market, and the EU providers' share fell from 29% in 2017 to 15% in 2022.

How CADA would put sovereignty into practice

CADA would establish a Union cloud computing sovereignty framework comprising four Union assurance levels (Article 16), with the detailed criteria set out in Annex II. The framework works on two sides.

Supply side. A provider that wants to be recognised as offering a given assurance level applies to the national competent authority of establishment (Article 17). Level 1 rests on a conformity self-assessment (Article 19); levels 2, 3 and 4 require an independent third-party audit (Article 20). Recognised services are published in a central repository maintained by the Commission (Article 22).

Demand side. Member States and Union entities would carry out risk assessments (Article 29) to identify which public-sector activities contribute to the preservation of public order. For those activities, contracting authorities could only procure services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)). For activities not identified as public-order relevant, a minimum of level 1 would apply (Article 30(2)).

Sovereignty is not autarky

CADA's drafters are explicit that sovereignty does not mean a closed European internet. Recital 61 states that the Union's objective of strengthening its autonomy "should be pursued in a manner that remains open, cooperative and consistent with the Union's international commitments and partnerships", and that the objectives pursued through assurance levels 1, 2 and 3 should be understood as "the Union's capacity to act autonomously where necessary, while remaining engaged with its international partners".

That openness is concrete. Under Article 18, the Commission could designate "associated third countries" whose providers — even when subject to that country's control — may be audited against the criteria for Union assurance level 3, provided the country meets cumulative conditions including an adequacy decision under Article 45 of the GDPR and an absence of measures that would conflict with lawful-access requirements or compel service disruption. Sovereignty, in CADA's design, is about retaining the capacity to act, not about excluding foreign providers by nationality.

Proportionality runs through the framework too. Recital 52 stresses that the assurance levels "should provide for a proportionate framework", that "most public services would not require the highest levels of assurance", and that only "in some specific cases" would levels 3 or 4 be "necessary and proportionate in preserving public order." Digital sovereignty under CADA is thus graduated and risk-based: the point is to apply the strongest controls where the stakes for public order are highest, not everywhere by default. The proposal's general aims, set out in its explanatory memorandum, include "address[ing] concerns regarding data sovereignty and operational continuity of cloud and AI" and helping "protect public order by making the supply of cloud computing services more resilient, in particular in the public sector."

What this means for you

If you work in or buy for the public sector, the proposal would change how cloud services are evaluated:

  1. Risk assessments first. Before procuring, your Member State or entity would assess whether the activity contributes to public order in sectors covered by the NIS2 Directive or in fields such as national security, defence, justice or law enforcement (Article 29). The Commission would issue a methodology and templates.
  2. Procure recognised services. Based on that assessment, you would procure services recognised at the appropriate level — level 1 as a baseline, or levels 2 to 4 for public-order activities — and check the central repository (Article 22) to confirm a provider's status rather than relying on marketing.
  3. Sovereignty beyond cybersecurity. A "secure" service is not automatically a "sovereign" one. You would assess legal control, operational autonomy and supply-chain dependence, not just security certifications.

These obligations would only take effect once CADA is adopted and starts to apply; today it remains a proposal.

Common misconceptions

CADA bans non-European cloud providers. It would not. Recognition turns on meeting the assurance-level criteria, not on a provider's nationality. A non-EU-controlled provider could qualify at lower levels, and providers from designated associated third countries could be eligible for level 3 (Article 18).

Digital sovereignty just means data must stay in the EU. Data localisation is one criterion, but sovereignty in CADA also covers who controls the provider, where personnel and support sit, and the software supply chain. Even at level 1, data may leave the Union where the public sector body explicitly requires it (Annex II).

CADA would replace the GDPR. It would complement it. The GDPR governs personal-data processing; CADA addresses the sovereignty and resilience of cloud services. Providers would have to satisfy both.

Sovereignty is the same as cybersecurity. Cybersecurity is one component. A provider can be technically secure yet still legally compellable by a foreign government — which is precisely the gap CADA's assurance levels target.

This is general information about a draft EU regulation, not legal advice.