Summary
As proposed, the Cloud and AI Development Act (CADA) links cloud sovereignty to the protection of EU fundamental rights, treating sovereignty not only as an economic goal but as a means of safeguarding data confidentiality and operational autonomy against extraterritorial third-country laws. The proposal argues that dependence on third-country-controlled providers exposes the Union to unauthorised data access and service disruption that can threaten fundamental rights, and it positions itself as complementing, not duplicating, the GDPR. To mitigate these risks, CADA would establish four "Union assurance levels" (Article 16, with criteria in Annex II) and require public-sector bodies to procure cloud services that match the assurance level identified by a risk assessment.
Detail
The relationship between sovereignty and fundamental rights in the proposed CADA rests on the premise that technological dependence on third-country-controlled providers creates strategic vulnerabilities that can undermine the Union's legal order and citizens' rights. The proposal identifies a gap: while instruments such as the GDPR and the EU-US Data Privacy Framework address transatlantic data transfers, they do not, on their own, resolve sovereignty concerns about operational autonomy and the extraterritorial reach of third-country legislation.
The conflict: extraterritorial laws and fundamental rights
Recital 46 sets out the core tension: the Union's dependence on a limited number of providers subject to third-country control exposes it to "critical strategic dependencies and concentration risks," including "vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality and resilience of cloud computing services, reduced control and oversight over personal and non-personal data and infrastructure, and the risk of undue economic or political influence."
Recital 50 elaborates the categories of risk: "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation), access to information (i.e. access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage) and dependency vulnerabilities." Such risks bear directly on rights in the Charter of Fundamental Rights of the European Union — in particular the protection of personal data (Article 8 of the Charter) and respect for private life.
Recital 47 notes that while existing Union law addresses cybersecurity, data protection, interoperability and data portability, "there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks," and that fragmented national approaches "risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty." CADA, as proposed, aims to complement existing data-protection law with a harmonised mechanism strengthening long-term technological autonomy and control.
The solution: the Union cloud computing sovereignty framework
To protect public order — and, with it, fundamental rights — CADA would introduce a "Union cloud computing sovereignty framework" of four assurance levels.
- Article 16(1) establishes the framework "comprising four Union assurance levels, the criteria for which are set out in Annex II," that providers must meet to serve Union entities and public sector bodies.
- Article 16(2) empowers the Commission to adopt delegated acts to amend the assurance levels in Annex II (and the audit evidence in Annex III).
- Article 16(3) requires the Commission to review Annexes II and III at least every 18 months to keep them up to date with new legal or technical developments.
The levels are calibrated to the layered nature of sovereignty: most public services would not need the highest levels, but specific cases of public-order risk may warrant levels 3 or 4 (Recital 52). The Annex II criteria cover infrastructure and personnel location, personnel Union citizenship at higher levels, and freedom from third-country control — for example, Union assurance level 4 requires that the audited provider and relevant subcontractors are not subject to the control of a third country or a legal entity established in a third country (Annex II, point 4.1(g)).
Risk assessments and public procurement
Article 29 obliges Member States and Union entities to carry out risk assessments identifying public-sector activities that contribute to the preservation of public order — particularly in NIS2 sectors (Directive (EU) 2022/2555) and in national security, internal security, border management, defence, justice or law enforcement — and to determine the appropriate level (2, 3 or 4).
Article 30 then ties procurement to the result: contracting authorities whose activities are identified as contributing to public order must only procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)); for other activities, level 1 is required (Article 30(2)). This is intended to stop public-sector bodies inadvertently exposing sensitive data or critical operations to third-country access risks.
Link to the GDPR and the Charter
The proposal is presented as consistent with the GDPR and the Charter. Its explanatory memorandum states that while the EU-US Data Privacy Framework addresses transatlantic data transfers, it "does not remove sovereignty concerns about dependence on third-country providers," because sovereignty "goes beyond data transfers and relates to operational autonomy too." CADA is thus framed as complementing existing data-protection law rather than replacing it.
What this means for you
For in-house counsel and compliance officers, the proposed CADA would add significant obligations on cloud procurement and data sovereignty, especially for public-sector entities and critical-infrastructure operators.
1. Mandatory risk assessments (Article 29). If you advise a Member State body or a Union entity, it must conduct a risk assessment within one year of entry into force and every two years thereafter, weighing the sensitivity, criticality and magnitude of the data processed, the risk of unlawful access by a third country, and the risk of service disruption, and then determine the appropriate assurance level.
2. Procurement restrictions (Article 30). If your activities are identified as contributing to public order (e.g. national security, defence, critical infrastructure), you must procure only level 2, 3 or 4 services; otherwise at least level 1. Verify recognised status in the Article 22 central repository.
3. Due diligence and vendor selection. Confirm that providers meet the criteria for the required level: establishment in the Union; infrastructure and personnel located in the Union (levels 2–4); and freedom from third-country control that could compromise data access or continuity. Request recognition evidence and, for levels 2–4, audit reports.
4. Penalties and compensation (Article 24). Member States must lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty Chapter. Relevant criteria include the nature, gravity, scale and duration of the infringement, any financial benefit and turnover.
5. Transition and migration. Where a risk assessment requires migration, Article 29(6) sets a reasonable transition period not exceeding 12 months, accounting for technical feasibility, continuity of service and data portability.
Common misconceptions
- "CADA replaces the GDPR." It does not. As proposed, it complements the GDPR by addressing sovereignty and operational-autonomy risks that data-protection law alone does not fully mitigate; providers remain bound by all applicable data-protection obligations.
- "Only non-EU providers are affected." EU-based providers must also meet strict criteria on establishment, infrastructure and personnel location, personnel citizenship and freedom from third-country control, demonstrated through self-assessment (level 1) or independent audit (levels 2–4).
- "Sovereignty means data must never leave the EU." At lower levels, customer data may be processed or stored outside the Union only where the public sector body explicitly requires it, with legal, technical and organisational measures in place (Annex II, points 1.1(c) and (d)); at higher levels the default is exclusive location within the Union.
- "The EU-US Data Privacy Framework solves all sovereignty issues." The explanatory memorandum states it addresses transatlantic transfers but does not remove sovereignty concerns about dependence on third-country providers; CADA complements it by addressing operational autonomy and disruption risks not covered by adequacy alone.
This is general information about a draft EU regulation, not legal advice.