Summary

The centrepiece of the proposed Cloud and AI Development Act (CADA) is a harmonised, four-tier "Union assurance framework" designed to mitigate risks from third-country dependencies. As proposed, this mechanism (established in Article 16) requires cloud providers to undergo either conformity self-assessments or independent third-party audits to gain formal recognition for serving the public sector. This system ensures data confidentiality and operational autonomy, with Articles 17 through 21 detailing the rigorous recognition procedures, audit requirements, and the specific role of "associated third countries."

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), introduces a comprehensive regulatory structure to strengthen Europe's cloud and AI ecosystem. At the heart of this proposal is a unified sovereignty framework intended to reduce the Union's reliance on non-European cloud providers and protect public order. This framework is not a single rule but a layered system of assurance, recognition, and verification, anchored by Article 16.

The Four-Tier Assurance Framework

The core mechanism of CADA's sovereignty rules is the establishment of four distinct "Union assurance levels" (Level 1 to Level 4). As set out in Article 16, these levels define the cumulative criteria that cloud computing service providers must meet to be considered as offering a specific level of Union assurance. The criteria, detailed in Annex II, address key sovereignty concerns including the location of infrastructure, the citizenship of personnel, the absence of third-country control, and strict data localisation requirements.

  • Level 1 serves as the baseline. It requires providers to be established in the Union, with infrastructure and data remaining exclusively within the Union unless the public sector body explicitly requires otherwise. It relies on a self-assessment model.
  • Levels 2, 3, and 4 introduce progressively stricter requirements. These levels mandate that personnel involved in service provision are Union citizens (conditional at Level 2, mandatory at Levels 3 and 4), that technical support is performed exclusively within the Union, and that providers are not subject to the control of third countries or legal entities established in third countries. Level 4 represents the highest standard, typically required for the most sensitive public sector activities involving classified information.

Recognition and Self-Assessment Procedures

To operate within the public sector, providers must demonstrate compliance with these levels through a formal recognition process established in Article 17. A cloud computing service provider aiming to be recognised as offering a specific Union assurance level must submit an application to the national competent authority of their establishment.

The proposal distinguishes sharply between the levels based on the rigour of verification:

  • For Union assurance level 1, Article 19 outlines a conformity self-assessment process. Providers carry out this assessment themselves, issue an EU statement of conformity, and make it publicly available. Notably, for small and medium-sized enterprises (SMEs), this statement is directly and automatically recognised in all Member States without prior recognition by the competent authority, lowering barriers to entry.
  • For Union assurance levels 2, 3, and 4, the requirement is significantly more stringent. Providers must undergo independent third-party audits. Article 20 details these independent audits, which must be performed by auditing organisations that are independent from the provider and possess proven technical competence. These audits result in an audit report and a 'positive' or 'negative' opinion. A 'positive' opinion is a prerequisite for recognition at these higher levels.

Audit Evidence and Independence

To ensure the integrity of the higher assurance levels, Article 21 specifies the content and quality of audit evidence. Auditing organisations must assess compliance based on evidence listed in Annex III of the proposal, ensuring that the audit is reliable and sufficient. The auditing organisations must adhere to strict independence requirements, including prohibitions on providing non-audit services to the provider shortly before or after the audit, to prevent conflicts of interest. The audit report must be substantiated in writing and include a clear opinion on whether the service complies with the applicable criteria.

Associated Third Countries

While the framework prioritises Union-based autonomy, Article 18 provides a specific mechanism for "associated third countries." The Commission may adopt decisions identifying third countries that fulfil specific cumulative criteria, such as having an adequacy decision under the GDPR and lacking measures that enable control over cloud providers in ways that conflict with EU law. Providers controlled by these third countries may be eligible for audit against the criteria for Union assurance level 3, provided they meet strict safeguards against unauthorised access and service disruption. This is a derogation from the general rule that Level 3 providers must not be subject to third-country control.

Central Repository and Transparency

To facilitate transparency and trust, Article 22 requires the Commission to establish a central repository of services recognised as offering Union assurance levels. This repository allows public sector buyers to verify the status of providers easily. Furthermore, Article 23 imposes transparency obligations on providers to report any material changes that may affect their recognised status, ensuring the registry remains accurate and up to date.

What this means for you

For public-sector procurement officers and cloud service providers, the introduction of these sovereignty rules fundamentally changes how cloud services are tendered and contracted.

  1. Mandatory Assurance Levels: Under Article 30, which operationalises the sovereignty framework, contracting authorities must procure cloud computing services that have been recognised under a specific Union assurance level. Generally, services not identified as contributing to the preservation of public order must use Level 1 recognised services. However, if a risk assessment (conducted under Article 29) identifies activities as contributing to public order (e.g., in national security, defence, or justice), authorities must procure services recognised at Level 2, 3, or 4.
  2. Simplified Verification: You no longer need to conduct deep-dive technical audits of providers yourself. Instead, you rely on the recognition granted by national competent authorities and the data in the central repository. For Level 1, you can accept the provider's EU statement of conformity. For higher levels, you verify the 'positive' audit opinion from an accredited auditing organisation.
  3. Risk Assessment Obligations: Procurement officers must engage in regular risk assessments (every two years, or when necessary) to determine the appropriate assurance level for their specific use cases. This requires collaboration with legal, security, and data protection teams to evaluate the sensitivity and criticality of the data processed.
  4. Support for SMEs: The automatic recognition of Level 1 conformity statements for SMEs (under Article 17) lowers barriers to entry for smaller European providers, potentially increasing competition in your procurement processes.

Common misconceptions

  • "Sovereignty means data must never leave the EU." While data localisation is a key criterion for all assurance levels, the proposal allows for exceptions. Under Article 16 and the specific criteria in Annex II, data may remain outside the Union if the public sector body explicitly requires it otherwise. However, the default requirement is exclusive retention within the Union.
  • "Only EU-owned companies can qualify." This is not entirely accurate. While Levels 3 and 4 generally require that providers are not subject to third-country control, Article 18 allows for exceptions for providers from "associated third countries" that meet strict legal and technical safeguards. Furthermore, Level 1 and 2 do not explicitly ban third-country ownership in all cases, provided specific legal and technical measures are in place to prevent third-country interference.
  • "The AI Act replaces these sovereignty rules." The AI Act and CADA are complementary but distinct. The AI Act focuses on the safety, fundamental rights, and transparency of AI systems themselves. CADA's sovereignty framework focuses on the operational autonomy, data confidentiality, and resilience of the cloud infrastructure hosting those services. A provider can be AI Act-compliant but fail to meet CADA's Level 3 sovereignty criteria if it is subject to third-country control.

This is general information about a draft EU regulation, not legal advice.