Summary
As proposed, the Cloud and AI Development Act (CADA) would impose strict procurement obligations on public-sector contracting authorities, including public universities and research institutes. Under Article 30, these bodies must procure cloud services meeting specific "Union assurance levels." While baseline research may only require Level 1, activities deemed to contribute to the "preservation of public order", such as defense, critical infrastructure, or sensitive health research, would be mandated to use services at Union assurance levels 2, 3, or 4. This framework, reinforced by Recital 24, aims to reduce dependence on non-EU providers, potentially forcing a migration away from global hyperscalers for sensitive projects and increasing compliance complexity for academic institutions.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a significant shift in how the EU regulates the infrastructure underpinning its digital ecosystem. Unlike the AI Act, which governs the software layer, CADA targets the "sovereignty" of the cloud itself. For the research sector, the primary pressure point is the intersection of Article 30 (public procurement), Article 29 (risk assessments), and the tiered "Union assurance levels" defined in Annex II.
The Procurement Mandate: Article 30 and Public Universities
Public universities and research institutes often act as "contracting authorities" under EU public procurement law. Under Article 30(1) of the CADA proposal, this status triggers specific obligations when procuring cloud computing services for exclusive use. The regulation establishes a binary procurement path based entirely on the outcome of a risk assessment:
- The Baseline (Level 1): Under Article 30(2), contracting authorities whose activities have not been identified as contributing to the preservation of public order must use cloud services recognized as offering Union assurance level 1. This level requires the provider to be established in the Union, with infrastructure and data located within the Union, and can be achieved via a self-assessment.
- The Sovereign Requirement (Levels 2-4): Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud services recognized as offering Union assurance levels 2, 3, or 4.
The critical question for research institutions is: Which research activities trigger the "public order" designation?
Defining "Public Order" in Research: The Role of Article 29
The determination of whether a research project falls under the higher procurement tier is not made by the university alone but is guided by Article 29. Member States and Union entities must conduct risk assessments to identify public sector activities that contribute to preserving public order. Article 29(1) explicitly lists the sectors and areas where this applies:
- Sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2).
- Areas of national security, internal security, external border management, defence, justice, or law enforcement.
For research institutions, this creates a clear divide. Basic academic research (e.g., humanities, general social sciences) likely falls outside these categories and remains at Level 1. However, applied research in strategic sectors, such as defense technologies, critical energy infrastructure, advanced health data, or AI models with dual-use potential, is highly likely to be flagged. If a university's research project involves data or systems relevant to these areas, the institution is legally bound under Article 30(3) to procure only from providers meeting the higher assurance levels (2, 3, or 4).
Assurance Levels and Sensitive Research Data
The "Union assurance levels" are not merely marketing labels; they are rigorous, auditable criteria detailed in Annex II. For research involving sensitive data, the jump from Level 1 to Levels 2-4 introduces significant operational constraints:
- Level 1 (Self-Assessment): Requires EU establishment and data localization. No independent audit is required.
- Level 2 (Substantial Cybersecurity): Requires an independent third-party audit and a European cybersecurity certificate of at least "substantial" assurance. Crucially, it mandates that data generated by the service must not be used to train or fine-tune any AI system operated by a third country (Annex II, 2.1(f)).
- Level 3 (High Sovereignty): Builds on Level 2 but adds a mandatory requirement that personnel (including subcontractors) involved in service provision must be Union citizens (Annex II, 3.1(d)). It also requires that technical support be performed exclusively within the Union by Union residents.
- Level 4 (Maximum Autonomy): The highest tier requires that the provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country (Annex II, 4.1(g)). This effectively excludes providers controlled by non-EU entities, regardless of their local infrastructure.
For research projects handling classified information or sensitive industrial data, Level 4 may be the only compliant option. This creates a "sovereign cloud pressure" where widely used global hyperscalers (often controlled by US entities) may be ineligible for these specific projects unless they can demonstrate a complete separation from third-country control, a high bar under Annex II.
The Legislative Intent: Reducing Non-EU Dependence
The pressure to migrate is not accidental; it is the core objective of the proposal. Recital 24 explicitly states that the Cloud and AI Leadership Initiatives should "ensure the uptake of cloud computing services provided by European cloud computing service providers across the public and private sectors to ensure that cloud adoption is consistent with the objective of strengthening the Union's technological autonomy."
The recital highlights that this is particularly critical in sectors involving "critical data." By mandating higher assurance levels for public-order-relevant activities, CADA aims to shift market share away from non-EU incumbents and foster a resilient, EU-controlled supply chain. This aligns with the broader goal of reducing dependencies on third-country providers, as noted in the proposal's general objectives.
The Risk Assessment Mechanism
The pressure on research institutions is dynamic. Article 29 requires Member States to carry out these risk assessments within one year of the Regulation's entry into force and every two years thereafter. The assessment must consider:
- The sensitivity, criticality, and magnitude of the data processed.
- The risk of unlawful access by a third country.
- The risk of service disruption.
If a university's research portfolio evolves (e.g., a new defense grant is awarded), the risk assessment may change, triggering a requirement to migrate to a higher assurance level. Article 29(6) provides a transition period of up to 12 months for migration, but this requires proactive planning.
What this means for you
For public universities, research administrators, and procurement officers, CADA introduces a new layer of compliance that goes beyond GDPR.
1. Map Your Research to "Public Order"
You must work with your national competent authority to determine which of your research activities fall under the Article 29 risk assessment.
- Action: Conduct an internal audit of research projects. Flag those in defense, energy, health, or critical infrastructure.
- Implication: If flagged, you cannot procure from providers that do not hold Union assurance levels 2, 3, or 4.
2. Verify Provider Recognition
Do not rely on a provider's general marketing claims of "EU data residency." Under Article 30, you must procure services that have been formally recognized by a national competent authority.
- Action: Check the central repository established under Article 22 to verify a provider's specific assurance level recognition.
- Implication: A provider may be GDPR-compliant but fail CADA recognition if they lack the required cybersecurity certification or personnel screening.
3. Prepare for Vendor Migration
If your current cloud provider is controlled by a third country (e.g., a US hyperscaler), they may be ineligible for your sensitive research projects under Level 4 or even Level 3 (due to personnel requirements).
- Action: Identify EU-based or EU-controlled alternatives that can meet the "Union citizen" and "no third-country control" criteria.
- Implication: You may face higher costs or reduced feature sets, as the sovereign cloud market is currently less mature than the global market.
4. Leverage Open Source and Innovation
Article 41 encourages the use of open-source solutions to reduce vendor lock-in. For research, this offers a strategic pathway: hosting open-source models on sovereign infrastructure may satisfy the "European added value" criteria in Article 32 and reduce dependency on proprietary stacks.
5. Plan for the Transition
If a risk assessment mandates a change in assurance levels, Article 29(6) allows a maximum 12-month transition period.
- Action: Initiate migration planning immediately upon notification of a new risk assessment outcome.
- Implication: Failure to migrate within the transition period could result in non-compliance with Article 30.
Common misconceptions
"All research data requires the highest assurance level." No. CADA is risk-based. Only research activities identified as contributing to the preservation of public order (e.g., defense, national security, critical infrastructure) require levels 2-4. Basic academic research not linked to these sensitive areas may only require Level 1, which has lower barriers to entry.
"GDPR compliance is sufficient for CADA." Incorrect. GDPR addresses data privacy; CADA addresses sovereignty and operational autonomy. A provider can be fully GDPR-compliant but still fail CADA if it is controlled by a third-country entity or if its personnel are not Union citizens (for Levels 3/4).
"Non-EU providers are banned entirely." Non-EU providers are not banned, but they face high hurdles. Under Article 18, the Commission may recognize third countries as providing sufficient assurances for Level 3 if they meet strict criteria (e.g., adequacy decisions, no unauthorized access laws). However, Level 4 explicitly excludes providers subject to third-country control.
"CADA applies only to new procurements." While new procurements must comply immediately, existing contracts may need to be migrated if the risk assessment changes or if the transition period expires. Article 30(4) allows for derogations in exceptional cases (e.g., no adequate alternative exists), but these are narrowly defined and require justification.
This is general information about a draft EU regulation, not legal advice.