Summary
Under the proposed Cloud and AI Development Act (CADA), there is no national list of "sovereign" cloud providers specific to Slovakia. Instead, providers must be recognised at the Union level against four harmonised assurance levels defined in Article 16. Slovak buyers and public bodies identify these recognised providers via a single central repository maintained by the European Commission, as mandated by Article 22. This framework distinguishes between providers offering basic EU establishment guarantees (Level 1) and those meeting stricter criteria on data localisation, personnel citizenship, and freedom from third-country control (Levels 2–4), ensuring that critical public sector workloads are not exposed to extraterritorial laws from non-EU jurisdictions.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a unified framework to reduce the EU's dependence on non-European cloud computing service providers and to safeguard public order. For cloud service providers and data centre operators aiming to serve the Slovak market, the core mechanism is the Union cloud computing sovereignty framework. This framework establishes four distinct "Union assurance levels" that determine which providers can serve which public sector customers, including those in Slovakia.
The Union Cloud Computing Sovereignty Framework (Article 16)
Article 16 of the CADA proposal sets out the scope and structure of the sovereignty framework. It defines four cumulative assurance levels. A provider seeking to serve EU public bodies must meet the criteria for at least Level 1, and higher levels for more sensitive activities. The criteria are detailed in Annex II of the proposal.
- Union Assurance Level 1 (Baseline): This is the mandatory baseline for all public sector cloud procurement. To qualify, a provider must be established in the Union. Its infrastructure and assets (including those of subcontractors) must be located in the Union, unless the public sector body explicitly requires otherwise. Crucially, customer data (including metadata and telemetry) must remain exclusively within the Union. Providers subject to third-country control must guarantee that no laws in that third country require them to report software vulnerabilities to foreign authorities before they are known to be exploited. This level does not require independent third-party audits; providers issue a self-declaration (EU statement of conformity).
- Union Assurance Level 2 (Substantial Security): This level introduces stricter controls and requires independent third-party audits. The provider and its subcontractors must be established in the Union. Infrastructure, assets, and personnel must be located in the Union. Customer data must remain exclusively in the Union. Data generated by using the service cannot be used to train or fine-tune AI systems operated by third countries. Providers must obtain a European cybersecurity certificate of at least 'substantial' assurance level under a scheme established under Regulation (EU) 2019/881. If the provider is subject to third-country control, it must demonstrate that this control does not restrict service delivery, permit access by third countries to customer data, or allow for service disruption. Technical and operational support must be initiated and performed exclusively within the Union.
- Union Assurance Level 3 (Public Order): This level is designed for activities contributing to the preservation of public order (e.g., law enforcement, defence, justice). The provider and subcontractors must be established in the Union, with infrastructure, assets, and personnel located in the Union. Personnel involved in the provision of the service must be Union citizens and, where appropriate, hold national security clearance. Data must remain exclusively in the Union. Technical support must be performed exclusively within the Union by Union residents and parties not subject to third-country control. Generally, providers at this level must not be subject to the control of a third country or a legal entity established in a third country. However, a derogation exists: if the Commission has adopted an implementing act under Article 18 identifying a third country as providing sufficient assurances, providers controlled by that country may be audited for Level 3.
- Union Assurance Level 4 (Highest Security): This is the highest level of assurance, intended for the most sensitive data and classified information. It mirrors Level 3 but requires a European cybersecurity certificate of at least 'high' assurance level. It strictly prohibits any third-country control over the provider or its subcontractors (no derogation under Article 18 applies here). Personnel must be Union citizens with necessary security clearances. The provider must retain effective control over software components, ensuring no third country holds effective control over their design, development, or maintenance.
Recognising Providers: The Central Repository (Article 22)
A common challenge for buyers is verifying which providers meet these complex criteria. CADA addresses this by mandating a centralised verification mechanism.
Article 22 requires the Commission to establish and maintain a central repository of cloud computing services that have been recognised in accordance with Article 17. National competent authorities (such as the one designated by Slovakia) register services in this repository once they have been assessed and recognised at a specific assurance level.
- Public Accessibility: The central repository must be publicly available and regularly updated by the Commission and national competent authorities on a dedicated, easily accessible website.
- Transparency: The repository will list services recognised at Levels 1, 2, 3, and 4. It will also publish any revocations of audit reports or recognitions, which must remain visible for five years.
- Slovakia's Role: Slovak organisations do not maintain their own list of sovereign providers. Instead, they consult this EU-wide central repository to identify which providers are recognised and at what assurance level. This ensures a single market approach, allowing a provider recognised in one Member State to serve public bodies across the EU, including Slovakia, provided they meet the specific assurance level required by the Slovak buyer's risk assessment.
Distinguishing EU/EEA-Controlled Offerings from Non-EU Exposed Providers
The CADA framework explicitly targets the risk of extraterritorial jurisdiction, such as that posed by the US CLOUD Act or similar laws in other third countries.
- EU/EEA-Controlled Providers: Providers established in the EU/EEA that are not subject to third-country control are the primary candidates for Levels 3 and 4. They benefit from the presumption that they are not subject to foreign laws that could compel data access or service disruption. For Levels 3 and 4, the criteria explicitly require that the provider and subcontractors are not subject to the control of a third country.
- Providers Exposed to Non-EU Law: Providers controlled by third-country entities (e.g., US hyperscalers) can still qualify for Level 1 if they meet the basic establishment and data residency criteria. For Level 2, they must demonstrate robust legal, technical, and organisational measures to prevent third-country access or disruption. For Level 3, they are generally excluded unless the Commission has adopted a specific decision under Article 18 recognising their home country as providing sufficient safeguards (e.g., based on an adequacy decision and specific legal guarantees). This creates a clear market distinction: providers exposed to non-EU law may face significant barriers to serving high-security public sector workloads in Slovakia, as they cannot automatically access Level 3 or 4 without a specific Commission derogation.
What this means for you
For cloud service providers and data centre operators aiming to serve the Slovak market, the CADA proposal introduces a mandatory compliance and recognition pathway.
- Assess Your Control Structure: If your organisation is subject to third-country control, you must evaluate whether you can meet the stringent requirements of Level 2 or, if applicable, Level 3 (via Article 18 recognition). If you cannot demonstrate that third-country laws cannot be used to access data or disrupt service, you may be limited to Level 1 or excluded from critical public sector contracts.
- Prepare for Audit: To achieve recognition at Levels 2, 3, or 4, you must undergo independent third-party audits. Ensure your documentation on data flows, personnel locations, and supply chain controls is audit-ready. For Level 1, you must issue an EU statement of conformity. Note that for Levels 2 and 3, the cybersecurity certification must be at least 'substantial', while Level 4 requires 'high'.
- Monitor the Central Repository: Once recognised, your service will be listed in the Commission's central repository (Article 22). Ensure you promptly notify the auditing organisation and competent authority of any material changes that could affect your status (Article 23), as failure to do so can lead to revocation.
- Target the Right Buyers: Understand that Slovak public bodies will conduct risk assessments (Article 29) to determine the required assurance level. If your service is only Level 1, you can serve general public administration functions. If you aim for defence, justice, or critical infrastructure clients in Slovakia, you must target Level 3 or 4 recognition, which requires Union citizen personnel and no third-country control (unless an Article 18 derogation applies).
Common misconceptions
- "Sovereignty is defined by data localisation alone." While data must remain in the Union for all levels, sovereignty under CADA also encompasses operational autonomy, personnel citizenship (for Levels 3–4), cybersecurity certification, and freedom from third-country legal control. A provider with EU data centres but US-controlled ownership may still fail Level 3 criteria.
- "Slovakia will have its own list of sovereign providers." CADA harmonises the framework at the Union level. Slovakia will designate a national competent authority to assess and recognise providers, but these recognitions are entered into the single EU central repository. There is no separate national whitelist.
- "Level 1 is optional for public bodies." Article 30(2) mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must still use services recognised at Union Assurance Level 1. There is no "non-sovereign" option for public procurement under CADA.
- "Third-country providers are banned." They are not banned. They can qualify for Level 1 and, under specific conditions, Level 2. For Level 3, they can qualify if the Commission adopts a decision under Article 18 recognising their home country as providing sufficient assurances. However, the default assumption for Levels 3 and 4 is no third-country control.
- "Level 3 and 4 require the same cybersecurity certification." They do not. Levels 2 and 3 require a certificate of at least 'substantial' assurance, while Level 4 requires a certificate of at least 'high' assurance.
This is general information about a draft EU regulation, not legal advice.