Summary
Under the proposed Cloud and AI Development Act (CADA), Ireland does not maintain a unique national list of sovereign cloud providers. Instead, the framework relies on a single EU-wide central repository established by the European Commission to identify services formally recognised at specific Union assurance levels. As CADA is currently a proposal (COM(2026) 502 final), no providers are yet officially recognised. Once adopted, Irish public bodies will be legally required to procure only services appearing in this repository that meet minimum assurance levels determined by national risk assessments. Providers must undergo a formal recognition process via Ireland's national competent authority to be listed. Crucially, the framework distinguishes between providers established in the EU but controlled by third countries (which face strict limits at higher levels) and those fully autonomous within the Union.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a harmonised Union cloud computing sovereignty framework designed to reduce strategic dependencies on non-European providers and safeguard the Union's public order. For cloud service providers, data centre operators, and public buyers in Ireland, this means navigating a tiered system of sovereignty criteria known as "Union assurance levels."
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 of the CADA proposal establishes a four-tier framework. To be recognised as offering a specific Union assurance level, a cloud computing service provider must meet cumulative criteria set out in Annex II. These levels dictate the degree of control, data localisation, personnel requirements, and cybersecurity measures required.
- Union Assurance Level 1 (Baseline):
  - Establishment: The provider must be established in the Union.
  - Location: Infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  - Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  - Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to foreign authorities before those vulnerabilities are publicly known.
  - Transparency: Full transparency regarding subcontractors is required, with due diligence and ongoing oversight.
- Union Assurance Level 2 (Substantial):
  - Personnel: Infrastructure, assets, and personnel (including subcontractors) must be located in the Union.
  - Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (or national equivalents until such a scheme exists).
  - AI Data Use: Data generated by the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
  - Third-Country Control: If controlled by a third country, the provider must implement measures ensuring that such control does not restrict service delivery, prevent access to customer data, or disrupt service continuity.
  - Support: Technical and operational support must be initiated and performed exclusively within the Union.
- Union Assurance Level 3 (High - Conditional on Control):
  - Personnel: Personnel involved in the provision of the service must be Union citizens. Where appropriate, they must hold national security clearance for classified information.
  - Control: The provider and subcontractors must not be subject to the control of a third country.
  - Derogation: A narrow exception exists under Article 18 (not Article 19, as sometimes mis-cited). The Commission may adopt an implementing act recognising a third country as providing sufficient assurances, allowing a provider controlled by that country to qualify for Level 3. This requires the third country to have a GDPR adequacy decision and no laws enabling extraterritorial data access or service disruption.
  - Support: Technical support must be performed exclusively within the Union by Union residents.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Union Assurance Level 4 (Highest):
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
  - Control: The provider and subcontractors must not be subject to the control of a third country. No derogation for third-country control is permitted at this level.
  - Software Supply Chain: Measures must ensure that third countries do not hold effective control over the design, development, maintenance, or evolution of software components.
  - Personnel: Must be Union citizens with necessary security clearances where applicable.
Recognition and the Central Repository (Article 22)
A provider cannot simply claim to be "sovereign"; it must be formally recognised through a rigorous process.
- Application: Under Article 17, a provider submits an application for recognition to the national competent authority of establishment. For Irish providers, this would be the authority designated by Ireland under Article 25.
- Level 1 Process: Providers issue an EU statement of conformity based on a self-assessment. For SMEs, this statement is automatically recognised across the Union. For larger providers, the national authority assesses the evidence.
- Levels 2–4 Process: Providers must undergo independent third-party audits (Article 20). An auditing organisation issues an audit report and a 'positive' audit opinion. The national competent authority then reviews this evidence and issues a recognition decision.
- The Central Repository: Once recognised, the provider is registered in the central repository established and maintained by the European Commission under Article 22. This repository is publicly available and serves as the single source of truth for buyers across the EU, including in Ireland. It lists all cloud computing services recognised as offering Union assurance levels 1 through 4. Revocations are also published and remain visible for five years.
What This Means for Buyers in Ireland
Irish public sector bodies will not be able to choose providers based on national sovereignty claims or marketing labels alone. Their procurement decisions will be strictly tied to the EU-wide recognition status.
- Risk Assessments (Article 29): By one year after CADA's entry into force, Ireland (as a Member State) must carry out risk assessments to identify which public sector activities contribute to the preservation of public order (e.g., national security, justice, law enforcement, defence). This assessment determines the minimum assurance level required for procurement in those sectors.
- Procurement Obligations (Article 30):
  - General Public Sector: For activities not identified as contributing to public order, Irish contracting authorities must procure services recognised at least at Union assurance level 1.
  - Public Order Activities: For activities identified as contributing to public order, authorities must only procure services recognised at Union assurance levels 2, 3, or 4.
- Identifying Providers: Irish buyers must access the Commission's central repository (Article 22) to find eligible providers. There is no separate "Irish list." If a provider is not in the central repository, they cannot be procured for public sector use under CADA.
Distinguishing EU/EEA-Controlled from Non-EU-Controlled Offerings
A critical distinction in CADA is between providers established in the EU but controlled by third-country entities, and those fully autonomous within the Union. This distinction determines eligibility for the higher assurance levels.
- EU-Controlled Providers: Providers established in the Union with no third-country control can achieve all four assurance levels, provided they meet the technical, personnel, and cybersecurity criteria. They are the primary candidates for Level 3 and Level 4, which are essential for critical public order functions.
- Non-EU-Controlled Providers (e.g., US-owned subsidiaries in Ireland):
  - Level 1: Possible, provided they guarantee no mandatory vulnerability reporting to foreign authorities.
  - Level 2: Possible, but only if they implement robust legal and technical measures to prevent third-country access to data, service disruption, or the enforcement of restrictive measures (sanctions/embargoes) by the third country.
  - Level 3: Generally not possible unless the Commission adopts a specific implementing act under Article 18 recognising the third country as an "associated third country." This is a high bar, requiring an adequacy decision and the absence of extraterritorial access laws.
  - Level 4: Impossible for providers subject to third-country control. The criteria explicitly require that the provider and subcontractors are not subject to such control.
What this means for you
For cloud service providers, data centre operators, and public buyers in Ireland:
- For Providers (Preparation): Begin aligning your services with the criteria in Annex II. If you target Level 1, ensure your self-assessment processes are robust. For Levels 2–4, prepare for independent audits by accredited organisations. If you are a subsidiary of a non-EU entity, understand that you may be capped at Level 2 unless your parent country secures an Article 18 derogation.
- For Providers (Engagement): Once CADA is adopted, Ireland will designate a national competent authority under Article 25. Engage early to understand the specific application processes for recognition.
- For Buyers (Procurement Strategy): Do not rely on vendor marketing claims of "sovereignty." Your procurement decisions will be tied to the status of providers in the Commission's central repository. You must first participate in the national risk assessment process to determine which assurance levels your specific activities require.
- For Buyers (Verification): Always verify a provider's status in the central repository before tendering. A provider recognised in one Member State is automatically recognised across the Union, including Ireland, once listed.
Common misconceptions
- "Sovereign cloud is a national label." CADA creates a Union-wide framework. There is no "Irish sovereign cloud" label separate from the EU assurance levels. Recognition is mutual across the EU; a provider recognised in Germany is automatically valid for Irish procurement if listed in the central repository.
- "All EU-based providers are automatically sovereign." No. Providers must actively apply for recognition and meet specific criteria. An EU-established provider controlled by a third country may only qualify for Level 1 or 2, not the higher levels required for critical public order activities.
- "The central repository is a national list." The repository in Article 22 is maintained by the European Commission, not by Ireland. It aggregates recognitions from all Member States. Ireland cannot create a separate list of approved providers.
- "Level 3 allows any third-country control." Level 3 generally prohibits third-country control. The only exception is the specific derogation under Article 18 for "associated third countries," which is a rare, Commission-decided status, not a general rule.
This is general information about a draft EU regulation, not legal advice.