Summary
Under the proposed Cloud and AI Development Act (CADA), there is currently no national list of sovereign cloud providers specific to Greece. As proposed, the regulation establishes a single, EU-wide "Union cloud computing sovereignty framework" where providers are recognized at one of four "Union assurance levels" (Article 16). Greek public bodies and private entities will identify eligible providers not through a Greek registry, but by consulting the European Commission's central repository (Article 22). Providers subject to non-EU control face strict hurdles for Levels 3 and 4, generally requiring a specific Commission implementing act to be eligible, while Level 4 generally excludes third-country control entirely.
Detail
The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, fundamentally shifts how cloud sovereignty is assessed in the EU. Instead of fragmented national schemes, it creates a harmonized framework where cloud services are recognized across the Union based on four distinct assurance levels. For Greek organizations, particularly public sector bodies, this means procurement decisions will be driven by a mandatory risk assessment and verified against a centralized EU database.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 establishes the core mechanism: a framework comprising four Union assurance levels. These levels are cumulative; a service at a higher level must meet all criteria of the lower levels. The criteria are detailed in Annex II of the proposal.
1. Union Assurance Level 1 (Baseline)
This level sets the minimum threshold for public sector procurement.
- Establishment: The provider must be established in the Union.
- Location: Infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
- Third-Country Control: If the provider is subject to third-country control, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to foreign authorities before they are publicly known.
- Verification: Providers demonstrate compliance via a conformity self-assessment and an EU statement of conformity (Article 19).
2. Union Assurance Level 2 (Enhanced)
This level introduces stricter operational and personnel controls.
- Personnel: The provider and subcontractors must be established in the Union. Crucially, personnel involved in the service must be located in the Union.
- Data & AI: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country or a legal entity established in a third country.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level "substantial" (Annex II, 2.1(e)). Note: Under the proposal, Level 2 and Level 3 both require "substantial" certification; only Level 4 requires "high".
- Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with systems.
- Third-Country Control: If subject to third-country control, the provider must demonstrate that such control does not restrict service delivery, allow unauthorized data access, or force compliance with restrictive measures (e.g., sanctions).
3. Union Assurance Level 3 (High Sensitivity)
This level is designed for activities contributing to the preservation of public order.
- Personnel: Personnel involved in the service must be Union citizens. Where appropriate, they must hold national security clearances for handling classified information.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level "substantial".
- Third-Country Control: The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
- Derogation: By way of derogation, a provider subject to third-country control may be audited for Level 3 where the Commission has adopted an implementing act identifying that third country as providing sufficient assurances (Annex II, 3.1(g)). Note: The proposal text in Annex II explicitly cross-references an implementing act under Article 19 for this derogation, though Article 18 contains the substantive criteria for "Associated third countries". This appears to be a drafting inconsistency in the proposal text itself.
- Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents.
4. Union Assurance Level 4 (Critical Public Order)
The highest level, reserved for the most critical public order activities (e.g., defense, classified information).
- Personnel: Personnel must be Union citizens with necessary national security clearances.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level "high".
- Third-Country Control: The provider and subcontractors must not be subject to the control of a third country. No derogation is available for Level 4.
- Software Control: The provider must demonstrate effective control over software components, ensuring no third country holds effective control over their design, development, or maintenance.
Identification via the Central Repository (Article 22)
Greek organizations will not rely on a national list of approved vendors. Instead, Article 22 mandates the Commission to establish and maintain a central repository of cloud computing services recognized as offering Union assurance levels 1 through 4.
- Process: A provider applies for recognition to the national competent authority of its establishment (e.g., if a provider is established in France, the French authority assesses it).
- Union-Wide Validity: Once recognized, the service is valid across the entire Union.
- Access: The repository will be publicly available on a dedicated website, regularly updated by the Commission and national competent authorities.
- Verification: Greek buyers must check this repository to confirm a provider's status before procurement. The repository will list services that have passed self-assessment (Level 1) or independent third-party audits (Levels 2–4).
Distinguishing EU-Controlled vs. Non-EU Exposed Providers
A primary goal of CADA is to differentiate between providers genuinely controlled by the EU and those merely operating within it but subject to extraterritorial laws (such as the US CLOUD Act).
- EU/EEA-Controlled Providers: Providers established in the Union and not subject to third-country control can access Levels 3 and 4 more directly, provided they meet the personnel and cybersecurity certification requirements. They are not barred by the "no third-country control" rule.
- Providers Exposed to Non-EU Law: Providers subject to third-country control face significant barriers:
  - Level 1: Permitted if they guarantee no early vulnerability disclosure to foreign authorities.
  - Level 2: Permitted if they prove third-country control does not restrict service or allow data access.
  - Level 3: Generally prohibited unless the Commission adopts an implementing act recognizing the third country as providing sufficient safeguards (Annex II, 3.1(g)).
  - Level 4: Prohibited. The criteria for Level 4 explicitly require that the provider is not subject to third-country control, with no derogation mechanism provided.
Implications for Buyers in Greece
For Greek public sector bodies, the procurement path is dictated by a mandatory risk assessment under Article 29.
- Risk Assessment (Article 29): By one year after entry into force, and every two years thereafter, Greece (as a Member State) must conduct risk assessments to identify public sector activities that contribute to the preservation of public order (e.g., national security, defense, justice, law enforcement).
- Procurement Obligations (Article 30):
  - Non-Critical Activities: If an activity is not identified as contributing to public order, the contracting authority must procure services with at least Union Assurance Level 1 (Article 30(2)).
  - Critical Activities: If an activity is identified as contributing to public order, the authority must procure services with Union Assurance Levels 2, 3, or 4 (Article 30(3)).
- National Discretion: While the minimum level is set by the risk assessment, the specific level (2, 3, or 4) for critical activities is determined by the Greek risk assessment, guided by Commission methodology. A Greek ministry of defense would likely require Level 3 or 4, while a municipal office might only require Level 1 or 2.
What this means for you
For cloud service providers, data center operators, and Greek public bodies:
For Providers (Targeting Greece):
- Audit Readiness: If you aim to serve Greek public clients for critical functions (Levels 2–4), you must undergo independent third-party audits. Ensure your software supply chain is transparent (SBOMs) and that your personnel meet the geographic and citizenship requirements of your target level.
- Third-Country Control: If you are controlled by a non-EU entity, assess your eligibility for Levels 3 and 4. You may be limited to Levels 1 and 2 unless the Commission adopts an implementing act for your home country. Level 4 is effectively closed to third-country-controlled entities.
- Repository Listing: Apply for recognition through your home Member State's competent authority. Once recognized, your service will appear in the EU central repository (Article 22), which Greek buyers will use to validate your status.
For Greek Public Bodies:
- Conduct Risk Assessments: You must identify which of your activities contribute to public order to determine the required assurance level (Article 29).
- Check the Repository: Do not rely on national lists. Verify provider status via the Commission's central repository (Article 22).
- Enforce Minimum Levels: Ensure procurement contracts mandate the minimum assurance level identified in your risk assessment (Level 1 for non-critical; Levels 2–4 for critical).
For Private Sector Entities:
- While CADA primarily targets public procurement, Article 31 allows private entities in sectors of high criticality (Annex I of NIS2) to conduct similar impact assessments. Market pressure may drive private adoption of higher assurance levels to align with public sector standards.
Common misconceptions
"Greece will publish its own list of sovereign cloud providers." No. CADA creates a single, EU-wide central repository (Article 22). Greek public bodies will use this EU list, not a national one. Recognition granted in any Member State is valid across the Union.
"Any provider established in the EU is automatically 'sovereign'." No. Being established in the EU is only the baseline for Level 1. To reach Levels 2, 3, or 4, providers must undergo audits, meet strict data localization and personnel requirements, and obtain specific cybersecurity certifications ("substantial" for Levels 2/3, "high" for Level 4).
"Non-EU providers are banned from the Greek market." No. Non-EU providers are not banned. They can qualify for Level 1 and potentially Levels 2 and 3 if their home country is recognized by the Commission as providing sufficient safeguards. However, they are generally excluded from Level 4, which requires no third-country control.
"Public bodies can choose any assurance level they prefer." No. The required level is determined by a mandatory risk assessment (Article 29). If a Greek public body's activities are deemed critical to public order, they must procure Level 2, 3, or 4 services. They cannot opt for Level 1 if the risk assessment dictates a higher level.
"Level 3 and Level 4 have the same cybersecurity certification requirement." No. While both require a European cybersecurity certificate, Level 3 requires at least "substantial" assurance, whereas Level 4 requires at least "high" assurance (Annex II, 3.1(e) vs 4.1(e)).
This is general information about a draft EU regulation, not legal advice.