Summary

As proposed, the Cloud and AI Development Act (CADA) would mandate that all EU public bodies procure cloud services with at least Union Assurance Level 1, requiring infrastructure and data to remain exclusively within the EU. For activities deemed critical to public order, contracting authorities would be required to conduct risk assessments and procure only services meeting Union Assurance Levels 2, 3, or 4. This framework is designed to reduce dependence on non-EU providers by ensuring operational autonomy and data confidentiality through a harmonised sovereignty standard.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a mandatory sovereignty framework for cloud computing services procured by public sector bodies across the European Union. The legislation aims to address the Union's heavy reliance on a limited number of non-EU cloud providers, a dependency that poses risks to operational autonomy, data confidentiality, and public order.

The Legal Basis for Sovereignty Pressure

The pressure on the public sector to shift towards sovereign cloud solutions is grounded in the proposal's broader strategic objectives. Recital 23 of the proposal explicitly states that the Cloud and AI Leadership Initiatives should ensure the uptake of cloud computing services provided by European cloud computing service providers across the public and private sectors. This is intended to ensure that cloud adoption is consistent with the objective of strengthening the Union's technological autonomy, particularly in sensitive sectors such as healthcare and education. The proposal argues that current market dynamics, where three non-EU hyperscalers control over 70% of the European cloud market, expose European users to risks related to operational discontinuity and extraterritorial data access laws.

To operationalise this strategic goal, CADA establishes a "Union cloud computing sovereignty framework" consisting of four assurance levels (Union Assurance Levels 1 through 4), as detailed in Article 16 and Annex II. These levels define cumulative criteria regarding the location of infrastructure, the citizenship of personnel, cybersecurity certifications, and freedom from third-country control.

Article 30: Mandatory Procurement Rules

Article 30 of the proposal places direct obligations on contracting authorities and Union entities when procuring cloud computing services. The article distinguishes between general public sector activities and those identified as contributing to the preservation of public order.

  1. Baseline Requirement (Level 1): Article 30(2) stipulates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union Assurance Level 1.

    • What Level 1 Requires: According to Annex II, Section 1.1, Level 1 requires that the cloud provider is established in the Union, and that infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union unless the public sector body explicitly requires otherwise. It also requires the provider to demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency around the use of subcontractors.
  2. Enhanced Requirement for Public Order (Levels 2–4): Article 30(3) imposes stricter requirements on contracting authorities whose activities have been identified as contributing to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as national security, internal security, external border management, defence, justice, and law enforcement.

    • These authorities must only procure cloud computing services recognised as having Union Assurance Level 2, 3, or 4.
    • Level 2 adds requirements for personnel located in the Union, European cybersecurity certification (at least "substantial" assurance level), and bans on using customer data to train third-country AI systems.
    • Level 3 and Level 4 introduce even stricter criteria, including requirements for Union citizenship for personnel (mandatory at these levels), higher cybersecurity assurance levels ("substantial" for Level 3, "high" for Level 4), and strict prohibitions on third-country control over the provider or its subcontractors.

Risk Assessments Drive the Tier

The determination of whether a public sector body must use Level 1 or Levels 2–4 is driven by risk assessments mandated under Article 29. Member States and Union entities must carry out these assessments to identify public sector activities that contribute to the preservation of public order. The assessment must consider the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries. If the risk assessment identifies public order relevance, the procurement is restricted to higher assurance levels.

Exceptions and Derogations

Article 30(4) provides limited derogations from these requirements. Contracting authorities may decide not to procure recognised services if:

  • The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists.
  • A similar procurement process launched within the previous year received no suitable tenders.
  • Applying the requirements would result in disproportionate costs.

EuroCloud Federation as a Sovereign Option

To facilitate compliance and foster shared sovereignty, CADA establishes the EuroCloud Federation (Article 34). This is a European public-sector cloud federation designed to facilitate the sharing of data centre services and cloud computing services between Union entities and public sector bodies.

As noted in Recital 69, the EuroCloud Federation brings together national and European cloud initiatives that provide highly trusted and secure public-sector cloud capabilities. It allows public bodies to share idle capacity and services, thereby increasing resilience and reducing dependency on commercial hyperscalers. Participation is voluntary, but the federation is presented as a key mechanism for public authorities to access sovereign cloud infrastructure that meets the high assurance levels required by Article 30.

What this means for you

For public-sector procurement officers and IT directors, CADA would fundamentally change how cloud services are sourced and evaluated.

  1. Mandatory Sovereignty Checks: You can no longer treat cloud procurement as purely a commercial decision based on price and functionality. You must verify that any potential provider holds recognition for at least Union Assurance Level 1. This means checking the central repository maintained by the Commission (Article 22) to see if a provider is listed.
  2. Risk Assessment Integration: Procurement teams must work closely with security and legal departments to conduct the Article 29 risk assessments. You need to determine if your specific use case involves "public order" activities. If it does, you are legally barred from using Level 1 services and must seek Level 2, 3, or 4 providers.
  3. Vendor Landscape Shift: Many current cloud providers, particularly non-EU hyperscalers, may not meet Levels 2–4 due to criteria regarding third-country control and personnel citizenship. Procurement officers should expect a smaller pool of eligible bidders for high-assurance contracts.
  4. Consider EuroCloud: For standardised public sector workloads, consider the EuroCloud Federation. It offers a pathway to access sovereign capacity without building infrastructure from scratch, potentially simplifying compliance with Level 2–4 requirements.
  5. Transition Planning: Article 29(6) notes that if a risk assessment requires migration to another cloud service, the migration must occur within a reasonable transition period not exceeding 12 months. Procurement officers should begin identifying compliant alternatives now to avoid rushed migrations.

Common misconceptions

  • "CADA bans all non-EU cloud providers." This is incorrect. Non-EU providers can still offer services at Union Assurance Level 1 if they meet the criteria (e.g., established in the EU, data stays in the EU). However, for high-security "public order" activities (Levels 2–4), the criteria become much stricter, effectively excluding many non-EU controlled entities unless specific safeguards are in place (Article 18 allows for associated third countries under strict conditions for Level 3).
  • "Level 1 is optional for general public administration." No. Article 30(2) makes Level 1 the minimum requirement for all public sector bodies that are not classified as handling public-order-critical activities. There is no option to use unrecognised or lower-standard services for general cloud procurement.
  • "Sovereignty is just about data location." While data localisation is a key part of Level 1, higher assurance levels (2–4) include broader sovereignty criteria. These include the citizenship of personnel, the absence of third-country control over the provider, cybersecurity certification levels, and bans on using customer data to train third-country AI models. Sovereignty under CADA is a multi-layered concept involving operational autonomy and supply chain security.
  • "The EuroCloud Federation is mandatory." Participation in the EuroCloud Federation is voluntary (Article 34). However, it is a strategically important option for public bodies seeking to meet high-assurance requirements through shared public infrastructure rather than commercial contracts.

This is general information about a draft EU regulation, not legal advice.