Summary

Under the proposed Cloud and AI Development Act (CADA), Denmark will not maintain a unique national list of sovereign cloud providers. Instead, it will rely on a single, EU-wide Union cloud computing sovereignty framework established by Article 16. This framework defines four Union assurance levels (1–4), ranging from basic Union establishment to strict prohibitions on third-country control and mandatory Union citizenship for personnel. Danish public bodies and private entities must identify recognised providers exclusively through the central repository maintained by the European Commission under Article 22, not through national Danish registries. Providers seeking recognition must undergo conformity self-assessment for Level 1 or independent third-party audits for Levels 2, 3, and 4. Crucially, the framework distinguishes between providers merely established in the EU and those genuinely free from extraterritorial third-country laws, with Level 3 and 4 effectively excluding providers subject to non-EU control unless a specific derogation under Article 18 applies.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a paradigm shift for cloud sovereignty in the European Union. For Denmark, as for all Member States, the era of fragmented national "sovereign cloud" labels is ending. In its place, CADA proposes a harmonised, legally binding framework that standardises trust across the single market. This section details the mechanics of this framework, the specific requirements for each assurance level, and how Danish organisations will navigate the new landscape.

The Union Cloud Computing Sovereignty Framework (Article 16)

Article 16 of the proposal establishes the core mechanism: a Union cloud computing sovereignty framework comprising four distinct assurance levels. These levels are not voluntary marketing tiers but legally defined statuses that cloud computing service providers must meet to be recognised as offering "Union assurance" to Union entities and public sector bodies. The specific criteria for each level are enumerated in Annex II of the proposal.

The framework is designed to be cumulative; a provider seeking a higher level must satisfy all criteria of the lower levels.

Union Assurance Level 1: The Baseline

Level 1 serves as the minimum entry point for the sovereign framework. To qualify, a provider must be established in the Union. Its infrastructure, assets, and those of its subcontractors must be located in the Union, unless a public sector body explicitly requires otherwise. Customer data (including metadata and telemetry) must remain exclusively within the Union.

  • Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  • Third-Country Control: If the provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to third-country authorities before those vulnerabilities are known to be exploited.
  • Transparency: Full transparency regarding subcontractors is mandatory, including due diligence and ongoing oversight.

Union Assurance Level 2: Enhanced Autonomy

Level 2 introduces stricter operational and technical constraints, requiring an independent third-party audit.

  • Personnel & Location: The provider, its subcontractors, and all personnel involved in the service must be established and located in the Union.
  • Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act). If such a scheme is not yet available, national schemes apply, or the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law. Note: The 'substantial' level is the standard for L2 and L3; only L4 requires 'high'.
  • AI Data Usage: Data generated by the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
  • Support: Technical and operational support must be initiated and performed exclusively within the Union.
  • Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with or disrupt systems.

Union Assurance Level 3: Personnel and Control Restrictions

Level 3 is designed for activities contributing to the preservation of public order. It adds critical restrictions on personnel and ownership.

  • Personnel Citizenship: All personnel involved in the provision of the service, including those of subcontractors, must be Union citizens. Where appropriate, personnel handling classified information must hold national security clearance issued by a Member State.
  • Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
    • Derogation: A provider subject to third-country control may still qualify for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This requires the third country to have a GDPR adequacy decision, no measures enabling control that conflicts with EU data laws, and no measures compelling service degradation or compliance with restrictive measures (e.g., sanctions) unless legitimate under EU law.
  • Support Personnel: Technical support must be performed by personnel who are Union residents and by third parties not subject to third-country control.

Union Assurance Level 4: The Highest Tier

Level 4 is reserved for the most critical public order activities and imposes the strictest requirements.

  • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high'.
  • Control: There is no derogation for third-country control. The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
  • Software Supply Chain: Providers must demonstrate that a third country does not hold effective control over the design, development, maintenance, and evolution of software components.

Recognition and the Central Repository (Article 22)

How does a Danish contracting authority verify a provider's status? The proposal eliminates national registries in favour of a single EU source of truth.

  1. Application: A provider submits an application for recognition to the national competent authority of establishment (in Denmark, this would be the authority designated by the Danish government under Article 25).
  2. Assessment:
    • For Level 1, the provider submits a conformity self-assessment and an EU statement of conformity (Article 19).
    • For Levels 2, 3, and 4, the provider must undergo an independent third-party audit (Article 20) and submit the audit report and a 'positive' audit opinion.
  3. Recognition: The evaluating national competent authority assesses the evidence. If satisfied, it adopts a recognition decision.
  4. Central Repository: Under Article 22, the national competent authority registers the recognised service in a central repository established and maintained by the Commission.
  5. Public Access: This repository is publicly available and regularly updated. It lists all services recognised as offering Union assurance levels 1 to 4.

For Danish buyers, the process is straightforward: they consult the Commission's central repository to identify eligible providers. There is no separate Danish national registry for sovereign cloud status.

Distinguishing EU-Controlled Offerings from Non-EU Exposed Providers

A primary objective of CADA is to mitigate risks arising from the extraterritorial application of third-country laws (such as the US CLOUD Act). The framework achieves this through the distinction between "establishment" and "control."

  • Levels 1 & 2 (Conditional Third-Country Control): Providers subject to third-country control can qualify, provided they implement measures to prevent third-country access to data and service disruption. However, they must guarantee that no third-country laws force them to report vulnerabilities before exploitation is known.
  • Level 3 (Strict Control Rules): The general rule is a prohibition on third-country control. The only exception is the Article 18 derogation, which requires a Commission decision confirming the third country offers sufficient safeguards. This is a high bar, requiring an adequacy decision and the absence of laws compelling service degradation.
  • Level 4 (Absolute Independence): Level 4 offers no exception for third-country control. A provider controlled by a non-EU entity cannot achieve Level 4, regardless of its operational separation. This effectively excludes major non-EU hyperscalers from offering Level 4 services unless they can demonstrate complete legal and operational separation from their parent entities—a requirement that is currently unmet by most global providers.

What this means for you

For cloud service providers, data centre operators, and public sector bodies in Denmark, the proposed CADA framework requires a strategic shift from national compliance to EU-wide alignment.

For Cloud Service Providers in Denmark

  1. Determine Your Target Level: Assess your current infrastructure, personnel, and ownership structure against Annex II. If you are a Danish subsidiary of a non-EU parent, you may be limited to Level 1 or 2 unless you can secure an Article 18 derogation for Level 3. Level 4 is likely inaccessible without full divestment from third-country control.
  2. Prepare for Audits: If targeting Levels 2, 3, or 4, begin preparing for independent third-party audits. This involves compiling a complete SBOM, documenting software supply chain controls, and verifying that all technical support is performed by Union residents within the Union.
  3. Engage the Danish Competent Authority: Identify the national competent authority designated by Denmark under Article 25. You must submit your application for recognition to this authority, not the Commission directly.
  4. Verify Personnel Requirements: For Levels 3 and 4, ensure you have a workforce of Union citizens. If you rely on non-EU nationals for critical roles, you may need to restructure your operations or limit your offering to lower assurance levels.

For Danish Public Bodies and Contracting Authorities

  1. Consult the Central Repository: Do not rely on national lists. Use the Commission's central repository under Article 22 to verify a provider's recognition status and assurance level.
  2. Conduct Risk Assessments: Under Article 29, you must carry out risk assessments to determine which assurance level is appropriate for your activities. If your activities contribute to the preservation of public order (e.g., law enforcement, defence), Article 30(3) mandates that you procure only services recognised at Level 2, 3, or 4.
  3. Apply Union Added Value Criteria: Under Article 32, you should include non-price award criteria evaluating the tenderer's contribution to the European cloud ecosystem, such as the use of Union-designed hardware or software.

Common misconceptions

"Denmark will have its own list of approved sovereign cloud providers." No. CADA establishes a harmonised EU-wide framework. While the national competent authority in Denmark processes applications, the recognition is valid across the entire Union, and the definitive list is the Commission's central repository. There is no separate Danish national registry.

"Being established in Denmark is enough for Level 3 or 4." No. While establishment in the Union is a prerequisite, Levels 3 and 4 impose strict requirements on personnel citizenship (Union citizens) and the absence of third-country control. A provider established in Denmark but controlled by a US parent company cannot achieve Level 4 and would struggle with Level 3 without a specific Commission derogation.

"CADA replaces the GDPR." No. CADA complements existing EU law. The sovereignty framework focuses on operational autonomy, data confidentiality, and resilience against third-country interference, which are distinct from the data protection principles of the GDPR. Providers must comply with both.

"Level 1 is 'non-sovereign'." No. Level 1 is the baseline for sovereign cloud services under CADA. It requires establishment in the Union, data residency in the Union, and compliance with state-of-the-art cybersecurity standards. It is the minimum requirement for general public sector procurement.

This is general information about a draft EU regulation, not legal advice.