Summary

As proposed in the Cloud and AI Development Act (CADA), there are currently no specific sovereign cloud providers exclusively listed for Estonia; instead, providers must seek EU-wide recognition under the Union cloud computing sovereignty framework. Estonian buyers will access this list via a central repository maintained by the European Commission, not a national Estonian database. Providers must meet cumulative criteria for one of four assurance levels, with Levels 2–4 requiring independent audits and strict controls against third-country interference. Crucially, while Level 3 allows for a derogation for third-country controlled providers, this is only possible if the Commission has adopted a specific implementing act under Article 18 identifying that third country as providing sufficient assurances.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a harmonised Union cloud computing sovereignty framework to mitigate risks associated with dependence on non-European cloud providers. For cloud service providers and data centre operators targeting the Estonian market, the key mechanism is the Union assurance level system. This framework is designed to ensure that public sector bodies across the EU, including in Estonia, can procure cloud services that guarantee data confidentiality, operational autonomy, and protection from extraterritorial legal reach.

The Four Union Assurance Levels

Under Article 16 of the proposed regulation, the sovereignty framework comprises four distinct assurance levels. These levels are cumulative, meaning a provider meeting Level 4 also meets the criteria for Levels 1–3. The specific criteria are detailed in Annex II of the proposal.

  1. Union Assurance Level 1: This is the baseline level. Providers must be established in the Union, with infrastructure and assets located within the Union (unless the public sector body explicitly requires otherwise). Customer data must remain exclusively within the Union. Providers subject to third-country control must guarantee that no laws in that third country require reporting software vulnerabilities to foreign authorities before they are known to have been exploited. Recognition for Level 1 is achieved through a conformity self-assessment and an EU statement of conformity. Notably, for small and medium-sized enterprises (SMEs), this statement is directly and automatically recognised across all Member States without prior recognition by a national competent authority.
  2. Union Assurance Level 2: This level introduces stricter requirements, including that subcontractors must also be established in the Union. Infrastructure, assets, and personnel must be located in the Union. Crucially, data generated by the service cannot be used to train or fine-tune AI systems operated by third countries. Providers must demonstrate that third-country control does not restrict their ability to perform services or grant access to customer data. Recognition requires an independent third-party audit resulting in a 'positive' audit opinion. The cybersecurity requirement for this level is a European cybersecurity certificate of at least assurance level 'substantial'.
  3. Union Assurance Level 3: This level mandates that personnel involved in service provision must be Union citizens. It requires a European cybersecurity certificate of at least assurance level 'substantial'. Similar to Level 2, it strictly prohibits third-country access to customer data and service disruption. Recognition again requires an independent third-party audit.
    • Third-Country Derogation: A critical nuance exists for Level 3. While the default rule is that providers must not be subject to third-country control, Annex II (Section 3.1(g)) provides a derogation. A provider subject to third-country control may be audited for Level 3 only if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This act requires the third country to have an adequacy decision for data protection and no measures enabling it to exercise control over the provider in a way that conflicts with EU law.
  4. Union Assurance Level 4: This is the highest level, intended for the most sensitive public order activities. It requires all personnel to be Union citizens with necessary national security clearances. It mandates a European cybersecurity certificate of at least assurance level 'high'. Providers must demonstrate effective control over software components, ensuring no third country holds effective control over their design or evolution. Like Levels 2 and 3, recognition requires an independent third-party audit.

How Estonian Buyers Identify Recognised Providers

A critical feature of CADA is the centralisation of information. Under Article 22, the Commission shall establish and maintain a central repository of cloud computing services that have been recognised in accordance with Article 17.

For organisations in Estonia, this means you will not look to a separate Estonian national list for sovereign providers. Instead, you will consult the Commission's publicly available, regularly updated central repository. When an Estonian national competent authority recognises a cloud computing service, it registers that service in this central repository. This ensures that an Estonian public body can verify a provider's assurance level with the same certainty as a public body in Germany or France, fostering a single market for trusted cloud services. The repository will remain available for five years even if a recognition is revoked.

Distinguishing Sovereign Offerings from Third-Country Exposed Providers

The proposal explicitly distinguishes between providers that are truly sovereign and those merely offering "EU versions" of their services.

  • EU/EEA-Controlled Sovereign Offerings: Providers meeting the assurance levels must demonstrate that their infrastructure, data, and personnel are located in the Union. For Levels 2–4, they must prove that any third-country control (e.g., via shareholding) is legally, technically, and organisationally separated from their EU operations. They must show that third countries cannot compel them to access data, degrade service quality, or comply with restrictive measures like embargoes unless those measures are legitimate under EU law.
  • Providers Exposed to Non-EU Law: The proposal notes that many current market incumbents are subject to third-country jurisdictions with extraterritorial effect, such as the US CLOUD Act. Under CADA, providers controlled by third countries may only be eligible for Union Assurance Level 3 if the Commission has adopted a decision identifying that third country as providing sufficient assurances (under Article 18). This requires the third country to have an adequacy decision for data protection and no measures that enable it to exercise control over the provider in a way that conflicts with EU law. Without such a Commission decision, providers subject to third-country control cannot qualify for Level 3 or 4, and may face significant hurdles for Level 2.

What this means for you

For cloud service providers and data centre operators in Estonia or serving Estonian clients, the implications are strategic and operational:

  • Audit Readiness: If you aim to serve Estonian public sector bodies involved in activities contributing to public order (as defined by Estonian risk assessments under Article 29), you will likely need to target Union Assurance Level 2, 3, or 4. This means preparing for rigorous independent audits that scrutinise your software supply chain, personnel citizenship, and third-country exposure.
  • Supply Chain Transparency: You must document your software bill of materials (SBOM) and demonstrate that you have controls to block remote features that could tamper with systems. You must also prove that your subcontractors meet the same location and control criteria.
  • Registration Strategy: Your path to market involves submitting an application for recognition to the Estonian national competent authority (if you are established there) or the competent authority of your main establishment. Upon positive conclusion, your service will be listed in the Commission's central repository, making you visible to all EU public buyers, including in Estonia.
  • Public Procurement Alignment: Estonian contracting authorities will be required to procure, as a minimum, Union Assurance Level 1 services. For activities identified as contributing to public order (e.g., national security, justice, critical infrastructure), they must procure Level 2, 3, or 4. Aligning your offering with these levels is essential to remain competitive in the Estonian public sector market.

Common misconceptions

  • "Estonia will have its own list of sovereign providers." Incorrect. CADA establishes a Union-wide central repository (Article 22). Recognition is mutual across the EU. An Estonian authority recognises a provider, but the list is centralised at the Commission level.
  • "Self-certification is enough for high-security public contracts." Incorrect. Self-assessment is only sufficient for Union Assurance Level 1 (Article 19). Levels 2, 3, and 4 require independent third-party audits (Article 20) and a positive audit opinion.
  • "Non-EU providers can easily qualify for Level 3 or 4." Incorrect. Providers subject to third-country control are generally excluded from Level 3 and 4 unless the Commission has specifically decided that the third country provides sufficient safeguards (Article 18). This is a high bar, requiring adequacy decisions and proof that the third country cannot compel data access or service disruption.
  • "Sovereignty is just about data location." Incorrect. While data must remain in the Union, sovereignty under CADA also covers operational autonomy, personnel citizenship (for Levels 3–4), software supply chain security, and freedom from third-country legal coercion.

This is general information about a draft EU regulation, not legal advice.