Summary

The proposed Cloud and AI Development Act (CADA) seeks to distinguish itself from protectionism by establishing a risk-based sovereignty framework that mandates safeguards for public order while preserving market openness. Unlike protectionist measures that close markets by origin, CADA would turn on technical and legal criteria, such as data residency, personnel citizenship and the absence of third-country control, to secure operational autonomy. Crucially, the proposal would allow third-country-controlled providers to be audited against the criteria for Union assurance level 3 if their home jurisdictions meet specific rule-of-law and reciprocity standards, signalling an open, cooperative approach rather than isolationism.

Detail

Debate over "sovereignty" in EU cloud policy often conflates technological autonomy with economic protectionism. Protectionism typically restricts market access by nationality to shield domestic industry, producing fragmented, closed markets. By contrast, CADA as proposed pursues sovereignty "in an open manner", aiming to reinforce the Union's capacity to act autonomously while remaining engaged with international partners. This distinction is built into the proposal's structure, recitals and third-country mechanisms.

Sovereignty as risk mitigation, not market exclusion

CADA's core mechanism is the Union cloud computing sovereignty framework under Article 16, defining four "Union assurance levels" with cumulative criteria in Annex II. These criteria are technical and legal, focusing on:

  • Data residency: customer data, metadata and telemetry remaining within the Union (subject to the public sector body explicitly requiring otherwise at the lower levels).
  • Personnel requirements: Union citizenship for personnel involved in service provision (levels 3 and 4).
  • Control: ensuring providers are not improperly subject to third-country control that could compel data access or service disruption.
  • Cybersecurity: a European cybersecurity certificate (at least "substantial" for levels 2–3, "high" for level 4), where such a scheme exists.

These criteria are designed to mitigate specific public-order risks, not to ban non-EU providers per se. A non-EU group could, in principle, meet level 1 by operating through an EU-established entity whose infrastructure, data and operations satisfy the criteria.

The openness mandate

The proposal expressly rejects a closed-market approach. Recital 61 states: "The Union's objective of strengthening its autonomy should be pursued in a manner that remains open, cooperative and consistent with the Union's international commitments and partnerships. The policy objectives pursued through Union assurance levels 1, 2, and 3 should therefore be understood as the Union's capacity to act autonomously where necessary, while remaining engaged with its international partners and fostering mutually beneficial cooperation."

This openness is operationalised through Article 18, which lets the Commission, by implementing act, identify third countries such that providers under their control may be audited against the criteria for Union assurance level 3. Under Article 18(1), the Commission may do so only where the third country meets cumulative criteria, including:

  • a relevant adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR);
  • no measures enabling control over the provider that would conflict with lawful-access rules for non-personal data;
  • no measures to compel the provider to degrade or disrupt service continuity, or to enforce sanctions/embargoes (unless legitimate under Member State or Union law);
  • no measures impeding the provision of state-of-the-art technologies;
  • an open market to Union cloud computing services;
  • equivalent access to public procurement for Union-controlled providers.

This reciprocal, criteria-based approach is a key distinction from protectionism: it rewards third countries that uphold comparable standards of data protection, rule of law and market openness, rather than excluding them by origin.

Protectionism vs proportionality

Protectionism often applies blanket bans regardless of risk. CADA instead ties sovereignty requirements to risk assessments. Article 29 would oblige Member States and Union entities to determine the appropriate assurance level for specific public sector activities. Recital 52 notes that "Most public services would not require the highest levels of assurance. In some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order." This proportionality avoids unnecessary barriers for low-risk applications.

Addressing market fragmentation

CADA also aims to reduce fragmentation from divergent national sovereignty definitions. Recital 47 notes that national sovereign-service approaches "do not adequately address the cross-border issues related to the Union's lack of sovereignty in the cloud computing ecosystem and risk fragmenting the Union internal market." Harmonising the criteria at EU level would create a larger, more predictable market for any provider — EU or non-EU — that meets the standards, fostering competition on quality and security rather than origin.

What this means for you

For in-house counsel and compliance officers:

  1. Procurement strategy. Align cloud choices with the assurance level set by your organisation's risk assessment (Article 29). If your activities are relevant to public order, you may be required to procure only services recognised at levels 2, 3 or 4 (Article 30(3)). This is a requirement to use audited, recognised services, not a ban on non-EU providers.
  2. Third-country provider engagement. If you rely on non-EU providers, monitor the Commission's decisions under Article 18. If the provider's home country is recognised, the provider's services may be audited for level 3; if not, you may need an EU-established provider or one recognised through the level 1 self-assessment or independent audit (Article 17).
  3. Compliance costs. Levels 2–4 require independent third-party audits at the provider's own expense (Article 20); those costs may be passed on. The trade-off is reduced disruption risk and legal uncertainty over data access.
  4. Deadlines. Member States must carry out their risk assessments within one year of the Regulation's entry into force (Article 29(1)), and then procure in line with the levels those assessments set.
  5. Penalties. Article 24 would require Member States to lay down effective, proportionate and dissuasive penalties on providers for infringements. Although the penalty provisions focus on provider liability, public authorities face operational and reputational risk if they fail to procure at the required level.

Common misconceptions

  • CADA bans all non-EU cloud providers. It does not. It sets criteria providers must meet to serve the public sector. Non-EU groups can comply through EU-established entities meeting the criteria, or have their home country recognised under Article 18.
  • Sovereignty means data must never leave the EU. Data residency is a key criterion, but at level 1 the public sector body may explicitly require otherwise. The framework emphasises control and access alongside location.
  • CADA is a protectionist tool to boost EU market share. Its stated legal basis is risk mitigation and public-order protection. The Article 18 recognition pathway and the "open, cooperative" language of Recital 61 point to secure autonomy rather than market isolation.
  • All public sector cloud use requires the highest sovereignty level. Risk assessments (Article 29) set the level; most public services would require only level 1, with levels 3 and 4 reserved for high public-order relevance such as defence or critical infrastructure.

This is general information about a draft EU regulation, not legal advice.