Summary
As proposed, the Cloud and AI Development Act (CADA) addresses critical non-technical risks that technical cybersecurity standards cannot resolve: extraterritorial data access, political or economic coercion, and unilateral service disruption. By establishing a four-level Union cloud computing sovereignty framework under Article 16, CADA targets legal and geopolitical vulnerabilities to safeguard the Union's public order and ensure operational autonomy. Unlike the Cybersecurity Act, which focuses on technical resilience, CADA explicitly fills the gap regarding "sovereignty and non-technical risks" by assessing provider control, third-country laws, and supply-chain independence.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), introduces a regulatory framework designed to strengthen Europe's cloud and AI ecosystem. A central pillar of this proposal is the mitigation of non-technical risks arising from dependence on cloud computing service providers subject to the control of third countries. While existing EU legislation, such as the NIS2 Directive and the Cybersecurity Act, addresses technical cybersecurity, CADA explicitly targets the legal, jurisdictional, and geopolitical vulnerabilities that technical controls alone cannot resolve.
Defining Non-Technical Risks in CADA
The proposal defines non-technical risks as those stemming from the legal jurisdiction, ownership structures, and control mechanisms of third countries over cloud service providers. These risks are distinct from technical failures, malware, or cyberattacks and include three primary categories identified in the proposal's recitals:
- Jurisdictional and Extraterritorial Access: The risk that third-country laws may mandate access to data stored in the EU, potentially conflicting with EU fundamental rights and data protection frameworks. The explanatory memorandum notes that "large market incumbents are subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks."
- Coercion and Influence: The risk of political or economic coercion, such as vendor lock-ins, embargoes, sanctions, or monopoly pricing that could damage the financial interests of the Union and Member States. Recital 50 specifies that these risks include "dependency vulnerabilities (i.e. political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States)."
- Operational Disruption: The risk of unilateral decisions by third-country actors disrupting service provision, leading to operational discontinuity. Recital 50 further highlights risks of "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation)" and "access to information (i.e. access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage)."
Recital 46 underscores the severity of these issues, stating that the Union's critical dependence on a limited number of providers subject to third-country control "exposes the Union to critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality and resilience of cloud computing services, reduced control and oversight over personal and non-personal data and infrastructure, and the risk of undue economic or political influence being exercised through the control by third countries."
The Sovereignty Framework: Article 16
To address these specific non-technical risks, CADA establishes a Union cloud computing sovereignty framework comprising four assurance levels, as detailed in Article 16. This framework provides harmonised and auditable criteria for cloud computing services to be recognised at specific levels of sovereignty, ensuring that providers meet requirements regarding establishment, infrastructure location, personnel, and third-country control.
Article 16(1) states:
"This Chapter establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies."
The four levels (Union Assurance Levels 1–4) escalate in strictness. Higher levels require greater operational autonomy, stricter data localisation, and more rigorous personnel and subcontractor controls. For instance, Annex II stipulates that for Union Assurance Levels 3 and 4, personnel involved in service provision must be Union citizens, and providers must not be subject to the control of a third country (unless a specific derogation under Article 18 applies). This structure directly targets the risks of foreign legal compulsion and political interference.
Why Cybersecurity Certification Is Insufficient
A common misconception is that existing cybersecurity certifications, such as those under the Cybersecurity Act or the upcoming European Cybersecurity Certification Scheme for Cloud Services (EUCS), are sufficient to mitigate sovereignty risks. The CADA proposal explicitly distinguishes between technical cybersecurity and sovereignty.
The explanatory memorandum states clearly:
"Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements."
Technical certifications verify that a system is secure against cyber threats, such as malware, unauthorised technical access, or system vulnerabilities. However, they do not verify whether a provider's home country can legally compel the provider to hand over data, nor do they assess the risk of a third country forcing a provider to degrade service quality or cease operations entirely.
The Commission frames CADA, together with the proposed revision of the Cybersecurity Act (referred to in the memorandum as "CSA2"), as filling a specific gap:
"Together, the proposal and the CSA2 fill long-standing gaps in sovereignty and non-technical risks."
CADA introduces a legal and operational assessment framework that complements, rather than replaces, technical cybersecurity standards. Its purpose is to ensure that a technically secure system cannot be cut off from its users, or compelled to disclose their data, by a foreign government's legal order or a geopolitical sanction.
Obligations for Member States and Public Sector Bodies
Under CADA, Member States and Union entities are obliged to conduct risk assessments to determine which public sector activities require specific assurance levels. Article 29 mandates that Member States and Union entities carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must consider:
- The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
- The risk and consequent impact on public order of unlawful access by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
Based on these assessments, contracting authorities must procure cloud services that meet the appropriate Union Assurance Level. Article 30(2) sets a baseline: entities whose activities do not contribute to public order must use services recognised at Union Assurance Level 1. However, Article 30(3) imposes a stricter requirement:
"Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."
This procurement mandate ensures that critical public functions are shielded from the non-technical risks identified in Recitals 46 and 50.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, CADA introduces new due diligence and procurement obligations that extend far beyond traditional technical security reviews.
1. Updated Risk Assessment Methodologies
You must integrate non-technical risk factors into your existing risk assessment frameworks. This includes evaluating the legal jurisdiction of cloud providers, their ultimate ownership structures, and the potential for extraterritorial data access under foreign laws. The Commission will provide guidance on these assessments, but organisations must proactively identify which of their activities fall under "public order relevance" (e.g., law enforcement, defence, critical infrastructure) and may require higher assurance levels.
2. Procurement Criteria and Assurance Levels
Public sector bodies must align their cloud procurement strategies with the Union Assurance Levels; private entities in critical sectors (as defined in Annex I of the NIS2 Directive) are not bound by the procurement mandate but are encouraged to carry out similar assessments and align their procurement accordingly.
- Minimum Requirement: All public sector bodies must procure services recognised at least at Union Assurance Level 1.
- Higher Assurance: For activities identified as contributing to the preservation of public order, procurement must be limited to services recognised at Union Assurance Levels 2, 3, or 4.
Ensure your procurement documents explicitly reference these assurance levels and require providers to demonstrate compliance through the recognition process established in Article 17.
3. Provider Due Diligence and Transparency
Cloud providers seeking to serve the public sector must undergo conformity self-assessment (for Level 1) or independent third-party audits (for Levels 2–4). Compliance officers should verify that providers have obtained the necessary recognition from national competent authorities. Providers must also report material changes that could affect their assurance level status, as per Article 23.
4. Penalties and Enforcement
Member States must lay down rules on penalties for infringements of the sovereignty framework. Article 24 requires penalties to be "effective, proportionate and dissuasive." Factors considered include the nature, gravity, and duration of the infringement, as well as any financial benefits gained. While specific fine amounts are to be determined by national implementation, the framework ensures that non-compliance with sovereignty obligations carries significant legal and financial consequences.
Common misconceptions
Misconception 1: GDPR adequacy decisions solve sovereignty risks. Reality: While GDPR adequacy decisions facilitate data transfers, they do not address operational autonomy or the risk of service disruption. CADA's sovereignty framework goes beyond data protection to ensure that EU users are not subject to unilateral third-country decisions that could disrupt services or compromise operational independence.
Misconception 2: EUCS certification is sufficient for public sector procurement. Reality: EUCS focuses on technical cybersecurity. CADA's Union Assurance Levels address non-technical risks such as jurisdictional control and political coercion. A provider may be EUCS-certified but still fail to meet Union Assurance Level 3 or 4 if it is subject to third-country control or if its personnel are not Union citizens.
Misconception 3: Only the public sector is affected. Reality: While the mandatory procurement requirements apply to public sector bodies, the proposal also encourages private sector entities in critical sectors (under NIS2) to conduct similar impact assessments. Furthermore, cloud providers aiming to serve the public sector must comply with the framework to access this significant market segment.
Misconception 4: CADA replaces the Cybersecurity Act. Reality: CADA complements the Cybersecurity Act. As the explanatory memorandum states, the two instruments "fill long-standing gaps in sovereignty and non-technical risks" together. CADA does not replace technical cybersecurity standards but adds a layer of legal and geopolitical assurance.
Related
- What is technical sovereignty in the cloud stack? CADA explained
- Can non-EU cloud providers meet CADA's sovereignty levels?
- Why is cloud sovereignty important for critical infrastructure? CADA
- Why is sovereignty described as layered or nuanced in CADA?
- CADA Sovereignty: Why Assessment is Per Service, Not Per Provider
This is general information about a draft EU regulation, not legal advice.