Summary

Under the proposed Cloud and AI Development Act (CADA), Hungary does not maintain a unique national list of sovereign cloud providers. Instead, it participates in a unified EU-wide framework of four "Union assurance levels" defined in Article 16. Hungarian public bodies and critical private entities must procure cloud services that meet the specific assurance level determined by their risk assessment, verifying provider status exclusively through the Commission's central repository established under Article 22. This framework rigorously distinguishes between providers fully established and controlled within the Union and those exposed to non-EU laws, ensuring that data sovereignty and operational autonomy are legally audited rather than merely claimed.

This is general information about a draft EU regulation, not legal advice.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on non-European cloud providers. For Hungary, this signifies a shift away from fragmented national trust criteria toward a single, auditable set of standards applicable across the single market. The core of this system is the classification of cloud computing services into four distinct "Union assurance levels," as set out in Article 16. These levels dictate the degree of sovereignty, data localisation, and personnel citizenship required, directly impacting which providers Hungarian entities can legally engage for specific use cases.

The Four Union Assurance Levels (Article 16)

As proposed in Article 16, the framework establishes cumulative criteria for cloud computing service providers to be recognised at levels 1 through 4. The requirements become progressively stricter, particularly regarding third-country control, data residency, and cybersecurity certification. These criteria are detailed in Annex II of the proposal.

Union Assurance Level 1: The Baseline for Public Sector

Level 1 serves as the minimum baseline for public sector procurement. Under Annex II, a provider must be established in the Union. Crucially, the infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise. For Level 1, compliance is demonstrated through a conformity self-assessment and an "EU statement of conformity." Notably, if the provider is a Small and Medium-sized Enterprise (SME), this statement is automatically recognised across all Member States, including Hungary, without prior national authority intervention (Article 17(3)). However, if the provider is subject to third-country control, it must guarantee that no laws in that third country require reporting software vulnerabilities to foreign authorities before they are publicly known.

Union Assurance Level 2: Enhanced Security and Supply Chain Transparency

Level 2 requires independent third-party audits. The provider and its subcontractors must be established in the Union, and all infrastructure, assets, and personnel involved in service provision must be located in the Union. A critical distinction at this level is the prohibition on using customer data to train or fine-tune AI systems operated by third-country entities. Furthermore, the provider must demonstrate robust software supply chain measures, including a complete Software Bill of Materials (SBOM) and controls to block remote features that could tamper with the system. If the provider is controlled by a third-country entity, it must prove that this control does not restrict its ability to deliver services or allow foreign access to customer data. Crucially, for Level 2, the requirement for Union-citizen personnel is conditional: it applies only if the public sector body explicitly requires it in the risk assessment.

Union Assurance Level 3: Strict Sovereignty and Personnel Citizenship

Level 3 introduces stringent personnel and control requirements. All personnel, including subcontractors, involved in the service must be Union citizens. Additionally, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. There is a narrow derogation: the Commission may adopt implementing acts to allow providers controlled by specific third countries to qualify for Level 3 if those countries have adequate data protection decisions and safeguards against unauthorised data access or service disruption (Article 18). Technical support and operational assistance must be initiated and performed exclusively within the Union by Union residents. The cybersecurity requirement for Level 3 is a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under Regulation (EU) 2019/881.

Union Assurance Level 4: Maximum Sovereignty for Critical Public Order

Level 4 is reserved for the most sensitive public sector activities, such as those involving national security or classified information. Like Level 3, it requires that personnel be Union citizens and that the provider not be subject to third-country control. However, it demands a higher European cybersecurity certificate: assurance level "high" (not "substantial"). It also imposes stricter software supply chain controls, requiring proof that third-country entities do not hold effective control over the design, development, or maintenance of critical software components. Data identified as sensitive following a risk assessment must remain exclusively within the Union at all times.

Distinguishing EU/EEA-Controlled Offerings from Non-EU Exposed Providers

A key objective of CADA is to address the risk of extraterritorial access to data, such as that posed by the US CLOUD Act. The framework explicitly distinguishes between providers that are genuinely sovereign and those that are merely "EU-located" but legally exposed to foreign jurisdictions.

For Levels 2, 3, and 4, the criteria focus heavily on "control." If a cloud provider is owned or controlled by a third-country entity, it faces significant hurdles. For Levels 3 and 4, the default rule is exclusion unless the Commission has specifically recognised the third country as providing sufficient assurances under Article 18. This recognition requires the third country to have an adequacy decision under the GDPR, no laws enabling control that conflicts with EU data access rules, and no measures allowing the degradation or disruption of service continuity.

For providers not meeting these strict sovereignty criteria, Hungarian buyers cannot rely on them for activities identified as contributing to the preservation of public order. The framework ensures that "sovereign" is a legally verified status, not a marketing term. Providers must prove that their corporate governance, shareholder structure, and operational procedures prevent any third-country authority from compelling data access or service interruption.

Identifying Recognised Providers via the Central Repository (Article 22)

Hungarian organisations do not determine provider status themselves; they verify it through a centralised mechanism. Article 22 mandates that the Commission establish and maintain a central repository of cloud computing services recognised as offering Union assurance levels 1 through 4.

This repository is the single source of truth for procurement. Once a provider successfully completes the recognition process through the national competent authority of the Member State where it is established (e.g., a Hungarian provider is assessed by Hungary's authority, a German provider by Germany's), it is registered in this EU-wide repository. The repository is publicly available and regularly updated.

For Hungarian buyers, this means:

  1. Verification: Before procurement, buyers must check the central repository to confirm a provider's recognised assurance level.
  2. Transparency: The repository includes information on any revocations of audit reports or recognitions, which remain visible for five years.
  3. Cross-Border Validity: A provider recognised in one Member State is recognised across the Union. A Hungarian public body can procure from a French provider recognised at Level 3 just as easily as from a Hungarian one, provided the repository confirms the status.

Providers have ongoing transparency obligations under Article 23. They must notify the auditing organisation and the national competent authority of any material changes that could affect their assurance level. If a provider's status changes (e.g., a change in ownership introducing third-country control), the repository is updated, potentially invalidating their eligibility for certain Hungarian contracts.

What this means for you

For cloud service providers and data centre operators operating in or targeting the Hungarian market, CADA introduces a structured compliance pathway that replaces ad-hoc trust assertions with formal recognition.

For Providers:

  • Assess Your Control Structure: If you are controlled by a non-EU entity, you must evaluate whether you can meet the strict "no third-country control" criteria for Levels 3 and 4, or whether you would instead have to rely on the Commission's potential recognition of your home country under Article 18.
  • Prepare for Audits: Levels 2, 3, and 4 require independent third-party audits. You must document your supply chain, personnel citizenship, and data localisation controls meticulously. Annex II and Annex III of the proposal detail the specific evidence required (e.g., SBOMs, access logs, personnel contracts).
  • Engage with Competent Authorities: You must submit your application for recognition to the national competent authority of your establishment. If you are established in Hungary, you will work with the Hungarian authority designated under Article 25. Ensure your internal controls align with the audit criteria before applying.
  • Monitor the Repository: Once recognised, you must maintain your status. Any material change in your operational or legal structure must be reported immediately to avoid revocation of your assurance level, which would remove you from the central repository and make you ineligible for public sector contracts.

For Hungarian Buyers (Public Sector and Critical Private Entities):

  • Conduct Risk Assessments: Under Article 29, you must determine which assurance level your activities require. Most general public services will require Level 1. Activities involving national security, defence, or critical infrastructure will likely require Levels 2, 3, or 4.
  • Procure from the Repository: You are obligated to procure only from providers listed in the Commission's central repository at the appropriate assurance level. Do not rely on provider self-declarations; verify the status in the repository.
  • Plan for Migration: If your current provider does not meet the required assurance level, you must migrate within a reasonable transition period (not exceeding 12 months, per Article 29(6)). Start this process early to ensure continuity of service.
  • Consider Multi-Cloud Strategies: Article 29(9) encourages considering multi-vendor or multi-cloud strategies to enhance resilience. This can help mitigate the risk of dependency on a single provider, especially for critical services.

Common misconceptions

"Sovereign cloud" is a national Hungarian concept. Incorrect. CADA establishes a Union-wide framework. There is no separate "Hungarian sovereign cloud" certification. A provider recognised in Germany is recognised in Hungary. The assurance levels are uniform across the EU.

Any EU-based provider is automatically "sovereign." Incorrect. A provider can be established in the EU but still be controlled by a third-country entity. For Levels 3 and 4, third-country control is generally prohibited unless the Commission has specifically recognised the third country under Article 18. For Level 2, strict measures must be in place to prevent third-country interference.

Level 1 is just a self-declaration with no oversight. Incorrect. While Level 1 uses a self-assessment model, the provider must issue an EU statement of conformity and assume responsibility for compliance. National competent authorities can still investigate and penalise false declarations. Furthermore, for non-SMEs, the statement must be submitted to the evaluating national competent authority for recognition (Article 17(3)).

The central repository is only for public bodies. Incorrect. While the procurement obligations primarily target public bodies and entities in critical sectors (NIS2 Annex I), the repository is publicly available. Private entities, especially those in critical sectors, are encouraged to use it to assess provider trustworthiness and may be subject to impact assessments under Article 31.

"Substantial" cybersecurity certification applies only to Level 4. Incorrect. Under Annex II, Level 3 requires a "substantial" assurance level certificate, while Level 4 requires a "high" assurance level certificate. Level 2 also requires "substantial" certification.
