Summary

Under the proposed Cloud and AI Development Act (CADA), there is no static national list of "sovereign" providers for Portugal. Instead, the regulation establishes a harmonized Union cloud computing sovereignty framework with four Union assurance levels (Article 16). Portuguese public bodies and critical private entities must procure services only from providers formally recognized at the appropriate level. Verification happens exclusively via the Commission's central repository (Article 22), not through national certifications. The framework strictly distinguishes between providers fully established and controlled within the Union and those subject to third-country control; for the highest levels (3 and 4), providers generally must not be subject to third-country control unless the Commission has adopted a specific derogation for an "associated third country" under Article 18.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally shifts how cloud sovereignty is assessed in Portugal. Rather than relying on fragmented national schemes, the proposal creates a single, EU-wide recognition mechanism. For cloud service providers (CSPs) operating in or targeting Portugal, and for Portuguese contracting authorities, the core compliance mechanism is the Union assurance level system.

The Union Cloud Computing Sovereignty Framework (Article 16)

Article 16 establishes the framework, comprising four cumulative assurance levels. To be recognized at a higher level, a provider must meet all criteria of the lower levels. The criteria are detailed in Annex II and verified through independent audits (for levels 2–4) or self-assessment (for level 1).

1. Union Assurance Level 1: The Baseline

This level serves as the minimum entry point for public sector procurement.

  • Establishment: The provider must be established in the Union.
  • Infrastructure & Data: Infrastructure, assets, and customer data (including metadata) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  • Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require reporting software vulnerabilities to foreign authorities before they are known to have been exploited.
  • Transparency: Full transparency regarding subcontractors is required.

2. Union Assurance Level 2: Enhanced Sovereignty

This level is mandatory for public sector activities identified as contributing to the preservation of public order (e.g., energy, transport, healthcare) under national risk assessments.

  • Personnel: Infrastructure, assets, and personnel involved in the service must be located in the Union.
  • Conditional Citizenship: Crucially, the requirement for personnel to be Union citizens is conditional. Annex II (2.1)(d) states: "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available." Thus, at Level 2, citizenship is not automatically mandatory for all staff unless the specific public buyer demands it.
  • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (once the scheme is established). Note that under Annex II, both Level 2 and Level 3 require the "substantial" level; only Level 4 requires "high".
  • AI & Data: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country, nor transferred outside the Union.
  • Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote tampering features in third-country software components.

3. Union Assurance Level 3: High Sovereignty & Public Order

This level is designed for highly sensitive activities, including those handling classified information.

  • Mandatory Citizenship: Unlike Level 2, Annex II (3.1)(d) makes Union citizenship mandatory for all personnel involved in the provision of the service, including subcontractors. "The personnel... are Union citizens and where appropriate, the personnel must also have the necessary national security clearance."
  • Third-Country Control: The default rule is that the provider and subcontractors must not be subject to the control of a third country.
    • The Derogation: A provider subject to third-country control may qualify for Level 3 only if the Commission has adopted an implementing act under Article 18 identifying that third country as an "associated third country." This requires the third country to have an adequacy decision, no laws enabling control that conflicts with EU data laws, and no measures compelling service disruption.
  • Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents.

4. Union Assurance Level 4: Maximum Sovereignty

This is the highest tier, intended for the most critical public order functions.

  • Personnel: Like Level 3, all personnel must be Union citizens with necessary security clearances.
  • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high'.
  • Third-Country Control: The provider and subcontractors must not be subject to the control of a third country. The Article 18 derogation for associated third countries is not available for Level 4; the exclusion of third-country control is absolute.
  • Data: Sensitive customer data must remain exclusively within the Union.

Procurement Obligations for Portuguese Buyers (Article 30)

For Portuguese contracting authorities, the assurance level dictates procurement eligibility:

  • General Public Sector: Must procure at least Level 1 services.
  • Public Order Activities: Under Article 29, Member States must conduct risk assessments to identify activities contributing to public order (e.g., national security, defense, justice, law enforcement). For these activities, Article 30(3) mandates that authorities only procure services recognized as offering Level 2, 3, or 4.
  • Private Sector: Entities in sectors listed in Annex I of the NIS2 Directive may voluntarily conduct similar impact assessments (Article 31) to determine their required assurance levels.

Recognizing Providers via the Central Repository (Article 22)

Portuguese buyers cannot rely on a provider's self-declaration or a national seal. Article 22 mandates the establishment of a central repository maintained by the Commission.

  • Registration: Once a national competent authority (to be designated by Portugal) recognizes a service, it must register it in this central repository.
  • Public Access: The repository will be publicly available on a dedicated website.
  • Verification: Before procuring, Portuguese authorities must verify that the service is listed in the repository with the correct assurance level. If a service is not listed, it cannot be legally procured for the relevant use case.
  • Updates: The repository is updated regularly. Revocations of recognition are also published and remain visible for five years.

Distinguishing EU-Controlled vs. Third-Country Exposed Providers

The framework draws a sharp line between providers fully under EU jurisdiction and those exposed to non-EU laws (such as the US CLOUD Act).

  • EU-Controlled Providers: These providers, established in the Union with no third-country control, can qualify for all four levels, provided they meet the technical and personnel criteria.
  • Third-Country Exposed Providers:
    • Levels 1 & 2: Providers subject to third-country control can qualify if they prove that such control does not restrict service delivery, does not allow data access by the third country, and does not enable service disruption.
    • Levels 3 & 4: The default is exclusion. A provider subject to third-country control is ineligible for Level 3 or 4 unless the Commission has specifically designated that third country as an "associated third country" under Article 18. This designation is a high bar, requiring an adequacy decision and guarantees against extraterritorial legal interference. Without this specific Commission decision, a provider controlled by a non-EU entity (e.g., a US hyperscaler) cannot legally offer Level 3 or 4 services to Portuguese public bodies handling public order activities.

What this means for you

For Cloud Service Providers in Portugal

  1. Target the Right Level: If you aim to serve Portuguese public bodies in critical sectors (health, energy, defense), you must target Level 2, 3, or 4. Level 1 is insufficient for these contracts.
  2. Audit Your Corporate Structure: For Levels 3 and 4, you must demonstrate you are not subject to third-country control. If you have foreign shareholders, you must prove they cannot exercise control that conflicts with EU law. If you are a subsidiary of a non-EU parent, you are likely capped at Level 1 or 2 unless the Commission designates your parent's country as "associated."
  3. Prepare for Personnel Checks: For Levels 3 and 4, ensure you have a workforce of Union citizens with necessary security clearances. For Level 2, be prepared to screen personnel if the Portuguese buyer explicitly requires it.
  4. Secure Cyber Certification: Aim for the 'substantial' assurance level (for Levels 2/3) or 'high' (for Level 4) under the future European cybersecurity certification scheme.
  5. Engage the Portuguese Authority: Submit your application for recognition to the national competent authority designated by Portugal. This authority will evaluate your evidence (per Annex III) and register you in the central repository.

For Portuguese Public Bodies and Critical Entities

  1. Conduct Risk Assessments: Under Article 29, you must assess which of your activities contribute to public order. This determines whether you are legally bound to procure only Level 2, 3, or 4 services.
  2. Verify via the Repository: Do not accept marketing claims. Check the Commission's central repository to confirm a provider's recognition status and assurance level before signing a contract.
  3. Demand Evidence: For Level 2, explicitly state in your tender if you require Union citizen personnel. For Levels 3 and 4, this is a mandatory requirement.
  4. Monitor Changes: Under Article 23, providers must report material changes. If a provider's status changes (e.g., a third country acquires control), their recognition may be revoked, and they would be removed from the repository.

Common misconceptions

"Portugal will publish its own list of sovereign providers." No. While Portugal designates the competent authority that evaluates applications, the recognition is Union-wide. The definitive list is the Commission's central repository (Article 22). A provider recognized in Portugal is recognized across the EU, and vice versa.

"Level 2 requires all staff to be EU citizens." Not automatically. Under Annex II (2.1)(d), Union citizenship for personnel at Level 2 is conditional: "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary." It becomes mandatory only at Level 3 and Level 4.

"US providers can easily get Level 3 or 4." Highly unlikely under the current proposal. Levels 3 and 4 generally require that the provider is not subject to third-country control. The only exception is if the Commission adopts an implementing act under Article 18 designating the US (or any third country) as an "associated third country." This requires the third country to have an adequacy decision and, critically, no laws that enable control over the provider conflicting with EU data laws or compelling service disruption. Given laws like the US CLOUD Act, this is a significant hurdle.

"Data localization is the only requirement for sovereignty." Incorrect. While data must remain in the Union, the framework also mandates strict controls on personnel citizenship (for Levels 3/4), cybersecurity certification (substantial or high), software supply chain transparency (SBOMs), and corporate governance to prevent third-country interference.

"CADA replaces the AI Act." No. CADA governs the infrastructure and sovereignty of the cloud (where the data lives and who controls the provider). The AI Act governs the AI systems running on that cloud. A public body in Portugal might need to comply with the AI Act for a high-risk AI system and CADA for the sovereign cloud infrastructure hosting it.

This is general information about a draft EU regulation, not legal advice.