Summary

The EU's cloud sovereignty push grew from a realisation that reliance on a few non-EU hyperscalers creates risks for public order and economic security. The arc runs from fundamental-rights concerns under Schrems II, through voluntary industry initiatives such as Gaia-X, to the proposed Cloud and AI Development Act (CADA). As proposed, CADA would turn fragmented efforts into a binding framework, requiring public authorities to procure cloud services against standardised, auditable sovereignty criteria: the four Union assurance levels set out in Article 16 and Annex II.

Detail

The EU's legislative push for cloud sovereignty is the culmination of more than a decade of legal, economic, and geopolitical change. For public-sector procurement officers, the history explains why CADA's obligations are framed as they are. It runs through three phases: a judicial awakening to data-access risk, a market-driven attempt at self-regulation, and the current legislative turn to strategic autonomy.

Phase 1: The judicial awakening (2015–2020)

The modern EU concept of cloud sovereignty was catalysed by the Court of Justice of the EU through the two Schrems rulings: Schrems I (2015), which invalidated the Safe Harbour transfer arrangement, and Schrems II (2020), which invalidated its successor, the Privacy Shield. While the GDPR set the data-protection framework, Schrems II exposed the tension between EU data-protection standards and third-country surveillance laws, particularly in the United States.

The core issue was the extraterritorial reach of third-country law. As the CADA explanatory memorandum describes, the EU has become increasingly dependent on a limited number of third-country cloud providers, many of which are subject to jurisdictions whose laws have extraterritorial effect and can mandate data access in conflict with EU fundamental rights and data-protection frameworks.

The US CLOUD Act (2018) crystallised the point: by confirming that US legal process reaches data in a US provider's possession, custody or control regardless of where it is stored, it showed that data localisation alone does not protect EU users. CADA's recitals frame this dependence as exposing the Union to extraterritorial legal reach, reduced control over data and infrastructure, and potential service disruption. The lesson: sovereignty is about who controls the infrastructure and which jurisdiction governs the provider, not just where data sits.

Phase 2: The market response and Gaia-X (2019–2024)

In response, the EU first leaned on a market-based approach. The Commission's analysis records a stark trend: the market share of EU cloud providers fell from 29% in 2017 to 15% in 2022 and has remained stagnant since, while three non-EU hyperscalers control over 70% of the European cloud market.

That concentration prompted Gaia-X, a voluntary initiative to build a federated data and cloud infrastructure with shared trust and interoperability standards. But voluntary measures have limits: Gaia-X fostered dialogue and technical standards yet lacked binding force, so it could neither compel public authorities to change procurement nor mandate sovereignty criteria.

The memorandum likewise notes that while the Data Act introduced rules on switching between data processing services to cut vendor lock-in, it "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers." Gaia-X laid technical groundwork but did not resolve extraterritorial legal reach or guarantee operational autonomy for critical services.

Phase 3: The strategic imperative and the Draghi report (2024–2026)

The final catalyst was the reframing of cloud infrastructure as a matter of economic security and strategic autonomy, crystallised in Mario Draghi's report, The Future of European Competitiveness. The CADA proposal cites the report's call for the EU to "maintain a foothold in areas where technological sovereignty is required, such as security and encryption ('sovereign cloud' solutions) and thus reduce critical external dependencies."

The report argued that computing infrastructure is no longer a mere technical asset but a strategic resource for the Union's economic security, resilience, and competitiveness, and it called for targeted action to regain control over data and cloud services. That economic argument merged with the earlier fundamental-rights concerns to form CADA's basis. The proposal was advanced alongside the broader "AI Continent" agenda, addressing limited and geographically concentrated EU computing capacity and dependence on non-European providers, and marking a shift from voluntary trust frameworks to a harmonised, EU-wide mandatory approach.

CADA as the binding step: Article 16 and the sovereignty framework

CADA represents the legislative culmination by introducing a binding mechanism. Article 16 would establish a "Union cloud computing sovereignty framework" comprising four assurance levels, with criteria set out in Annex II that providers must meet to serve Union entities and public sector bodies. The framework is designed to be auditable and harmonised across the EU, replacing fragmented national approaches.

The history explains the strictness. Because earlier measures did not mitigate third-country legal risk, CADA's higher assurance levels (2, 3, and 4) would require independent audits and, at the top levels, Union citizenship for personnel involved in the service and the absence of third-country control over the provider and its subcontractors.

Article 29 would oblige Member States and Union entities to carry out risk assessments (within a year of entry into force and at least every two years thereafter) to identify which public sector activities contribute to the preservation of public order and which assurance level applies. This links directly back to the Schrems-era concern: protecting public order by ensuring critical services are not subject to unilateral disruption or unauthorised third-country access.

By making these criteria binding for public procurement, CADA would convert reactive litigation (Schrems) and voluntary effort (Gaia-X) into a proactive, enforceable strategy, operationalising the Draghi report's call for a single EU-wide sovereignty framework that lets contracting authorities use their buying power to reduce dependency.

What this means for you

For public-sector procurement officers, the history explains why the requirements are stringent and represent a genuine shift.

  1. From voluntary to mandatory. As proposed, you could no longer rely on voluntary trust labels or self-declarations alone for higher-assurance needs. CADA introduces a formal recognition process; you would procure services recognised under the Union assurance levels (Article 16, Article 17).
  2. Risk assessments are central. Schrems and the Draghi report both show one size does not fit all. Article 29 would require your authority to assess which activities contribute to public order and may need the higher levels (2, 3, or 4).
  3. "Sovereignty" is more than localisation. It spans operational autonomy, protection from extraterritorial law, and resilience against disruption. Evaluate tenders on legal structure, control, and audit status, not just price and specs.
  4. Plan for transition. Where a risk assessment requires migration, Article 29(6) provides a reasonable transition period not exceeding 12 months. Begin planning early to maintain continuity while moving to recognised providers.

Common misconceptions

  • "CADA is just the GDPR for cloud." GDPR protects personal data; CADA, as proposed, addresses broader sovereignty and operational risks. The memorandum notes the EU-US Data Privacy Framework addresses transatlantic transfers but "does not remove sovereignty concerns about dependence on third-country providers." CADA covers operational autonomy, supply-chain resilience, and protection against disruption, all outside GDPR's scope.
  • "Gaia-X solved cloud sovereignty." Gaia-X was voluntary and lacked binding force. CADA is the step that would make sovereignty criteria mandatory for public procurement.
  • "Sovereignty means all data must stay in the EU at all times." Data localisation is a key criterion, but CADA's sovereignty is multi-layered: establishment, personnel citizenship (at higher levels), software supply-chain transparency, and protection against third-country legal orders. It is a holistic framework, not a single geographic rule.

This is general information about a draft EU regulation, not legal advice.