Summary

Under the proposed Cloud and AI Development Act (CADA), Italy does not maintain a unique national list of sovereign cloud providers. Instead, it participates in a harmonized EU-wide framework of four "Union assurance levels" established by Article 16. Italian public bodies and critical private entities must procure cloud services that meet the assurance level determined by national risk assessments, verifying provider status exclusively through the Commission's central repository under Article 22. This system explicitly distinguishes between providers controlled within the EU/EEA and those exposed to non-EU laws (such as the US CLOUD Act), ensuring that services used for public-order activities are resilient against extraterritorial interference.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, fundamentally shifts the paradigm for cloud sovereignty in Italy. Rather than relying on fragmented national certifications or bilateral agreements, CADA establishes a single "Union cloud computing sovereignty framework." For Italian organizations, this means the availability of sovereign cloud options is not defined by a domestic registry, but by whether a provider has been formally recognized across the entire Union as meeting one of four cumulative assurance levels.

The Union Cloud Computing Sovereignty Framework (Article 16)

Article 16 establishes a framework comprising four Union assurance levels. These levels are strictly cumulative; a provider seeking recognition at Level 3 must first meet all criteria for Levels 1 and 2. The specific criteria are detailed in Annex II of the proposal, focusing on the location of infrastructure, data, and personnel, as well as the legal control exerted by third countries.

  • Union Assurance Level 1 (Baseline): This level serves as the minimum requirement for general public sector use. To qualify, a provider must be established in the Union. Crucially, the infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise. A key safeguard for Level 1 addresses third-country control: if a provider is subject to the control of a third country, it must guarantee that no existing law in that third country requires software vulnerabilities to be reported to authorities before those vulnerabilities are known to have been exploited.
  • Union Assurance Level 2 (Enhanced Security): This level introduces stricter requirements for personnel and cybersecurity. Providers and their subcontractors must be established in the Union, with infrastructure, assets, and personnel located there. Data generated by the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country. Providers must obtain a European cybersecurity certificate of at least assurance level "substantial" (or demonstrate compliance with the highest cybersecurity standards if the EU scheme is not yet available). Additionally, strict software supply chain measures are required, including a complete Software Bill of Materials (SBOM) and controls to block remote features that could tamper with the service.
  • Union Assurance Level 3 (Public Order): Designed for activities contributing to the preservation of public order (e.g., national security, defense, justice, law enforcement), this level mandates that all personnel involved in the service, including those of subcontractors, be Union citizens. Where appropriate, personnel must hold national security clearances. Like Level 2, it requires strict data localization and cybersecurity certification. A critical distinction is that providers and subcontractors generally cannot be subject to the control of a third country. However, Article 18 provides a derogation: the Commission may adopt an implementing act recognizing a specific third country as providing sufficient assurances, allowing providers controlled from that country to qualify for Level 3 if they meet rigorous safeguards against data access and service disruption.
  • Union Assurance Level 4 (Classified Information): This is the highest level of assurance, enabling the secure hosting of EU classified information. It requires Union citizenship for personnel and, where handling classified information, necessary national security clearances issued by a Member State. It prohibits third-country control over the provider and subcontractors entirely (with no derogation for associated third countries at this level) and mandates a European cybersecurity certificate of at least assurance level "high".

Distinguishing EU-Controlled Offerings from Non-EU Exposed Providers

A core objective of CADA is to mitigate risks associated with the extraterritorial application of third-country laws. The explanatory memorandum explicitly identifies the US CLOUD Act as a primary concern, noting that laws with extraterritorial effect can compel providers to disclose data or disrupt services, conflicting with EU fundamental rights.

Under CADA's framework, the distinction is clear:

  • Providers Subject to Third-Country Control: A provider is considered subject to third-country control if it is established in the Union but controlled by a legal entity in a third country, or if its infrastructure and personnel are located outside the Union. For Levels 2 and 3, such providers must demonstrate robust legal, technical, and organizational measures to prevent third-country access to data or service disruption. They must prove that third-country control does not restrict their ability to deliver the service or oblige them to comply with restrictive measures like sanctions.
  • Associated Third Countries (Article 18): The Commission may recognize specific third countries as providing sufficient assurances for Level 3. To qualify, a third country must have an adequacy decision under the GDPR, have no laws compelling data access that conflict with EU data protection rules, and have no measures in place to disrupt service continuity. Currently, no such list exists in the proposal. Consequently, most non-EU-controlled hyperscalers (e.g., those subject to US law) would likely only qualify for Level 1, unless they implement significant legal and technical firewalls and the Commission adopts a specific implementing act for their country of control.
  • The "Substantial" vs. "High" Distinction: It is vital to note that Annex II specifies that Level 2 and Level 3 require a cybersecurity certificate of at least "substantial" assurance, while Level 4 requires "high" assurance. This aligns with the evolving European cybersecurity certification scheme (EUCS).

Identifying Recognized Providers via the Central Repository (Article 22)

Italian organizations do not need to conduct independent technical audits to verify a provider's sovereignty status. Article 22 mandates that the European Commission establish and maintain a central repository of cloud computing services recognized as offering Union assurance levels 1–4.

  • Recognition Process: Providers apply to the national competent authority of their main establishment. For a provider based in Italy, this would be the authority designated by Italy under Article 25. After assessment (which involves independent audits for Levels 2–4 under Article 20), the service is recognized across the entire Union.
  • Public Access: The repository is publicly available. Italian buyers can query this database to identify which services have been formally recognized and at which assurance level.
  • Transparency and Updates: Providers must report any material changes that could affect their assurance level under Article 23. The repository is updated accordingly. If a recognition is revoked, it is published and remains visible for five years, ensuring buyers are aware of past non-compliance.

Implications for Italian Buyers

Italian public sector bodies must conduct risk assessments under Article 29 to determine the required assurance level for their specific activities.

  • General Public Services: Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized at Union Assurance Level 1.
  • Public Order Activities: Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in sectors falling under Annex I or II of the NIS2 Directive, or areas of national security, defense, justice, or law enforcement) must procure only services recognized at Union Assurance Levels 2, 3, or 4.

Private sector entities in critical sectors (e.g., energy, transport, health) may conduct similar impact assessments under Article 31, though CADA primarily mandates these procurement rules for public bodies. However, the market signal from public procurement is expected to drive broader adoption of sovereign services.

What this means for you

For cloud service providers and data centre operators active in Italy, CADA introduces a new compliance pathway to access the lucrative public sector market.

  1. Assess Your Current Status: Determine if your existing offerings meet the criteria for Union Assurance Level 1. If you are a non-EU hyperscaler with an Italian subsidiary, evaluate whether your current legal and technical structures allow you to meet Level 2 or 3 criteria, particularly regarding data localization, personnel citizenship, and third-country access risks.
  2. Prepare for Audits: For Levels 2–4, you must undergo independent third-party audits under Article 20. Ensure your documentation, including SBOMs, data flow diagrams, evidence of personnel citizenship, and proof of separation from third-country subsidiaries, is audit-ready.
  3. Apply for Recognition: Submit an application to the Italian national competent authority (once designated) for recognition under the appropriate assurance level. Without this recognition, you cannot be listed in the central repository and are ineligible for most public sector contracts.
  4. Monitor the Central Repository: Regularly check the Commission's central repository to monitor competitors and ensure your own status remains up-to-date. Be aware that revocations are public and remain visible for five years.

For Italian public sector IT managers and procurement officers, the shift is from evaluating technical specs to verifying legal and sovereignty certifications. You must rely on the central repository (Article 22) to identify compliant providers and align your procurement strategies with the outcomes of your national risk assessments (Article 29).

Common misconceptions

  • "Italy has its own sovereign cloud certification." CADA harmonizes sovereignty criteria across the EU. While Italy will designate a national competent authority to process applications, the recognition is valid across the entire Union. There is no separate "Italian sovereign" label; there are only Union Assurance Levels.
  • "All EU-based providers are automatically sovereign." Being established in the EU is only the first criterion for Level 1. Providers must also demonstrate that their infrastructure, data, and personnel are located in the Union, and that they are not subject to third-country laws that could compromise data confidentiality or service continuity.
  • "The US CLOUD Act is no longer a risk if the provider is EU-based." If an EU-based provider is controlled by a US parent company, it remains subject to US laws. Under CADA, such providers must implement strict technical and legal firewalls to qualify for Levels 2 and 3. For Level 4, third-country control is generally prohibited.
  • "Private companies are exempt from sovereignty requirements." While CADA's mandatory procurement rules apply to public bodies, private entities in critical sectors (e.g., finance, energy) are encouraged to conduct impact assessments under Article 31. Furthermore, the market signal from public procurement will drive demand for sovereign services, indirectly affecting private sector choices.
  • "Level 3 allows any third-country provider." Level 3 generally prohibits third-country control. A derogation exists only if the Commission has adopted a specific implementing act under Article 18 recognizing a third country as providing sufficient assurances. Without such an act, a provider controlled from a third country cannot qualify for Level 3.

This is general information about a draft EU regulation, not legal advice.