Summary

Under the proposed Cloud and AI Development Act (CADA), there is no national "Bulgarian sovereign cloud" list. Instead, providers must achieve formal recognition under the EU-wide Union cloud computing sovereignty framework (Article 16). Buyers in Bulgaria must verify a provider's status exclusively via the Commission's central repository (Article 22). The framework distinguishes between providers established in the Union and those controlled by third countries, with four distinct assurance levels dictating which public sector activities (from general administration to classified defence) can use them. Crucially, while Levels 1 and 2 allow for some third-country influence under strict conditions, Level 3 prohibits third-country control unless the Commission has recognised the third country concerned in an implementing act under Article 18, and Level 4 prohibits it outright, with no derogation.

Detail

The proposed CADA does not create a national register of sovereign providers for Bulgaria or any other Member State. Instead, it establishes a harmonised, single-market mechanism where cloud computing service providers (CCSPs) apply for recognition at one of four Union assurance levels. This recognition, once granted by the national competent authority of establishment, is valid across all Member States, including Bulgaria.

The Union Cloud Computing Sovereignty Framework (Article 16)

Article 16 establishes the Union cloud computing sovereignty framework, which defines the criteria for trusted cloud computing services. The framework consists of four assurance levels, with criteria detailed in Annex II. The structural requirements and key distinctions for each level are as follows:

  • Union Assurance Level 1 (Baseline): This is the entry-level standard. Providers must be established in the Union, with infrastructure and data remaining exclusively within the Union unless the public sector body explicitly requires otherwise. A critical condition for providers subject to third-country control is that they must guarantee no laws in that third country require them to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited. This level relies on a conformity self-assessment by the provider (Article 19).
  • Union Assurance Level 2 (Substantial): This level requires independent third-party audits. Providers and their subcontractors must be established in the Union, with personnel and infrastructure located in the Union. Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country. Providers must demonstrate effective legal, technical, and organisational separation from any third-country subsidiaries. Crucially, regarding personnel, Level 2 is conditional: if a public sector body determines that a Union citizenship requirement for personnel is necessary, the provider must ensure such personnel are available. The cybersecurity requirement is a European cybersecurity certificate of at least assurance level 'substantial' (Annex II 2.1(e)).
  • Union Assurance Level 3 (High Sovereignty): This tier significantly tightens control. In addition to Level 2 criteria, personnel involved in service provision (including subcontractors) must be Union citizens. Providers and subcontractors generally cannot be subject to the control of a third country. However, a specific derogation exists: a provider subject to third-country control may be recognised at Level 3 only if the Commission has adopted an implementing act under Article 18 recognising that specific third country as providing sufficient assurances. This act requires the third country to have no measures compelling data access, service degradation, or compliance with restrictive measures (sanctions/embargoes) that conflict with EU law. The cybersecurity requirement remains at the 'substantial' level.
  • Union Assurance Level 4 (Maximum Sovereignty): The highest level, designed for the most sensitive public order activities, including the secure hosting of EU classified information. It requires Union citizenship for all personnel, no third-country control (no derogation possible), and strict separation from third-country entities. The cybersecurity requirement is elevated to a European cybersecurity certificate of at least assurance level 'high' (Annex II 4.1(e)).

How Buyers in Bulgaria Identify Recognised Providers (Article 22)

Bulgarian contracting authorities and public sector bodies cannot rely on marketing claims of "sovereignty" or national certifications. They must verify a provider's status through the central repository established by the Commission under Article 22.

  • Article 22(1) mandates that the Commission establish and maintain a dedicated repository of cloud computing services recognised under Article 17.
  • Article 22(2) requires the national competent authority of establishment (which could be Bulgaria's designated authority if the provider is established there, or another Member State's authority if the provider is established elsewhere) to register the cloud computing service in this central repository.
  • Article 22(4) states that the central repository shall be publicly available and regularly updated by the Commission and national competent authorities on a dedicated website.

This means a Bulgarian ministry looking for a Level 3 provider must query this EU-wide database. If a provider is not in the repository, it is not recognised for public procurement under CADA. The repository serves as the single source of truth for the entire Union.

Distinguishing EU/EEA-Controlled Offerings from Non-EU Exposed Providers

A critical distinction in CADA is between providers established in the Union and those subject to control by a third country. This distinction determines eligibility for the higher assurance levels.

  • EU/EEA-Controlled: Providers incorporated under the law of a Member State with their main establishment in the Union are presumed to meet the baseline sovereignty criteria, provided they meet the technical and data localisation requirements of the specific assurance level. For Levels 3 and 4, these providers face no additional hurdles regarding third-country control.
  • Non-EU Controlled: Providers established in the EU but controlled by a third-country entity (e.g., a US-based hyperscaler with an EU subsidiary) face strict scrutiny. Under Article 16 and Annex II, they must prove that third-country laws (such as the US CLOUD Act) do not enable access to EU data or disrupt service continuity.
    • For Level 1, they must prove that no third-country law obliges them to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited.
    • For Level 2, they must demonstrate measures to prevent third-country access to customer data and service disruption. Personnel citizenship is conditional on public sector requirements.
    • For Level 3, third-country controlled providers are generally excluded. The only exception is if the Commission has adopted an implementing act under Article 18 (associated third countries). This act requires the third country to have an adequacy decision under GDPR, no measures enabling control that conflicts with EU law, and no measures compelling service degradation or compliance with restrictive measures.
    • For Level 4, third-country control is strictly prohibited. No derogation exists.

What this means for you

For cloud service providers, data centre operators, and Bulgarian public sector bodies navigating the proposed CADA:

1. For Cloud Providers Serving Bulgaria

  • Audit Readiness: If you target Assurance Levels 2–4, you must undergo independent third-party audits (Article 20). Ensure your subcontractors are also compliant, as their status directly affects your recognition.
  • Control Structure Documentation: If your parent company is outside the EU, you must document how you legally and technically isolate EU data and operations from third-country jurisdictions. Be prepared to prove that third-country law cannot compel you to grant access to EU data or to degrade or disrupt the service.
  • Personnel Strategy: For Level 3 and 4, you must ensure that all personnel involved in service provision are Union citizens. For Level 2, you must be ready to deploy Union citizens if the Bulgarian public sector body explicitly requires it.
  • Repository Registration: Once CADA is in force, your recognised status will be published in the Commission's central repository (Article 22). Ensure your registration details are accurate, as this is the sole source of truth for Bulgarian buyers.

2. For Bulgarian Public Sector Bodies

  • Risk Assessment First: Before procuring, Bulgarian authorities must conduct a risk assessment under Article 29 to determine which of their activities contribute to the preservation of public order. This assessment dictates the minimum assurance level required (Level 1 for general use; Level 2, 3, or 4 for public order-relevant activities like law enforcement or defence).
  • Verify via Repository: Do not accept national certificates or marketing materials as proof of sovereignty. Verify the provider's recognition status and assurance level in the Commission's central repository.
  • Match Level to Need: Ensure the procurement aligns with the risk assessment. If an activity is deemed to preserve public order, you must procure only services recognised at Level 2, 3, or 4 (Article 30(3)).

3. Strategic Planning

  • Multi-Cloud Strategies: Given the strict personnel and control requirements for higher levels, consider multi-vendor or multi-cloud strategies to ensure resilience and compliance (Article 29(9)).
  • Monitor Article 18 Derogations: If you rely on a third-country controlled provider for Level 3 services, monitor the Commission's implementing acts under Article 18. If a third country is not recognised, that provider cannot be used for Level 3 services.

Common misconceptions

"Sovereignty is a binary yes/no." No. CADA uses a tiered approach. A provider can be "sovereign" at Level 1 but not Level 3. Buyers must match the level to their specific risk assessment and the sensitivity of the data.

"Only EU-headquartered companies can be sovereign." Not entirely. Non-EU controlled providers can qualify for Level 1 and Level 2 if they demonstrate robust legal and technical separation from third-country laws. However, Level 3 and 4 are heavily restricted for such providers, with Level 4 being strictly off-limits to third-country control.

"Bulgaria will have its own list of sovereign providers." No. Recognition is EU-wide. A provider recognised in Germany is recognised in Bulgaria. The central repository (Article 22) is the single source of truth for the entire Union.

"Cybersecurity equals Sovereignty." CADA explicitly distinguishes between cybersecurity (covered by EUCS/NIS2) and sovereignty (control, data localisation, third-country law exposure). A service can be secure (high cybersecurity) but not sovereign if it is subject to extraterritorial data access laws or third-country control.

"Level 3 allows any third-country provider with an adequacy decision." No. An adequacy decision is a necessary but not sufficient condition. The third country must also have no measures enabling control that conflicts with EU law, and the Commission must specifically adopt an implementing act under Article 18 recognising that third country for Level 3 purposes.

This is general information about a draft EU regulation, not legal advice.