Summary

Under the proposed Cloud and AI Development Act (CADA), Union assurance level 4 represents the apex of cloud sovereignty, effectively mandating that cloud computing services be established, operated, and controlled exclusively within the European Union. As proposed, this tier strictly prohibits any control by third countries or legal entities established in third countries, with no derogation mechanism available. This stands in sharp contrast to level 3, which allows for a Commission-adopted derogation for "associated third countries." Contracting authorities conducting risk assessments under Article 29 must procure level 4 services for activities deemed critical to public order (e.g., defence, national security), ensuring that the most sensitive data and operations remain insulated from extraterritorial foreign influence.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework comprising four distinct assurance levels. These levels are designed to provide a proportionate response to varying degrees of risk regarding data confidentiality, operational autonomy, and the preservation of public order. Union assurance level 4 is the highest tier, reserved for the most sensitive public sector activities where the consequences of foreign interference or service disruption would be catastrophic.

The defining characteristic of level 4 is the absolute exclusion of third-country influence over the provider's governance and operations. This requirement is not merely a preference but a cumulative criterion that must be met for recognition.

The Absolute Prohibition of Third-Country Control

The core of the level 4 requirement is found in Annex II, Section 4.1(g). For a cloud computing service to be recognised at Union assurance level 4, the regulation stipulates that:

"the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."

This criterion is non-negotiable. Unlike the lower tiers, there is no mechanism within the text of the proposal to waive this requirement based on diplomatic agreements, adequacy decisions, or contractual safeguards. The prohibition extends to both the primary provider and any subcontractors involved in the service provision.

This strict stance directly addresses the policy concerns articulated in Recital 46 of the proposal. The recital notes that the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries." It identifies specific risks arising from this dependence, including:

  • The extraterritorial application of third-country laws;
  • Potential disruptions affecting the continuity, quality, and resilience of services;
  • Reduced control and oversight over personal and non-personal data;
  • The risk of undue economic or political influence.

By mandating an absence of third-country control, level 4 ensures that no foreign jurisdiction can legally compel a provider to access data, disrupt services, or degrade service quality. It effectively creates a "sovereign island" where the provider's decision-making chain is entirely contained within the EU legal order.

EU Establishment, Infrastructure, and Personnel

Beyond the prohibition on control, Article 16 and Annex II impose rigorous physical and legal presence requirements for level 4. The criteria in Section 4.1 require that:

  1. Establishment: The audited provider and relevant subcontractors must be established in the Union.
  2. Location: The infrastructure, assets, and personnel involved in the service must be located in the Union.
  3. Support: Technical and operational support must be initiated and performed exclusively within the Union by personnel who are Union residents and by third parties not subject to third-country control.

Crucially, Annex II, Section 4.1(d) mandates that the personnel involved, including those of subcontractors, must be Union citizens. Furthermore, where appropriate, these personnel must hold the necessary national security clearance issued by a Member State when handling classified information. This requirement for Union citizenship is a significant escalation from lower tiers and underscores the "human" element of sovereignty in the highest assurance level.

The Critical Contrast: Level 4 vs. Level 3

The most significant distinction in the CADA sovereignty framework lies in the treatment of third-country control between level 3 and level 4.

Level 3: The Derogation Mechanism

Union assurance level 3 is designed to be robust but flexible enough to accommodate international partnerships. Annex II, Section 3.1(g) states that providers subject to third-country control are generally ineligible. However, it immediately provides a derogation:

"By way of derogation to this criterion, a cloud computing service provider... that are subject to the control of a third country... may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18."

Article 18 establishes the mechanism for "associated third countries." It allows the Commission to adopt decisions identifying third countries whose providers may be audited against level 3 criteria, provided the third country meets cumulative criteria, such as having an adequacy decision under the GDPR and lacking measures that enable control over the provider in a way that conflicts with EU law.

Level 4: No Derogation

In stark contrast, Annex II, Section 4.1(g) contains no such derogation. The text is absolute: providers subject to third-country control are simply not eligible. Even if a third country is deemed "associated" under Article 18, its providers cannot achieve level 4 recognition. This structural difference means that level 4 is the only tier that guarantees a complete break from third-country jurisdictional reach, making it the sole option for activities where the risk assessment determines that any potential for foreign control is unacceptable.

Operationalising Control: Risk Assessments and Procurement

The role of EU control in level 4 is operationalised through the procurement obligations in Title IV, Chapter II.

Article 29 obliges Member States and Union entities to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine which assurance level (2, 3, or 4) is appropriate. The recitals and the text of Article 29(1) explicitly list sectors such as national security, internal security, external border management, defence, justice, and law enforcement as areas where public order preservation is critical.

Once a risk assessment identifies an activity as requiring level 4, Article 30(3) triggers a mandatory procurement obligation. Contracting authorities must:

"only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

While this article sets a floor, the specific requirement for level 4 arises when the risk assessment concludes that the sensitivity of the data or the criticality of the function necessitates the highest level of assurance. In such cases, authorities are legally bound to select providers that meet the stringent "no third-country control" criteria. This ensures that the most sensitive data and operations remain under exclusive EU jurisdiction.

Penalties and Enforcement

Compliance with these sovereignty requirements is enforceable. Article 24 requires Member States to lay down rules on penalties for infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." The article lists non-exhaustive criteria for imposing penalties, including the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained.

Furthermore, Article 24(3) grants recipients of cloud services the right to seek compensation for any damage or loss suffered due to a provider's infringement of their obligations under the sovereignty chapter. This creates a dual enforcement mechanism: administrative penalties imposed by national authorities and civil liability towards the public sector bodies relying on the service.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the proposed CADA introduces a new, rigorous layer of due diligence for public sector contracts and critical infrastructure.

  • Conduct Rigorous Risk Assessments: You must participate in or support the risk assessments mandated by Article 29. These assessments, which must be carried out within one year of the Regulation's entry into force and repeated every two years, will determine whether your organisation's activities require level 4 assurance. If your sector involves national security, defence, or critical public order functions, level 4 will likely be mandatory.
  • Verify Provider Control Structures: When selecting cloud providers for level 4 services, you must verify that the provider and its subcontractors are not subject to third-country control. This requires a deep dive into ownership structures, voting rights, and corporate governance, as detailed in the audit evidence requirements of Annex III (specifically Audit Criterion G). Standard contractual clauses may not be sufficient; you will need to request audited evidence of compliance and potentially review the provider's ultimate beneficial ownership.
  • Avoid Third-Country Controlled Providers for Critical Workloads: Even if a third-country provider achieves level 3 recognition under Article 18 (via an associated third-country decision), it remains ineligible for level 4. Ensure that your procurement specifications explicitly exclude providers subject to third-country control for any workload classified as requiring level 4 assurance. Do not rely on "adequacy decisions" as a substitute for the level 4 control requirement.
  • Prepare for Penalties and Liability: Be aware that non-compliance can lead to significant administrative fines and liability for damages. Ensure that your cloud contracts include robust indemnity clauses and that your providers can demonstrate compliance with the sovereignty framework. The right to compensation under Article 24(3) means that a failure to secure a level 4 provider for a critical function could result in direct financial liability for the contracting authority.

Common misconceptions

"Level 4 allows third-country providers if they have an adequacy decision." This is incorrect. Adequacy decisions under the GDPR are relevant for Article 18 and level 3 recognition, but they do not override the strict no-third-country-control requirement for level 4. Level 4 requires exclusive EU control, regardless of the third country's data protection status.

"Level 4 is only about data location." While data must remain in the Union, level 4 also mandates that the provider, its subcontractors, its infrastructure, and its personnel are established and located in the Union, and free from third-country control. It is a holistic sovereignty requirement, not just a data residency rule. The requirement for Union citizens in Annex II, Section 4.1(d) is a key differentiator.

"We can choose any level for our cloud services." No. Article 30 mandates minimum assurance levels based on risk assessments. If your activities are deemed critical to public order, you must procure at least level 2, 3, or 4 services. You cannot opt for level 1 if a higher level is required by the risk assessment. For the most critical activities, level 4 is the only compliant option.

"Level 3 and Level 4 are effectively the same for third-country providers." They are fundamentally different. Level 3 allows for a Commission-adopted derogation for providers controlled by "associated third countries" under Article 18. Level 4 contains no such derogation; it is an absolute bar on third-country control.

This is general information about a draft EU regulation, not legal advice.