Summary
Cloud portability and cloud sovereignty solve two different problems: the technical ability to move data versus legal and operational control over it. As proposed in the Cloud and AI Development Act (CADA), sovereignty mitigates risks from third-country jurisdictional reach and protects operational autonomy through a four-tier "Union assurance level" framework (Article 16). Portability, governed mainly by the Data Act (Regulation (EU) 2023/2854), reduces vendor lock-in and enables switching. Portability makes it technically easier to change providers, but it does not shield your data from foreign laws if the new provider is still subject to third-country jurisdiction. The two are complementary enablers of genuine technological sovereignty.
Detail
To understand the difference, distinguish technical mobility from jurisdictional control. For CTOs and architects, this matters because solving one problem does not automatically solve the other.
Portability: the technical lever
Portability is the technical and contractual ability to transfer data and applications from one cloud provider to another with minimal friction. In the EU this is driven primarily by the Data Act (Regulation (EU) 2023/2854), which introduces rules on switching between data processing services so providers compete on quality, innovation, and price rather than on the difficulty of leaving.
The core mechanism is reducing vendor lock-in through interoperability and reasonable switching costs, enabling users to choose freely or combine providers in a multi-cloud approach. As the CADA explanatory memorandum frames it, the Data Act removes key sources of lock-in but, on its own, "does not contain elements to shape up a more competitive offer of European cloud computing services."
Portability answers: "Can I move my data to a different provider?" It does not answer: "Who has legal access to my data once it is moved?"
Sovereignty: the jurisdictional shield
Cloud sovereignty, as proposed in CADA, addresses the risks of dependence on providers subject to third-country control. CADA would establish a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II (Article 16). This is about control over data and infrastructure, not the ease of moving them.
The primary risk CADA targets is the extraterritorial application of third-country laws. Under the US CLOUD Act, for example, US-based providers can be compelled to disclose data in their "possession, custody, or control" regardless of where it is stored. A provider could offer excellent portability yet, because it is subject to US jurisdiction, still leave your data exposed to US legal demands.
As proposed, the assurance levels in Annex II would require, among other things:
- Data residency: customer data remaining exclusively within the Union (subject to the public sector body deciding otherwise at lower levels).
- Jurisdictional control: at higher levels, that the provider and its subcontractors are not subject to third-country control in a way that permits access to customer data or service disruption.
- Operational autonomy: that the provider can continue to deliver the service without third-country interference.
For instance, at the highest level (Union assurance level 4), Annex II would require that the provider and its subcontractors are not subject to the control of a third country, with no derogation. Level 3 allows a narrow derogation only where the Commission has recognised the third country under Article 18.
Why they are complementary
Portability and sovereignty are interdependent, not mutually exclusive.
- Portability without sovereignty is insufficient. If you can switch easily but the only viable providers sit under foreign jurisdictions with broad data-access laws, you have mobility without protection: moving from one exposure to another.
- Sovereignty without portability is fragile. If you choose a sovereign provider but are locked in by proprietary formats or high exit costs, you lose bargaining power. Portability keeps the sovereign market competitive.
The CADA proposal recognises this synergy: the Data Act enables switching, but CADA aims to build the trust framework (the assurance levels) that users would need to feel confident moving to European providers.
What this means for you
For CTOs and architects, your cloud strategy must address technical interoperability and legal jurisdiction together.
- Evaluate providers on both axes. Do not rely on API compatibility and export tooling alone. As proposed, you would also assess a provider's recognised Union assurance level. High portability with low or no sovereignty assurance may still expose data to third-country legal risk.
- Plan for multi-cloud sovereignty. Use portability to distribute workloads across providers that meet your required assurance level. If a risk assessment under Article 29 points to, say, Union assurance level 3, ensure every provider in your architecture would meet that criterion.
- Leverage the Data Act for exit strategy. Switching rights strengthen your hand in negotiating with sovereign providers and reduce the risk of being trapped in a suboptimal solution.
- Tie portability to risk assessments. Under CADA, public sector bodies (and, optionally, certain private entities) would determine the appropriate assurance level. Build a pre-defined migration path to a compliant alternative into your portability planning.
Common misconceptions
- "Data residency equals sovereignty." Storing data in an EU data centre is not, by itself, sufficient. As proposed, CADA treats sovereignty as a matter of control: a third-country-controlled provider with a Frankfurt data centre may still be exposed to foreign legal orders. Higher assurance levels require evidence about control, not just location.
- "Portability solves the CLOUD Act problem." Exporting data does not prevent a provider subject to foreign jurisdiction from being compelled to disclose it. Portability addresses technical dependency; CADA's sovereignty framework addresses legal exposure.
- "Sovereign clouds are less innovative." CADA aims to counter this by fostering a competitive European market (reducing lock-in via the Data Act and building trust via assurance levels) so that innovation is not constrained by geopolitical risk.
This is general information about a draft EU regulation, not legal advice.