Summary
In the EU's digital strategy, economic security refers to the resilience of the Union's cloud and AI ecosystem against external coercion, dependency vulnerabilities and service disruption. As proposed, the Cloud and AI Development Act (CADA) treats this as a matter of public order: it would require public-sector bodies to mitigate risks from third-country-controlled providers through a harmonised sovereignty framework (Article 16, with criteria in Annex II) and mandatory risk assessments (Article 29). The aim is to keep critical infrastructure under Union control and prevent operational discontinuity or political leverage by non-EU actors.
Detail
The Commission's proposed CADA frames economic security not merely as market competitiveness but as a component of public order and strategic autonomy. The proposal addresses the EU's pronounced dependence on a limited pool of third-country cloud providers: as the explanatory memorandum notes, the market share of EU providers has fallen over recent years, and three non-EU hyperscalers now control over 70% of the European cloud market. This concentration creates structural vulnerabilities that extend beyond data privacy into operational continuity and economic coercion.
Economic security as resilience against coercion
CADA explicitly links economic security to the protection of public order. Recital 49 states that "the significant increase in public order concerns – including, for example, economic security risks – requires effective and coherent implementation of safeguards for activities supported by the Union budget." This framing elevates economic security from a commercial concern to a matter of sovereign integrity.
The proposal identifies the specific threats. Recital 50 details the risks of dependence on providers subject to third-country control, in three categories:
- Misuse: "manipulation, remote access and control, sabotage, weaponisation."
- Access to information: "unauthorised communication, technology leakage, data manipulation or exfiltration, espionage."
- Dependency vulnerabilities: "political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States."
By naming these risks, the proposal establishes that economic security is compromised when the Union loses agency over its digital supply chain. It argues that existing safeguards — cybersecurity, data protection, interoperability and portability rules — do not, on their own, prevent the degradation or disruption of service by third-country providers (Recital 47, Recital 48).
The Union assurance levels framework
To operationalise economic security, CADA would introduce a "Union cloud computing sovereignty framework" under Article 16, establishing four "Union assurance levels" (1 through 4). The detailed criteria live in Annex II; they are cumulative, so a Level 3 service must also meet all Level 1 and 2 criteria (Article 20(1)).
The criteria progressively mitigate the risks of coercion and disruption:
- Level 1: provider established in the Union; infrastructure and assets in the Union; customer data (including metadata and telemetry) kept exclusively within the Union unless the public sector body requires otherwise.
- Level 2: adds that infrastructure, assets and personnel are located in the Union; that data generated by using the service is not used to train or fine-tune any AI system operated by a third country; and a European cybersecurity certificate of at least "substantial" assurance. (Additional personnel screening and Union-citizenship requirements apply only where the public sector body determines they are necessary.)
- Level 3: mandates that personnel are Union citizens and that the provider is not subject to third-country control — subject to a narrow derogation for "associated third countries" recognised by the Commission under Article 18.
- Level 4: the highest level, requiring effective separation from third-country subsidiaries, a "high" cybersecurity certificate, and that no third country holds or exercises effective control over the design, development, maintenance and evolution of the software components.
Article 17 would establish the recognition mechanism: providers apply to the national competent authority of establishment, which assesses the evidence (a self-assessment for Level 1, or an independent audit report for Levels 2–4). This creates a harmonised, EU-wide standard rather than fragmented national definitions of sovereignty.
Risk assessments and procurement obligations
Economic security would be enforced through procurement. Article 29 would oblige Member States and Union entities to carry out risk assessments (at least every two years) to identify which public sector activities contribute to the preservation of public order. The assessments must consider data sensitivity, the risk of unlawful access by a third country, and the risk of possible service disruption.
Based on those assessments, Article 30 would require:
- Bodies whose activities are not identified as contributing to public order to use services with at least Union assurance level 1 (Article 30(2)).
- Bodies whose activities are so identified (NIS2 sectors, or national security, defence, justice, law enforcement) to procure only services with Union assurance levels 2, 3, or 4 (Article 30(3)).
This tiered approach keeps economic-security measures proportionate — avoiding unnecessary burdens on low-risk services while imposing strict requirements on critical functions, guarding against the "dependency vulnerabilities" of Recital 50.
What this means for you
For public-sector procurement officers, CADA would turn economic security from a theoretical concept into a binding requirement. You would shift from evaluating providers mainly on price and features to assessing their sovereignty profile.
- Conduct risk assessments. Under Article 29, you would align with your Member State's assessment to determine whether your activities are linked to public order. If they are, tenders must be restricted to providers recognised at Levels 2–4 (Article 30(3)).
- Verify assurance levels. Check the central repository the Commission would maintain under Article 22 to confirm a provider holds valid recognition for the required level. Self-declarations or national certifications that do not align with CADA's Union assurance levels would not suffice for Levels 2–4.
- Plan for transition. If your current provider does not meet the required level, you would plan a migration. Article 29(6) would allow a transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability.
- Evaluate supply chains. Annex II would require providers to demonstrate control over their software components — including an SBOM and controls to block remote features that could tamper with or disrupt the service — so that no third country can remotely degrade it during geopolitical tension.
Common misconceptions
Economic security is the same as data privacy. They are distinct. The GDPR protects personal-data rights but does not prevent a provider from degrading service or cutting access due to third-country sanctions. CADA's economic-security framework targets operational autonomy and resilience against coercion.
Only national security agencies are affected. Economic-security risks apply broadly. While higher levels are mandatory for critical sectors, Article 30(2) would require all in-scope public sector bodies to use at least Union assurance level 1, so even non-critical services are not exposed to uncontrolled third-country dependencies.
Open source automatically guarantees economic security. CADA would promote open source to reduce lock-in (Article 41), but open source alone does not mitigate service-disruption or third-country-control risks. A provider must still meet the specific Annex II criteria — location of assets, personnel requirements, and absence of third-country control — regardless of software licence.
This is general information about a draft EU regulation, not legal advice.