Summary
The simplest way to explain the proposed Cloud and AI Development Act (CADA) to a board is to frame it as a risk-based menu for public procurement, not a technical certification. As proposed in COM(2026) 502 final, the Act establishes a Union cloud computing sovereignty framework under Article 16 comprising four tiers of verified EU cloud sovereignty. These range from Level 1 (a basic baseline for all public sector use) to Level 4 (the strictest controls, designed to protect the most sensitive data). The framework does not require every service to be Level 4; instead, a mandatory risk assessment determines which tier is necessary to safeguard public order and operational autonomy.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a harmonised framework to mitigate the strategic risks associated with dependence on third-country cloud providers. For a board or executive committee, the core concept is that CADA shifts cloud procurement from a purely financial decision to a strategic security decision. The framework is anchored in Article 16, which establishes the scope of the Union cloud computing sovereignty framework and mandates that cloud computing service providers meet specific criteria to be recognised at one of four Union assurance levels.
To explain this to non-technical stakeholders, use the "four-tier sovereignty framework" analogy. The levels are cumulative: to achieve Level 2, a provider must first meet all Level 1 criteria; to achieve Level 3, they must meet Levels 1 and 2, and so on. The criteria are detailed in Annex II of the proposal.
Level 1: The Baseline (Self-Assessment)
This is the minimum standard for any cloud service used by the public sector. It requires the provider to be established in the Union, with infrastructure and customer data remaining exclusively within the Union (unless the public sector body explicitly requires otherwise). Compliance is demonstrated through a conformity self-assessment and an EU statement of conformity. It ensures basic data localisation and operational autonomy but does not require a third-party audit. This level is suitable for non-critical administrative functions.
Level 2: The Audited Standard (Independent Verification)
Level 2 introduces independent third-party audits. Beyond the Level 1 criteria, it requires stricter controls on personnel (e.g., the provider must ensure personnel meeting Union citizenship requirements are available if the public sector body determines this is necessary) and prohibits the use of customer data to train or fine-tune AI systems operated by a third country. It also mandates that technical and operational support is initiated and performed exclusively within the Union. This level is designed for services where data sensitivity is moderate but operational continuity is critical.
Level 3: The Sovereign Standard (No Third-Country Control)
Level 3 is where the framework becomes strict regarding ownership and control. Providers and their subcontractors must not be subject to the control of a third country or a legal entity established in a third country, unless the Commission has adopted a specific implementing act under Article 18 granting an exception (e.g., for countries with adequacy decisions and specific safeguards). Personnel must be Union citizens, and infrastructure must be located in the Union. This level is typically required for sectors listed in Annex I or II of the NIS2 Directive, such as energy or transport, where service disruption could harm public order.
Level 4: The Highest Assurance (Most Sensitive Data)
Level 4 protects the most sensitive data. It shares the strict ownership and personnel requirements of Level 3 but adds the highest cybersecurity certification standards: the service must obtain a European cybersecurity certificate of at least assurance level 'high' (whereas Levels 2 and 3 require 'substantial'). It is reserved for the most critical public sector activities, such as national security, defence, justice, or law enforcement, where the risk of unauthorised access or service degradation would have severe consequences for public order.
The Mechanism: Risk Assessment Drives Procurement
Crucially, CADA does not force every public body to buy Level 4 services. Article 29 requires Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate for their specific activities. If a risk assessment identifies that an activity contributes to the preservation of public order, the contracting authority must procure services recognised at Level 2, 3, or 4. For all other activities, Level 1 is the mandatory minimum.
This approach ensures proportionality. A local library's website may only need Level 1, while a national health database handling sensitive medical records would likely require Level 3 or 4. The framework provides the criteria; the risk assessment provides the decision.
What this means for you
For public-sector procurement officers and board members, this framework changes how you evaluate cloud vendors and structure tender documents.
- Conduct a Risk Assessment First: Before issuing a tender, you must determine the sensitivity of the data and the criticality of the service. As proposed, this assessment dictates whether you are legally required to seek a Level 2, 3, or 4 service. If you fail to conduct this assessment, you may inadvertently procure a service that does not meet the required sovereignty standard.
- Check the Central Repository: CADA proposes a central repository of recognised services (Article 22). You should only procure from providers listed in this repository with the appropriate assurance level. If a provider claims to be "sovereign" but is not in the registry, they do not meet the CADA standard.
- Update Your Award Criteria: Article 32 allows you to include "Union added value" as a non-price award criterion in your procurement procedures. You can give points to providers who strengthen the European digital supply chain, use hardware designed in the Union, or integrate Union-developed technologies. This helps steer the market toward European providers.
- Plan for Migration: If your current provider does not meet the required assurance level, you must migrate. Article 29 provides a transition period of up to 12 months for migration, depending on technical feasibility and data portability. Start planning this early.
- Leverage EuroCloud: Consider joining the EuroCloud Federation (Article 34), which allows public sector bodies to share idle cloud capacity and services. This can reduce costs and increase resilience by allowing you to tap into sovereign capacity from other Member States.
Common misconceptions
Misconception 1: "Level 4 is the only 'real' sovereign cloud." Reality: All four levels are part of the sovereignty framework. Level 1 is a legally recognised sovereign baseline for non-critical services. Forcing Level 4 for all services would be disproportionate, costly, and unnecessary for many public functions. The framework is designed to be risk-based, not one-size-fits-all.
Misconception 2: "CADA bans all non-EU providers." Reality: CADA does not ban non-EU providers outright. A provider controlled by a third country can still qualify for Level 3 if the Commission adopts an implementing act recognising that third country as providing sufficient assurances (Article 18). This requires an adequacy decision and specific safeguards against unauthorised data access or service disruption. However, for Level 4, third-country control is generally prohibited.
Misconception 3: "Cybersecurity certification equals sovereignty." Reality: While high cybersecurity is a component of Levels 2–4, sovereignty is broader. It includes data localisation, personnel nationality, legal jurisdiction, and freedom from third-country control. A provider can have excellent cybersecurity (e.g., EUCS certified) but still fail Level 3 if they are controlled by a third country with extraterritorial data access laws.
Misconception 4: "The risk assessment is a one-time box-ticking exercise." Reality: Article 29 requires risk assessments to be carried out every two years, or whenever necessary. As threats evolve and services change, the required assurance level may change. Continuous monitoring is essential to maintain compliance.
This is general information about a draft EU regulation, not legal advice.