Summary
Under the proposed Cloud and AI Development Act (CADA), cloud sovereignty would give SMEs a single, harmonised EU framework instead of fragmented national rules. SMEs would benefit from a streamlined self-assessment for the baseline Union assurance level 1 — with automatic, Union-wide recognition of SME conformity statements (Article 17(3)) — and could use the central repository (Article 22) to identify recognised providers. Most SME workloads would not require the highest tiers, in line with the proportionality the proposal sets out (recital 52).
Detail
CADA would introduce a unified "Union cloud computing sovereignty framework" to reduce dependence on non-European providers and strengthen the EU's digital resilience. For small and medium-sized enterprises (SMEs), it would clarify what "sovereignty" requires in practice, replacing fragmented national definitions with a single EU-wide standard.
The Union assurance levels
At the core are four Union assurance levels (Article 16), defining the criteria a service must meet to serve Union entities and public sector bodies. The levels run from level 1 (baseline) to level 4 (the highest assurance, which the proposal indicates should allow secure hosting of EU classified information — recital 62).
- Union assurance level 1: the entry tier. Providers demonstrate compliance through a conformity self-assessment and an EU statement of conformity (Articles 19 and 17(3)).
- Union assurance levels 2, 3 and 4: these require independent third-party audits (Article 20). Levels 3 and 4 add Union citizenship requirements for personnel and prohibitions on third-country control, with level 4 being the most stringent.
Proportionality for SMEs
Proportionality matters most to SMEs. Recital 52 states that "most public services would not require the highest levels of assurance," and that levels 3 or 4 "may be considered necessary and proportionate in preserving public order" only in specific cases. For the bulk of workloads involving non-sensitive administrative data, internal communications or standard business applications, level 1 would generally be the relevant tier — sparing SMEs the cost and burden of the highest audits unless their specific risk assessment requires them.
The central repository
To simplify procurement, Article 22 would require the Commission to establish a central repository of cloud services recognised at the Union assurance levels. Publicly available and regularly updated by the Commission and national competent authorities (Article 22(4)), it would serve as a single source of truth: SMEs and procurement officers could check whether a provider is recognised, instead of relying on marketing claims or running their own sovereignty due diligence.
Streamlined recognition for SMEs
CADA recognises SMEs' limited resources. Under Article 17(3), for Union assurance level 1, an EU statement of conformity issued by an SME is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This removes a significant administrative hurdle, letting SME providers offer level 1 services across the EU more quickly.
What this means for you
For public-sector procurement officers and SME cloud providers, the framework translates into a few practical actions:
- Understand the risk-based duty. The formal risk-assessment obligation under Article 29 falls on Member States and Union entities, who determine which activities contribute to the preservation of public order. If an activity does not involve national security, law enforcement or comparable concerns, level 1 services would generally be sufficient (Article 30(2)).
- Use the central repository. Rather than relying on marketing claims, use the repository under Article 22 to confirm a provider has been formally recognised, simplifying compliance and reducing legal risk.
- Leverage automatic recognition for level 1. If you are an SME providing cloud services, an EU statement of conformity for level 1 would be automatically recognised across the EU (Article 17(3)), letting you compete without waiting for national approval.
Common misconceptions
- "Sovereignty means all data must stay in one country." Incorrect. As proposed, CADA focuses on Union-level assurance: data can generally be processed across the EU where the provider meets the relevant level. The aim is to prevent third-country access, not to fragment the internal market.
- "SMEs need the highest sovereignty tier to be compliant." Incorrect. Recital 52 makes clear most public services do not require levels 3 or 4. Applying the highest tier to low-risk workloads would be disproportionate; the framework is risk-based.
- "Sovereignty is only about cybersecurity." Incorrect. Cybersecurity is one component, but CADA's framework also addresses operational autonomy, data confidentiality, and protection against third-country legal reach — a broader concept than technical security alone.
This is general information about a draft EU regulation, not legal advice.