Summary
Under the proposed Cloud and AI Development Act (CADA), cloud sovereignty is about more than where data is stored — it covers the Union's ability to keep control over data, infrastructure, and operational autonomy. As proposed, it matters because it would help protect public order: keeping critical services resilient against disruption, unauthorised access, or coercion linked to third countries. The framework goes beyond traditional data-transfer rules to address the broader risk of dependency on non-European providers. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.
Detail
The concept of cloud sovereignty is central to the European Commission's proposal for the Cloud and AI Development Act (CADA). As proposed, CADA aims to establish a harmonised framework to reduce the Union's dependence on a limited number of third-country cloud providers and to safeguard public order.
What is cloud sovereignty under CADA?
As proposed, Article 1 establishes a framework for strengthening the cloud and AI ecosystem, with one of its measures being "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order."
Cloud sovereignty, in this context, is not merely about data localisation. As proposed, it is a multi-layered concept that encompasses:
- Control over data and infrastructure: ensuring that customer data — including metadata and telemetry — remains within the Union, at the entry level "unless the public sector body explicitly requires otherwise."
- Operational autonomy: ensuring the provider can deliver the service without external interference, such as remote shutdown or degradation of service quality driven by a third country.
- Protection from extraterritorial laws: mitigating the risk that third-country laws compel a provider to hand over data or disrupt services, even where the data sits in the EU.
Why does it matter?
The EU currently faces significant strategic dependencies. As the explanatory memorandum notes, three non-EU hyperscalers control over 70% of the European cloud market, while the EU providers' market share fell from 29% in 2017 to 15% in 2022. This concentration creates vulnerabilities:
- Extraterritorial reach: large incumbents are often subject to third-country jurisdictions whose laws have extraterritorial effect, including laws mandating data access that may conflict with EU fundamental rights and data-protection frameworks.
- Operational discontinuity: dependence on non-European providers exposes European users to the risk that unilateral decisions by third-country actors could disrupt service provision.
- Public-order risks: for public sector bodies, reliance on non-sovereign clouds can jeopardise national security, internal security, and the continuity of essential services.
How does it differ from GDPR and data-privacy frameworks?
A common point of confusion is the relationship between cloud sovereignty and existing data-protection laws like the GDPR or the EU-US Data Privacy Framework (DPF).
As stated in the explanatory memorandum, while the GDPR and the DPF address transatlantic data transfers and the protection of personal data, they do not remove sovereignty concerns about dependence on third-country providers. The proposal complements these frameworks because sovereignty goes beyond data transfers and relates to operational autonomy too.
For example, even where data transfers are lawful under the DPF, the underlying infrastructure and the provider's operational control may still be subject to third-country laws allowing access or disruption. As proposed, CADA addresses this gap through a Union cloud computing sovereignty framework (Article 16) that sets harmonised, auditable criteria for trusted cloud services.
The four assurance levels
To operationalise these concepts, CADA proposes a framework of four Union assurance levels (Article 16), with the criteria set out in Annex II. As proposed, the criteria are cumulative and tighten level by level:
- Level 1 rests on a self-assessment and an EU statement of conformity (establishment, infrastructure and data in the Union, subject to limited conditions).
- Levels 2–4 require independent third-party audits and add stricter requirements — for example, protection against third-country control and remote tampering, with Union-citizen personnel and a prohibition on third-country control at Levels 3 and 4.
As proposed, Member States and Union entities would conduct risk assessments (Article 29) to determine which assurance level fits a given activity, especially activities contributing to the preservation of public order.
What this means for you
For public-sector procurement officers, the proposed CADA would introduce a new baseline for buying cloud services.
- Mandatory risk assessments: by one year after the Regulation's entry into force (and thereafter every two years, or whenever necessary), your organisation would carry out risk assessments to identify which activities contribute to the preservation of public order — in sectors such as national security, defence, justice, law enforcement, and the NIS2 critical sectors (Article 29).
- Procurement requirements (Article 30):
  - If your activities are not identified as contributing to public order, you would procure cloud services recognised at Union assurance level 1 (Article 30(2)).
  - If your activities are so identified, you would only procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).
- Central repository: you would verify a provider's recognised status through a public central repository maintained by the Commission (Article 22).
- Transition periods: where a risk assessment requires migration to a more sovereign service, the proposal allows a reasonable transition period not exceeding 12 months, taking into account technical feasibility, service continuity and data portability (Article 29(6)).
Common misconceptions
- "Sovereignty means all data must stay in one country." No. The proposal promotes the free flow of data within the Union. Data can be stored and processed across Member States, provided it stays within the Union and meets the assurance criteria.
- "GDPR compliance is enough for sovereignty." No. As noted above, the GDPR protects personal-data privacy but does not address operational autonomy or the risk of third-country laws compelling disruption or access.
- "Only government agencies need sovereign clouds." The mandatory procurement rules bind the public sector, but the proposal also lets private entities in NIS2 critical sectors carry out similar assessments (Article 31), which is likely to create demand pressure beyond the public sector.
This is general information about a draft EU regulation, not legal advice.