Summary

Under the proposed Cloud and AI Development Act (CADA), sovereignty and trust are distinct but linked. Sovereignty is the policy objective — the Union's strategic autonomy and control over its data and infrastructure. Trust is the auditable, recognised evidence that a service meets specific sovereignty criteria. CADA would translate the objective into four concrete "Union assurance levels" — described in Recital 51 as four "levels of trusted offers" — that providers prove through a conformity self-assessment (level 1) or independent third-party audits (levels 2–4). For public-sector procurement, this means trust would become a legally recognised status tied to risk assessments and procurement rules, not a marketing claim.

Detail

The CADA proposal seeks to resolve the long-standing ambiguity between "sovereign" and "trusted" cloud services with a harmonised, EU-wide framework. These terms have often been used interchangeably, contributing to market fragmentation as Member States developed divergent national approaches. As proposed, CADA treats sovereignty as the overarching objective — technological autonomy, control over data and infrastructure, operational resilience — and trust as the measurable, verifiable mechanism to demonstrate it.

Sovereignty as strategic autonomy

The proposal frames the sovereignty challenge as reducing critical dependencies on a limited number of providers subject to third-country control. Recitals 46–48 set out the risks: extraterritorial application of third-country laws, disruption to service continuity and quality, reduced control over data and infrastructure, and the risk of undue economic or political influence. Sovereignty, in this framing, is not just data localisation; it is the Union's ability to retain control over infrastructure, data, assets and technology under Union and national jurisdiction (Recital 46).

Trust as auditable assurance

If sovereignty is the goal, trust is the verification method. Recital 51 frames the four Union assurance levels as "four different levels of trusted offers." That wording matters: trust is not an inherent property of a provider but a status earned by demonstrating compliance with specific, auditable criteria set out in Annex II, which escalate across the four levels.

  • Union assurance level 1 — the baseline for non-public-order procurement. The provider must be established in the Union, keep customer data exclusively within the Union (unless the public sector body explicitly requires otherwise), and demonstrate state-of-the-art cybersecurity. Trust here is operationalised through a conformity self-assessment under Article 19, where the provider issues an EU statement of conformity and assumes responsibility for compliance.
  • Union assurance levels 2, 3 and 4 — progressively stricter requirements on personnel (Union citizenship at levels 3–4), cybersecurity certification, supply-chain transparency, and freedom from third-country control. Trust at these levels is operationalised through independent third-party audits under Article 20, which must yield a "positive" audit opinion.

Risk assessment and recognition

The link between sovereignty and trust runs through the Article 29 risk-assessment mechanism. Member States and Union entities must identify which public-sector activities contribute to the preservation of public order — in sectors under the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, border management, defence, justice or law enforcement — and determine the appropriate assurance level (2, 3 or 4) for them. Article 30 then ties procurement to the result: entities whose activities are not identified as contributing to public order must use level 1 services; those whose activities are so identified must only procure level 2, 3 or 4 services.

Recognition (Article 17) formalises the trust. A provider applies to the national competent authority of its establishment to have a specific service recognised at a given assurance level. Once recognised, the audited service is recognised throughout the Union and registered in the central repository the Commission maintains (Article 22) — turning "trust" into a transparent, EU-wide status rather than a subjective national preference.

Operationalising trust through audits

For levels 2–4, Article 20 requires providers to undergo, at their own expense, independent third-party audits producing an audit report and opinion. Among the Annex II criteria the auditor must check:

  • Data residency: customer data, metadata and telemetry remain exclusively within the Union (point (c) at each level).
  • Freedom from third-country control: at levels 3–4 the provider and relevant subcontractors must not be subject to third-country control (point (g)), subject only to the narrow Article 18 derogation for associated third countries at level 3.
  • Supply-chain transparency: an SBOM and controls to block remote features that could materially tamper with or disrupt the service (point (i)).

A "negative" audit opinion precludes recognition at that level. Trust is therefore evidence-based: either the audit confirms compliance, or it does not.

What this means for you

For public-sector procurement officers, separating sovereignty from trust under the proposed CADA simplifies decisions while raising accountability. You would no longer assess vague "sovereignty" claims; you would rely on recognised assurance levels.

  1. Match the level to the risk. Procurement is driven by the Article 29 risk assessment. Activities not identified as contributing to public order use level 1 (Article 30(2)); those that are identified must procure level 2, 3 or 4 (Article 30(3)). You cannot opt for a lower level in high-risk domains.
  2. Verify in the central repository. Before awarding, check the provider's status in the Article 22 central repository, the single source of truth for recognised services.
  3. Rely on audit evidence. For higher levels, the independent audit report and "positive" opinion provide the evidence that the sovereignty criteria — including freedom from third-country control — have been met.
  4. Know the narrow exceptions. Article 30(4) allows, exceptionally and where duly justified, procuring a non-recognised service (for example, where no recognised alternative exists or cost would be disproportionate).

Common misconceptions

  • "Sovereignty just means data never leaves the EU." Data residency is one Annex II criterion. Sovereignty as proposed also covers operational autonomy, supply-chain security and freedom from third-country legal control. A service can have EU data residency yet still fail sovereignty criteria if it remains subject to extraterritorial control.
  • "Trust is subjective or reputation-based." Under CADA it would be a legally defined status: conformity self-assessment for level 1 (Article 19) or independent audit for levels 2–4 (Article 20), confirmed by a recognition decision (Article 17).
  • "All EU-based cloud services are equivalent." CADA distinguishes levels by risk. An EU-based provider may meet level 1 yet fail level 3 — for example because of third-country control or insufficient personnel screening. Officers must match the level to the use case's risk profile.

This is general information about a draft EU regulation, not legal advice.