Summary
Under the proposed Cloud and AI Development Act (CADA), Cyprus does not maintain a distinct national list of sovereign cloud providers. Instead, it relies on a harmonised EU-wide system of four "Union assurance levels" defined in Article 16. Buyers in Cyprus, particularly public authorities, must select providers recognised at the appropriate assurance level based on risk assessments of their data sensitivity and public order impact. These recognised providers are listed in a central EU repository maintained by the European Commission under Article 22, ensuring that organisations in Cyprus can identify trusted services that are legally and technically separated from third-country control.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a fundamental shift in how cloud sovereignty is defined and verified across the European Union. For cloud service providers and data centre operators operating in or targeting the Cypriot market, understanding the Union cloud computing sovereignty framework is critical. This framework, established primarily in Article 16 of the proposal, moves away from fragmented national definitions of "sovereign cloud" to a single, auditable set of criteria known as the Union assurance levels.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 establishes a Union cloud computing sovereignty framework comprising four distinct Union assurance levels. These levels are cumulative, meaning a provider seeking a higher level must meet all criteria of the lower levels. The framework is designed to safeguard the Union's public order by ensuring data confidentiality, operational autonomy, and protection against third-country interference. The specific criteria for each level are detailed in Annex II of the proposal.
- Union Assurance Level 1 (Baseline): This is the entry-level requirement. Providers must be established in the Union, with infrastructure and assets located within the Union. Crucially, customer data (including metadata and telemetry) must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors. If a provider is subject to the control of a third country, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to third-country authorities before they are exploited. Recognition at this level is based on a conformity self-assessment (EU statement of conformity), with automatic recognition for SMEs across all Member States.
- Union Assurance Level 2 (Substantial): This level introduces mandatory independent third-party audits. In addition to Level 1 criteria, personnel and infrastructure must be located in the Union. Data generated by the service cannot be used to train or fine-tune AI systems operated by third countries. Providers must implement strict software supply chain measures, including a Software Bill of Materials (SBOM) and controls to block remote features that could tamper with systems. Crucially, the service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme. If a provider is controlled by a third country, it must demonstrate legal, technical, and organisational measures to prevent that control from restricting service delivery or enabling data access.
- Union Assurance Level 3 (High): This level is intended for more sensitive use cases. It requires that all personnel involved in the service provision be Union citizens. The provider and its subcontractors must not be subject to the control of a third country, with a limited derogation possible if the Commission has adopted an implementing act under Article 18 recognising specific third-country safeguards. Technical and operational support must be performed exclusively within the Union by Union residents. The cybersecurity certification requirement remains at the 'substantial' level.
- Union Assurance Level 4 (Highest): This is the highest level, designed for highly critical public sector activities, including those involving classified information. It requires Union citizenship for all personnel, who must also hold necessary national security clearances. The provider and subcontractors must strictly not be subject to third-country control. The service must obtain a European cybersecurity certificate of at least the 'high' assurance level. Effective control over software components must be retained, ensuring no third country holds influence over design, development, or maintenance.
Distinguishing Sovereign Offerings from Non-EU Exposed Providers
A core objective of CADA is to mitigate risks associated with the extraterritorial application of third-country laws, such as the US CLOUD Act, which can compel US-based providers to hand over data stored abroad. The assurance levels address this by scrutinising "control."
- EU/EEA-Controlled Sovereign Offerings: Providers recognised at Levels 2, 3, and 4 must demonstrate that they are not subject to the control of a third country. This involves rigorous audits of ownership structures, corporate governance, and commercial links. For Levels 3 and 4, this control test is stricter, generally excluding providers with significant third-country ownership unless specific Commission derogations apply.
- Providers Exposed to Non-EU Law: Providers that do not meet these sovereignty criteria, or those that are subject to third-country control without adequate safeguards, cannot be recognised at higher assurance levels. They may still operate in the EU market for private sector use or for public sector bodies with low-risk activities (Level 1), but they will be excluded from procurement for critical public order functions.
The Central Repository (Article 22)
To ensure transparency and ease of access for buyers in Cyprus and across the EU, Article 22 mandates the establishment of a central repository. The European Commission shall establish and maintain this dedicated repository of cloud computing services that have been recognised under Article 17 (the recognition procedure).
- Public Availability: The central repository must be publicly available and regularly updated on a dedicated and easily accessible website.
- Registration: The national competent authority of the Member State where the provider is established (e.g., the Cypriot authority) is responsible for registering the recognised cloud computing service in the repository.
- Revocation Visibility: If a recognition is revoked by a competent authority or an audit report is revoked by an auditing organisation, this must be published in the central repository and remain available for five years.
For organisations in Cyprus, this repository serves as the definitive source of truth. Instead of navigating complex national certifications, Cypriot public bodies and private entities can query this central EU database to identify which providers have been formally recognised at which assurance level.
Implications for Buyers in Cyprus
For public sector bodies in Cyprus, the choice of cloud provider is no longer a purely commercial decision. Under Article 29, Member States and Union entities must carry out risk assessments to determine which public sector activities contribute to the preservation of public order.
- Low-Risk Activities: If an activity is not identified as contributing to public order preservation, the contracting authority must use cloud services recognised at Union Assurance Level 1.
- High-Risk/Critical Activities: If the risk assessment identifies activities in sectors such as national security, defence, justice, or critical infrastructure (as listed in Annexes I and II of the NIS2 Directive), the authority must procure services recognised at Union Assurance Level 2, 3, or 4.
Cyprus organisations must therefore align their procurement strategies with these risk assessments. The central repository under Article 22 allows them to verify that the providers they intend to engage have the necessary recognition status.
What this means for you
For cloud service providers and data centre operators targeting the Cypriot market, the path to becoming a "sovereign" provider is now standardised at the EU level.
- Self-Assessment vs. Audit: If you are an SME seeking Level 1 recognition, you can issue an EU statement of conformity, which is automatically recognised in all Member States, including Cyprus. For Levels 2-4, you must undergo independent third-party audits and submit evidence to the national competent authority.
- Evidence Preparation: You must prepare detailed evidence for audits, particularly regarding software supply chains (SBOMs), data localisation, and freedom from third-country control. Annex III of CADA details the specific audit evidence required, such as ownership structures and governance documents.
- Registration: Once recognised by the Cypriot national competent authority, your service will be listed in the EU central repository. This visibility is crucial for winning public sector contracts in Cyprus and across the EU.
- Continuous Compliance: Recognition is not permanent. You must report material changes to your auditing organisation and competent authority. Failure to comply can lead to revocation, which will be publicly visible in the repository for five years, potentially damaging your market reputation.
Common misconceptions
- "Sovereign cloud means data must stay in Cyprus." CADA does not mandate data localisation to a specific Member State. The criteria require data to remain within the Union. Data can flow among Cyprus, Germany, and France, for example, provided it stays within EU borders and the provider meets the sovereignty criteria.
- "Only EU-owned companies can be sovereign." While third-country control is heavily scrutinised, CADA allows for derogations. Under Article 18, the Commission may adopt decisions identifying third countries where providers can still be audited for Level 3 if specific safeguards are in place. However, for Level 4, third-country control is generally prohibited.
- "The AI Act defines cloud sovereignty." The AI Act (Regulation (EU) 2024/1689) focuses on the safety and fundamental rights risks of AI systems. CADA focuses on the infrastructure and service provision aspects (cloud and data centres) that underpin AI. They are complementary but distinct frameworks. CADA's assurance levels are specific to cloud computing services, not AI models themselves.
- "Level 3 requires 'high' cybersecurity certification." This is incorrect. Under Annex II, Level 2 and Level 3 require a cybersecurity certificate of at least 'substantial' assurance. Only Level 4 requires a 'high' assurance level certificate.
- "Personnel must be Union citizens at Level 2." This is a common error. Union citizenship for personnel is a conditional requirement at Level 2 (only if the public body explicitly requires it). It becomes mandatory at Levels 3 and 4.
This is general information about a draft EU regulation, not legal advice.