Summary
Under the proposed Cloud and AI Development Act (CADA), there is no Czech-specific list of sovereign cloud providers; instead, the Act establishes a harmonised Union cloud computing sovereignty framework with four Union assurance levels (Level 1 to Level 4). Public bodies in Czechia must procure services that meet the assurance level determined by national risk assessments, with a mandatory minimum of Union Assurance Level 1 for all public sector activities. Providers seek recognition via the Commission's central repository (Article 22), which serves as the single source of truth for buyers. Crucially, the framework distinguishes between genuinely EU/EEA-controlled offerings and providers merely present in the EU but exposed to non-EU laws (such as the US CLOUD Act), with higher assurance levels requiring strict proof of independence from third-country control.
Detail
The proposed Cloud and AI Development Act (CADA) addresses the Union's strategic dependence on non-European cloud computing providers by introducing a unified sovereignty framework. For cloud service providers operating in or targeting Czechia, the core mechanism for demonstrating sovereignty is the Union cloud computing sovereignty framework established in Article 16. This framework does not rely on national lists but categorises cloud services into four distinct Union assurance levels, each with cumulative criteria detailed in Annex II.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 mandates that cloud computing service providers must meet specific criteria to be recognised as offering a particular Union assurance level. These levels are designed to be cumulative; a provider seeking Level 3 must first satisfy all criteria for Levels 1 and 2. The framework is not static; the Commission is empowered to amend the criteria via delegated acts to reflect technological and legal developments.
Union Assurance Level 1: The Baseline
Level 1 is the minimum requirement for all public sector procurement under CADA. To achieve this level, a provider must:
- Be established in the Union.
- Locate its infrastructure and assets (including those of subcontractors) in the Union, unless the public sector body explicitly requires otherwise.
- Ensure customer data (including metadata and telemetry) remains exclusively within the Union, unless explicitly required otherwise by the public sector body.
- If subject to the control of a third country, guarantee that no laws in that third country require the reporting of software vulnerabilities to authorities before those vulnerabilities are known to have been exploited.
- Demonstrate compliance with state-of-the-art cybersecurity standards.
Union Assurance Level 2: Enhanced Autonomy
Level 2 introduces stricter controls on personnel and data usage, aimed at reducing risks of third-country interference:
- Personnel: The provider and subcontractors must be established in the Union. If a public sector body determines that additional personnel screening or Union citizenship requirements are necessary, the provider must ensure such personnel are available.
- Data Usage: Data generated by the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
- Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with or disrupt the system.
- Third-Country Control: If subject to third-country control, the provider must demonstrate that such control does not restrict service delivery, allow data access, or compel compliance with restrictive measures (e.g., sanctions) unless legitimate under EU law.
Union Assurance Level 3: High Sovereignty
Level 3 is reserved for activities contributing to the preservation of public order (e.g., defence, justice, critical infrastructure). It imposes rigorous requirements on personnel and control:
- Personnel: All personnel involved in the provision of the service, including subcontractors, must be Union citizens. Where appropriate, they must hold national security clearances.
- Third-Country Control: The provider and subcontractors must not be subject to the control of a third country, unless the Commission has adopted an implementing act under Article 18 recognising that third country as providing sufficient safeguards.
- Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents.
Union Assurance Level 4: Maximum Sovereignty
Level 4 represents the highest tier, typically for handling classified information:
- Personnel: All personnel must be Union citizens with necessary security clearances.
- Control: The provider must not be subject to third-country control.
- Software Control: The provider must demonstrate that third countries do not hold effective control over the design, development, maintenance, or evolution of software components.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high' (distinct from the 'substantial' level required for Levels 2 and 3).
Identification via the Central Repository (Article 22)
For organisations in Czechia, verifying a provider's sovereignty status is streamlined through the central repository mandated by Article 22. This repository is the definitive, Union-wide database of recognised services.
- Single Source of Truth: Once a provider is recognised by a national competent authority (e.g., in the Czech Republic or another Member State), the service is registered in the central repository.
- Public Accessibility: Article 22(4) states that the repository shall be publicly available and regularly updated on a dedicated website. Czech buyers do not need to navigate disparate national registries; they simply consult this central EU database.
- Transparency: The repository includes information on the recognised assurance level and remains updated even if a recognition is revoked, with revocations remaining visible for five years.
Distinguishing EU-Controlled Offerings from Non-EU Exposed Providers
A critical function of CADA is distinguishing between providers that are genuinely sovereign and those that are merely "EU-presence" providers exposed to extraterritorial laws.
EU/EEA-Controlled Offerings: Providers that are established in the Union and not subject to the control of a third country can more readily achieve Levels 3 and 4. These providers must demonstrate through rigorous audits of ownership structures, board composition, and legal exposure that no third-country entity can compel data access or service disruption.
Providers Exposed to Non-EU Law: Providers controlled by non-EU entities (e.g., US hyperscalers) face significant barriers to higher assurance levels:
- Level 1 & 2: They may qualify if they can prove that legal, technical, and organisational measures prevent third-country access to data and ensure service continuity.
- Level 3: They can only qualify if the Commission has adopted a specific implementing act under Article 18 recognising the third country as providing sufficient safeguards. This requires the third country to have an adequacy decision, no laws enabling control that conflicts with EU data access rules, and no measures compelling service disruption.
- Level 4: Providers subject to third-country control are effectively barred from Level 4, which requires absolute independence from such control.
This distinction directly addresses risks posed by laws like the US CLOUD Act, which can compel US-based providers to disclose data regardless of where it is stored. CADA requires providers to prove that such extraterritorial reach is legally or technically neutralised.
Implications for Buyers in Czechia
For public authorities in Czechia, the procurement landscape is governed by Article 29 and Article 30:
- Risk Assessment: Member States must conduct risk assessments to identify which public sector activities contribute to the preservation of public order.
- Mandatory Levels:
  - Article 30(2): Public sector bodies whose activities are not identified as contributing to public order must procure services recognised at Union Assurance Level 1.
  - Article 30(3): For activities contributing to public order (e.g., defence, justice), authorities must procure services recognised at Level 2, 3, or 4.
- Verification: Buyers must verify the provider's status in the central repository before awarding contracts.
What this means for you
For cloud service providers and data centre operators in Czechia, CADA introduces a mandatory compliance pathway to access the public sector market.
- Audit and Certification: If you aim to serve public bodies, you must undergo the recognition process. For Level 1, this involves a self-assessment and an EU statement of conformity. For Levels 2–4, you must engage an independent auditing organisation to obtain a 'positive' audit opinion. Prepare for deep-dive audits into your ownership structure, data flows, and software supply chain.
- Third-Country Exposure: If your company is owned by a non-EU parent, you must document how you legally and technically isolate EU operations from third-country access requests. Failure to demonstrate this isolation will likely cap your recognition at Level 1 or exclude you from higher tiers.
- Monitor the Central Repository: You must ensure your recognised status is accurately reflected in the Commission's central repository (Article 22). This is the primary tool Czech buyers will use to verify your compliance.
- Prepare for Risk Assessments: Work with your Czech public sector clients to understand their risk assessments (Article 29). If they determine their activities require Level 3 or 4, you must meet the stringent citizenship and control criteria.
Common misconceptions
"CADA creates a Czech national list of sovereign providers." No. CADA establishes an EU-wide recognition mechanism. There is no separate Czech list; the Commission's central repository is the definitive source for all Member States.
"Any EU-based provider is automatically sovereign." No. Physical presence in the EU is necessary but not sufficient. Providers must demonstrate legal and operational autonomy from third-country control, especially for Levels 2–4. A provider with a Czech office but US parentage may still be subject to US law unless specific safeguards are proven.
"Open-source software automatically meets sovereignty criteria." No. While CADA promotes open source, providers using open-source components must still demonstrate that they have controls to prevent remote tampering or disruption (Annex II). The origin of the code does not exempt providers from supply chain security audits.
"Level 1 is optional for public bodies." No. Article 30(2) mandates that public sector bodies whose activities have not been identified as contributing to public order must use services recognised as having Union Assurance Level 1. It is the mandatory baseline for all public procurement.
"Level 3 allows any third-country provider if they promise compliance." No. For Level 3, a provider subject to third-country control can only qualify if the Commission has adopted an implementing act under Article 18 recognising that specific third country as providing sufficient safeguards. Without this Commission decision, third-country control is a disqualifier for Level 3.
This is general information about a draft EU regulation, not legal advice.