Summary
Under the proposed Cloud and AI Development Act (CADA), operational sovereignty (operational autonomy) is a provider's ability to deliver services without being subject to the control, laws or disruptive actions of a third country. It is about ensuring service continuity is not degraded or interrupted by external geopolitical pressures such as sanctions or data-access mandates. As proposed, this concept is central to the Union assurance framework: providers would have to demonstrate they can resist third-country interference to qualify for the higher assurance levels.
Detail
CADA as proposed distinguishes technical security from broader geopolitical risk. Cybersecurity standards address breaches and malware; operational sovereignty addresses the risk that a provider subject to foreign jurisdiction could be forced to degrade, disrupt or deny service to EU customers because of extraterritorial laws, sanctions or political coercion.
Defining operational autonomy
Operational autonomy is the capacity of a provider to maintain the quality, continuity and availability of its services independently of third-country influence. It is not merely about where data is stored, but about who controls the infrastructure and the legal frameworks governing the provider.
Recital 48 of the proposal highlights the limits of current market offers, noting that providers' "tailored versions" of their services "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service". Without addressing these operational risks, the proposal argues, the Union cannot ensure autonomy or control over its digital infrastructure.
The risk of service disruption
The proposal links operational sovereignty to public order and economic security. Recital 50 identifies dependency vulnerabilities including "political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States". These can lead to degradation or disruption of service continuity, threatening critical public functions and essential industries.
To mitigate these risks, CADA would establish a Union cloud computing sovereignty framework of four assurance levels (Article 16), with criteria in Annex II. Operational-sovereignty requirements tighten as the level rises:
- Union assurance level 1: where a provider is subject to third-country control, it must guarantee that there are no laws in that third country requiring it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited (Annex II, point 1.1(g)).
- Union assurance level 2: providers subject to third-country control must demonstrate measures ensuring the control does not restrain or restrict the provider's ability to perform and deliver the service or undermine the capabilities and standards necessary, and that disruption of service continuity or degradation of service quality by the third country is prevented (Annex II, point 2.1(g)).
- Union assurance levels 3 and 4: as a rule, providers and subcontractors must not be subject to third-country control. A derogation exists only at level 3, where the Commission has adopted an implementing act recognising a third country as providing sufficient assurances (Article 18); even then, the provider must still demonstrate the safeguards against disruption and degradation (Annex II, point 3.1(g)). There is no such derogation at level 4 (Annex II, point 4.1(g)).
The role of risk assessments
Operational sovereignty is not a one-size-fits-all mandate. Article 29 would require Member States and Union entities to conduct risk assessments to determine which activities require higher assurance levels, considering "the risk and consequent impact on public order of possible service disruption" (Article 29(2)(c)). Where an activity contributes to public order, the contracting authority would be required to procure services recognised at Union assurance levels 2, 3 or 4 (Article 30).
What this means for you
For CTOs, architects and SMEs, operational sovereignty moves vendor risk beyond SLAs and security certificates to include geopolitical resilience.
- Evaluate third-country control. If your provider is headquartered in or controlled by a non-EU entity, assess whether its home-country laws could compel it to disrupt your service. Higher assurance levels would require the provider to prove it has measures to resist such coercion.
- Review subcontractor chains. Operational sovereignty extends to subcontractors involved in service provision, who must also meet the location and control criteria at level 2 and above. Check for hidden third-country dependencies.
- Prepare for public-sector procurement. Many public-order-relevant functions would require level 2 or higher, meaning an independent third-party audit (Article 20). Note that an SME's EU statement of conformity for level 1 would be directly and automatically recognised in all Member States without prior recognition by the evaluating authority (Article 17(3)); higher levels still require audits.
- Add contractual safeguards. Beyond the regulatory baseline, robust continuity clauses addressing sanctions or legal conflicts can clarify liability and mitigation during disruptions.
Common misconceptions
- Operational sovereignty is the same as data localisation. Localisation keeps data in the EU but does not stop a provider shutting down or degrading the service under external legal pressure. Operational sovereignty is about the continuity and control of the service itself.
- Only non-EU providers are affected. An EU-established provider can still be subject to third-country control through ownership or other influence. All providers seeking the higher levels would have to demonstrate they are free of controlling influences that could cause disruption.
- Operational sovereignty is optional for private companies. CADA would primarily mandate risk assessments for public sector bodies (Article 29), but entities listed in Annex I of the NIS2 Directive that are not public sector bodies may carry out similar impact assessments (Article 31). Market demand for higher assurance levels is also likely to influence private buyers.
This is general information about a draft EU regulation, not legal advice.