Summary
As proposed, the Cloud and AI Development Act (CADA) would create a single EU-wide cloud sovereignty framework of four "Union assurance levels," instead of relying on fragmented national labels such as France's SecNumCloud. SecNumCloud is a voluntary national certification with no automatic legal effect in other Member States. CADA, by contrast, would establish a harmonised framework under Article 16 and tie it to mandatory public-procurement obligations under Article 30, so that sovereignty requirements are uniform across the Union. National labels like SecNumCloud would not be automatically equivalent to any CADA level.
Detail
The core differences between the proposed CADA framework and national labels such as SecNumCloud lie in legal nature, geographic scope and enforceability. SecNumCloud is a voluntary certification scheme run by France's Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). It shows that a cloud service meets specific French security and sovereignty requirements, but it is a national instrument with no automatic legal effect in other EU Member States.
CADA is a proposed EU Regulation. As set out in Article 16, it would establish a "Union cloud computing sovereignty framework comprising four Union assurance levels," the criteria for which are in Annex II, that providers must meet to supply cloud computing services to Union entities and public-sector bodies. Recognition under this framework would, once granted, be valid throughout the Union (Article 17), removing the need to navigate divergent national regimes.
Harmonisation and the end of fragmentation
CADA's single-market objective rests on Article 114 of the Treaty on the Functioning of the European Union (TFEU). The explanatory memorandum notes that some Member States have developed national approaches to identifying sovereign services, but that these "do not adequately address cross-border issues," risking fragmentation of the internal market. By setting a harmonised, auditable set of criteria at different levels of sovereignty, the proposal aims to improve the functioning of the internal market and let cloud providers grow beyond their national markets.
Mandatory vs voluntary compliance
SecNumCloud is voluntary: a provider chooses to seek it. CADA, by contrast, would introduce mandatory procurement rules linked to its assurance framework.
Under Article 30 of the proposal, contracting authorities and Union entities procuring cloud computing services for their exclusive use would be subject to assurance-level requirements:
- Bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment must use services recognised under Article 17 as having Union assurance level 1.
- Authorities whose activities have been so identified — in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice or law enforcement — must only procure services recognised at Union assurance level 2, 3 or 4.
This is a hard legal requirement for public-sector buyers, with limited exceptions under Article 30(4). SecNumCloud, by contrast, serves as a national benchmark. National criteria may inform technical requirements, but CADA's framework would be the legal determinant for EU public procurement.
The four assurance levels
Under Article 16 and Annex II, the four tiers, as proposed, differ in strictness:
- Level 1: the provider must be established in the Union (Annex II). It relies on a conformity self-assessment and an EU statement of conformity (Article 19).
- Levels 2–4: require independent third-party audits (Article 20). These levels add cumulative controls. Annex II requires personnel involved in providing the audited service to hold Union citizenship at Level 3 and Level 4 (at Level 2 only where necessary), and requires a European cybersecurity certificate of at least assurance level "substantial" at Levels 2 and 3 and "high" at Level 4. Level 4 is the highest tier, for the most sensitive public-order activities.
What this means for you
For in-house counsel and compliance officers, moving from national labels to a harmonised EU framework would change both strategy and obligations.
1. Procurement strategy and due diligence
Public-sector entities would need to align procurement with CADA's assurance levels. A SecNumCloud label alone would not satisfy CADA: you would need to verify that a provider has formal recognition under Article 17 at the appropriate level. Article 29 would require Member States and Union entities to carry out risk assessments to determine the appropriate level; as proposed, the first assessment would be due within one year of entry into force and repeated every two years thereafter.
2. Provider compliance and audits
For providers, SecNumCloud may no longer be sufficient to win EU public contracts; recognition under CADA's framework would be needed.
- Level 1: issue an EU statement of conformity based on a self-assessment (Article 19).
- Levels 2–4: undergo independent third-party audits to obtain an audit report and a positive audit opinion (Article 20), submitted to the evaluating national competent authority for recognition (Article 17).
3. Penalties and enforcement
Article 24 would require Member States to lay down penalties for infringements that are "effective, proportionate and dissuasive," and would give recipients of cloud services a right to seek compensation for damage caused by a provider's infringement. Specific fine levels would be set in national implementation; CADA itself does not fix a figure.
4. Transition periods
As proposed, CADA would apply one year after its entry into force (Article 48). Providers and public bodies should begin mapping current services against the assurance criteria. National labels may help demonstrate certain technical criteria, but would not replace formal CADA recognition.
Common misconceptions
Misconception 1: SecNumCloud will be automatically recognised as CADA Level 3 or 4. There is no automatic equivalence in the proposal. CADA requires recognition via the national competent authority procedure (Article 17) and, for Levels 2–4, a positive audit opinion under Article 20. Holding a national label does not confer CADA status.
Misconception 2: CADA replaces all national cybersecurity certifications. CADA's framework focuses on trust, control and autonomy. It complements existing cybersecurity certification: as proposed, Levels 2 and 3 require a European cybersecurity certificate of at least "substantial" assurance, and Level 4 of "high" — these are components of the broader sovereignty assessment, not replacements for it.
Misconception 3: Only the public sector is affected. The mandatory procurement rules target the public sector, but there are spillovers. Under Article 31, entities in scope of Annex I of the NIS2 Directive that are not public-sector bodies may carry out similar assessments, and the Commission may, in defined circumstances, make such assessments mandatory by delegated act. Providers may also adopt CADA-aligned offerings across their portfolio.
This is general information about a draft EU regulation, not legal advice.