Summary
Data sovereignty means data is subject to the laws and governance of the jurisdiction that controls it, not merely where it is physically stored. As proposed in the Cloud and AI Development Act (CADA), this idea sits at the heart of a "Union cloud computing sovereignty framework" designed to reduce the EU's dependence on a small number of third-country cloud providers whose home jurisdictions could compel data access or service disruption. It is distinct from data residency, which concerns only physical location.
Detail
To understand data sovereignty in the context of the proposed Cloud and AI Development Act (CADA), you have to look beyond geography. Data sovereignty is the principle that data is subject to the laws and governance structures of the jurisdiction in which it is controlled. That control spans legal authority, operational autonomy, and the ability to prevent unauthorised access or service disruption by foreign entities.
CADA would establish a "Union cloud computing sovereignty framework" (Article 16). The framework is designed to mitigate the risks of the EU's reliance on a limited number of cloud computing service providers subject to the control of third countries. Recital 46 of the proposal sets out those risks, citing "vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality and resilience of cloud computing services, reduced control and oversight over personal and non-personal data and infrastructure, and the risk of undue economic or political influence."
So under CADA, as proposed, data sovereignty is not just about keeping data inside EU borders; it is about ensuring the entities controlling that data are not subject to laws that could compromise the Union's public order. The framework defines four "Union assurance levels," with criteria set out in Annex II, ranging from a baseline tier to high-assurance services suited to the most sensitive public-sector activities.
Distinction from data residency
A common point of confusion is the difference between data sovereignty and data residency. Data residency refers strictly to the physical location of data storage. A data centre in Germany delivers EU data residency. But residency does not guarantee sovereignty: if the provider controlling that data centre is subject to the laws of a third country (for example, a country whose law compels disclosure regardless of where data sits), the data is not sovereign.
CADA recognises this distinction. Annex II requires customer data — including metadata and telemetry — to remain exclusively within the Union across the assurance levels, but that is only one component. As proposed, genuine sovereignty also requires that the provider and its subcontractors are not exposed to third-country control that could compel data access or service disruption. At Union assurance level 3, the audited provider and its subcontractors must not be subject to the control of a third country or of a legal entity established in a third country, save for a narrow derogation route for "associated third countries" (Article 18 and Annex II).
The CADA sovereignty framework
Article 16 establishes the core mechanism, with the detailed criteria for each of the four levels set out in Annex II. Higher levels add progressively stricter requirements so that public sector bodies can match the service to the sensitivity of their data and activities.
- Union assurance level 1 would require the provider to be established in the Union, with infrastructure and assets located in the Union, and customer data kept exclusively within the Union unless the public sector body explicitly requires otherwise. It is self-assessed (Article 19).
- Union assurance level 2 is audited and adds, among other things, that data generated by using the service is not used to train or fine-tune AI systems operated by a third country, that technical support is performed within the Union, and that any third-country control cannot restrain the service, reach customer data, or disrupt continuity.
- Union assurance level 3 requires that the provider and its subcontractors are not subject to third-country control (with a limited derogation for associated third countries under Article 18), and that personnel involved in the service are Union citizens with security clearances where classified information is handled.
- Union assurance level 4 is the highest tier: it requires that sensitive data identified through a risk assessment remains exclusively within the Union, that personnel are Union citizens (with clearances where appropriate), and that there is no third-country control at all — with no derogation.
Note that under Annex II, requiring personnel to be Union citizens is a feature of levels 3 and 4; at level 2, citizenship and extra screening apply only if the public sector body determines they are necessary.
Member States and Union entities would conduct risk assessments (Article 29) to decide which assurance level fits each activity, keeping sovereignty measures proportionate to the risk to public order.
What this means for you
For public-sector and procurement officers, data sovereignty would become central to compliant cloud procurement. As proposed, CADA shifts you from price-and-features vendor selection toward a risk-based approach that weighs the sovereignty profile of each service.
- Conduct risk assessments. Under Article 29, Member States and Union entities would carry out risk assessments to identify which public sector activities contribute to the preservation of public order — including activities in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement.
- Procure by assurance level. Under Article 30, activities identified as contributing to public order could only be served by services recognised at Union assurance level 2, 3 or 4; other public-sector activities would require at least level 1.
- Evaluate control, not just location. Look past where the data centres sit and assess who controls the provider. A provider exposed to a third country's compulsory-access laws may not meet the higher levels even with EU data centres.
- Use the central repository. The Commission would maintain a central repository (Article 22) of recognised services. Use it to confirm which providers have been formally recognised at which assurance level.
Common misconceptions
- "Data residency equals data sovereignty." Residency is physical location; sovereignty is legal control and jurisdiction. A provider can have EU data centres yet still be exposed to foreign laws that undermine sovereignty.
- "Sovereignty means all data must stay in the EU." Strict data localisation is a core criterion, but the Annex II requirements allow exceptions where the public sector body explicitly requires otherwise, and at level 4 the exclusive-EU rule attaches specifically to data identified as sensitive through a risk assessment.
- "Only government agencies need to worry about sovereignty." CADA's procurement mandate targets the public sector, but the proposal also lets private entities in high-criticality sectors carry out similar assessments (Article 31), so companies in fields such as energy or finance may need to weigh sovereignty risks too.
This is general information about a draft EU regulation, not legal advice.