Summary
Under the proposed Cloud and AI Development Act (CADA), France will not maintain a distinct national list of sovereign cloud providers. Instead, it relies on a harmonised EU-wide framework of four "Union assurance levels" established by Article 16. Cloud providers must apply for recognition through a French national competent authority; once approved, they are listed in a central EU repository maintained by the Commission under Article 22. French buyers, particularly public bodies, must select providers based on these EU-wide assurance levels rather than local certifications. Crucially, the framework distinguishes between providers genuinely free from third-country control (Levels 3–4) and those established in the EU but potentially exposed to non-EU laws, requiring specific safeguards or derogations.
Detail
The proposed Cloud and AI Development Act (CADA) seeks to address the EU's strategic dependence on non-European cloud providers by replacing fragmented national approaches with a single, harmonised sovereignty framework. For cloud service providers operating in or targeting the French market, this means navigating a unified classification system rather than a patchwork of national labels. The core of this system is the Union cloud computing sovereignty framework, which categorises services into four assurance levels based on their resilience against extraterritorial legal reach, operational disruption, and unauthorised data access.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 of the CADA proposal establishes the Union cloud computing sovereignty framework, comprising four distinct assurance levels (Level 1 to Level 4). These levels are not merely technical certifications but legal attestations of a provider's ability to safeguard the Union's public order and strategic autonomy. The specific criteria for each level are detailed in Annex II of the proposal.
Level 1: Basic Union Assurance
This is the baseline requirement for all public sector procurement under CADA. To achieve Level 1, a provider must be established in the Union. Its infrastructure, assets, and customer data must remain exclusively within the Union, unless a public sector body explicitly requires otherwise. A critical nuance for Level 1 concerns third-country control: if the provider is subject to the control of a third country or a legal entity established there, it must guarantee that no laws or practices in that third country require the reporting of software vulnerabilities to authorities before those vulnerabilities are known to be exploited. Recognition for Level 1 is primarily based on a conformity self-assessment by the provider. Notably, for Small and Medium-sized Enterprises (SMEs), the EU statement of conformity is directly and automatically recognised across all Member States without prior review by the national competent authority.
Level 2: Enhanced Union Assurance
Level 2 introduces stricter operational and personnel requirements. The provider and its subcontractors must be established in the Union, and their infrastructure, assets, and personnel must be located in the Union. Crucially, data generated by the service cannot be used to train or fine-tune any AI system operated by a third country, nor can it be transferred outside the Union. The provider must obtain a European cybersecurity certificate of at least assurance level 'substantial' (or demonstrate compliance with the highest cybersecurity standards if such a scheme is not yet established). If the provider is controlled by a third-country entity, it must implement robust measures to prevent that control from restricting service delivery, accessing customer data, or disrupting service continuity. Recognition for Level 2 requires an independent third-party audit.
Level 3: High Union Assurance
Level 3 is designed for activities contributing to the preservation of public order, such as national security, defence, or law enforcement. It mandates that personnel involved in the provision of the service are Union citizens. Where national security clearance is required for handling classified information, personnel must hold such clearance issued by a Member State. The provider and its subcontractors generally must not be subject to the control of a third country. However, Article 18 provides a derogation: the Commission may adopt an implementing act recognising a specific third country as providing sufficient assurances, allowing providers controlled by that country to qualify for Level 3 if they meet strict safeguards. The cybersecurity requirement for Level 3 is a European cybersecurity certificate of at least assurance level 'substantial'. Like Level 2, this level requires independent third-party audits.
Level 4: Highest Union Assurance
Level 4 represents the highest tier of sovereignty, intended for the most critical public order activities. It requires that sensitive data identified through a risk assessment remain exclusively within the Union. Personnel must be Union citizens and hold necessary national security clearances. The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country; no derogation under Article 18 applies to Level 4. The cybersecurity requirement is elevated to a European cybersecurity certificate of at least assurance level 'high'. Furthermore, Level 4 demands rigorous software supply chain measures, ensuring that third countries do not hold effective control over the design, development, maintenance, or evolution of software components.
Recognition and the Central Repository (Article 22)
The pathway to offering sovereign cloud services in France involves a formal recognition process. Under Article 17, a provider submits an application to the national competent authority of its establishment. In France, this would be the designated authority responsible for enforcing the sovereignty chapter. The authority assesses the evidence (self-assessment for Level 1; audit reports for Levels 2–4) and, if satisfied, adopts a recognition decision.
Once recognised, the service is registered in a central repository established and maintained by the European Commission, as mandated by Article 22. This repository is publicly available and serves as the definitive source of truth for buyers across the Union. It lists all cloud computing services recognised as offering Union assurance levels 1 through 4. The repository ensures transparency, allowing French public sector bodies to verify a provider's status instantly. Revocations of recognition are also published in the repository and remain visible for five years.
Distinguishing EU/EEA-Controlled vs. Non-EU Exposed Providers
A central feature of the CADA framework is the clear distinction between providers that are genuinely autonomous from third-country influence and those that are merely EU-established but legally exposed to non-EU jurisdictions.
- EU-Controlled Sovereign Offerings (Levels 3 & 4): These providers meet the strictest criteria. At Level 3, third-country control is generally prohibited unless a specific Commission derogation (Article 18) applies. At Level 4, third-country control is strictly prohibited. These providers offer the highest degree of operational autonomy, ensuring that no foreign government can compel access to data or disrupt service. They are the primary option for French activities involving classified information or critical national infrastructure.
- Providers Exposed to Non-EU Law (Levels 1 & 2, and conditional Level 3): Providers established in the EU but controlled by third-country entities (e.g., US hyperscalers with French subsidiaries) can qualify for Levels 1 and 2. They must demonstrate that their third-country control does not restrict service delivery, allow access to customer data, or disrupt service continuity. For Level 3, they can only qualify if the Commission has recognised their home country under Article 18. For many high-risk French public sector use cases, these providers may be excluded if the risk assessment determines that Level 3 or 4 is required and the provider cannot meet the "no control" or "recognised third country" criteria.
Implications for Buyers in France
For public sector bodies and contracting authorities in France, the CADA framework fundamentally alters procurement dynamics. Article 29 requires Member States to conduct risk assessments to identify public sector activities that contribute to the preservation of public order (e.g., in sectors under NIS2 Annex I/II, or areas of national security, defence, justice).
- Non-Critical Activities: If a French public body's activity is not identified as contributing to public order preservation, Article 30(2) mandates the use of services recognised at Union assurance level 1.
- Critical Activities: If the activity is identified as contributing to public order, Article 30(3) requires the authority to procure only services recognised at Union assurance levels 2, 3, or 4.
French buyers cannot simply choose any provider with a French presence. They must consult the central repository (Article 22) to verify that a provider holds the specific assurance level required for their use case. The procurement process must explicitly reference the required Union assurance level.
What this means for you
For Cloud Service Providers: If you operate in France or target French public clients, you must determine which Union assurance level your service can meet. This involves a thorough self-assessment for Level 1 or engaging an independent auditing organisation for Levels 2–4. You must then apply for recognition through the French national competent authority. Ensure your technical and organisational measures—particularly regarding data localisation, personnel citizenship, and third-country control—align strictly with Annex II. Once recognised, your service will appear in the EU central repository, making you visible to buyers across the entire Union, not just in France.
For Data Centre Operators: While CADA focuses on cloud services, data centre operators supporting these services must ensure their infrastructure meets the location and sustainability requirements. Data centres in France should be prepared to provide evidence of their location, energy efficiency, and security measures to cloud providers who need this information for their assurance level audits. Note that specific data centre KPIs are defined in Delegated Regulation (EU) 2024/1364, not directly in CADA, but compliance with these KPIs is often a prerequisite for the sustainability criteria in the assurance levels.
For French Public Sector Buyers: You must conduct or update your risk assessments under Article 29 to determine the appropriate assurance level for your cloud services. Use the central repository to identify recognised providers. When procuring, include the requirement for the specific Union assurance level in your tender documents. For critical activities, be prepared to exclude providers that do not meet Levels 2–4, even if they are EU-based, if they are subject to third-country control that cannot be mitigated or if the third country is not recognised under Article 18.
Common misconceptions
"France has its own sovereign cloud label." No. CADA replaces national sovereignty schemes with a harmonised EU framework. There is no "French sovereign cloud" label separate from the Union assurance levels. A provider recognised in France under CADA is recognised across the entire EU.
"All EU-based providers are automatically 'sovereign'." Being established in the EU is a necessary but insufficient condition. Providers must meet the specific criteria for each assurance level. A US-controlled provider established in France may qualify for Level 1 or 2 but may not meet the strict "no control" requirements for Level 3 or 4 unless specific derogations apply.
"The central repository is only for public sector use." While the repository is primarily a tool for public sector procurement, it is publicly available. Private sector entities, particularly those in critical sectors under NIS2, can use it to identify providers that meet high sovereignty standards, and they may conduct similar impact assessments under Article 31.
"Assurance levels are static." Providers must report material changes that could affect their assurance level under Article 23. If a provider's circumstances change (e.g., new third-country control), their recognition may be amended or revoked. The repository is regularly updated to reflect these changes.
This is general information about a draft EU regulation, not legal advice.