Summary

Under the proposed Cloud and AI Development Act (CADA), operational autonomy is the capacity of a cloud service to maintain continuity and quality without interference from third-country laws or entities. Foreign providers struggle to guarantee it because their parent companies or ultimate controllers remain subject to extraterritorial legislation that may compel them to degrade, disrupt or grant access to data, undermining the Union's public order. As proposed, CADA would require critical public sector activities to use services recognised at higher Union assurance levels (Article 16, with criteria in Annex II), several of which prohibit third-country control.

Detail

CADA would introduce a framework to address the EU's strategic dependence on non-European cloud services. A central pillar is operational autonomy, which goes beyond data localisation to the broader capacity of a service to function independently of foreign geopolitical pressure.

Defining operational autonomy in CADA

Operational autonomy encompasses the legal, technical and organisational independence of the provider, not just the physical location of servers. The proposal observes that reliance on a limited number of third-country providers exposes the Union to "critical strategic dependencies and concentration risks," including "potential disruptions affecting the continuity, quality and resilience of cloud computing services" and "the risk of undue economic or political influence being exercised through the control by third countries" (Recital 46).

CADA would establish a Union cloud computing sovereignty framework of four "Union assurance levels" (Article 16), with detailed criteria in Annex II. The levels are layered: Level 1 sets a baseline of Union establishment and data residency, while higher levels (2, 3 and 4) impose increasingly strict criteria on personnel, supply chains and the absence of third-country control.

Why foreign providers cannot easily guarantee operational autonomy

The core reason lies in the legal jurisdiction of a provider's ultimate controllers. Even an EU subsidiary may remain subject to its home country's laws.

1. Extraterritorial legal reach. Recital 48 states that tailored "sovereign" service versions "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." This is the concern behind laws such as the US CLOUD Act, which can compel US-based providers to disclose data in their "possession, custody, or control" regardless of where it is stored. A provider that cannot lawfully refuse such orders cannot guarantee uninterrupted service or that data will stay inaccessible to foreign authorities.

2. Personnel and support dependencies. Operational autonomy also depends on who runs the service.

  • Personnel: Annex II requires, for Union assurance levels 3 and 4, that personnel involved in providing the service are Union citizens (Annex II, Sections 3.1(d) and 4.1(d)). For Level 2, additional personnel screening and Union-citizenship requirements apply only where the public sector body determines they are necessary (Annex II, Section 2.1(d)). Foreign providers that rely on global support teams may have critical administrative access handled by staff subject to foreign jurisdiction.
  • Technical support: For Levels 2, 3 and 4, technical and operational support must be initiated and performed exclusively within the Union (Annex II, Sections 2.1(h), 3.1(h), 4.1(h)). For Levels 3 and 4, that support must additionally be provided by personnel who are Union residents and by third parties not subject to third-country control. A global support model cannot meet this.

3. Supply chain and software control. Annex II requires providers to demonstrate control over their software components — including an SBOM and, where third-country software is used, controls to "block any remote features that could materially tamper with or disrupt a device, system, or software" (Annex II, Section 2.1(i)). For Level 4, the provider must show that no third country holds or exercises effective control over the design, development, maintenance and evolution of those components (Annex II, Section 4.1(i)). A provider whose key components are controlled by a third-country entity cannot guarantee they will not be used to degrade or disrupt the service.

Risk assessments and public order

CADA links operational autonomy directly to public order. Article 29 would require Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal/external security, defence, justice or law enforcement.

Where an activity is identified as public-order relevant, Article 30(3) would require contracting authorities to procure only services recognised at Union assurance levels 2, 3 or 4. That is a hard barrier for foreign providers unable to meet the strict criteria — in particular the requirement that the provider and its subcontractors are not subject to third-country control (Annex II, Sections 3.1(g) and 4.1(g)).

Continuity of service as a sovereignty objective

The objective is not only data privacy but continuity of service. Recital 50 highlights "dependency vulnerabilities (i.e. political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions)." A provider subject to third-country law might be compelled to cease operations or degrade quality in response to sanctions or political pressure. CADA's framework aims to ensure that services critical to public order are provided by entities able to operate autonomously.

What this means for you

For CTOs, architects and SMEs, CADA would shift cloud procurement from a technical-and-financial evaluation toward a sovereignty assessment.

1. Procurement for public sector and critical infrastructure. If you are a public sector body, or in some cases an entity in a NIS2 high-criticality sector, you may need to conduct risk assessments under Article 29 (public sector bodies) or Article 31 (private entities, which may carry out similar impact assessments). Where activities are public-order relevant, you must procure Levels 2, 3 or 4, which excludes most non-EU hyperscalers unless they can meet Annex II, including separation of EU operations from third-country control.

2. Evaluating "sovereign" claims from foreign providers. Be skeptical of foreign "sovereign" EU offerings. Under CADA, a service would not be sovereign at the higher levels if the provider remains subject to third-country control. Look for:

  • Legal separation: effective legal, technical and organisational separation between the EU entity and any third-country subsidiary (Annex II, Section 2.1(k)).
  • Personnel independence: for the higher levels, personnel who are Union citizens/residents and support performed within the Union.
  • Supply-chain control: no third-country entity holding effective control over the software components.

3. Multi-cloud and exit strategies. CADA would encourage considering multi-vendor or multi-cloud strategies for resilience (Recital 65; Article 29(9)). For SMEs, this may mean diversifying away from a single foreign hyperscaler toward EU-based providers with recognised assurance levels. Ensure your architecture supports portability and switching.

4. Private-sector impact. Private entities in NIS2 high-criticality sectors may carry out similar impact assessments (Article 31(1)); the Commission may issue guidance (Article 31(2)) and, in duly justified cases, adopt delegated acts requiring such assessments (Article 31(3)). Assessing your provider's operational autonomy now can future-proof against regulatory and geopolitical change.

Common misconceptions

Data localisation is enough for operational autonomy. Reality: Localisation keeps data in the EU, but it does not prevent a foreign provider from being compelled to degrade service, cut access or provide access to data. Operational autonomy requires legal and organisational independence from third-country control, not just data residency.

Foreign providers can easily comply by setting up an EU subsidiary. Reality: For Levels 3 and 4, the provider and its subcontractors must not be subject to third-country control. A subsidiary controlled by a foreign parent fails this unless the strict separation measures are demonstrated and audited — often difficult to achieve.

CADA bans all foreign cloud providers. Reality: It would not ban them outright. It creates a tiered system: foreign providers may still serve non-critical public sector activities (Level 1) or the private market; only for public-order-relevant activities are Levels 2, 3 or 4 required.

Operational autonomy is only about cybersecurity. Reality: Cybersecurity is one component. Operational autonomy is primarily about geopolitical and legal independence — resilience against sanctions, embargoes and extraterritorial access laws — which is distinct from traditional cyber threats.

This is general information about a draft EU regulation, not legal advice.