Summary
Under the proposed Cloud and AI Development Act (CADA), there is no pre-defined national list of "sovereign" cloud providers in Belgium. Instead, the Act establishes a Union cloud computing sovereignty framework with four Union assurance levels (Article 16). Belgian public bodies must procure services recognised at the appropriate level based on a risk assessment, verifying status exclusively via the Commission's central repository (Article 22). Providers subject to non-EU control or extraterritorial laws face strict limitations: Level 4 is generally inaccessible to them, and Level 3 requires a specific Commission derogation under Article 18.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally shifts how "sovereign" cloud services are defined and verified in the EU. It does not grant automatic sovereign status to providers based on their physical location in Belgium or any other Member State. Instead, it creates a harmonised, auditable framework where market access to the public sector depends on achieving formal recognition at one of four Union assurance levels.
For Belgian cloud service providers, data centre operators, and public sector buyers, this means moving from marketing claims of "sovereignty" to legally verified compliance with cumulative criteria set out in Annex II of the proposal.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 establishes the framework comprising four Union assurance levels. These levels are cumulative; a provider seeking Level 3 must meet all criteria for Levels 1 and 2, plus the additional requirements for Level 3. The specific criteria are detailed in Annex II, and recognition is granted by the national competent authority of the provider's establishment (in Belgium, this would be the authority designated under Article 25).
1. Union Assurance Level 1: The Baseline
This level serves as the minimum requirement for all public sector procurement under Article 30(2).
- Establishment: The provider must be established in the Union.
- Data & Infrastructure: Infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
- Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
- Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no existing laws in that third country require the reporting of software vulnerabilities to foreign authorities prior to those vulnerabilities being known to be exploited.
- Recognition Method: This level is achieved via a conformity self-assessment and the issuance of an EU statement of conformity (Article 19). No independent audit is required for Level 1.
2. Union Assurance Level 2: Enhanced Autonomy
This level is designed for public sector activities requiring higher protection against third-country interference.
- Location: Infrastructure, assets, and personnel (including those of subcontractors) must be located in the Union.
- AI Training: Data generated by the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (or demonstrate compliance with the highest standards if no scheme exists yet).
- Third-Country Control: If subject to third-country control, the provider must prove that such control does not restrict service delivery, allow third-country access to data, or disrupt service continuity.
- Recognition Method: Requires an independent third-party audit resulting in a 'positive' audit opinion (Article 20).
3. Union Assurance Level 3: Public Order Relevance
This level is mandatory for activities identified as contributing to the preservation of public order (e.g., law enforcement, justice, defence) under Article 30(3).
- Personnel: All personnel involved in the provision of the service, including subcontractors, must be Union citizens. Where appropriate, they must hold necessary national security clearances.
- Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents who are not subject to third-country control.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Third-Country Control: Generally, providers subject to third-country control are excluded. However, Article 18 provides a derogation: the Commission may adopt an implementing act identifying a third country as providing sufficient assurances (e.g., via adequacy decisions and specific safeguards). Only if such an act exists can a third-country-controlled provider qualify for Level 3, provided they demonstrate effective separation and prevention of data access.
- Recognition Method: Requires an independent third-party audit with a 'positive' opinion.
4. Union Assurance Level 4: Highest Sovereignty
This level is reserved for the most critical public order activities.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
- Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country. This is a strict prohibition; no derogation under Article 18 applies to Level 4.
- Separation: If the provider has a subsidiary in a third country, there must be effective legal, technical, and organisational separation to prevent any access to Union customer data or control over the service.
- Recognition Method: Requires an independent third-party audit with a 'positive' opinion.
Identifying Recognised Providers: The Central Repository (Article 22)
A critical operational change for Belgian buyers is the mechanism for verifying provider status. Under Article 22, the Commission is mandated to establish and maintain a central repository of cloud computing services recognised under the framework.
- Single Source of Truth: Belgian public bodies cannot rely on national lists, informal certifications, or provider self-declarations. They must consult the Commission's central repository to verify that a service has been formally recognised at a specific assurance level.
- Public Access: The repository will be publicly available and regularly updated by the Commission and the national competent authorities of establishment.
- Transparency on Revocation: If a provider's recognition is revoked (e.g., due to supplying incorrect information or non-compliance), this revocation will be published in the repository and remain visible for five years.
- Cross-Border Visibility: Once a Belgian provider is recognised by the Belgian competent authority, their service is listed in this EU-wide register, making them visible to public buyers across the entire Union, not just in Belgium.
Distinguishing EU-Controlled vs. Non-EU Exposed Providers
The framework explicitly differentiates providers based on their exposure to non-EU law and control, creating distinct pathways for eligibility.
EU/EEA-Controlled Providers
Providers established in the Union and not subject to the control of a third country have the clearest path to Levels 2, 3, and 4.
- They must still demonstrate that their supply chain (subcontractors, software components) does not introduce third-country risks.
- For Levels 3 and 4, they must prove that no third-country entity has effective control over their design, development, or maintenance.
- They are eligible for Level 4 without needing any Commission derogation.
Providers Exposed to Non-EU Law (Third-Country Control)
Providers subject to the control of a third country (e.g., through foreign ownership, legal jurisdiction, or extraterritorial laws like the US CLOUD Act) face significant barriers:
- Level 1: They can qualify if they guarantee no third-country law requires pre-exploitation vulnerability reporting.
- Level 2: They can qualify only if they demonstrate that third-country control does not restrict service delivery, allow data access, or disrupt continuity.
- Level 3: They are generally excluded unless the Commission has adopted a specific implementing act under Article 18 recognising the third country as providing sufficient safeguards. This is a high bar, requiring the third country to have no measures compelling data access or service disruption.
- Level 4: Providers subject to third-country control are strictly prohibited from achieving Level 4. The criteria explicitly state the provider must not be subject to third-country control.
What this means for you
For cloud service providers and data centre operators in Belgium, the proposed CADA framework requires a shift from marketing "sovereignty" to rigorous, audited compliance.
1. Audit Readiness and Evidence
If you aim for Levels 2, 3, or 4, you must prepare for independent third-party audits. Auditors will scrutinise:
- Software Bill of Materials (SBOM): A complete list of dependencies and components.
- Data Flow Diagrams: Proof that data remains exclusively within the Union.
- Personnel Records: Evidence of Union citizenship and location for all staff involved in service provision (critical for Levels 3 and 4).
- Control Structures: Documentation proving no third-country entity has effective control over your operations or data.
2. Supply Chain Transparency
You must map your entire supply chain, including subcontractors and third-country subsidiaries.
- For Levels 3 and 4, you must demonstrate effective legal, technical, and organisational separation from any non-EU entities.
- If you use third-country software components, you must have documented migration plans and source code audits to prevent remote tampering or disruption.
3. Engagement with the Belgian Competent Authority
You must apply for recognition to the national competent authority of your establishment. In Belgium, this will be the authority designated under Article 25.
- Level 1: Submit an EU statement of conformity.
- Levels 2–4: Submit the audit report and 'positive' audit opinion from an independent auditing organisation.
- Once recognised, your service will be registered in the central repository.
4. Strategic Positioning
- For Providers: If you are a Belgian provider with foreign ownership, you may be capped at Level 2 unless the Commission grants a derogation for your home country under Article 18. To access Level 3 and 4 contracts (defence, justice), you may need to restructure ownership or ensure strict separation from third-country control.
- For Buyers: Belgian public bodies must conduct risk assessments under Article 29 to determine the required assurance level. They must then procure only from providers listed in the central repository at that level.
Common misconceptions
"Belgium has its own sovereign cloud list." False. CADA creates a single EU-wide framework. Belgian public bodies must use the Commission's central repository (Article 22), not a national list. National authorities only perform the initial recognition; the repository is the definitive source for buyers.
"Being based in Belgium makes me automatically sovereign." False. A Belgian provider can still be subject to third-country control (e.g., through foreign ownership or legal jurisdiction) or use non-EU subcontractors that fail the criteria. You must actively meet the assurance level criteria and undergo the required assessment.
"Level 1 is enough for all public sector work." False. While Level 1 is the minimum baseline, Article 30(3) mandates that activities contributing to the preservation of public order (e.g., law enforcement, defence, justice) must procure services at Level 2, 3, or 4. A risk assessment under Article 29 will determine the specific level required.
"Non-EU providers can easily reach Level 3 or 4." False. Level 4 explicitly excludes providers subject to third-country control. Level 3 is only accessible to such providers if the Commission has adopted a specific implementing act under Article 18 recognising the third country as providing sufficient safeguards—a rare and high-bar exception.
This is general information about a draft EU regulation, not legal advice.