Summary

Under the proposed Cloud and AI Development Act (CADA), Poland does not maintain a national list of "trusted" cloud providers. Instead, the Regulation establishes a Union cloud computing sovereignty framework (Article 16) with four Union assurance levels. Any provider established in the EU can apply for recognition if it meets the criteria in Annex II. Polish public bodies and private entities must identify recognised providers via the European Commission's central repository (Article 22), not a Polish register. Crucially, providers subject to third-country control (e.g., US hyperscalers) are generally barred from Level 3 and Level 4 unless the Commission adopts a specific implementing act under Article 18 recognising that third country, a mechanism currently unavailable for major non-EU jurisdictions.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally shifts how cloud sovereignty is defined in the EU. For Poland, as for all Member States, the era of fragmented national "trusted provider" lists ends. In its place, CADA introduces a harmonised, auditable framework where sovereignty is determined by operational criteria rather than corporate nationality.

The Union Cloud Computing Sovereignty Framework (Article 16)

Article 16 establishes the Union cloud computing sovereignty framework, comprising four distinct Union assurance levels. These are not voluntary marketing badges but mandatory compliance tiers that dictate which cloud services Polish contracting authorities and Union entities may procure. The criteria for these levels are exhaustively detailed in Annex II of the proposal.

The framework is designed to mitigate specific risks, including the extraterritorial reach of foreign laws (such as the US CLOUD Act) that could compel data access or service disruption.

The Four Assurance Levels

1. Union Assurance Level 1: The Baseline

  • Criteria: The provider must be established in the Union. Infrastructure and assets (including those of subcontractors) must be located in the Union. Customer data must remain exclusively within the Union.
  • Third-Country Control: A provider subject to third-country control may qualify for Level 1 if it guarantees that no law in that third country requires software vulnerabilities to be reported to authorities before those vulnerabilities are known to be exploited (Annex II, 1.1(g)).
  • Verification: Providers perform a conformity self-assessment and issue an EU statement of conformity (Article 19). For SMEs, this statement is automatically recognised across the EU without prior national authority approval (Article 17(3)). Other providers submit to their national competent authority.
  • Use Case: The mandatory baseline for all public sector procurement.

2. Union Assurance Level 2: Enhanced Sovereignty

  • Criteria: Stricter requirements apply. The provider and its subcontractors must be established in the Union. Crucially, personnel involved in the service must be located in the Union. The service must obtain a European cybersecurity certificate of at least 'substantial' assurance level (under the Cybersecurity Act/EUCS) (Annex II, 2.1(e)). Data generated cannot be used to train AI systems operated by third countries.
  • Third-Country Control: Possible if the provider demonstrates that third-country control does not restrict service delivery, prevent access to data, or disrupt continuity. Robust legal, technical, and organisational measures must block third-country access.
  • Verification: Requires an independent third-party audit by an accredited auditing organisation, resulting in a 'positive' audit opinion (Article 20).
  • Use Case: Public sector activities identified as having higher sensitivity or criticality in national risk assessments.

3. Union Assurance Level 3: High Sovereignty & Personnel Citizenship

  • Criteria: Builds on Level 2. The most significant addition is the personnel requirement: all personnel involved in the service, including those of subcontractors, must be Union citizens (Annex II, 3.1(d)).
  • Third-Country Control: Generally not possible for providers subject to third-country control. The provider and subcontractors must not be subject to the control of a third country.
    • The Exception: A derogation exists where the Commission has adopted an implementing act under Article 18 identifying a specific third country as providing sufficient assurances (e.g., via adequacy decisions and specific safeguards). Annex II, 3.1(g) explicitly references this derogation.
  • Verification: Independent third-party audit.
  • Use Case: Activities contributing to the preservation of public order in sectors like national security, defence, justice, or law enforcement, as determined by Polish risk assessments (Article 29).

4. Union Assurance Level 4: Maximum Sovereignty

  • Criteria: The highest tier. All Level 3 criteria apply, plus an enhanced cybersecurity requirement: a European cybersecurity certificate of at least 'high' assurance level (Annex II, 4.1(e)). It also mandates effective legal, technical, and organisational separation between the Union parent and any third-country subsidiaries.
  • Third-Country Control: Strictly prohibited. Annex II, 4.1(g) states the provider and subcontractors "are not subject to the control of a third country." Unlike Level 3, there is no derogation clause for Level 4. Even if the Commission recognises a third country under Article 18, that recognition does not extend to Level 4.
  • Verification: Independent third-party audit.
  • Use Case: The most critical public sector activities, often involving classified information or high-impact risks to public order.

How Polish Buyers Identify Providers: The Central Repository (Article 22)

Under CADA, trust is centralised. Polish contracting authorities do not maintain their own lists of sovereign providers. Instead, Article 22 mandates that the European Commission establish and maintain a central repository of cloud computing services recognised as offering Union assurance levels 1–4.

  • The Process: Once a provider (whether Polish, German, or French) completes the self-assessment (Level 1) or audit (Levels 2–4) and is recognised by the national competent authority of establishment, that authority registers the service in the central repository.
  • For Polish Buyers: When a Polish public body needs to procure cloud services, it must consult this central repository to verify whether a provider holds the required Union assurance level for the specific activity.
  • Transparency: The repository is publicly available and regularly updated. It also publishes revocations of recognition, ensuring buyers are immediately aware if a provider no longer meets the criteria.

Distinguishing EU-Controlled vs. Third-Country-Controlled Providers

CADA explicitly differentiates between providers controlled within the EU and those exposed to non-EU laws. This distinction is the primary filter for Levels 3 and 4.

  • EU-Controlled Providers: Providers established in the EU that are not subject to third-country control can pursue all four assurance levels, provided they meet the personnel and cybersecurity criteria.
  • Third-Country-Controlled Providers: Providers subject to the control of a non-EU entity (e.g., a US hyperscaler) face strict limitations:
    • Level 1: Accessible if they meet the vulnerability reporting guarantee.
    • Level 2: Accessible if they can prove robust measures prevent third-country access or disruption.
    • Level 3: Generally inaccessible. The only path is if the Commission adopts an implementing act under Article 18 recognising the specific third country. Currently, no such act exists for major jurisdictions like the US.
    • Level 4: Inaccessible. The text of Annex II, 4.1(g) contains no derogation. A provider subject to third-country control cannot achieve Level 4, regardless of any Article 18 recognition.

This means Polish public bodies requiring Level 3 or 4 services (e.g., for defence or justice) cannot use cloud services from providers controlled by non-EU entities, unless those entities have legally and technically separated into a distinct EU-established entity that is demonstrably free from third-country control.

What this means for you

For cloud service providers, data centre operators, and Polish public bodies, the implications are immediate and structural.

1. For Cloud Providers in Poland and the EU

  • Audit Your Control Structure: Determine immediately if you are subject to third-country control. If you are a subsidiary of a US or Asian parent, you are likely capped at Level 2. To reach Level 3, you must either demonstrate strict legal/technical separation or rely on a future Article 18 recognition (which is uncertain). Level 4 is effectively closed to you unless you restructure to be fully EU-controlled.
  • Prepare for Independent Audits: Levels 2, 3, and 4 require independent third-party audits (Article 20). Begin aligning your operations with Annex II now. This includes documenting your software bill of materials (SBOM), verifying personnel citizenship, and mapping data flows to ensure no data leaves the Union.
  • Engage with the Polish Competent Authority: The national competent authority in Poland (to be designated under Article 25) is your entry point. Build relationships early to understand their interpretation of the criteria, particularly regarding "control" and "personnel location."
  • Market to the Repository: Your primary marketing asset will be your listing in the Commission's central repository (Article 22). Polish buyers will not accept local Polish certifications; they will check the EU-wide list.

2. For Polish Public Bodies and Contracting Authorities

  • Conduct Risk Assessments: You must carry out risk assessments under Article 29 to determine which assurance level is appropriate for your activities. If your work involves national security, defence, or law enforcement, you will likely be required to procure only Level 3 or 4 services.
  • Verify via the Repository: Do not rely on vendor claims. Verify the provider's status in the central repository before issuing a tender.
  • Plan for Migration: If you currently use a third-country-controlled provider for critical functions, you may face a mandatory migration within a 12-month transition period (Article 29(6)) if your risk assessment dictates a higher assurance level that your current provider cannot meet.

Common misconceptions

"Sovereign cloud means Polish-owned." No. CADA focuses on Union assurance. A German, French, or Polish provider can offer a Level 4 service in Poland if they meet the criteria. Ownership nationality is secondary to establishment, control, and operational compliance within the EU.

"Level 1 is enough for all public sector use." No. Polish public bodies must conduct risk assessments (Article 29). If their activities contribute to public order in critical sectors (e.g., healthcare, energy, justice), they will likely be legally required to procure Level 2, 3, or 4 services.

"The US CLOUD Act doesn't affect EU providers." It does. If a provider is subject to US control, it cannot offer Level 3 or 4 services unless it can prove it can resist US legal requests. This is a core reason for the strict criteria in Annex II.

"Poland will have its own list of trusted providers." No. CADA harmonises this at the EU level. The central repository (Article 22) is the single source of truth. National lists are being replaced by the Union framework to prevent market fragmentation.

"Third-country providers can get Level 3 if they have an adequacy decision." Not automatically. While an adequacy decision is a prerequisite for the Commission to consider an Article 18 implementing act, the act itself is a separate, specific decision. Without that specific implementing act, third-country-controlled providers are barred from Level 3.

This is general information about a draft EU regulation, not legal advice.