Summary

Cloud sovereignty is the ability to keep control over data, operations and technology when those depend on a cloud service. In the proposed Cloud and AI Development Act (CADA), it is treated as broader than cybersecurity: it covers non-technical risks such as foreign legal access, service disruption and loss of operational autonomy. CADA would express it through four "Union assurance levels" (Article 16), with cumulative criteria in Annex II, ranging from a basic, self-assessed level 1 up to an independently audited level 4. The aim is to let public buyers match the level of control to the sensitivity of what they run, instead of relying on a vendor's "sovereign" label.

Detail

Defining cloud sovereignty under CADA

In the Cloud and AI Development Act (CADA), proposed as COM(2026) 502 final and not yet in force, cloud sovereignty goes well beyond data residency or encryption. The proposal frames sovereignty as a layered concept addressing the Union's strategic dependence on a small number of non-European providers.

The explanatory memorandum notes that three non-EU hyperscalers control over 70% of the European cloud market and that EU providers' share fell from 29% in 2017 to 15% in 2022. That concentration creates three kinds of risk that cloud sovereignty is meant to address:

  1. Data access — third-country laws with extraterritorial effect could compel a provider to disclose data (recital 46 cites "vulnerabilities arising from the extraterritorial application of third-country laws").
  2. Operational continuity — a third-country actor could degrade or disrupt the service for political or economic reasons.
  3. Technological autonomy — limited control over the underlying software supply chain.

Crucially, CADA separates cybersecurity (technical protection against attackers) from sovereignty (protection against legal, political and operational coercion by a foreign state). The explanatory memorandum positions CADA alongside the revision of the Cybersecurity Act, saying that together they "fill long-standing gaps in sovereignty and non-technical risks". Cloud sovereignty, in CADA's design, is precisely about those non-technical risks.

Recital 47 reinforces this. It notes that existing Union law already covers "cybersecurity, data protection, interoperability and data portability requirements", but that "there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks." Recital 50 then lists the kinds of harm the framework guards against — "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation)", "access to information ... espionage", and "dependency vulnerabilities (i.e. political and/or economic coercion ... by using vendor or technology lock-ins, embargos or sanctions ...)" — none of which is captured by a security certificate alone.

The four Union assurance levels (Article 16)

Article 16 establishes a Union cloud computing sovereignty framework "comprising four Union assurance levels, the criteria for which are set out in Annex II". The levels give public authorities a graduated way to match protection to the sensitivity of their data and operations. Annex II sets out the criteria as cumulative requirements that tighten at each level. In broad terms:

  • Level 1 — the baseline. The provider is established in the Union; infrastructure, assets and customer data (including metadata and telemetry) remain in the Union unless the public sector body explicitly requires otherwise; subcontractor use is transparent; and where the provider is under third-country control, it guarantees that no third-country law forces early reporting of software vulnerabilities to that country's authorities.
  • Level 2 — adds an independent audit, requires a European cybersecurity certificate of at least "substantial" assurance (or, until such a scheme exists, applicable national or highest Union standards), prohibits using service data to train or fine-tune AI systems operated by a third country, and requires measures preventing any third-country control from restricting the service, accessing data or disrupting continuity.
  • Level 3 — for sensitive activities. Personnel involved in the service must be Union citizens (with national security clearance where classified information is handled); providers must in principle not be under third-country control, with a narrow derogation only where the Commission has designated an associated third country (Article 18); and support must be performed within the Union by Union residents.
  • Level 4 — the highest tier. It requires a "high" cybersecurity certificate, allows no third-country-control derogation, and requires the provider to show that no third country holds effective control over the design, development, maintenance and evolution of software components.

Why sovereignty is more than cybersecurity

A provider can be highly secure against attackers yet still be legally compelled by its home government to hand over data or shut down a service. Recital 48 makes the point directly: tailored "sovereign" versions launched by non-EU providers "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." That is why CADA would add a distinct recognition and audit mechanism (Articles 17–21) for sovereignty criteria, separate from technical security audits.

The role of risk assessments

Sovereignty under CADA would not be a uniform mandate. Article 29 would require Member States and Union entities to carry out risk assessments to identify public-sector activities that contribute to the preservation of public order, considering the sensitivity, criticality and magnitude of the data, the risk of unlawful third-country access, and the risk of service disruption. Article 30 would then require level 1 as a minimum, and levels 2, 3 or 4 for public-order-relevant activities. Recital 52 frames this as deliberately proportionate: "most public services would not require the highest levels of assurance", and levels 3 or 4 would be reserved for "specific cases" where they are "necessary and proportionate in preserving public order."

How sovereignty is recognised

A claim of sovereignty would not be self-certified for the higher tiers. Under Article 17, a provider applies to the national competent authority of establishment, which evaluates the evidence and, for levels 2–4, relies on the independent audit and "positive" audit opinion under Article 20. Once concluded, recognition applies across the Union at the relevant level, and the service is listed in the Commission's central repository (Article 22). For SMEs at level 1, an EU statement of conformity is "directly and automatically recognised in all Member States" without prior recognition (Article 17(3)). Providers must report material changes that could affect their recognition (Article 23), so sovereignty status is monitored over time rather than granted once.

What this means for you

For public-sector buyers, the proposal would reshape how cloud services are evaluated:

  1. From technical to holistic evaluation. Security certificates alone would not suffice. You would weigh legal jurisdiction, ownership and control, personnel location, and supply-chain dependence against the Annex II criteria.
  2. Mandatory recognised services. You would procure services recognised under the framework — level 1 as a baseline, higher levels for critical functions — and confirm them in the Commission's central repository (Article 22).
  3. Risk assessment built in. You would determine the appropriate level before tendering, using the methodology the Commission would set out in implementing acts (Article 29(3)).
  4. Deeper supplier due diligence. Questions would move from "where is the data?" to "who controls the company, where do support staff sit, and is the software supply chain free from third-country coercion?"
  5. Transition time. Where a risk assessment requires migrating to a different service, Article 29(6) allows a transition period not exceeding 12 months, taking account of technical feasibility, continuity and data portability.

Common misconceptions

Cloud sovereignty is just data residency. Data must stay in the Union for the higher levels, but sovereignty also requires the provider to be established in the Union, personnel to be Union citizens at levels 3 and 4, and the company not to be subject to coercive third-country control. Residency is necessary but not sufficient.

A cybersecurity certificate equals sovereignty. A service can resist hackers yet remain vulnerable to legal coercion by its home government. CADA keeps technical security and sovereignty as separate requirements; higher levels demand both.

Only EU-owned companies can qualify. Levels 1 and 2 can accommodate providers with some third-country links if they implement the required legal, technical and organisational measures, and the Commission can recognise associated third countries for level 3 (Article 18).

Sovereignty means blocking all international data transfers. The framework targets unauthorised access and coercive transfers. Data may leave the Union where the public sector body explicitly requires it. The goal is control and autonomy, not isolation.

This is general information about a draft EU regulation, not legal advice.