Summary
Under the proposed Cloud and AI Development Act (CADA), there is no separate national list of "sovereign" cloud providers for Finland. Instead, CADA establishes a harmonised EU-wide sovereignty framework with four Union assurance levels (Level 1 to Level 4), as set out in Article 16. Finnish public sector bodies and critical private entities will identify compliant providers exclusively by checking the Commission's central repository of recognised services, mandated by Article 22. Providers must achieve recognition through self-assessment (Level 1) or independent third-party audits (Levels 2–4) to prove they meet strict criteria regarding data localisation, personnel citizenship, and freedom from third-country control. This framework distinguishes between providers genuinely free from non-EU legal reach and those merely hosting data in the EU.
Detail
The proposed Cloud and AI Development Act (CADA) fundamentally shifts how cloud sovereignty is defined and verified in the EU, including Finland. Rather than relying on national certifications, voluntary labels, or vague marketing claims about "data residency," CADA introduces a harmonised legal framework to mitigate risks associated with dependence on non-European cloud providers. This framework is designed to protect public order, ensure operational autonomy, and safeguard data confidentiality against extraterritorial laws, such as the US CLOUD Act, by establishing a single, auditable standard across the Union.
The Union Cloud Computing Sovereignty Framework
The core of CADA's autonomy measures is the Union cloud computing sovereignty framework, established in Article 16. The framework creates a tiered system of four "Union assurance levels" (Level 1 to Level 4). These levels represent increasing degrees of sovereignty, security, and control. A cloud computing service provider must demonstrate compliance with the cumulative criteria of a level to be recognised at it. The criteria, detailed in Annex II of the proposal, escalate in strictness as the level increases.
- Union Assurance Level 1 (Baseline): This is the minimum baseline for public sector procurement. Providers must be established in the Union, with infrastructure and assets located in the Union. Crucially, customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate state-of-the-art cybersecurity standards and full transparency regarding subcontractors. If a provider is subject to the control of a third country, it must guarantee that no law of that third country obliges it to report software vulnerabilities to that country's authorities before they are exploited; such an obligation would give a foreign government knowledge of unpatched weaknesses in the service ahead of its customers.
- Union Assurance Level 2 (Enhanced): This level requires that both the provider and its subcontractors are established in the Union. All infrastructure, assets, and personnel involved in the service must be located in the Union. Data generated by the service cannot be used to train AI systems operated by third countries. Providers must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (or demonstrate equivalent national standards until such a scheme exists). Strict software supply chain measures, including a complete Software Bill of Materials (SBOM), are mandatory.
- Union Assurance Level 3 (High Sovereignty): This level introduces strict personnel requirements. All personnel, including those of subcontractors, must be Union citizens, and personnel handling classified information must hold the national security clearances that information requires. Third-country control is generally prohibited. However, a narrow derogation exists: a provider subject to third-country control may be recognised at Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances (e.g., via an adequacy decision and specific safeguards against extraterritorial access).
- Union Assurance Level 4 (Maximum Sovereignty): The highest level of assurance, intended for the most sensitive public order activities, including the secure hosting of EU classified information. It requires Union citizenship for all personnel and strict separation from third-country control. Providers must demonstrate that no third country holds effective control over the design, development, or maintenance of software components. This level requires a European cybersecurity certificate of at least assurance level 'high'.
Recognition and the Central Repository
How do Finnish buyers and providers navigate this system? CADA mandates a transparent, EU-wide recognition mechanism to prevent market fragmentation.
Article 22 establishes the "Central repository of cloud computing services." The Commission must establish and maintain this dedicated repository. National competent authorities (such as the one Finland will designate) register cloud computing services that have been recognised under Article 17.
For a provider to be listed, it must undergo a specific process:
- Submission: The provider submits an application for recognition to the national competent authority of its establishment.
- Evidence: For Level 1, this involves an EU statement of conformity (self-assessment). For Levels 2–4, it requires an independent third-party audit resulting in a "positive" audit opinion from an auditing organisation.
- Recognition: The evaluating national competent authority assesses the evidence. If compliant, it issues a recognition decision.
- Publication: The service is registered in the central repository, making it visible to all Member States, including Finland.
This repository serves as the single source of truth. It lists services recognised at each assurance level and includes any revocations of recognition, which remain published for five years.
Distinguishing Sovereign Offerings from Non-EU Exposed Providers
A key objective of CADA is to distinguish between providers that are genuinely sovereign and those that are merely EU-located but exposed to non-EU law.
Under Article 16 and Annex II, a provider subject to the control of a third country (e.g., a US-based hyperscaler) faces significant hurdles. For Levels 2 and 3, they must demonstrate that necessary legal, technical, and organisational measures are in place to prevent third-country access to data and to prevent service disruption. For Level 3, they are generally excluded unless the Commission adopts an implementing act under Article 18 identifying their home country as providing sufficient assurances.
In contrast, EU/EEA-controlled providers that meet the strict personnel, data localisation, and supply chain criteria can achieve higher assurance levels more readily. This creates a clear market distinction: "Sovereign" in CADA terms means audited compliance with these specific legal and technical criteria, not just data residency. A provider with data in Finland but controlled by a non-EU entity without an Article 18 designation would likely be capped at Level 1 or 2, depending on their ability to prove independence from third-country legal reach.
What this means for you
For cloud service providers and data centre operators in Finland, CADA presents both a compliance challenge and a market opportunity.
For Providers:
- Audit Readiness: If you aim to serve the public sector or critical private entities, you must prepare for independent audits for Levels 2–4. This includes securing a European cybersecurity certificate (or demonstrating equivalent standards) and maintaining a detailed SBOM.
- Personnel and Subcontractors: Review your supply chain immediately. For Levels 3 and 4, ensure all personnel and subcontractors are Union citizens and located in the Union. For Level 2, ensure subcontractors are established in the Union and that all infrastructure and personnel involved in the service are located in the Union.
- Engage with the Finnish Competent Authority: Monitor the designation of Finland's national competent authority. You will need to submit your application for recognition to this body, which will then register your service in the central repository.
For Buyers (Public Sector and Critical Private Entities):
- Use the Repository: Do not rely on vendor claims or marketing brochures. Use the Commission's central repository (Article 22) to verify the recognised assurance level of the specific service you intend to buy, not just the provider's brand, and check the repository's published revocations (which stay listed for five years) before procurement.
- Risk Assessment: Conduct risk assessments as required by Article 29. If your activities concern public order (e.g., healthcare, justice, critical infrastructure, defence), you may be required to procure only services recognised at Level 2, 3, or 4.
- Transition Planning: If your current provider is not recognised at the required level, plan for migration. CADA allows a reasonable transition period (not exceeding 12 months) for migration, but you must act promptly to ensure continuity and compliance.
Common misconceptions
"Data residency equals sovereignty."
- Correction: Storing data in the Union (Finland included) satisfies only the localisation criterion; it is not sufficient on its own. CADA additionally requires strict controls on personnel, subcontractors, software supply chains, and freedom from third-country legal access. A US-controlled provider with data in Finland may fail the Level 2 criteria because of its ownership and legal exposure, regardless of where the data sits.
"Only public sector bodies are affected."
- Correction: While public procurement rules are strict, Article 31 allows private entities in critical sectors (under NIS2) to conduct similar impact assessments. Market pressure from public sector demand will likely drive private sector adoption of higher assurance levels.
"CADA bans non-EU providers."
- Correction: CADA does not ban non-EU providers. However, it makes it difficult for them to achieve Level 3 or 4 recognition unless their home country is designated as an "associated third country" under Article 18. They can still compete at Level 1 or 2 if they meet the strict criteria.
"Finland will have its own separate sovereignty list."
- Correction: CADA harmonises this at the EU level. Finland will participate in the EU-wide recognition process and use the central repository. National lists will be redundant and potentially fragment the single market.
"Level 3 allows any third-country provider."
- Correction: Level 3 generally prohibits third-country control. The only exception is for providers from countries specifically designated by the Commission under Article 18 as providing sufficient assurances. Without this specific designation, a third-country controlled provider cannot reach Level 3.
Official sources
Related
- What sovereign cloud providers and options are available in Sweden under CADA?
- What sovereign cloud providers and options are available in Spain under CADA?
- What sovereign cloud providers and options are available in Slovenia under CADA?
- What sovereign cloud providers and options are available in Slovakia under CADA?
- What sovereign cloud providers and options are available in Portugal under CADA?
This is general information about a draft EU regulation, not legal advice.