The geopolitical case for EU cloud sovereignty, as set out in the proposed Cloud and AI Development Act (CADA), rests on reducing the Union's critical dependence on a limited number of non-EU cloud providers. That dependence is said to expose the EU to strategic risks, including the extraterritorial application of third-country laws that may conflict with EU fundamental rights, potential service disruptions and loss of operational autonomy. By establishing a harmonised sovereignty framework, CADA would aim to reposition Europe from a consumer of digital technologies into a global hub for trusted, sovereign and scalable digital infrastructure.

Detail

The Commission's proposal, COM(2026) 502 final, is driven by a geopolitical imperative: securing the Union's technological sovereignty and economic security in a fragmented global digital landscape. The explanatory memorandum points to a "pronounced dependence on a limited pool of third-country providers" in the European cloud market.

The geopolitical context and strategic dependencies

The proposal frames reliance on non-European cloud infrastructure as a matter of strategic autonomy, not just commerce. According to the explanatory memorandum, three non-EU hyperscalers control over 70% of the European cloud market, while the market share of EU providers fell from 29% in 2017 to 15% in 2022 and has remained stagnant since. This concentration creates significant vulnerabilities, because large incumbents are subject to third-country jurisdictions whose laws can have extraterritorial effect, potentially mandating data access in ways that conflict with EU fundamental rights and data-protection rules such as the GDPR.

The proposal cites the Draghi report, "The future of European competitiveness", which states that the EU must maintain a foothold in areas where technological sovereignty is required, such as security and encryption ("sovereign cloud" solutions), and calls for targeted action to regain and retain control over data and cloud services and to strengthen homegrown cloud and AI capabilities. CADA would operationalise this by building a framework that lets the EU act autonomously where necessary, particularly on data confidentiality and operational continuity.

Protecting public order and operational autonomy

A core objective is to protect public order by making the supply of cloud services more resilient, especially in the public sector. Recital 50 identifies specific risks arising from dependence on third-country-controlled providers:

  • Misuse: manipulation, remote access and control, sabotage, weaponisation.
  • Access to information: unauthorised communication, technology leakage, data manipulation or exfiltration, espionage.
  • Dependency vulnerabilities: political and/or economic coercion through vendor or technology lock-ins, embargoes, sanctions, or monopoly pricing.

To mitigate these, CADA would introduce a Union cloud computing sovereignty framework of four "Union assurance levels" (Article 16) — a harmonised, auditable set of criteria to assess the sovereignty of cloud services and help public sector bodies retain control and agency over their data and infrastructure.

From consumer to global hub

The proposal seeks to reposition Europe not only as a consumer of advanced digital technologies but as a "global hub for trusted, sovereign and scalable digital infrastructure capable of shaping the standards, capabilities and markets of the next technological wave". Fostering a competitive single market where providers are fully bound by EU law would, the proposal argues, embed fundamental-rights protections into the digital ecosystem.

The geopolitical case is framed as open rather than closed. The framework is designed to remain open and cooperative (Recital 61), while the Union retains the right — consistent with its WTO Government Procurement Agreement commitments — to adopt necessary and proportionate measures to protect public morals, order or safety.

What this means for you

For public-sector procurement officers, the geopolitical case translates into concrete obligations:

  • Mandatory risk assessments. Under Article 29, Member States and Union entities must carry out risk assessments to identify which public sector activities contribute to the preservation of public order and which Union assurance level is appropriate. Build these into your tender processes.
  • Procurement requirements. Article 30 would require contracting authorities whose activities contribute to public order — for example in national security, defence, justice or critical infrastructure sectors under the NIS2 Directive — to procure only services recognised at Union assurance levels 2, 3 or 4. Other public bodies must use services recognised at least at level 1. Price and features alone would no longer be enough.
  • EU added-value criteria. In procurement for innovative cloud and AI services, Article 32 would require non-price award criteria evaluating a tenderer's contribution to a European cloud and AI ecosystem, including strengthening the Union's digital supply chain and using EU-designed or -manufactured hardware. These criteria must be ancillary and not decisive.
  • Multi-cloud strategies. Article 29(9) would require risk assessments to consider whether a multi-vendor or multi-cloud strategy is appropriate, reducing single-provider dependence.
  • Transition periods. Where a risk assessment requires migration to another service, the Member State or Union entity must migrate within a reasonable transition period not exceeding 12 months (Article 29(6)). Plan early for data portability and continuity.

Common misconceptions

  • Sovereignty means data localisation only. Data residency is one component, but sovereignty under CADA would also cover operational autonomy, protection against extraterritorial legal access and resilience against disruption. A service can sit in the EU yet still be subject to third-country control and fail the criteria.
  • CADA is protectionist. The proposal presents the framework as open and non-discriminatory: third-country-controlled providers can be audited for the higher levels where their home country meets the cumulative criteria in Article 18, including no laws compelling unauthorised access to Union data or service disruption.
  • All public sector activities require the highest level. The framework is risk-based; most public services would require only level 1, with levels 2–4 reserved for public-order-relevant activities.
  • Sovereignty replaces cybersecurity. CADA would complement, not replace, frameworks such as the Cybersecurity Act and NIS2. Sovereignty addresses legal and geopolitical dependency; cybersecurity addresses technical threats. Both are needed for a trusted service.

This is general information about a draft EU regulation, not legal advice.