Summary
Under the proposed Cloud and AI Development Act (CADA), Romania does not maintain a separate national list of sovereign cloud providers. Instead, it relies on the EU-wide Union cloud computing sovereignty framework established in Article 16 of the proposal. This framework defines four Union assurance levels (1–4) that classify cloud services based on their establishment, data localisation, personnel citizenship, and independence from third-country control. Romanian public bodies must procure services that meet the assurance level determined by their specific risk assessment under Article 29. To identify which providers are formally recognised, buyers and operators must consult the central repository maintained by the European Commission under Article 22, which lists all services recognised across the Union. Crucially, providers subject to control by a third country are generally barred from Levels 3 and 4 unless the Commission has adopted a specific derogation under Article 18 for that third country.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised EU approach to cloud sovereignty. For cloud service providers and data centre operators in Romania, this means that "sovereignty" is no longer a marketing term but a legal status defined by Article 16 and the detailed criteria in Annex II. The proposal replaces fragmented national definitions with a single, auditable set of criteria, ensuring that a provider recognised in Romania is recognised throughout the Union.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 establishes a four-tier system of Union assurance levels. These levels are cumulative: a provider claiming Level 3 must meet all criteria for Levels 1 and 2, and a Level 4 provider must meet all criteria for Levels 1, 2, and 3. The criteria focus on establishment, infrastructure location, personnel, cybersecurity certification, and freedom from third-country control.
1. Union Assurance Level 1 (Baseline Sovereignty)
This level establishes a baseline of safeguards for the public sector, reducing exposure to third-country access.
- Establishment & Location: The provider must be established in the Union. Its infrastructure, assets, and subcontractors involved in the service must be located in the Union, unless the public sector body explicitly requires otherwise.
- Data Localisation: Customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
- Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
- Transparency: Full transparency on subcontractors is required, including due diligence and ongoing oversight.
- Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no law of that third country requires it to report software vulnerabilities to that country's authorities before they are publicly disclosed.
- Self-Certification: For Level 1, providers (including SMEs) can carry out a conformity self-assessment and issue an EU statement of conformity. For SMEs, this statement is directly and automatically recognised across the Union without prior recognition by the national competent authority (Article 17(3)).
2. Union Assurance Level 2 (Enhanced Sovereignty)
Level 2 introduces stricter requirements on personnel, cybersecurity certification, and AI training restrictions.
- Personnel & Screening: Infrastructure, assets, and personnel (including subcontractors) must be located in the Union. Crucially, if the public sector body determines that imposing additional personnel screening and Union citizenship requirements is necessary, the provider must ensure that personnel meeting those requirements are available (Annex II 2.1(d)).
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme (EUCS) covering cloud services. Until such a scheme is established, national schemes apply, or the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law (Annex II 2.1(e)).
- AI Training Restrictions: Data generated by using the service cannot be used to train or fine-tune any AI system operated by a third country or a third-country legal entity, and data cannot be transferred outside the Union in any case.
- Third-Country Control Safeguards: If controlled by a third country, the provider must implement measures to ensure that such control does not restrict service delivery, prevent access to customer data, or disrupt service continuity.
- Support Localisation: Technical and operational support must be initiated and performed exclusively within the Union.
- Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM), block remote features that could tamper with devices, and ensure third-country software components undergo source code audits.
3. Union Assurance Level 3 (High Sovereignty)
Level 3 is designed for activities contributing to the preservation of public order, requiring strict personnel citizenship and a prohibition on third-country control.
- Personnel Citizenship: All personnel involved in the service (including subcontractors) must be Union citizens. Personnel handling classified information must have the necessary national security clearance issued by a Member State (Annex II 3.1(d)).
- No Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a third-country legal entity.
- Derogation for Associated Third Countries: By way of derogation, a provider subject to third-country control may be audited for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This requires the third country to have an adequacy decision under GDPR and to have no measures enabling control that conflicts with EU law or compels service disruption (Article 18).
- Support Localisation: Support must be performed exclusively within the Union by Union residents and by third parties not subject to third-country control.
4. Union Assurance Level 4 (Maximum Sovereignty)
Level 4 represents the highest level of assurance, intended for the most critical public sector activities.
- Strict Data Localisation: Sensitive data identified via risk assessment must remain exclusively within the Union at all times.
- Personnel: All personnel must be Union citizens with necessary security clearances for classified information.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high' (Annex II 4.1(e)).
- No Third-Country Control: Strict prohibition on third-country control over the provider and subcontractors.
- Software Control: Providers must demonstrate that no third country holds effective control over the design, development, maintenance, or evolution of software components.
Recognised Providers and the Central Repository (Article 22)
For Romanian organisations, the critical question is: How do I know which providers actually meet these levels?
Article 22 mandates the European Commission to establish and maintain a central repository of cloud computing services recognised under Article 17. This repository is the single source of truth for the EU.
- Recognition Process: Providers apply to the national competent authority of their establishment. For Levels 2–4, this requires a positive audit opinion from an independent auditing organisation (Article 20). The national competent authority then assesses the evidence and, if satisfied, adopts a recognition decision.
- Public Access: The central repository is publicly available and regularly updated by the Commission and national competent authorities. It lists services recognised at Levels 1–4.
- Revocation: If a provider fails to maintain standards, the revocation of their audit report or recognition is published in the repository and remains visible for five years (Article 22(3)).
Romanian buyers do not need to audit providers themselves; the audit and recognition process is the provider's burden. What buyers must do is verify that the provider they intend to use is listed in the Commission's central repository at the specific assurance level required by their own Article 29 risk assessment.
Distinguishing EU/EEA-Controlled Offerings from Non-EU Exposed Providers
The core distinction in CADA is control. A provider may be physically located in Romania but legally controlled by a non-EU entity (e.g., via shareholding, voting rights, or strategic decision-making power).
- EU/EEA-Controlled: Providers fully owned and controlled by EU entities are eligible for Levels 3 and 4 without any derogation. They offer the highest degree of operational autonomy and protection against extraterritorial data access laws (such as the US CLOUD Act).
- Non-EU Exposed: Providers subject to third-country control face strict barriers.
- They cannot achieve Level 4.
- They cannot achieve Level 3 unless the Commission has specifically adopted an implementing act recognising their home country as an "associated third country" under Article 18. This requires the third country to have an adequacy decision under GDPR and robust safeguards against extraterritorial data access and service disruption.
- For Level 1, a third-country-controlled provider must give the vulnerability-reporting guarantee described above (Annex II, Level 1). For Level 2, it must additionally implement measures ensuring that third-country control cannot restrict service delivery, prevent access to customer data, or disrupt service continuity (Annex II, Level 2), and no customer data may leave the Union at all.
What This Means for You
For Cloud Service Providers in Romania:
- Audit Readiness: If you target the public sector, you must prepare for independent third-party audits (for Levels 2–4). This includes documenting your SBOM, proving data localisation, and verifying personnel citizenship.
- Governance Review: Conduct a thorough analysis of your ownership structure. If you have non-EU shareholders with veto rights or strategic control, you are barred from Level 4 and, unless your home country is designated as an associated third country under Article 18, from Level 3 as well.
- Subcontractor Management: Your sovereignty status depends on your subcontractors. Ensure all subcontractors involved in service delivery meet the same location and control criteria.
For Data Centre Operators in Romania:
- Infrastructure Verification: Ensure your facilities are fully located in the Union and that your operational staff are Union residents. Where the service you support targets Level 3 or 4, all personnel, subcontractors included, must be Union citizens, with national security clearance for anyone handling classified information.
- Support Localisation: If you provide technical support, ensure it is initiated and performed exclusively from within the Union. Remote support from non-EU locations will disqualify you from Levels 2–4.
For Buyers in Romania (Public Sector):
- Risk Assessment: Conduct a risk assessment under Article 29 to determine which assurance level (1–4) is required for your specific use case. This assessment must identify activities contributing to the preservation of public order (e.g., national security, law enforcement).
- Check the Repository: Before procurement, verify the provider's status in the Commission's central repository (Article 22), confirming both the service and the assurance level, and check the revocation entries, which remain visible for five years (Article 22(3)). Do not rely solely on contractual guarantees.
- Procurement Restrictions: If your activities are identified as contributing to public order, you must procure services with Union assurance levels 2, 3, or 4 (Article 30(3)). For other activities, a minimum of Level 1 is required (Article 30(2)).
Common Misconceptions
- "Data Localisation is Enough": Simply storing data in Romania is insufficient for Levels 2–4. You must also control the personnel, the software supply chain, and the legal entity operating the service.
- "GDPR Adequacy Equals Sovereignty": A third country may have an adequacy decision for data transfers (GDPR), but this does not automatically allow its providers to offer Level 3 or 4 services. They must still meet the strict operational and control criteria in Annex II, and for Level 3, the Commission must explicitly recognise the country under Article 18.
- "Self-Certification Applies to All Levels": Only Level 1 allows for self-certification (via EU statement of conformity). Levels 2, 3, and 4 require independent third-party audits and formal recognition by national competent authorities.
- "Romania Has Its Own Sovereign List": CADA creates a single EU-wide repository. There is no separate Romanian list of sovereign providers. A provider recognised in Germany is recognised in Romania.
- "Level 3 Cybersecurity Requires 'High'": Under Annex II, Level 3 requires a cybersecurity certificate of at least 'substantial' assurance. Only Level 4 requires a 'high' assurance certificate.
Official sources
Related
- CADA Sovereign Cloud in Ireland: Assurance Levels, Providers & the Central Repository
- CADA Sovereign Cloud in Germany: Assurance Levels, Providers & the Central Repository
- CADA Sovereign Cloud in Austria: Assurance Levels, Providers & the Central Repository
- CADA Sovereign Cloud in the Netherlands: Levels, Providers & the Central Repository
- CADA Sovereign Cloud in Malta: Assurance Levels, Repository & Options
This is general information about a draft EU regulation, not legal advice.