Summary
The proposed Cloud and AI Development Act (CADA) introduces a "Union cloud computing sovereignty framework" to address the EU's reliance on non-European cloud providers. As established in Article 16, this framework defines four ascending Union assurance levels (1 to 4). These levels range from a baseline of EU establishment and data localisation (Level 1) to the strictest requirements: mandatory "high" cybersecurity certification, mandatory Union citizenship for personnel, and a total prohibition on third-country control (Level 4). Public-sector bodies would be required to procure services at the level mandated by their specific risk assessments, ensuring that critical public-order activities are shielded from foreign interference.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, aims to reduce strategic dependencies and safeguard the Union's public order. A central pillar of this proposal is the Union cloud computing sovereignty framework, detailed in Article 16. This framework creates a harmonised, auditable set of criteria for cloud computing services, allowing Member States and Union entities to select services based on their specific risk profiles.
The framework consists of four distinct tiers, known as Union assurance levels. Each level is cumulative; to qualify for a higher level, a provider must meet all criteria of the lower levels plus additional, stricter requirements.
The Four Union Assurance Levels
1. Union Assurance Level 1: The Baseline
Level 1 serves as the minimum entry point for any cloud service procured by the public sector. It focuses on establishing a legal and physical presence within the EU.
- Establishment: The provider must be established in the Union.
- Infrastructure & Data: Infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
- Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
- Transparency: Full transparency regarding subcontractors is required, along with due diligence and ongoing oversight.
- Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that country require the reporting of software vulnerabilities to foreign authorities before they are exploited.
- Assessment Method: Compliance is demonstrated through a conformity self-assessment by the provider, resulting in an "EU statement of conformity" (Article 19). No independent audit is required for Level 1.
2. Union Assurance Level 2: Enhanced Operational Control
Level 2 introduces stricter controls on personnel, data usage, and the software supply chain. It requires independent third-party verification.
- Personnel: Infrastructure, assets, and personnel involved in the service must be located in the Union. Crucially, if the public sector body determines it is necessary, the provider must ensure that personnel meeting Union citizenship requirements are available. This is a conditional requirement at this level.
- Data Usage: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country, nor can it be transferred outside the Union.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level "substantial" under the European cybersecurity certification scheme (Regulation (EU) 2019/881). Until such a scheme is fully established, national schemes or the highest applicable Union standards apply.
- Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with systems.
- Support: Technical and operational support must be initiated and performed exclusively within the Union.
- Assessment Method: Requires an independent third-party audit resulting in a "positive" audit opinion (Article 20).
3. Union Assurance Level 3: Sovereign Personnel and Strict Separation
Level 3 is designed for activities contributing to the preservation of public order. It tightens rules on citizenship and third-country influence.
- Personnel: All personnel involved in providing the service, including those of subcontractors, must be Union citizens. Where appropriate, they must also hold national security clearances.
- Third-Country Control: Generally, providers and subcontractors cannot be subject to the control of a third country. However, Article 18 provides a specific derogation: a provider subject to third-country control may qualify if the Commission has adopted an implementing act recognising that third country as providing sufficient safeguards (e.g., via an adequacy decision and specific legal guarantees).
- Support Personnel: Technical support must be performed by Union residents who are not subject to third-country control.
- Cybersecurity: Like Level 2, the service must obtain a European cybersecurity certificate of at least assurance level "substantial".
- Legal Separation: If the provider has subsidiaries in third countries, it must prove effective legal, technical, and organisational separation between the EU parent and the foreign subsidiary.
4. Union Assurance Level 4: Maximum Sovereignty
Level 4 is the strictest tier, reserved for the most critical public-order activities (e.g., defence, intelligence). It removes almost all flexibility regarding foreign influence.
- No Third-Country Control: Providers and subcontractors must not be subject to the control of a third country. The derogation for "associated third countries" available at Level 3 does not apply here.
- Personnel: All personnel must be Union citizens, with security clearances where appropriate.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level "high". This is a critical distinction: Levels 2 and 3 require "substantial," while Level 4 requires "high."
- Effective Control over Software: Providers must demonstrate that third countries do not hold effective control over the design, development, maintenance, or evolution of the software components used.
- Strict Data Localisation: Sensitive data identified through risk assessment must remain exclusively within the Union.
How the Levels Are Applied
The framework is not voluntary for public procurement. Under Article 29, Member States and Union entities must conduct risk assessments to identify which public sector activities contribute to the preservation of public order (e.g., national security, defence, justice, law enforcement).
- Non-Critical Activities: For activities not identified as contributing to public order, contracting authorities must procure at least Union assurance level 1 (Article 30(2)).
- Critical Activities: For activities identified as contributing to public order, contracting authorities must procure only services recognised at Union assurance levels 2, 3, or 4, as determined by the risk assessment (Article 30(3)).
What this means for you
For public-sector procurement officers, cloud providers, and compliance teams, this framework fundamentally changes the procurement landscape.
- Verify the Level: You cannot simply ask if a provider is "EU-based." You must verify their specific Union assurance level via the central repository (Article 22). A provider may be established in the EU but only hold Level 1 status, which would be insufficient for a defence contract.
- Conduct Risk Assessments: Your first step is the Article 29 risk assessment. This determines your minimum procurement requirement. If your activity is deemed critical, Level 1 is legally insufficient.
- Check Personnel Requirements: For Levels 2–4, verify if the provider can guarantee Union citizenship for personnel if your specific risk assessment demands it. At Level 3, this becomes a mandatory baseline.
- Audit Evidence: For Levels 2–4, expect to review independent audit reports. For Level 1, verify the EU statement of conformity.
- Migration Planning: If your current provider does not meet the required level, Article 29(6) provides a transition period of up to 12 months to migrate to a compliant service.
Common misconceptions
"Level 1 means the provider is European-owned." No. Level 1 allows providers established in the EU that may still be controlled by a third country, provided they meet transparency and vulnerability reporting criteria. Strict prohibitions on third-country control only apply at Level 4 (and generally at Level 3, with a specific derogation).
"All public sector bodies must use Level 4." No. The framework is proportionate. Only activities identified as contributing to the preservation of public order require Levels 2–4. General administrative tasks typically only require Level 1.
"Level 3 and Level 4 have the same cybersecurity requirements." No. A key distinction is the cybersecurity certification level. Levels 2 and 3 require a certificate of at least "substantial" assurance. Level 4 requires a certificate of at least "high" assurance.
"Third-country providers are completely banned." Not entirely. Under Article 18, a derogation exists for Level 3 where the Commission recognises a third country as providing sufficient safeguards. However, this derogation is not available for Level 4, which strictly prohibits third-country control.
This is general information about a draft EU regulation, not legal advice.