Summary
Under the proposed Cloud and AI Development Act (CADA), there is no separate list of sovereign cloud providers for Sweden. Instead, the regulation establishes a unified EU-wide framework with four Union assurance levels (Article 16) to classify cloud services based on sovereignty and risk. Swedish buyers will identify recognised providers through a single central EU repository (Article 22) rather than a national registry. Providers seeking to serve the Swedish public sector must align with these levels, which range from basic EU establishment (Level 1) to strict prohibitions on third-country control and mandatory Union citizenship for all personnel (Levels 3 and 4). Crucially, while Level 2 allows conditional personnel requirements, Levels 3 and 4 mandate Union citizenship as a cumulative criterion, not a conditional one.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a harmonised regulatory framework to address the European Union's dependence on non-EU cloud computing service providers. For cloud service providers and data centre operators, understanding the Union cloud computing sovereignty framework is critical, as it will dictate market access to public sector contracts across the EU, including Sweden.
The Union Cloud Computing Sovereignty Framework (Article 16)
CADA establishes a four-tier system of Union assurance levels (Article 16). These levels define the criteria a cloud computing service provider must meet to be recognised as offering a specific level of sovereignty. The framework is designed to be proportionate, ensuring that public order is preserved by maintaining control and agency for public-sector bodies.
- Union Assurance Level 1: This is the baseline level. Providers must be established in the Union. Infrastructure and assets, including those of subcontractors, must be located in the Union unless the public sector body explicitly requires otherwise. Customer data (including metadata and telemetry) must remain exclusively within the Union. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors. Crucially, if the provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that no existing laws in that third country require it to report software vulnerabilities to third-country authorities before those vulnerabilities are known to have been exploited.
- Union Assurance Level 2: This level introduces stricter requirements. The audited provider and its subcontractors must be established in the Union. Infrastructure, assets, and personnel must be located in the Union. Customer data must remain exclusively within the Union. Data generated by using the service cannot be used to train or fine-tune AI systems operated by third countries, nor can it be transferred outside the Union. Providers must obtain a European cybersecurity certificate of at least assurance level 'substantial' (or equivalent national schemes until the EU scheme is established). If subject to third-country control, providers must implement measures to ensure that control does not restrict service delivery, prevent third-country access to customer data, and prevent service disruption.
  - Personnel Note: For Level 2, the requirement for Union citizens is conditional. The text states: "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available."
- Union Assurance Level 3: This level is aimed at higher-risk activities. It requires that the audited provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country, with a specific derogation for providers from associated third countries that have implemented specific safeguards (recognised via Commission implementing acts under Article 18).
  - Personnel Note: For Level 3, the requirement for Union citizens is mandatory. Annex II, Section 3.1(d) states: "the personnel... are Union citizens and where appropriate, the personnel must also have the necessary national security clearance." This is a cumulative criterion, not conditional on the public sector body's request.
  - Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial'.
  - Support: Technical and operational support must be performed exclusively within the Union by Union residents and third parties not subject to third-country control.
- Union Assurance Level 4: This is the highest level of assurance, intended for the most critical public sector activities. Similar to Level 3, providers and subcontractors must not be subject to third-country control. Personnel must be Union citizens and, where appropriate, hold national security clearance.
  - Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high'.
  - Data: Data identified as sensitive following a risk assessment must remain exclusively within the Union.
Recognition and the Central Repository (Article 22)
A common misconception is that Member States, such as Sweden, will maintain their own separate lists of sovereign providers. CADA centralises this function to ensure a single market.
Article 22 mandates that the Commission shall establish and maintain a central repository of cloud computing services that have been recognised in accordance with Article 17. This repository will be publicly available and regularly updated.
For a provider to be listed:
- They must submit an application for recognition to the national competent authority of their establishment (in Sweden, this would be the designated Swedish authority).
- For Level 1, providers submit an EU statement of conformity. For Levels 2, 3, and 4, they must undergo independent third-party audits and submit a 'positive' audit opinion.
- The national competent authority assesses the evidence and, if satisfied, recognises the service.
- The national competent authority then registers the service in the Commission's central repository.
Once registered, the service is recognised throughout the Union at the appropriate assurance level. This creates a single market for sovereign cloud services, allowing a provider established in Sweden to serve public bodies in other Member States, and vice versa, provided the assurance level meets the buyer's risk assessment requirements.
Distinguishing Sovereign Offerings from Third-Country Exposed Providers
The framework explicitly distinguishes between providers controlled within the EU/EEA and those exposed to non-EU law.
- EU/EEA-Controlled Providers: Providers established in the Union that are not subject to third-country control can pursue all four assurance levels. They benefit from the presumption of sovereignty inherent in EU jurisdiction.
- Third-Country Controlled Providers: Providers subject to the control of a third country (e.g., US-based hyperscalers) face significant hurdles.
  - They can only achieve Level 1 if they can demonstrate that no third-country laws require pre-exploitation vulnerability reporting.
  - They can achieve Level 2 only if they implement robust legal, technical, and organisational measures to prevent third-country access to data and service disruption.
  - They are generally excluded from Levels 3 and 4, unless the Commission adopts an implementing act recognising the third country as providing sufficient assurances (Article 18). This requires the third country to have an adequacy decision under the GDPR and no laws enabling extraterritorial data access or service disruption.
For Swedish buyers, this means that for high-risk activities (requiring Level 3 or 4), they will likely be restricted to providers that are not subject to third-country control, effectively excluding many global hyperscalers from the most sensitive public sector contracts.
What this means for you
For cloud service providers and data centre operators subject to these rules, the transition to CADA requires strategic alignment with the Union assurance levels.
- Audit Your Supply Chain and Personnel: Providers must map their infrastructure, personnel, and subcontractors. If you aim for Level 2 or higher, ensure all personnel involved in service provision are located in the Union. For Levels 3 and 4, you must ensure that all personnel are Union citizens. This is a mandatory requirement, not a conditional one based on the buyer's request.
- Prepare for Independent Audits: Levels 2, 3, and 4 require independent third-party audits. Start documenting compliance with cybersecurity standards (e.g., EUCS or national equivalents) and data localisation policies now. Note the distinction: Level 3 requires a 'substantial' certificate, while Level 4 requires a 'high' certificate.
- Engage with the Swedish National Competent Authority: Once CADA enters into force, Sweden will designate a national competent authority. Engage early to understand the specific procedural requirements for recognition applications.
- Target the Right Assurance Level: Assess your customer base. If you serve only low-risk public bodies, Level 1 may suffice. If you target defence, justice, or critical infrastructure, you must aim for Level 3 or 4. Achieving these levels may require restructuring your ownership or control mechanisms to eliminate third-country influence, as third-country control is generally incompatible with Levels 3 and 4.
- Monitor the Central Repository: Use the Commission's central repository (Article 22) to track competitors and understand the landscape of recognised providers. Being listed is a prerequisite for winning public sector contracts in Sweden and across the EU.
Common misconceptions
- "Sweden will have its own sovereign cloud list." Incorrect. CADA creates a single EU-wide repository (Article 22). Swedish buyers will look to this central EU list, not a national Swedish list, to identify recognised providers.
- "GDPR adequacy is enough for sovereign cloud status." Incorrect. While GDPR adequacy is a factor for Level 3 recognition of third-country providers (Article 18), sovereignty under CADA goes beyond data protection. It includes operational autonomy, personnel citizenship, and protection against extraterritorial legal access (e.g., US CLOUD Act). A provider can be GDPR-compliant but still fail CADA's sovereignty criteria due to third-country control.
- "Level 1 is the only requirement for public sector." Incorrect. While Level 1 is the minimum for most public sector bodies (Article 30), bodies whose activities have been identified as contributing to the preservation of public order (e.g., defence, justice) must procure services at Level 2, 3, or 4 based on their risk assessment (Article 29).
- "Personnel citizenship is optional for Level 3 if the buyer doesn't ask." Incorrect. For Level 2, citizenship requirements are conditional on the public sector body's determination. However, for Levels 3 and 4, Annex II explicitly states that personnel are Union citizens as a mandatory cumulative criterion. There is no "opt-out" for the buyer; the provider must have Union citizens to qualify for these levels.
- "Open source software automatically qualifies for higher assurance levels." Incorrect. While CADA promotes open source (Article 41), the assurance levels are based on control, location, and security. Using open source does not exempt a provider from meeting the personnel, infrastructure, and control criteria for Levels 2–4.
This is general information about a draft EU regulation, not legal advice.