Summary

In EU digital policy, "open strategic autonomy" means strengthening Europe's technological sovereignty and cutting critical dependencies on third-country providers while remaining an open, cooperative and non-discriminatory market for international partners. As proposed in the Cloud and AI Development Act (CADA), it is not full self-sufficiency or isolation. CADA would operationalise it through harmonised Union assurance levels (Article 16) that let public bodies procure cloud services guaranteeing operational autonomy and data confidentiality, while Article 18 keeps the door open to trusted third countries, so the Union can act autonomously where necessary without closing itself off.

Detail

"Open strategic autonomy" addresses the tension between the need for technological sovereignty — particularly in cloud and AI — and the EU's commitment to an open, rules-based international order. Under the proposed CADA, the principle is operationalised through a framework that mitigates dependence on non-European providers while preserving market access for entities that meet strict assurance criteria.

Reducing dependence while staying open. CADA recognises that the Union is critically dependent on a limited number of third-country cloud providers (Recital 46), creating strategic risks including vulnerabilities from the extraterritorial application of third-country laws, potential service disruption and reduced control over data and infrastructure. The proposal aims to reduce these dependencies by fostering a competitive European ecosystem, while explicitly rejecting protectionism.

Recital 61 sets out the balance: "The Union's objective of strengthening its autonomy should be pursued in a manner that remains open, cooperative and consistent with the Union's international commitments and partnerships." It adds that the policy objectives pursued through Union assurance levels should be understood as the Union's "capacity to act autonomously where necessary, while remaining engaged with its international partners and fostering mutually beneficial cooperation."

The role of assurance levels. CADA would introduce a Union cloud computing sovereignty framework of four Union assurance levels (Article 16), with criteria in Annex II. They are not designed to ban third-country providers outright but to ensure that services used in sensitive public-sector activities meet specific standards for data localisation, personnel, cybersecurity and freedom from third-country control.

  • Union assurance level 1 would require establishment in the Union, with infrastructure and customer data remaining exclusively within the Union unless the public-sector body requires otherwise.
  • Levels 2, 3 and 4 would impose progressively stricter requirements, including independent third-party audits and European cybersecurity certification (where available); from level 3, all personnel involved in providing the service must be Union citizens; and at level 4 the provider and subcontractors must not be subject to third-country control.

Crucially, Article 18 would allow the Commission to recognise third countries whose providers may be audited for level 3 if the country meets cumulative criteria — such as a GDPR adequacy decision and no measures compelling providers to degrade service or to access data in conflict with EU law. This embodies "open" autonomy: third-country providers can compete where they demonstrate equivalent safeguards.

Contrast with full self-sufficiency. Open strategic autonomy is distinct from autarky. The EU does not aim for a closed ecosystem using only EU-born technology; it seeks to avoid being held hostage by external actors. The explanatory memorandum frames the proposal as protecting public order by making the supply of cloud services more resilient and addressing data-sovereignty and operational-continuity concerns.

The focus is on resilience and control rather than origin. A third-country provider can qualify for higher levels where it is not subject to its home country's control in a way that compromises EU interests; conversely, an EU-based provider controlled by a third country may fail the criteria if it cannot demonstrate effective legal and technical separation.

Public procurement and risk assessment. The framework ties to procurement. Article 29 requires risk assessments to determine which assurance level is appropriate for specific activities. For activities contributing to the preservation of public order, contracting authorities must procure services recognised at level 2, 3 or 4 (Article 30(3)); other activities use level 1 (Article 30(2)). This risk-based approach keeps the measures proportionate and avoids unnecessary barriers for low-risk services.

What this means for you

For public-sector and procurement officers, open strategic autonomy translates into concrete obligations.

  1. Mandatory risk assessments. Under Article 29, you would assess which activities contribute to the preservation of public order and determine the appropriate level — repeated at least every two years, or whenever necessary.
  2. Procurement criteria. For public-order activities, you could not simply pick the cheapest provider; you would procure services recognised at level 2, 3 or 4. For other activities, you would use level 1.
  3. Verify recognition. Before awarding contracts, check that the service is listed in the central repository of recognised services (Article 22). Levels 2–4 require independent audit reports, not self-declarations.
  4. Consider multi-cloud strategies. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate, enhancing resilience.
  5. Plan transition periods. Where migration to a higher level is required, complete it within a reasonable transition period not exceeding 12 months (Article 29(6)).

Common misconceptions

  • "CADA bans all non-EU cloud providers." As proposed, it does not. Article 18 provides a route for third-country providers to be audited and recognised for level 3 where their home country meets strict criteria. The focus is on assurance, not nationality.
  • "Open strategic autonomy means the EU will become digitally isolated." Recital 61 stresses remaining "open, cooperative and consistent with the Union's international commitments." The aim is to reduce critical dependencies that pose security risks, not to end international trade in cloud services.
  • "All public-sector cloud use requires the highest level." The framework is risk-based. Most public services would require only level 1; higher levels are reserved for activities contributing to the preservation of public order (Article 30).
  • "'Sovereign cloud' is the same as 'EU-only cloud.'" A service can meet the assurance levels even if the provider has global operations, provided it demonstrates effective separation from third-country control and keeps data and infrastructure within the Union as required. Conversely, an EU-established provider controlled by a third country may not qualify.

This is general information about a draft EU regulation, not legal advice.