Summary
Under the proposed Cloud and AI Development Act (CADA), Malta does not maintain a unique national list of sovereign cloud providers. Instead, Maltese public bodies and regulated entities must rely on the EU-wide Union cloud computing sovereignty framework established in Article 16. This framework defines four cumulative assurance levels (1–4) that providers must meet to be recognised as offering "Union assurance." Buyers in Malta identify these recognised providers exclusively through the central repository maintained by the European Commission, as mandated by Article 22. A provider's status depends on strict compliance with criteria regarding data localisation, personnel citizenship, and freedom from third-country control, rather than merely having a physical data centre in Malta.
Detail
The Union Cloud Computing Sovereignty Framework (Article 16)
CADA introduces a harmonised mechanism to mitigate the risks associated with dependence on non-European cloud providers, particularly those subject to extraterritorial laws such as the US CLOUD Act. Article 16 establishes the Union cloud computing sovereignty framework, which consists of four cumulative assurance levels. These levels define the degree of sovereignty, security, and autonomy a cloud service must offer to be eligible for public procurement in the EU, including in Malta.
The criteria for each level are detailed in Annex II of the proposal and escalate in strictness. Crucially, the framework distinguishes between technical cybersecurity and legal/operational sovereignty.
1. Union Assurance Level 1 (Baseline Self-Assessment)
- Requirements: The provider must be established in the Union. Infrastructure and assets (including those of subcontractors) must be located in the Union unless the public sector body explicitly requires otherwise. Customer data must remain exclusively within the Union. The provider must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors.
- Assessment Method: Providers carry out a conformity self-assessment and issue an EU statement of conformity.
- SME Derogation: For small and medium-sized enterprises (SMEs), the EU statement of conformity is recognised directly and automatically in all Member States; no prior recognition by a national competent authority is needed.
- Third-Country Control: A provider subject to third-country control must guarantee that no law of that third country obliges it to report software vulnerabilities to that country's authorities before the vulnerabilities are known to be exploited.
2. Union Assurance Level 2 (Independent Audit & Substantial Security)
- Requirements: Builds on Level 1 but adds stricter controls. The provider and its subcontractors must be established in the Union. Infrastructure, assets, and personnel must be located in the Union. Data generated by the service cannot be used to train AI systems operated by third countries.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881. Until such a scheme is established, national schemes apply.
- Personnel Conditionality: If the public sector body determines that additional personnel screening and Union citizenship requirements are necessary, the provider must ensure that personnel meeting those requirements are available. Citizenship is therefore conditional at Level 2, not mandatory for all staff by default.
- Third-Country Control: A provider controlled by a third country must demonstrate that such control cannot be used to restrict service delivery, give that third country access to data, or disrupt the service.
3. Union Assurance Level 3 (Enhanced Sovereignty & Mandatory Citizenship)
- Requirements: Similar to Level 2, but personnel involved in service provision must be Union citizens. If handling classified information, personnel must have necessary national security clearances.
- Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Third-Country Control: Generally, providers and subcontractors must not be subject to the control of a third country.
- The Derogation: By way of derogation, a provider subject to third-country control may still be audited for Level 3 where the Commission has adopted an implementing act under Article 18 ("Associated third countries") identifying that third country as providing sufficient assurances. Even then, strict safeguards against unauthorised access and service disruption are required.
4. Union Assurance Level 4 (Highest Sovereignty & High Security)
- Requirements: The strictest level. All personnel must be Union citizens with security clearances for classified data.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high'. Note that Level 3 and Level 2 both require 'substantial', while only Level 4 requires 'high'.
- Third-Country Control: The provider and subcontractors must not be subject to third-country control. No derogation exists for third-country controlled entities at this level.
- Support: Technical and operational support must be performed exclusively within the Union by Union residents and entities not subject to third-country control.
Identifying Recognised Providers: The Central Repository (Article 22)
For organisations in Malta, the practical question is: how do I know whether a provider is compliant? CADA answers it with a single source of truth, so buyers do not have to repeat the recognition assessment themselves. Note what the repository does and does not tell you: it records the level at which a service has been recognised; deciding which level a given workload needs remains the buyer's own risk assessment under Article 29.
Article 22 mandates that the European Commission shall establish and maintain a central repository of cloud computing services that have been recognised under Article 17.
- Recognition Process: A provider submits an application to the national competent authority of its main establishment (e.g., if a provider is headquartered in Germany, the German authority evaluates it). Once recognised, that status is valid across the entire Union, including Malta.
- Public Access: The central repository is publicly available and regularly updated. It lists services recognised at Levels 1, 2, 3, or 4.
- Revocation: If a provider's status is revoked (e.g., due to non-compliance or a change in ownership that introduces third-country control), this revocation is published in the repository and remains visible for five years.
Maltese contracting authorities must consult this repository to verify that a tendered service is recognised at the required assurance level. For Levels 2–4, a provider's own declaration is not sufficient; the recognition must appear in the repository. For Level 1, the provider's EU statement of conformity must be valid.
Distinguishing Sovereign Offerings from Non-EU Exposed Providers
The core purpose of this framework is to distinguish between providers that are legally and technically insulated from foreign interference and those that are not.
- EU/EEA-Controlled Sovereign Offerings: Providers that meet the criteria for Levels 2–4 are typically EU-incorporated and EU-controlled. They guarantee that data remains in the Union, personnel are EU-based (and citizens for Levels 3–4), and no third country can compel them to hand over data or disrupt services. These are the "sovereign" options CADA promotes.
- Providers Exposed to Non-EU Law: Many global hyperscalers are subject to laws like the US CLOUD Act, which can compel them to disclose data stored abroad. Under CADA's Annex II criteria, a provider subject to such extraterritorial laws cannot meet the requirements for Levels 2–4 unless it can demonstrate effective legal and technical separation; at Level 3 this route is open only where the third country is covered by an Article 18 implementing act, and at Level 4 no derogation exists at all. Consequently, such providers may only qualify for Level 1 (if established in the EU) or may not qualify for public procurement in sensitive sectors at all.
For Malta, this means that traditional global cloud providers may be excluded from high-risk public sector contracts (requiring Levels 2–4) unless they have spun off a distinct, EU-controlled entity that meets the strict personnel and data localisation requirements.
What this means for you
If you are a cloud service provider or data centre operator offering services in Malta, you must take the following steps:
- Assess Your Current Standing: Review your corporate structure, data flows, and personnel locations against Annex II criteria. Are your servers in the Union? Are your support staff in the Union? Are you controlled by a non-EU parent?
- Determine Your Target Assurance Level:
  - If you target general public sector bodies, Level 1 may suffice. Ensure you can issue a valid EU statement of conformity.
  - If you target critical infrastructure, defence, or justice sectors (which Maltese bodies may classify as requiring higher assurance), aim for Levels 2–4. This requires independent audits (Level 2 and above) and potentially restructuring your workforce: Union citizenship for personnel involved in service provision at Level 3, and for all personnel at Level 4.
  - Cybersecurity Note: Ensure your cybersecurity certification matches the level: 'substantial' for Levels 2 and 3, 'high' for Level 4.
- Engage with the Competent Authority: To be recognised, you must apply to the national competent authority of your main establishment. If your main establishment is in Malta, you will work with the Maltese competent authority. If you are a foreign provider, you must work with the authority in your home Member State.
- Monitor the Central Repository: Once recognised, your status will appear in the Commission's central repository. Ensure you maintain compliance, as any material change (e.g., change in ownership) must be reported immediately under Article 23, or your recognition may be revoked.
If you are a buyer in Malta (public sector or regulated private entity):
- Conduct Risk Assessments: Under Article 29, you must assess which of your activities require which assurance level. Do not assume all cloud services need Level 4; most general administrative tasks may only require Level 1.
- Check the Repository: Before issuing a tender or signing a contract, verify the provider's status in the central repository mandated by Article 22. Do not rely on marketing materials alone.
- Plan for Migration: If your current provider does not meet the required assurance level, you must migrate to a recognised provider within a reasonable transition period (not exceeding 12 months, per Article 29(6)).
Common misconceptions
- "Sovereign cloud means the data centre must be in Malta."
- Correction: No. CADA requires data and infrastructure to be located in the Union (EU), not necessarily in the specific Member State. A provider with data centres in Germany or France can be "sovereign" for a Maltese buyer, provided they meet the assurance level criteria.
- "Any EU-based subsidiary of a US company is sovereign."
- Correction: Not necessarily. If the US parent retains control (e.g., through voting rights or ability to compel data access), the provider may fail the criteria for Levels 2–4, which require that the provider not be subject to third-country control. The legal separation must be effective, not just nominal.
- "Level 1 is the same as Levels 2–4."
- Correction: Level 1 is a baseline self-assessment. Levels 2–4 require independent third-party audits and stricter rules on personnel citizenship and third-country control. Public bodies handling sensitive data (e.g., justice, defence) cannot use Level 1 providers if their risk assessment mandates a higher level.
- "The list of providers is decided by the Maltese government."
- Correction: The list is EU-wide. Recognition is granted by the competent authority of the provider's establishment and recorded in the central EU repository. Malta cannot unilaterally add or remove providers from this EU-wide list.
- "Level 3 and Level 4 both require 'high' cybersecurity certification."
- Correction: No. Level 2 and Level 3 require a 'substantial' assurance level certificate. Only Level 4 requires a 'high' assurance level certificate.
Official sources
Related
- CADA Sovereign Cloud in Hungary: Assurance Levels, Repository & Options
- CADA Sovereign Cloud in France: Assurance Levels, Repository & Options
- CADA Sovereign Cloud in Czechia: Assurance Levels, Repository & Options
- CADA Sovereign Cloud in Belgium: Assurance Levels, Repository & Options
- CADA sovereign cloud in Romania: assurance levels, the central repository and third-country risks
This is general information about a draft EU regulation, not legal advice.