Summary

Under the proposed Cloud and AI Development Act (CADA), cybersecurity and sovereignty are distinct. Cybersecurity — addressed by the Cybersecurity Act and the planned European cybersecurity certification scheme for cloud services (EUCS) — concerns technical security controls. Sovereignty, established by CADA's Union assurance levels (Article 16), addresses non-technical, jurisdictional risks such as third-country data access and loss of operational autonomy. As proposed, CADA fills the non-technical gap that technical certification cannot cover.

Detail

The EU framework distinguishes technical security from strategic autonomy. Cybersecurity protects cloud infrastructure against unauthorised access, breaches and cyberattacks; sovereignty keeps infrastructure under the legal and operational control of the Union, free from extraterritorial interference.

Cybersecurity: the technical baseline

EU cybersecurity regulation runs primarily through the Cybersecurity Act and the forthcoming European cybersecurity certification scheme for cloud services (EUCS). These focus on technical resilience — security controls, incident handling and risk management to protect the confidentiality, integrity and availability of data.

The CADA explanatory memorandum is explicit on the limit: certification under the Cybersecurity Act can "address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." A cloud service can be encrypted, patched and monitored, yet still be subject to a third country's laws that compel disclosure or disruption. Technical security does not mitigate the risk of a foreign authority obtaining data through legal compulsion rather than technical intrusion.

Sovereignty: the jurisdictional and operational layer

CADA would introduce a "Union cloud computing sovereignty framework" (Article 16) to address these non-technical risks. As proposed, sovereignty is a legal and operational condition, aimed at mitigating risks from reliance on third-country providers, notably:

  • Extraterritorial access: third-country laws compelling providers to hand over data stored in the EU.
  • Operational autonomy: the risk that a provider unilaterally degrades, disrupts or terminates a service, or is compelled to apply restrictive measures such as sanctions or embargoes mandated by a third country.
  • Supply-chain control: third-country control over hardware or software components, creating dependencies open to coercion.

Article 16 establishes four Union assurance levels, with cumulative criteria in Annex II — a higher level must also satisfy all the criteria of the levels below it (Article 20(1)). The criteria focus on legal and operational boundaries:

  • Establishment and control: at levels 3 and 4, the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (at level 3 with a narrow derogation for "associated third countries" under Article 18; at level 4 with none). At level 2, third-country control is permitted only if the provider can demonstrate it is contained so it cannot restrain the service, reach customer data, or disrupt continuity (Annex II, point 2.1(g)).
  • Data localisation: customer data, including metadata and telemetry, must remain exclusively within the Union (levels 1 to 3); at level 4 this applies to data identified as sensitive through a risk assessment (Annex II, point 4.1(c)).
  • Personnel: at levels 3 and 4, personnel involved in service provision must be Union citizens (with security clearances where classified information is handled); at level 2, citizenship and extra screening apply only if the public sector body determines they are necessary.
  • Cybersecurity certification: the service must obtain a European cybersecurity certificate of at least "substantial" assurance (levels 2 and 3) or "high" assurance (level 4) under EUCS once established — illustrating that the two regimes are complementary, not interchangeable.

Filling the non-technical gap

The memorandum notes the proposal and the Cybersecurity Act revision together "fill long-standing gaps in sovereignty and non-technical risks." EUCS would confirm a service meets high cybersecurity standards, but not whether the provider is exposed to foreign jurisdictional reach. CADA's framework complements EUCS by requiring independent audits (Article 20) that examine legal structures, ownership chains and contractual safeguards against third-country interference.

For example, a provider may have robust encryption yet still face a third-country law requiring it to report software vulnerabilities to foreign authorities before they are known to have been exploited. The Annex II criteria require the provider to guarantee that no such law or practice applies (for instance, Annex II, point 1.1(g) at level 1). Similarly, where EUCS checks for secure data centres, CADA checks that the operator is not under third-country control able to disrupt continuity (Annex II, point 2.1(g)(iii)).

The role of audits and recognition

Providers seeking recognition at Union assurance levels 2, 3 or 4 must undergo independent third-party audits (Article 20) against the Annex II criteria. Annex III sets out the indicative audit evidence, including:

  • Ownership and control: analysis of shareholders, voting rights and governance to confirm no third-country control (Annex III, audit criterion G).
  • Legal separation: evidence of effective legal, technical and organisational separation between a Union parent and any third-country subsidiary (Annex III, audit criterion K).
  • Supply-chain transparency: a complete software bill of materials (SBOM) and evidence that third-country software components cannot be remotely tampered with (Annex III, audit criterion I).

The national competent authority of establishment then recognises the service at the appropriate level (Article 17), and recognition is effective EU-wide.

What this means for you

For in-house counsel and compliance officers, the cybersecurity/sovereignty distinction implies two parallel compliance tracks.

1. Dual compliance obligations

Services should meet both technical and sovereignty requirements.

  • Cybersecurity: ensure providers hold valid EUCS certification (once adopted) or applicable national certification.
  • Sovereignty: verify recognised Union assurance levels under CADA. For public sector activities contributing to public order (for example defence, justice, critical infrastructure), procurement would be limited to level 2, 3 or 4 (Article 30(3)); for other public sector activities, level 1 is the minimum (Article 30(2)).

2. Risk assessments are mandatory

Member States and Union entities must conduct risk assessments to determine the appropriate level (Article 29), considering the sensitivity and criticality of data, the risk of unlawful third-country access, and the risk of service disruption. Align procurement accordingly; if a risk assessment requires migration, it must occur within a transition period not exceeding 12 months (Article 29(6)).

3. Audit readiness

Providers should prepare for independent audits, documenting ownership structures, supply-chain controls and legal safeguards, and submit the evidence to their national competent authority for recognition (Article 17).

4. Penalties and liability

Member States must set penalties for infringements of the sovereignty Chapter that are effective, proportionate and dissuasive (Article 24(1)), weighing factors such as the nature, gravity, scale and duration of the infringement and any financial benefits gained. Recipients of cloud services also have the right to seek compensation for damage caused by a provider's infringement of its obligations under that Chapter (Article 24(3)).

Common misconceptions

  • "EUCS certification is enough for sovereignty." EUCS certifies technical cybersecurity. It does not assess foreign jurisdictional reach or operational control. CADA's framework addresses those non-technical risks.
  • "Sovereignty means data must never leave the EU." Data localisation is a key criterion, but sovereignty also covers operational autonomy, supply-chain control and personnel. A service can keep data in the EU yet fail if it is third-country controlled or relies on third-country software that can be remotely disabled.
  • "Only public sector bodies need to worry about sovereignty." CADA's procurement mandate targets the public sector, but private entities in NIS2 high-criticality sectors may carry out similar impact assessments (Article 31), and public procurement signals will likely shape private demand.
  • "Sovereignty is the same as data protection." GDPR protects personal-data privacy; sovereignty protects the Union's operational autonomy and public order. A service can comply with GDPR yet still pose sovereignty risks if exposed to third-country laws allowing data access or disruption.

This is general information about a draft EU regulation, not legal advice.