Summary
As proposed, "reducing dependencies on critical technologies" — one of CADA's stated measures (Article 1(1)(d)) — means steering public-sector cloud and AI use away from services exposed to third-country control toward services that meet EU-defined sovereignty criteria. It is not a blanket ban on non-EU technology. Instead, Member States and Union entities would run risk assessments (Article 29) to identify public-order activities, and contracting authorities would then have to procure at the matching Union assurance level (UAL 1 generally; UAL 2, 3 or 4 for public-order activities). The aim is to mitigate risks of unlawful data access, service disruption and loss of operational autonomy.
Detail
CADA lists "reducing dependencies on critical technologies" among its measures in Article 1(1)(d). In context, this is a structured, risk-based approach to ensuring the EU public sector and critical infrastructure are not exposed to the extraterritorial laws or unilateral decisions of third-country providers — rather than an origin-based prohibition.
The problem: extraterritorial control and operational risk
The explanatory memorandum notes that three non-EU hyperscalers control over 70% of the European cloud market, and that incumbents subject to third-country jurisdictions may be compelled to grant data access or could disrupt service continuity. A frequently cited example is the US CLOUD Act (the Clarifying Lawful Overseas Use of Data Act), which addresses the disclosure of electronic data held by US-subject communications-service providers regardless of where the data is stored. CADA would address these "sovereignty risks" with a harmonised framework that distinguishes services by their exposure to third-country control.
The solution: Union assurance levels and risk assessments
To operationalise dependency reduction, CADA would introduce a Union cloud computing sovereignty framework of four Union assurance levels, the criteria for which are set out in Annex II (Article 16). As proposed, the criteria become progressively stricter: UAL 1 requires, among other things, establishment in the Union and that customer data remain exclusively within the Union (unless a public sector body explicitly requires otherwise); the higher levels add audited requirements, such as Union-located personnel (and, where it applies as an audit criterion, Union citizenship of personnel) and the provider not being subject to third-country control.
The trigger for the higher levels is the risk assessment under Article 29. Under Article 29(1), Member States and Union entities must:
- identify public-sector activities using cloud services that contribute to the preservation of public order — in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in national security, internal security, external border management, defence, justice or law enforcement; and
- determine which Union assurance level (2, 3 or 4) is appropriate for those activities.
Under Article 29(2), the assessment must consider at least the sensitivity, criticality and magnitude of the data processed; the risk and public-order impact of unlawful access under Union law by a third country or third-country-established entity; and the risk and impact of possible service disruption.
Procurement levers and sovereignty tiers
Once the assessment is done, Article 30 sets the procurement obligations. Contracting authorities whose activities are identified as contributing to the preservation of public order "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4" (Article 30(3)). Public-sector bodies and Union entities whose activities are not so identified must use services recognised at Union assurance level 1 (Article 30(2)). This creates a tiered landscape:
- Baseline (UAL 1): all in-scope public-sector procurement at least meets Level 1, requiring Union establishment and Union-only customer data (subject to the public-sector-body caveat) under Annex II, Section 1.
- Public-order (UAL 2–4): critical activities require higher, audited assurance, with the strictest levels requiring that the provider and subcontractors are not subject to third-country control, save for derogations for associated third countries (Article 18).
Associated third countries
CADA recognises that full isolation is not always feasible. Article 18 allows the Commission, by implementing act, to identify "associated third countries" whose controlled providers may be audited against the criteria for Union assurance level 3, provided the third country meets cumulative criteria — including a relevant adequacy decision under Article 45 GDPR, and the absence of measures enabling control conflicting with EU lawful-access rules or enabling it to compel the provider to degrade or disrupt service.
What this means for you
For public-sector procurement officers, CADA would turn cloud procurement into a sovereignty-and-risk process, not just a commercial or technical one.
- Run mandatory risk assessments. Under Article 29, map your cloud usage to determine whether it supports public-order activities; this dictates your minimum assurance level.
- Check the central repository. Before tendering, verify that providers are recognised and listed in the central repository (Article 22) — recognition is by formal decision, not assumption.
- Specify the right level in tenders. If your activity is identified as public-order under Article 29, specify UAL 2, 3 or 4; you could not accept a provider holding only UAL 1 recognition for such use cases.
- Monitor for changes. Providers must notify material changes affecting their recognition (Article 23); watch the repository for amendments or revocations, which may trigger migration.
- Consider multi-cloud strategies. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate, reducing single-provider dependency.
Common misconceptions
Misconception 1: CADA bans all non-European cloud providers. As proposed, no. CADA does not ban providers by origin; it constrains dependencies on providers subject to third-country control for critical public-order activities. A non-EU-controlled provider can still qualify if it meets the Annex II criteria, and providers controlled by an "associated third country" may be audited for UAL 3 under Article 18.
Misconception 2: Only defence and intelligence are affected. The scope of "public order" is broader. Article 29(1) includes NIS2 sectors (such as energy, transport, health and digital infrastructure) alongside national security, defence, justice and law enforcement.
Misconception 3: GDPR compliance is enough. GDPR addresses data protection, not operational sovereignty. A GDPR-compliant provider could still be subject to a third-country law enabling data access or service disruption — which CADA's assurance levels are designed to address.
Misconception 4: UAL 1 is sufficient for all government services. No. Under Article 30(3), activities identified as contributing to public order must use UAL 2, 3 or 4. UAL 1 is the minimum baseline; defaulting to it for critical services would need a documented risk assessment justifying that level.
This is general information about a draft EU regulation, not legal advice.