Summary
Under the proposed Cloud and AI Development Act (CADA), divergent national "sovereign cloud" labels would give way to a single, harmonised EU-wide framework of four "Union assurance levels" to prevent market fragmentation. A service recognised at a Union assurance level in one Member State would be recognised across the entire EU. For in-house counsel, this means procurement decisions for public sector bodies would rest on national (or Union-entity) risk assessments mapped to harmonised EU-wide recognition criteria and standardised audits, rather than on divergent national definitions of sovereignty.
Detail
The Commission's proposal directly addresses the growing patchwork of national sovereignty initiatives. Several Member States have tried to define "sovereign cloud" through their own criteria, certifications and procurement rules. While well-intentioned, this decentralised approach has created internal-market barriers.
The problem with national sovereignty frameworks
Recital 47 of the proposal identifies the risk: some Member States "have developed or are in the process of developing national approaches to identifying national sovereign services. However, national measures do not adequately address the cross-border issues related to the Union's lack of sovereignty in the cloud computing ecosystem and risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty." A provider deemed "sovereign" in one Member State might not qualify in another, hampering European providers and forcing public authorities to navigate inconsistent standards.
The CADA solution: a single EU-wide framework
CADA would replace these disparate labels with a unified, legally binding framework built on four "Union assurance levels" (1 to 4), the criteria for which are set out in Annex II.
- Union assurance level 1: based on a conformity self-assessment by the provider (Article 19) — a baseline for general public sector use.
- Union assurance levels 2, 3 and 4: based on independent third-party audits (Article 20) against progressively stricter criteria, including data residency in the Union, Union-citizenship requirements for personnel (levels 3 and 4) and freedom from third-country control. These levels are reserved for activities contributing to the preservation of public order.
Mutual recognition and centralised oversight
A cornerstone of CADA is mutual recognition. Under Article 17, a provider submits an application for recognition to the national competent authority of its Member State of establishment. Once that evaluating authority issues a recognition decision, the recognition is valid across the Union.
Article 17(7) provides that where no reasoned objection or request for clarification is submitted by other Member States within the review period, "the conclusions by the evaluating national competent authority shall be deemed accepted by all Member States, the evaluating national competent authority shall adopt the recognition decision and the audited service shall be recognised throughout the Union at the appropriate Union assurance level."
To aid transparency, Article 22 would require the Commission to establish and maintain a central repository of recognised cloud computing services, so public sector bodies can identify compliant providers regardless of national location.
The role of national risk assessments
While the criteria would be harmonised at EU level, their application remains partly decentralised through risk assessments. Article 29 would oblige Member States and Union entities to identify which public sector activities contribute to the preservation of public order and which Union assurance level (2, 3 or 4) is appropriate for each. Article 30 then links those assessments to procurement: level 1 for activities not identified as contributing to public order, and levels 2 to 4 for those that are. This creates a hybrid model: an EU-wide definition of sovereignty, with national (or Union-entity) risk assessments determining which services need the higher levels.
What this means for you
For in-house counsel and compliance officers, the shift from national to EU-level standards introduces several obligations:
1. Procurement compliance and deadlines
Article 30 would require Union entities and public sector bodies whose activities are not identified as contributing to public order to use services recognised at Union assurance level 1, and contracting authorities whose activities are so identified to procure only services recognised at levels 2, 3 or 4. Member States must conduct their initial risk assessments within one year of entry into force (Article 29(1)) and then adjust procurement accordingly.
2. Provider recognition and audits
- Level 1: issue an EU statement of conformity following a self-assessment (Article 19).
- Levels 2–4: undergo independent third-party audits resulting in a "positive" audit opinion, submitted to the national competent authority of establishment (Article 20).
- Timelines: within 60 days of accepting an application, the evaluating authority must assess the evidence and either prepare a draft recognition decision (triggering a 60-day Member State review period), request further information, or reject the application (Article 17(5)).
3. Penalties and liability
Article 24 would require Member States to lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty chapter, taking into account factors such as the nature, gravity, scale and duration of the infringement and any financial benefit gained. Recipients of cloud services would also have a right to compensation for damage caused by a provider's infringement (Article 24(3)).
4. Transparency and reporting
Recognised providers would have to notify the auditing organisation and the national competent authority of any material change that may affect the audit opinion or the recognition (Article 23). Failure to report can lead to amendment or revocation of the recognition.
5. Strategic sourcing
Article 32 would require contracting authorities, in procurement for innovative cloud and AI services, to include non-price award criteria evaluating the tenderer's contribution to a European cloud and AI ecosystem, such as the use of hardware or software designed or manufactured in the Union. These criteria must be ancillary and not decisive.
Common misconceptions
Misconception 1: CADA abolishes national sovereignty concerns. Reality: It harmonises how they are addressed. Member States would still conduct risk assessments (Article 29) to identify public-order-critical services, but the criteria for what counts as a sovereign service would be set uniformly by the EU framework.
Misconception 2: A national sovereign label is sufficient for EU-wide public procurement. Reality: National labels would be superseded by the Union assurance levels. A service recognised only under a national scheme would not automatically qualify; the central repository (Article 22) would list only services recognised under the CADA framework.
Misconception 3: Providers can choose which Member State's rules to follow. Reality: Providers apply for recognition in their Member State of establishment (Article 17), but the criteria are the EU-wide Annex II. Mutual recognition means a service recognised in one Member State is recognised in all; providers cannot "shop" for a weaker national standard.
Misconception 4: The private sector is excluded from sovereignty requirements. Reality: The mandatory procurement obligations (Article 30) apply to public sector bodies, but Article 31 allows entities listed in Annex I of the NIS2 Directive that are not public sector bodies to carry out similar impact assessments, and the Commission may by delegated act require such assessments for entities in sectors of high criticality (Article 31(3)).
Related
- CADA Level 4: Why EU Control is Mandatory for the Highest Sovereignty Tier
- Sovereignty vs trust in cloud services: what CADA changes
- How does CADA third-country recognition work for sovereignty level 3?
- Why is cloud sovereignty important for critical infrastructure? CADA
- Why is sovereignty described as layered or nuanced in CADA?
This is general information about a draft EU regulation, not legal advice.