Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would mandate that public sector bodies procure cloud services meeting specific "Union assurance levels" (Levels 1–4) based on sovereignty risk assessments (Article 29). For CTOs, this means you must verify a vendor's claimed tier against the cumulative criteria in Annex II and demand their latest independent audit opinion for Levels 2–4 (Article 20). Key questions must focus on data residency, the physical location of technical support, third-country control structures, and the vendor's ability to legally resist extraterritorial data requests.
Detail
The CADA proposal introduces a four-tier sovereignty framework (Union Assurance Levels 1–4) designed to mitigate risks from third-country jurisdiction and operational dependency. As a CTO or architect evaluating a vendor, you cannot rely solely on marketing claims of "sovereign cloud." You must validate compliance with the specific, cumulative criteria in Annex II and verify the procedural validity of their recognition under Article 17.
Below are the critical questions to ask, grounded in the proposed text.
1. Which Union Assurance Level are you recognized for, and what is the audit status?
Under Article 16, cloud computing service providers must meet criteria set out in Annex II to be recognized at a specific level. Level 1 requires a conformity self-assessment (Article 19), while Levels 2, 3, and 4 require independent third-party audits (Article 20).
- Ask: "Are you recognized at Assurance Level 1, 2, 3, or 4? For Levels 2–4, please provide the 'positive' audit opinion and the full audit report issued by an accredited auditing organization under Article 20."
- Why it matters: Article 20(5) requires the audit report to include a declaration of interests, methodology, findings, and a clear 'positive' or 'negative' opinion. A 'positive' opinion is only valid if all evidence shows compliance with the criteria for that specific level. Check the date of the audit; Article 20(8) requires an annual review to confirm continued compliance. If the last review is older than 12 months, the vendor may not currently hold a valid recognition. Furthermore, Article 23 mandates that providers notify authorities of any material changes that could affect their recognition status.
2. Where is the technical and operational support located?
A common misconception is that data residency alone ensures sovereignty. CADA goes further. For Levels 2, 3, and 4, Annex II strictly limits where support can be performed and by whom.
- Ask: "Is all technical and operational support, including incident response, backup handling, and disaster recovery, initiated and performed exclusively within the Union? Who performs this support, and are they Union residents?"
- Why it matters: For Level 2, Annex II, Section 2.1(h) requires that support be initiated and performed exclusively within the Union. For Levels 3 and 4, this is reinforced by Annex II, Section 3.1(h) and Section 4.1(h), which further require that support be provided by personnel who are Union residents and by third parties not subject to third-country control. If a vendor's Level 3 claim relies on a support center in a non-EU country, they are non-compliant. Article 20(2) also requires audited providers to cooperate with auditors by granting access to all relevant data and premises necessary to verify these operational realities.
3. How do you handle third-country control and extraterritorial laws?
This is the core of the sovereignty framework. The proposal aims to prevent third-country laws (such as the US CLOUD Act) from compelling data access or service disruption.
- Ask: "Is your service provider or any subcontractor subject to the control of a third country or a legal entity established in a third country? If so, how do you demonstrate compliance with Annex II criteria regarding third-country control, and do you have an implementing act under Article 18?"
- Why it matters:
  - Level 1: Annex II, Section 1.1(g) requires that if subject to third-country control, there must be no laws requiring the provider to report software vulnerabilities to third-country authorities before they are exploited.
  - Level 2: Annex II, Section 2.1(g) requires measures to ensure third-country control does not restrict service performance, prevent access to customer data, or disrupt service continuity. It also requires a documented migration plan if a third-country vendor fails or imposes restrictions.
  - Level 3: Annex II, Section 3.1(g) generally prohibits third-country control. Exceptions are only possible if the Commission has adopted an implementing act under Article 18 for that specific third country, confirming it meets strict criteria (e.g., no measures to compel data access or service degradation). Note that Article 18 is the correct cross-reference for third-country derogations, not Article 19.
  - Level 4: Annex II, Section 4.1(g) strictly prohibits any third-country control over the provider or subcontractors.
4. Where are your personnel and infrastructure located?
- Ask: "Are all personnel involved in the provision of the service, including subcontractors, located in the Union? For Levels 3 and 4, are they Union citizens? Can you provide proof of citizenship and security clearances?"
- Why it matters: Annex II, Section 2.1(b) requires infrastructure and personnel to be in the Union for Level 2. Sections 3.1(d) and 4.1(d) require personnel to be Union citizens for Levels 3 and 4, with national security clearances where they handle classified information. Note that for Level 2, the requirement for Union citizenship is conditional: it applies only "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary" (Annex II, Section 2.1(d)). For Levels 3 and 4, it is mandatory.
5. Do you use customer data to train AI systems?
- Ask: "Do you use data generated by using our service to train or fine-tune any AI system operated by a third country or a legal entity established in a third country? Can you provide contractual clauses prohibiting this?"
- Why it matters: For Levels 2, 3, and 4, Annex II, Sections 2.1(f), 3.1(f), and 4.1(f) explicitly prohibit using customer data to train AI systems operated by third-country entities. This data must not be transferred outside the Union in any case. Annex III, Criterion F details the evidence required, including contractual clauses and data flow diagrams showing that AI pipelines do not connect with customer data outside the Union.
6. What is your software supply chain transparency?
- Ask: "Can you provide a complete and up-to-date Software Bill of Materials (SBOM) and a list of identified dependencies? How do you block remote features that could tamper with the system, and do you have a migration plan for third-country components?"
- Why it matters: For Levels 2, 3, and 4, Annex II, Sections 2.1(i), 3.1(i), and 4.1(i) require an SBOM and documented controls to block remote tampering features. For Level 4, you must also demonstrate that a third country does not hold effective control over the design and evolution of critical software components (Annex II, Section 4.1(i)(ii)). Annex III, Criterion I specifies that auditors must verify the existence of a migration plan in the event a vendor fails or a third country imposes restrictions.
What this means for you
For CTOs and architects, CADA shifts the burden of proof from the buyer to the vendor, but only if the vendor has undergone the correct recognition process.
- Verify the Repository: Check the central repository established by the Commission under Article 22. Only services listed here with a valid recognition status should be considered for public sector contracts requiring Levels 2–4. The repository must be publicly available and regularly updated.
- Scrutinize the Audit Report: Do not accept a simple "yes/no" compliance statement. Request the full audit report under Article 20. Look for the "positive opinion" and check for any "negative opinions" or unresolved findings from previous annual reviews. Article 20(5)(g) mandates that the report explicitly state the Union assurance level that needs to be recognized.
- Assess Migration Risk: If your current vendor is non-compliant, Article 29(6) mandates a migration period not exceeding 12 months if a risk assessment requires switching to a higher assurance level. Plan your architecture for portability now.
- Check Subcontractors: Sovereignty extends to subcontractors. Annex II applies the same location and control criteria to subcontractors involved in service provision. Ensure your vendor's supply chain is transparent, as Article 20(2) requires audited providers to cooperate with auditors regarding subcontractors.
Common misconceptions
- "GDPR compliance is enough for sovereignty." No. GDPR protects personal data privacy but does not prevent third-country governments from accessing data under laws like the US CLOUD Act. CADA addresses operational autonomy and data confidentiality against extraterritorial jurisdiction.
- "Level 1 is the same as Level 2." No. Level 1 is a self-assessment (Article 19). Level 2 requires an independent audit (Article 20) and stricter criteria, including prohibitions on using data for third-country AI training and stricter supply chain controls.
- "Data residency equals sovereignty." Incorrect. CADA requires data to remain in the Union, but also mandates that infrastructure, personnel, support, and control structures remain free from third-country influence. A vendor can store data in the EU but still be non-compliant if their support team is in a non-EU country or if they are controlled by a third-country entity without adequate safeguards.
- "L3 cybersecurity certification is 'high'." No. Under Annex II, Level 3 requires a European cybersecurity certificate of at least assurance level 'substantial'. Only Level 4 requires a 'high' assurance level (Annex II, Section 4.1(e)).
Official sources
This is general information about a draft EU regulation, not legal advice.