Summary

Under the proposed Cloud and AI Development Act (CADA), a "sovereign cloud" is not a product but a service that meets harmonised criteria designed to safeguard the Union's public order. CADA would establish a four-tier "Union assurance" framework (Article 16) classifying cloud services by their level of data confidentiality and operational autonomy. Public-sector bodies would have to procure services matching the assurance level set by their risk assessments, helping keep critical data under EU control and shielded from third-country interference.

Detail

The proposed Cloud and AI Development Act (CADA) responds to the EU's heavy reliance on non-European cloud providers by introducing a legal framework for "sovereign" cloud computing. As proposed, CADA does not merely encourage European providers; it would create a binding mechanism to ensure public-sector cloud usage aligns with the Union's strategic autonomy and public-order interests.

The legal basis: safeguarding public order

One of the regulation's stated measures, in Article 1(1)(c), is:

"enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order;"

This framing shifts "sovereign cloud" from a marketing term to a legal benchmark. The public-order concern stems from dependence on providers subject to third-country jurisdictions, where laws may compel data access or service disruption. As proposed, a sovereign cloud is one that offers guarantees of operational autonomy and data confidentiality against such extraterritorial pressures.

The four-tier Union assurance framework

To operationalise this, Article 16 would establish the "Union cloud computing sovereignty framework," comprising four Union assurance levels (1, 2, 3 and 4) that cloud computing service providers must meet in order to provide their services to Union entities and public-sector bodies. These are cumulative criteria, not voluntary badges.

The criteria are set out in Annex II of the proposal. While requirements escalate by tier, they broadly address:

  1. Establishment and control: higher levels require the provider (and, where relevant, its subcontractors) to be established in the Union and not subject to the control of a third country or of a legal entity established in a third country.
  2. Data localisation: customer data, including metadata and telemetry, must remain within the Union, with stricter constraints at higher tiers.
  3. Personnel and Union citizenship: higher levels require that personnel involved in providing the service are Union citizens, and where appropriate hold the necessary clearances.
  4. Cybersecurity certification: the service must obtain a European cybersecurity certificate at assurance level "substantial" (lower tiers) or "high" (the top tier) under a European cybersecurity certification scheme covering cloud services; where no Union or national scheme exists, the provider is to demonstrate equivalent measures.
  5. Software supply chain: providers must show control over their software supply chain, including a software bill of materials (SBOM), and guard against third-country software components with features that could tamper with or disrupt the service.

Recognition and auditing

A service does not become "sovereign" by self-declaration alone. Article 17 sets out the recognition mechanism: providers apply to the national competent authority of their place of establishment.

  • Level 1: the provider self-assesses and issues an EU statement of conformity (Article 19).
  • Levels 2, 3 and 4: the provider must undergo independent third-party audits (Article 20), and an auditing organisation issues a "positive" audit opinion against the Annex II criteria.

Once recognised, the service is entered in a central repository maintained by the Commission (Article 22), so public buyers can identify which providers meet which assurance level.

Linking assurance to public procurement

The framework is tied directly to procurement. Under Article 29, Member States and Union entities would conduct risk assessments to identify which activities contribute to the preservation of public order (in sectors under Annex I or II of NIS2, or in national security, internal security, external border management, defence, justice or law enforcement).

Based on those assessments, Article 30 would require:

  • Public-sector bodies and Union entities whose activities are not identified as contributing to public order to use services recognised at Union assurance level 1.
  • Contracting authorities whose activities are identified as contributing to public order to only procure services recognised at Union assurance level 2, 3 or 4.

This channels the most sensitive public data onto infrastructure with the strongest guarantees of autonomy and confidentiality.

What this means for you

For public-sector procurement officers and IT directors, the proposed CADA would add a mandatory layer of due diligence to cloud procurement.

  1. Conduct risk assessments. Determine whether your activities fall under the "preservation of public order" categories in Article 29. This is recurring: as proposed, the first assessment is due by the date of application (entry into force plus one year), then at least every two years, or whenever necessary.
  2. Check the central repository. When tendering, verify the provider's status in the Commission's central repository (Article 22) rather than relying on marketing claims of "sovereignty."
  3. Match assurance to risk. If your activities do not affect public order, procure at least level 1 services. If they do affect public order, you would be restricted to level 2, 3 or 4 services.
  4. Plan for migration. Where a risk assessment requires moving to another service, Article 29(6) allows a reasonable transition period not exceeding 12 months, taking account of technical feasibility, service continuity and data portability. Start planning exit and portability measures early.
  5. Consider multi-cloud strategies. Under Article 29(9), Member States and Union entities would consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement.

Common misconceptions

Misconception 1: "Sovereign cloud" means data must stay in one specific Member State. Correction: Under CADA, data must remain within the Union, not a single Member State. The proposal supports the free flow of data within the Union (Recital 64); data may be stored and processed across Member States, provided it does not leave the Union's jurisdiction.

Misconception 2: Only EU-headquartered companies can offer sovereign cloud services. Correction: Generally the provider must be established in the Union and free of third-country control. But Article 18 allows the Commission to identify "associated third countries" whose providers may be audited against the criteria for Union assurance level 3, where the country meets cumulative conditions — including a GDPR adequacy decision and the absence of measures that would compel unlawful data access or service disruption.

Misconception 3: Cybersecurity certification is the same as sovereignty. Correction: Technical security and legal/operational autonomy are distinct. A service can be highly secure yet still subject to third-country laws permitting data access. CADA's framework requires both strong cybersecurity (via certification) and structural guarantees of autonomy (via the assurance-level criteria in Annex II).

Misconception 4: I can freely choose any assurance level for my procurement. Correction: The level is dictated by your risk assessment. If your activities are identified as contributing to public order, you are obliged to procure level 2, 3 or 4 — you cannot opt for a lower level on cost grounds. If your activities are not critical, you need only procure at least level 1, though you may choose higher.

This is general information about a draft EU regulation, not legal advice.