Summary

Under the proposed Cloud and AI Development Act (CADA), Croatia does not maintain a unique national list of approved sovereign cloud providers. Instead, it relies on a harmonised EU-wide framework where providers are recognised at one of four Union assurance levels. Croatian public bodies must procure services based on national risk assessments: general activities require Union Assurance Level 1, while activities preserving public order (e.g., defence, justice) require Levels 2, 3, or 4. Providers seeking to serve Croatia must apply for recognition through their national competent authority and appear in the European Commission's central repository (Article 22). Crucially, the framework strictly distinguishes between providers established in the Union and those subject to third-country control; the highest assurance levels generally prohibit third-country control unless a specific derogation is granted under Article 18.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" to mitigate strategic dependencies and protect public order. For cloud service providers (CSPs) and data centre operators targeting the Croatian market, particularly the public sector, this framework replaces fragmented national approaches with a single, auditable set of criteria.

The Union Cloud Computing Sovereignty Framework (Article 16)

Article 16 establishes four cumulative Union assurance levels. A provider recognised at a higher level must meet all criteria of the lower levels. The specific criteria are detailed in Annex II of the proposal.

1. Union Assurance Level 1: The Baseline

This is the minimum requirement for all public sector cloud usage.

  • Establishment: The provider must be established in the Union.
  • Infrastructure & Data: Infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  • Third-Country Control: If the provider is subject to third-country control, it must guarantee that no laws in that third country require reporting software vulnerabilities to foreign authorities before they are exploited.
  • Transparency: Full transparency regarding subcontractors is required.

2. Union Assurance Level 2: Enhanced Sovereignty

This level introduces stricter supply chain and personnel requirements.

  • Personnel: If the public sector body determines it is necessary, the provider must ensure personnel meeting Union citizenship requirements are available. This is a conditional requirement at this level.
  • Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least 'substantial' assurance level (or demonstrate compliance with the highest standards if no scheme exists yet).
  • AI Data Usage: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country or a third-country legal entity, nor can it be transferred outside the Union.
  • Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with systems.

3. Union Assurance Level 3: Public Order Protection

This level is mandatory for activities identified as contributing to the preservation of public order (e.g., national security, law enforcement).

  • Personnel: All personnel involved in service provision must be Union citizens. Where appropriate, they must hold necessary national security clearances.
  • Third-Country Control: Providers and subcontractors must not be subject to the control of a third country.
    • Derogation: A provider subject to third-country control may be recognised at Level 3 only if the Commission has adopted an implementing act under Article 18 ("Associated third countries") identifying that third country as providing sufficient assurances.
  • Support: Technical and operational support must be initiated and performed exclusively within the Union by personnel who are Union residents.

4. Union Assurance Level 4: Highest Assurance

Reserved for the most sensitive data and critical infrastructure.

  • Cybersecurity: Mandates a European cybersecurity certificate of at least 'high' assurance level.
  • Control: Strictly prohibits third-country control; no derogation is available under Article 18 for Level 4.
  • Software Control: Providers must demonstrate that no third country holds effective control over the design, development, maintenance, or evolution of software components.

Identification via the Central Repository (Article 22)

Croatian buyers cannot rely on marketing claims. Article 22 mandates the European Commission to establish and maintain a central repository of all cloud computing services recognised under the framework.

  • Single Source of Truth: The repository lists services recognised at Levels 1–4 across the entire Union.
  • Verification Process: Before procurement, Croatian contracting authorities must verify that a provider's service is listed in the repository at the required assurance level.
  • Transparency: The repository is publicly available and regularly updated by the Commission and national competent authorities.
  • Revocation Records: If a recognition is revoked, the record of that revocation must remain in the repository for five years to ensure historical transparency.

Distinguishing EU/EEA-Controlled vs. Third-Country Exposed Offerings

The framework creates a clear legal distinction between providers with full EU autonomy and those exposed to non-EU laws (such as the US CLOUD Act).

  • EU/EEA-Controlled Providers: Providers established in the Union and not subject to third-country control can achieve all four levels. They must still prove data localisation and cybersecurity compliance but face fewer hurdles regarding personnel citizenship and control structures.
  • Providers Exposed to Non-EU Law:
    • Level 1 & 2: Possible if the provider can guarantee no premature vulnerability reporting (Level 1) and that third-country control cannot be used to restrict service delivery or to access data (Level 2).
    • Level 3: Only possible if the Commission has adopted an implementing act under Article 18 regarding the controlling third country. This act requires the third country to have an adequacy decision under GDPR, no measures compelling data access or service disruption, and an open market for EU services.
    • Level 4: Generally impossible for providers subject to third-country control, as the criteria strictly prohibit such control and no derogation mechanism exists for this level.

Implications for Buyers in Croatia

Croatian public sector bodies are bound by Article 29 and Article 30.

  1. Risk Assessment: Croatia must conduct risk assessments (every two years) to identify which activities contribute to public order.
  2. Procurement Rules:
    • Activities not identified as public-order-relevant must procure Level 1 services.
    • Activities identified as public-order-relevant (e.g., defence, justice) must procure Level 2, 3, or 4 services.
  3. Verification: Buyers must cross-check the provider's status in the central repository before signing contracts.

What this means for you

For Cloud Service Providers (CSPs)

  • Audit Readiness: To serve Croatian public bodies in sensitive sectors, you must undergo independent third-party audits for Levels 2–4. Ensure your SBOMs are complete, data flows are strictly EU-bound, and you can verify Union citizenship for your personnel if required.
  • Application Strategy: If you are established in Croatia, apply to the Croatian national competent authority. If established elsewhere, apply in your home Member State; recognition is valid across the Union.
  • Third-Country Control: If you are controlled by a non-EU entity, check if the Commission has recognised that country under Article 18. Without this, you are capped at Level 2 and cannot serve high-security Croatian clients.
  • SME Advantage: If you are an SME, your Level 1 EU statement of conformity is automatically recognised across the Union without prior review by the competent authority (Article 17(3)).

For Croatian Public Sector Buyers

  • Risk Assessment First: Ensure your national risk assessment is up to date to determine the correct minimum assurance level for your procurement.
  • Repository Check: Never rely on a provider's self-declaration. Verify their status in the Commission's central repository (Article 22).
  • Tender Specifications: Explicitly state the required Union assurance level in your tender documents. For public-order activities, exclude providers that do not meet Level 2, 3, or 4.

Common misconceptions

"Sovereign cloud means data must stay in Croatia." No. CADA requires data to remain within the Union, not a specific Member State. Data can flow freely between Croatia and other EU countries unless the public sector body explicitly requires otherwise.

"All EU-based providers are automatically sovereign." No. A provider established in the EU must still apply for recognition and meet specific technical, legal, and operational criteria. Self-declaration is only sufficient for Level 1 SMEs; higher levels require independent audits.

"Third-country providers can never serve the EU public sector." They can, but with limitations. They can achieve Level 1 and 2 if they meet strict criteria. They can achieve Level 3 only if the Commission has specifically recognised their controlling third country under Article 18. They are generally excluded from Level 4.

"CADA replaces GDPR." No. CADA complements GDPR. Providers must still comply with EU data protection laws. The sovereignty framework adds operational autonomy and security requirements beyond data privacy.

This is general information about a draft EU regulation, not legal advice.