Summary

Under the proposed Cloud and AI Development Act (CADA), Spain will not maintain a separate national list of "sovereign" providers. Instead, it relies on a harmonised EU-wide Union cloud computing sovereignty framework comprising four distinct assurance levels (Article 16). Spanish public authorities and critical private entities must procure services only from providers formally recognised at the specific assurance level determined by their national risk assessment. Verification of these providers is conducted exclusively via the Commission's central repository (Article 22). Crucially, the framework distinguishes between providers established in the Union and those subject to third-country control, imposing strict "no control" or "associated third country" derogation requirements for higher assurance levels.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally restructures how cloud sovereignty is defined and procured across the EU, including in Spain. Rather than allowing Member States to create fragmented national lists of "trusted" providers, CADA establishes a single, uniform Union cloud computing sovereignty framework. This framework is anchored in Article 16, which mandates that cloud computing service providers must meet cumulative criteria to be recognised as offering one of four Union assurance levels.

The Four Union Assurance Levels (Article 16 & Annex II)

The framework is tiered, with requirements escalating from a baseline of EU establishment to the highest tier of operational autonomy and personnel sovereignty.

Union Assurance Level 1: The Baseline

Level 1 serves as the minimum entry point for public sector procurement. As set out in Annex II, Section 1, a provider must be established in the Union. Crucially, the infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.

  • Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  • Subcontractors: Full transparency is required regarding subcontractors, with due diligence and ongoing oversight to ensure they meet Union legal obligations.
  • Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to authorities before they are publicly known.
  • Assessment: Recognition at this level is based on a conformity self-assessment by the provider, resulting in an EU statement of conformity (Article 19).

Union Assurance Levels 2, 3, and 4: The Sovereign Tiers

Levels 2, 3, and 4 require independent third-party audits (Article 20) and introduce significantly stricter criteria regarding personnel, control, and data usage.

  • Union Assurance Level 2:

    • Location: Infrastructure, assets, and personnel must be located in the Union.
    • Personnel: While personnel must be located in the Union, Union citizenship is conditional. Under Annex II, Section 2.1(d), the provider must ensure that personnel meeting Union citizenship requirements are available if the public sector body determines that such screening is necessary.
    • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, 2.1(e)). Note that 'substantial' is the same level required for Level 3; only Level 4 requires 'high'.
    • AI Training: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country or a legal entity established in a third country.
    • Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with the service.
  • Union Assurance Level 3:

    • Personnel: This level introduces a mandatory requirement for Union citizenship. Under Annex II, Section 3.1(d), personnel (including those of subcontractors) involved in the provision of the service must be Union citizens. Where appropriate, they must also hold necessary national security clearances for handling classified information.
    • Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country. However, Article 18 provides a derogation: the Commission may adopt an implementing act identifying a third country as "associated" if it meets specific safeguards (e.g., adequacy decisions, no extraterritorial access laws). If such a decision exists, a provider under that third country's control may still qualify for Level 3, provided it demonstrates that the control does not restrict service delivery, prevent data access, or disrupt continuity.
    • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
  • Union Assurance Level 4:

    • Data Sensitivity: This level is designed for the most critical use cases. Customer data identified as sensitive following a risk assessment must remain exclusively within the Union.
    • Personnel: Personnel must be Union citizens and, where handling classified information, must hold necessary national security clearances.
    • Third-Country Control: The provider and subcontractors must not be subject to the control of a third country. Unlike Level 3, no derogation for associated third countries is available for Level 4.
    • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high' (Annex II, 4.1(e)).
    • Software Control: The provider must demonstrate effective control over software components, ensuring no third country holds effective control over their design, development, or maintenance.

Procurement Obligations for Spanish Buyers (Articles 29 & 30)

For buyers in Spain, the choice of provider is not a matter of preference but of legal compliance based on a national risk assessment.

  1. Risk Assessment (Article 29): Within one year of CADA's entry into force, Spain (as a Member State) must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. This includes sectors under the NIS2 Directive (Annex I/II) and areas like national security, defence, justice, and law enforcement.
  2. Procurement Rules (Article 30):
    • Public Order Activities: If a Spanish contracting authority's activity is identified as contributing to public order, it must only procure cloud services recognised at Union assurance levels 2, 3, or 4.
    • Non-Public Order Activities: For activities not identified as having public order relevance, the minimum requirement is Union assurance level 1.

Identifying Recognised Providers: The Central Repository (Article 22)

Spanish buyers do not need to contact national authorities to verify a provider's status. Article 22 mandates the establishment of a central repository of cloud computing services recognised as offering Union assurance levels 1–4.

  • Maintenance: The European Commission maintains this repository.
  • Registration: Once a national competent authority (in Spain, this will be a designated authority) recognises a provider, it must register the service in the central repository.
  • Verification: Spanish buyers must consult this publicly available repository to confirm that a provider holds the specific assurance level required for their use case.
  • Transparency: Any revocation or amendment of a recognition is published in the repository and remains visible for five years.

Distinguishing EU-Controlled vs. Third-Country Exposed Providers

A critical distinction in CADA is between providers established in the EU and those subject to third-country control.

  • EU-Controlled Providers: Providers established in the Union and not subject to third-country control can more easily meet Levels 2, 3, and 4. They must still prove that their infrastructure, assets, and personnel are located in the Union and that data does not leave the Union.
  • Third-Country Exposed Providers: Providers subject to the control of a third country (e.g., via ownership, board composition, or legal jurisdiction) face significant hurdles:
    • Level 1: Must guarantee that the controlling country has no laws requiring software vulnerabilities to be reported to its authorities before they are publicly known.
    • Level 2: Must demonstrate that third-country control does not restrict service delivery, prevent data access, or disrupt continuity.
    • Level 3: Generally prohibited unless the Commission has issued a specific implementing act under Article 18 designating the third country as "associated." Even then, strict safeguards must be proven.
    • Level 4: Strictly prohibited. Providers subject to third-country control cannot qualify for Level 4, as the criteria explicitly require that the provider is not subject to such control.

What this means for you

For Cloud Service Providers Targeting Spain

If you are a provider seeking to serve the Spanish public sector or critical private entities, you must align your service with one of the four Union assurance levels. You cannot rely on national certifications or self-declarations alone for Levels 2–4.

  • Level 1: Prepare a self-assessment and issue an EU statement of conformity. Submit this to the Spanish national competent authority for recognition.
  • Levels 2–4: Engage an independent auditing organisation to perform a third-party audit. You must obtain a 'positive' audit opinion confirming compliance with the cumulative criteria in Annex II.
  • Third-Country Control: If you are controlled by a non-EU entity, assess your eligibility carefully. You may qualify for Level 1 or Level 2, but Level 3 requires an Article 18 derogation for your home country, and Level 4 is likely inaccessible.
  • Marketing: Once recognised, ensure your service is listed in the Commission's central repository. This listing is your primary proof of compliance for Spanish tenders.

For Spanish Public Bodies and Critical Entities

  • Conduct Risk Assessments: You must participate in or rely on the national risk assessment under Article 29 to determine if your activities are "public order" relevant.
  • Verify Before Procuring: Before awarding a contract, check the central repository (Article 22). Do not accept a provider's word; verify their recognition status and the specific assurance level.
  • Match the Level: If your activity is public-order relevant, you are legally barred from procuring Level 1 services. You must procure only Level 2, 3, or 4.
  • Personnel Requirements: For Levels 3 and 4, be aware that you may require personnel to be Union citizens. Ensure your procurement documents reflect these specific needs.

Common misconceptions

"Spain will publish its own list of sovereign cloud providers." Incorrect. CADA creates a single, harmonised EU framework. While Spain will designate a national competent authority to perform the initial recognition, the resulting status is valid across the entire Union. The definitive list is the Commission's central repository (Article 22), not a national registry.

"All providers established in the EU are automatically 'sovereign'." Not necessarily. A provider may be established in Spain but subject to the control of a third-country parent company. Such providers face strict limitations, particularly at Levels 3 and 4. They must prove that third-country control does not compromise data access or service continuity, and Level 4 is strictly off-limits to them.

"Level 1 is sufficient for all government cloud needs." No. Article 30 explicitly mandates that for activities identified as contributing to the preservation of public order (e.g., law enforcement, defence, critical infrastructure), contracting authorities must procure services at Levels 2, 3, or 4. Level 1 is only the baseline for non-critical activities.

"Cybersecurity certification alone is enough for sovereignty." Incorrect. While a European cybersecurity certificate (at least 'substantial' for Levels 2/3, 'high' for Level 4) is a mandatory criterion, it is only one part of the puzzle. Sovereignty also depends on data localisation, personnel citizenship (for Levels 3/4), and the absence of third-country control.

"Open-source software is exempt from these rules." Incorrect. CADA applies to cloud computing services regardless of the underlying software licence. Providers using open-source components must still demonstrate controls to prevent remote tampering and maintain a complete Software Bill of Materials (SBOM) as required in Annex II.

This is general information about a draft EU regulation, not legal advice.