Summary
As proposed in the Cloud and AI Development Act (CADA), technical sovereignty in the cloud stack refers to the EU's ability to maintain control, autonomy, and resilience over the entire technology stack, from physical hardware and chips to middleware, operating systems, and application software. It moves beyond simple data privacy to address operational independence, ensuring European entities are not subject to unilateral disruptions, extraterritorial data access laws, or supply-chain vulnerabilities from third-country providers. The Commission's explanatory memorandum explicitly identifies "autonomy across the cloud stack" as a key domain for the Cloud and AI Leadership Initiatives. Achieving this would require a mix of sovereign cloud assurance levels, strategic investment in open-source components, and the deployment of European-designed hardware and software stacks.
Detail
The concept of technical sovereignty is central to the Commission's proposal for the Cloud and AI Development Act (CADA), COM(2026) 502 final. While earlier frameworks like the GDPR focused heavily on data protection, CADA addresses the broader technological dependencies that threaten the Union's economic security. The explanatory memorandum states that the proposal aims to reduce critical external dependencies by strengthening homegrown capabilities, specifically calling for "autonomy across the cloud stack" as a core operational objective.
Defining Technical and Software Sovereignty
In the context of CADA, technical sovereignty is not merely about where data is stored, but who controls the technology that processes it. It encompasses the entire cloud stack: from the physical infrastructure (servers, chips, data centres) to the middleware, operating systems, and application software.
The proposal defines a "cloud computing service" broadly, encompassing on-demand access to AI systems and scalable computing resources (Article 2(1)). Technical sovereignty ensures that the provider of these services operates under Union jurisdiction, with infrastructure and assets located within the Union, and with personnel and subcontractors subject to Union oversight. This control prevents third-country laws (such as the US CLOUD Act, which can compel data disclosure regardless of storage location) from overriding EU legal protections.
Crucially, the explanatory memorandum notes that the proposal "places a specific focus on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy." By promoting open standards and components, the EU aims to reduce vendor lock-in and increase transparency, ensuring that the foundational layers of the cloud ecosystem are not dependent on proprietary, closed-source technologies from non-EU providers.
The Sovereignty Framework: Union Assurance Levels
The core mechanism for achieving technical sovereignty under CADA is the Union cloud computing sovereignty framework, established in Article 16. This framework creates four "Union assurance levels" (Level 1 to Level 4), each with cumulative criteria that providers must meet to be recognised as offering a specific level of sovereignty. These criteria are detailed in Annex II.
- Union Assurance Level 1: Requires the provider to be established in the Union, with infrastructure and assets (including those of subcontractors) located in the Union. Customer data must remain exclusively within the Union unless explicitly required otherwise by the public sector body. The provider must also demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency around subcontractors (Annex II, Section 1).
- Union Assurance Levels 2–4: These higher levels introduce stricter requirements, including independent third-party audits (Article 20), mandatory European cybersecurity certifications (where available), and stricter controls on personnel.
  - Level 2: Requires the service to obtain a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, Section 2.1(e)).
  - Level 3: Requires the service to obtain a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, Section 3.1(e)) and mandates that personnel are Union citizens (conditional on public body requirements).
  - Level 4: Requires the service to obtain a European cybersecurity certificate of at least assurance level 'high' (Annex II, Section 4.1(e)) and mandates that personnel are Union citizens.
At Level 4, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (Annex II, Section 4.1(g)).
This tiered approach allows public authorities to match the level of sovereignty to the sensitivity of their operations. For instance, Article 30 mandates that contracting authorities whose activities contribute to the preservation of public order (e.g., defence, justice, critical infrastructure) must only procure services recognised as offering Union Assurance Levels 2, 3, or 4.
Open Source as a Sovereignty Lever
The CADA proposal places significant emphasis on open source as a strategic lever for boosting technological sovereignty. The explanatory memorandum states that the proposal "places a specific focus on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy."
By promoting open standards and open-source components, the EU aims to reduce vendor lock-in and increase transparency. Article 41 encourages Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open-source licence. This approach supports the development of "open cloud computing stacks" (Operational Objective 2, Article 4(2)), which are critical for achieving autonomy. When software components are open source, their code can be audited for backdoors or vulnerabilities, and they can be maintained independently if a third-country vendor withdraws support or imposes restrictions.
Furthermore, the Cloud and AI Leadership Initiatives support the creation of open-source software foundations and the development of secure, resilient, and performant open cloud computing stacks covering edge, connectivity, data, and AI tools (Article 4(2)(a)). This ensures that the foundational layers of the cloud ecosystem are not dependent on proprietary, closed-source technologies from non-EU providers.
Strategic Projects and Infrastructure
Technical sovereignty also relies on physical infrastructure. CADA introduces mechanisms to accelerate the deployment of data centres in the EU through "data centre acceleration zones" (Article 10). These zones offer streamlined permitting and support for projects that contribute to the Union's digital and energy sectors. The Commission can designate "data centre strategic projects" (Article 14) that include highly sustainable or innovative features, or that integrate chips, processors, and accelerators designed and manufactured in the Union. This supports the goal of building end-to-end European cloud stacks, from semiconductor design to software deployment.
What this means for you
For CTOs, architects, and SMEs evaluating cloud providers, the CADA proposal signals a shift in procurement criteria and architectural decisions.
- Procurement Requirements: If your organization is a public sector body or a regulated entity in a critical sector (e.g., energy, transport, healthcare), you will soon be required to conduct risk assessments (Article 29) to determine the appropriate Union Assurance Level for your cloud services. You cannot simply choose the cheapest or most feature-rich provider; you must verify their sovereignty status in the central repository (Article 22).
- Vendor Due Diligence: You will need to scrutinize your cloud providers' supply chains. Providers must provide full transparency on subcontractors (Annex II, Section 1.1(f)). For higher assurance levels, you may need to verify that the provider is not subject to third-country control and that their software stack includes components designed or manufactured in the Union (Article 32).
- Open Source Strategy: Embracing open-source solutions will become a strategic advantage. Architects should prioritize interoperable, open-standard-based solutions to avoid lock-in. The EU will provide an Open Source Solutions Catalogue (Article 43) to facilitate the reuse of software developed by public bodies, which could offer cost-effective and sovereign alternatives to proprietary software.
- Multi-Cloud Strategies: To mitigate risk, the proposal encourages considering multi-vendor or multi-cloud strategies (Article 29(9)). This diversification reduces dependency on a single provider and enhances resilience against service disruptions.
Common misconceptions
- "Sovereignty means data localization only."
  - Correction: While data localization is a component (data must remain in the Union for Levels 1–4), sovereignty also encompasses control over the provider, the hardware, the software code, and the personnel. A provider could store data in the EU but still be subject to third-country laws that allow remote access or service disruption, which violates higher assurance levels.
- "Open source automatically equals sovereignty."
  - Correction: Open source is a powerful tool, but it is not a guarantee. The code must be maintained by entities under Union control or with sufficient transparency. CADA promotes open source as part of a broader strategy that includes auditing, certification, and supply chain transparency.
- "This only applies to large hyperscalers."
  - Correction: The framework applies to all cloud computing service providers seeking to serve the public sector. SMEs and European providers can compete by achieving Union Assurance Level 1 recognition through self-assessment (Article 19), which can be directly recognised for SMEs without prior national authority recognition (Article 17(3)).
This is general information about a draft EU regulation, not legal advice.