Summary
Under the proposed Cloud and AI Development Act (CADA), Lithuania will not maintain a separate national list of "sovereign" providers. Instead, the regulation establishes a single Union cloud computing sovereignty framework with four Union assurance levels (Article 16) that apply across the entire EU. Lithuanian public bodies and Union entities will identify recognised providers exclusively through a central repository maintained by the European Commission (Article 22). Providers controlled by third countries (e.g., US hyperscalers) face strict limitations: they may qualify for lower levels with safeguards, but generally cannot reach the highest levels (3 and 4) unless the Commission adopts a specific derogation under Article 18. As a proposal, CADA is not yet in force; these rules would apply once adopted.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, changes how cloud procurement in Lithuania is governed. Rather than relying on fragmented national definitions of "sovereignty," the proposal creates a harmonised, auditable Union framework. For Lithuanian cloud providers, data centre operators, and public sector buyers, compliance is determined by meeting the cumulative criteria for an assurance level defined in Annex II of the proposal, verified by self-assessment (Level 1) or independent audit (Levels 2 to 4), and recorded in the Commission's central repository.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 of the proposal establishes the "Union cloud computing sovereignty framework." This framework consists of four distinct assurance levels. To be recognised as offering a specific level, a cloud computing service provider must meet all cumulative criteria for that level. These levels are not optional tiers of quality but mandatory thresholds that determine which public sector activities in Lithuania a provider can serve.
- Union Assurance Level 1 (Baseline): This is the minimum requirement for any cloud service procured by public sector bodies under CADA.
- Establishment: The provider must be established in the Union.
- Location: Infrastructure and assets (including those of subcontractors) must be located in the Union, unless the public sector body explicitly requires otherwise.
- Data: Customer data (including metadata and telemetry) must remain exclusively within the Union.
- Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
- Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to foreign authorities before those vulnerabilities are known to be exploited.
- Verification: This level relies on a conformity self-assessment by the provider and an EU statement of conformity (Article 19), without mandatory independent third-party audits.
- Union Assurance Level 2 (Enhanced Sovereignty): This level introduces stricter controls on personnel, AI training, and third-country influence.
- Personnel: Infrastructure, assets, and personnel (including subcontractors) must be located in the Union.
- AI Restrictions: Data generated by the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (or demonstrate compliance with the highest standards if no scheme exists yet).
- Third-Country Control: If controlled by a third country, the provider must demonstrate measures preventing third-country access to data, service disruption, or the imposition of restrictive measures (e.g., sanctions).
- Support: Technical and operational support must be initiated and performed exclusively within the Union.
- Verification: Requires an independent third-party audit and a 'positive' audit opinion (Article 20).
- Union Assurance Level 3 (Public Order Protection): Designed for activities contributing to the preservation of public order (e.g., law enforcement, defence, justice).
- Personnel Citizenship: All personnel involved in the service, including subcontractors, must be Union citizens. Where handling classified information, personnel must hold necessary national security clearances.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Third-Country Control: Generally prohibited. However, Article 18 allows for a derogation: the Commission may adopt an implementing act recognising a third country as providing sufficient assurances. If such an act exists, the provider may qualify for Level 3 provided strict safeguards are met (e.g., no access to data, no service disruption).
- Support: Technical support must be performed exclusively within the Union by Union residents.
- Verification: Requires independent third-party audit.
- Union Assurance Level 4 (Highest Sovereignty): The highest level, intended for the most critical public order activities and classified information.
- Personnel: All personnel must be Union citizens with necessary security clearances.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
- Third-Country Control: Strictly prohibited. The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
- Software Supply Chain: The provider must demonstrate that no third country holds effective control over the design, development, maintenance, or evolution of the software components used.
- Verification: Requires independent third-party audit.
Recognition and the Central Repository (Article 22)
Lithuanian organisations cannot rely on a provider's self-declared "sovereign" status. Article 22 mandates the establishment of a central repository of cloud computing services recognised under the framework.
- The Process: A provider seeking recognition must submit an application to the national competent authority of establishment. For a provider established in Lithuania, this would be the authority designated by Lithuania under Article 25.
- The Repository: Once the competent authority confirms recognition (based on self-assessment for Level 1 or an audit report for Levels 2–4), the service is registered in the central repository maintained by the Commission.
- Public Access: The repository is publicly available and regularly updated. Lithuanian contracting authorities must consult this repository to verify that a provider is recognised at the required assurance level. A provider not listed in the repository cannot be procured for public sector activities requiring a specific Union assurance level.
- Transparency: The repository will also publish revocations of recognition, ensuring that Lithuanian buyers are aware if a provider loses its status.
Distinguishing EU/EEA-Controlled vs. Non-EU-Controlled Providers
A primary driver of CADA is mitigating risks from extraterritorial laws, such as the US CLOUD Act, which allows US authorities to compel a provider subject to US jurisdiction to disclose data in its possession, custody or control regardless of where that data is physically stored. CADA addresses this through the "control" criteria in Annex II.
- EU/EEA-Controlled Offerings: Providers established, controlled, and operated entirely within the EU/EEA are the natural candidates for Levels 2, 3, and 4. They face no inherent conflict with third-country laws regarding data access or service disruption, provided they meet the technical and personnel criteria (e.g., Union citizen staff for Levels 3 and 4).
- Non-EU-Controlled Providers (e.g., US Hyperscalers):
- Level 1: Possible, provided they guarantee no pre-exploitation vulnerability reporting to third-country authorities.
- Level 2: Possible, but requires robust legal, technical, and organisational measures to prevent third-country access to data and service disruption. They must also prove that third-country control does not restrict their ability to deliver the service.
- Level 3: Generally prohibited unless the Commission adopts a specific implementing act under Article 18 identifying the third country as providing sufficient assurances. This is a high bar, requiring the third country to have no measures enabling control that conflicts with EU law.
- Level 4: Strictly prohibited. A provider subject to third-country control cannot achieve Level 4, as the criteria explicitly require that the provider is not subject to such control.
What this means for you
For cloud service providers, data centre operators, and public sector bodies in Lithuania, the proposed CADA introduces a new compliance landscape.
1. For Cloud Providers in Lithuania
- Audit Readiness: If you aim to serve Lithuanian public bodies for critical functions (Levels 2–4), you must prepare for independent third-party audits. Ensure your software bill of materials (SBOM) is complete, your supply chain is transparent, and your personnel records are verifiable.
- Personnel Strategy: To reach Levels 3 and 4, you must ensure that all personnel involved in the service (including subcontractors) are Union citizens. This may require restructuring hiring practices or subcontracting arrangements.
- Third-Country Parentage: If you are a subsidiary of a non-EU parent, you must rigorously document the legal, technical, and organisational separation between your EU entity and the parent. Without a specific Commission decision under Article 18, you will likely be capped at Level 2.
- Application: Once CADA is in force, submit your application for recognition to the Lithuanian national competent authority. Do not market your services as "CADA-compliant" until you are listed in the central repository.
2. For Lithuanian Public Bodies (Buyers)
- Risk Assessment First: Before procuring, your organisation must conduct a risk assessment under Article 29 to determine which assurance level is required. Standard administrative tasks may only require Level 1, while activities in defence, justice, or law enforcement will likely require Levels 2, 3, or 4.
- Verify in the Repository: Never accept a provider's claim of sovereignty without checking the central repository (Article 22). If a provider is not listed at the required level, they cannot be procured for that activity.
- No National Lists: Do not wait for a Lithuanian-specific list. The framework is Union-wide. A provider recognised in Germany is automatically recognised in Lithuania.
3. For Data Centre Operators
- Location Matters: Ensure your infrastructure is physically located in the Union. Only Level 1 lets a public sector body explicitly waive Union location; for Levels 2–4 it is a strict requirement, and it extends to infrastructure operated by subcontractors.
- Sustainability: While not a direct sovereignty criterion, data centres in acceleration zones must meet sustainability KPIs defined in Delegated Regulation (EU) 2024/1364, which may influence procurement decisions alongside sovereignty levels.
Common misconceptions
"Sovereignty under CADA just means data localisation." Incorrect. While data must remain in the Union for all levels, sovereignty also encompasses operational autonomy, personnel citizenship (for Levels 3 and 4), cybersecurity certification (substantial or high), and freedom from third-country legal control. A provider can store data in Lithuania but fail Level 3 if its staff are not EU citizens or if it is controlled by a non-EU entity without a Commission derogation.
"Non-EU providers are completely banned from Lithuania." Incorrect. Non-EU controlled providers can still operate in Lithuania and may qualify for Level 1 or Level 2 if they implement robust safeguards. However, they face significant barriers for Level 3 (requiring a specific Commission decision under Article 18) and are strictly excluded from Level 4.
"Lithuania will create its own list of sovereign providers." Incorrect. CADA establishes a Union-wide framework. The central repository (Article 22) is maintained by the Commission. A provider recognised in one Member State is recognised across the entire Union, preventing market fragmentation and ensuring a level playing field.
"I can self-certify for Level 3 or 4." Incorrect. Only Level 1 allows for self-assessment and an EU statement of conformity (Article 19). Levels 2, 3, and 4 mandate independent third-party audits (Article 20) and formal recognition by the national competent authority.
"The US CLOUD Act is irrelevant if data is in Lithuania." Under CADA, it is highly relevant. The framework specifically addresses the risk that a provider subject to US jurisdiction could be compelled to access data or disrupt services. For Levels 3 and 4, the proposal generally excludes providers subject to such third-country control unless the Commission explicitly finds the third country provides sufficient safeguards.
Related
- What sovereign cloud providers and options are available in Sweden under CADA?
- What sovereign cloud providers and options are available in Spain under CADA?
- What sovereign cloud providers and options are available in Slovenia under CADA?
- What sovereign cloud providers and options are available in Slovakia under CADA?
- What sovereign cloud providers and options are available in Portugal under CADA?
This is general information about a draft EU regulation, not legal advice.