Summary
Under the proposed Cloud and AI Development Act (CADA), there is no specific national list of "Luxembourg sovereign cloud providers." Instead, providers must seek recognition under a harmonised EU-wide sovereignty framework consisting of four Union assurance levels (Article 16). Luxembourg buyers identify these recognised services exclusively through a central repository maintained by the European Commission (Article 22). To qualify as sovereign, a provider must demonstrate that its infrastructure, personnel, and data remain within the Union and that it is not subject to the extraterritorial control of non-EU laws. This framework distinguishes EU/EEA-controlled offerings from providers exposed to third-country jurisdictions, with the highest levels (3 and 4) effectively requiring Union citizenship for personnel and prohibiting third-country control unless a specific derogation applies.
Detail
The Union Cloud Computing Sovereignty Framework
The CADA proposal establishes a "Union cloud computing sovereignty framework" to mitigate risks associated with the EU's dependence on third-country cloud providers. As set out in Article 16, this framework comprises four distinct "Union assurance levels." These levels are not merely technical certifications; they are legal and operational standards designed to ensure data confidentiality, operational autonomy, and the prevention of harm to public order.
The criteria for each level are cumulative and increasingly stringent, detailed in Annex II of the proposal. The levels are structured to address different risk profiles, ranging from basic establishment requirements to strict controls over personnel citizenship and third-country influence.
1. Union Assurance Level 1: The Baseline
This is the entry-level requirement. To qualify, a provider must:
- Be established in the Union.
- Ensure its infrastructure and assets, including those of subcontractors, are located in the Union, unless the public sector body explicitly requires otherwise.
- Guarantee that customer data (including metadata and telemetry) remains exclusively within the Union, unless explicitly required otherwise by the public sector body.
- Demonstrate compliance with state-of-the-art cybersecurity standards.
- Provide full transparency regarding subcontractors and subject them to due diligence.
- Third-country control: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require it to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited.
2. Union Assurance Level 2: Independent Audit & Substantial Security
This level introduces mandatory independent third-party audits and stricter location requirements. Beyond Level 1, the provider must:
- Ensure the audited provider and its subcontractors are established in the Union.
- Confirm that all infrastructure, assets, and personnel involved in the service are located in the Union.
- Obtain a European cybersecurity certificate of at least assurance level 'substantial' (or an equivalent national scheme until a Union-wide scheme is established).
- AI Data Restriction: Data generated by using the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country, nor can it be transferred outside the Union.
- Software Supply Chain: Implement measures including a complete Software Bill of Materials (SBOM) and controls to block remote features that could tamper with the service.
- Personnel: While Level 2 does not mandate Union citizenship for all personnel, it allows the public sector body to determine whether additional personnel screening and Union citizenship requirements are necessary (Annex II, 2.1(d)).
3. Union Assurance Level 3: High Public Order Protection
This level is designed for activities contributing to the preservation of public order. It imposes strict personnel and control requirements:
- Personnel: All personnel involved in the service, including those of subcontractors, must be Union citizens. Where appropriate (e.g., when handling classified information), personnel must also hold the necessary national security clearance issued by a Member State.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
- Derogation: Article 18 allows the Commission to adopt implementing acts identifying specific third countries where providers subject to their control may still qualify for Level 3, provided those countries have implemented safeguards ensuring no unauthorised access to Union data or service disruption. This is the only pathway for a non-EU-controlled entity to reach Level 3.
- Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents.
4. Union Assurance Level 4: Maximum Sovereignty
This is the highest level, intended for the most critical public sector activities (e.g., defence, intelligence):
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
- Personnel: All personnel must be Union citizens with appropriate security clearances where necessary.
- Effective Control: The provider must demonstrate that no third country holds or exercises effective control over the design, development, maintenance, and evolution of the software components. This includes ensuring no third country can materially influence technical evolution, security remediation, or long-term continuity.
- No Third-Country Control: The provider and subcontractors must not be subject to the control of a third country. Unlike Level 3, no derogation is provided for third-country control at Level 4.
The Central Repository (Article 22)
For Luxembourg organisations, the question is not "who is sovereign?" but "who is recognised?" Article 22 mandates the establishment of a central repository of cloud computing services that have been recognised as offering Union assurance levels 1–4.
- Maintenance: The repository is established and maintained by the European Commission.
- Registration: National competent authorities (in Luxembourg, the authority designated under Article 25) register services in this repository after completing the recognition process (detailed in Article 17).
- Definitive Source: The repository is publicly available and regularly updated. For a buyer in Luxembourg, this repository is the definitive source of truth. If a cloud service is not listed in the central repository with a specific assurance level, it cannot be considered "recognised" under CADA, regardless of marketing claims.
Distinguishing Sovereign Offerings from Non-EU Exposed Providers
The CADA framework explicitly addresses the risk of extraterritorial law, such as the US CLOUD Act. The proposal notes that large market incumbents are often subject to third-country jurisdictions where laws with an extraterritorial effect apply, potentially conflicting with EU fundamental rights.
- EU/EEA-Controlled Sovereign Offerings: Providers meeting the criteria for Levels 3 and 4 demonstrate that they are not subject to the control of a third country. They guarantee that their personnel, infrastructure, and data remain within the Union's legal and physical jurisdiction. For Level 3, a provider subject to third-country control may qualify only if the Commission has adopted an implementing act under Article 18 for that specific country.
- Providers Exposed to Non-EU Law: Providers controlled by third-country entities or subject to third-country laws without the specific safeguards recognised by the Commission cannot achieve Levels 3 or 4. For Levels 1 and 2, they may qualify only if they can prove that no laws in the controlling third country require them to report vulnerabilities prematurely or disrupt service. However, the strict personnel and control requirements of higher levels effectively exclude most non-EU-controlled hyperscalers from the highest tiers of sovereign procurement.
What this means for you
For Cloud Service Providers in Luxembourg
If you operate a cloud service in Luxembourg and wish to serve public sector bodies, you must aim for recognition under the CADA framework.
- Assess Your Control Structure: If you are owned by a non-EU parent company, you face significant hurdles for Levels 3 and 4. You must demonstrate effective legal, technical, and organisational separation between your Union entity and any third-country subsidiary (Annex II, Sections 2(k) and 3(k)).
- Prepare for Audits: Levels 2–4 require independent third-party audits. Ensure your software supply chain is transparent, with a documented SBOM and controls against remote tampering.
- Engage with the National Competent Authority: You must submit your application for recognition to the national competent authority of your establishment (Article 17). In Luxembourg, this will be the authority designated under Article 25.
- SME Advantage: If you are a Small or Medium-sized Enterprise (SME) seeking Level 1 recognition, your EU statement of conformity is directly and automatically recognised in all Member States without prior national review (Article 17(3)).
For Data Centre Operators
While CADA primarily regulates cloud computing services, data centre operators supporting these services must ensure their facilities meet the location and personnel requirements. If you host infrastructure for a Level 3 or 4 provider, your personnel must be Union citizens, and your facility must be entirely within the Union. You must also ensure that no remote access for technical support is possible from outside the Union.
For Buyers in Luxembourg
- Check the Repository: Before procuring cloud services, consult the central repository established under Article 22. Only procure services listed there with the assurance level required by your risk assessment.
- Conduct Risk Assessments: Under Article 29, Member States and Union entities must conduct risk assessments to determine which assurance level (2, 3, or 4) is appropriate for their activities. If your activity contributes to public order (e.g., healthcare, justice, critical infrastructure), you will likely need Level 2 or higher.
- Plan for Migration: If you currently use a non-recognised provider, you may need to migrate. Article 29(6) states that if a risk assessment requires migration, it must occur within a reasonable transition period not exceeding 12 months.
- Procurement Rules: Under Article 30, contracting authorities whose activities contribute to public order must procure only services recognised at Union assurance levels 2, 3, or 4.
Common misconceptions
"Sovereign cloud means data stays in Luxembourg." Incorrect. CADA requires data to remain within the Union, not necessarily in Luxembourg. A provider established in Germany can be recognised as a Union assurance level 4 provider for a Luxembourg buyer, provided all criteria are met.
"Only EU-owned companies can be sovereign." Partially incorrect. A company can be owned by non-EU shareholders but still qualify for Levels 1 or 2 if it meets the strict criteria regarding data location, personnel, and vulnerability reporting. However, for Levels 3 and 4, the provider must not be subject to the control of a third country, which effectively requires EU/EEA control or specific derogations under Article 18.
"Cybersecurity certification equals sovereignty." Incorrect. While CADA requires cybersecurity certificates (e.g., EUCS), sovereignty also involves legal jurisdiction, personnel citizenship, and supply chain transparency. A provider can be highly secure but still subject to extraterritorial data access laws, disqualifying it from higher assurance levels.
"Luxembourg has its own sovereign cloud list." Incorrect. The recognition mechanism is EU-wide. The central repository is maintained by the Commission, not by Luxembourgish authorities. National competent authorities facilitate the process, but the recognition is valid across the Union.
"Article 18 allows any third-country provider to reach Level 3." Incorrect. Article 18 allows the Commission to adopt implementing acts identifying specific third countries where providers may be audited for Level 3. It does not automatically grant access; the third country must meet strict criteria regarding data access, service disruption, and market openness.
Official sources
This is general information about a draft EU regulation, not legal advice.