The Draghi report and cloud sovereignty

Summary The Draghi report — The future of European competitiveness (Mario Draghi, September 2024) — identifies technological sovereignty, including "sovereign cloud" solutions, security and encryption, as essential to the EU's economic future and calls for reduced critical external dependencies. The proposed Cloud and AI Development Act (CADA) cites the report and, as proposed, would create a "Union cloud computing sovereignty framework" with four Union assurance levels (Article 16) and mandate risk-based public procurement (Articles 29 and 30) to strengthen operational autonomy and control over data and infrastructure.

Detail

The Draghi report: a call for technological sovereignty

The "Draghi report" refers to The future of European competitiveness, authored by Mario Draghi and published in September 2024. It argues that the EU must keep a foothold in areas where technological sovereignty is required, highlighting "sovereign cloud" solutions, security and encryption as ways to reduce critical external dependencies.

The CADA proposal's explanatory memorandum cites it directly:

"As Mario Draghi's report 'The future of European competitiveness' states, the EU must maintain a foothold in areas where technological sovereignty is required, such as security and encryption ("sovereign cloud" solutions) and thus reduce critical external dependencies by strengthening homegrown cloud and AI capabilities and infrastructure."

The memorandum adds that the Draghi report "calls on the European Commission to take targeted actions aimed at regaining and retaining control over data and cloud computing services, expanding domestic computational capacity and establishing a robust financial and talent flywheel to drive innovation." CADA, as proposed, would translate these strategic recommendations into binding legal mechanisms.

Linking dependencies to sovereignty in CADA

CADA addresses the risks the Draghi report flags by establishing a "Union cloud computing sovereignty framework." Recital 46 explains that dependence on a limited number of providers subject to third-country control exposes the Union to vulnerabilities from the extraterritorial application of third-country laws, potential disruptions to service continuity and quality, reduced control over data and infrastructure, and the risk of undue economic or political influence.

Article 1 sets out the subject matter, stating that the Regulation establishes a framework for strengthening the cloud and AI ecosystem, including:

• "(c) enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order;"
• "(d) reducing dependencies on critical technologies;"

To operationalise this, Article 16 would establish four "Union assurance levels," with criteria in Annex II, categorising cloud services by their sovereignty and security guarantees.

The sovereignty framework and public procurement

The core mechanism is a risk-based approach to procurement:

1. Risk assessments (Article 29). By one year after entry into force and every two years thereafter (or whenever necessary), Member States and Union entities would identify public-sector activities that contribute to the preservation of public order — in sectors under the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, border management, defence, justice or law enforcement — and determine the appropriate assurance level (2, 3 or 4).
2. Mandatory assurance levels (Article 30). Entities whose activities are not identified as contributing to public order must use services recognised at Union assurance level 1 (Article 30(2)). Those whose activities are so identified must only procure services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)).

This tiered approach concentrates the highest sovereignty guarantees on the most sensitive functions — directly addressing the Draghi report's concern about external dependencies.

Reducing external dependencies

CADA, as proposed, would also reduce reliance on non-European providers by:

• Harmonising criteria. A single EU-wide framework for sovereign cloud services, reducing market fragmentation (Recital 47).
• Union added value. Article 32 requires contracting authorities, in procurement of innovative cloud and AI, to include non-price award criteria evaluating a tenderer's contribution to the European cloud and AI ecosystem — including the use of software or hardware designed or manufactured in the Union.
• Common procurement. Article 37 and the related provisions on common procurement enable the Commission to carry out procurement activities on behalf of Member States, leveraging collective buying power.

What this means for you

For public-sector and procurement officers, the CADA proposal would signal a shift from voluntary best practice to mandatory compliance on cloud sovereignty.

• Conduct risk assessments. You would carry out the Article 29 risk assessment and determine whether your activities contribute to the preservation of public order (for example critical infrastructure, justice, defence).
• Adjust procurement specifications. Tender documents would need to specify the required assurance level; for public-order activities you could not procure from providers below levels 2–4.
• Use the central repository. Verify that a chosen provider is listed in the Commission's Article 22 central repository at the appropriate assurance level before awarding.
• Plan for migration. Where a risk assessment requires switching services, Article 29(6) allows a reasonable transition period not exceeding 12 months, accounting for technical feasibility, continuity of service and data portability.

Common misconceptions

• "Sovereignty means data must stay in the EU at all times." Data localisation is central (especially at higher levels), but CADA's notion of sovereignty is broader, covering operational autonomy, protection against extraterritorial legal reach and supply-chain resilience. Lower levels allow data outside the Union only where the public sector body explicitly requires it (Annex II, point (c)).
• "The Draghi report is legally binding." It is an advisory document that informs policy, not law. The binding obligations would come from CADA, not the report.
• "Only the public sector is affected." Mandatory procurement rules apply to the public sector, but Article 31 allows private entities in NIS2 sectors to carry out similar impact assessments (and lets the Commission, in duly justified cases, require them). Market pressure toward EU-assured providers would also affect private buyers.
• "CADA replaces the AI Act." They are complementary. The AI Act addresses the safety and fundamental-rights risks of AI systems; CADA addresses the infrastructure and sovereignty of the cloud and AI ecosystem.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Cloud sovereignty and EU fundamental rights: the CADA link
• Why is cloud sovereignty important for critical infrastructure? CADA
• Why is sovereignty described as layered or nuanced in CADA?
• CADA Sovereignty: Why Assessment is Per Service, Not Per Provider
• Why is sovereignty a competitiveness issue, not just a security one? | CADA

This is general information about a draft EU regulation, not legal advice.