Summary

The Court of Justice of the European Union's Schrems II judgment invalidated the EU-US Privacy Shield, ruling that US surveillance laws, specifically FISA 702, failed to provide adequate protection for EU personal data against indiscriminate access. While the subsequent EU-US Data Privacy Framework (DPF) restored a legal mechanism for data transfers, the proposed Cloud and AI Development Act (CADA) explicitly clarifies that this does not resolve broader "sovereignty" concerns. As proposed in Recital 50, the DPF addresses transatlantic data transfers but "does not remove sovereignty concerns about dependence on third-country providers," as sovereignty extends to "operational autonomy." Consequently, CADA introduces a Union cloud computing sovereignty framework (Article 16) with four assurance levels. This framework mandates that public sector bodies conduct risk assessments (Article 29) and procure services meeting specific assurance levels (Article 30), ensuring that critical infrastructure is not dependent on providers subject to extraterritorial third-country control, regardless of GDPR compliance.

Detail

To understand the strategic shift introduced by the proposed Cloud and AI Development Act (CADA), one must distinguish between data protection adequacy (the domain of Schrems II and the DPF) and technological sovereignty (the domain of CADA). These are distinct legal and operational concepts that address different layers of risk in the digital ecosystem.

The Schrems II Judgment and FISA 702

In July 2020, the Court of Justice of the European Union (CJEU) delivered its landmark judgment in Data Protection Commissioner v Facebook Ireland Ltd and Max Schrems (Case C-311/18), known as Schrems II. The Court invalidated the EU-US Privacy Shield framework, which had previously served as a legal basis for transferring personal data from the EU to the United States.

The core of the Court's reasoning was that US law, particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333, did not limit the access of US public authorities to personal data transferred from the EU in a manner that was "strictly necessary and proportionate" to protect national security. The Court found that US surveillance programs were not limited to what is strictly necessary, that EU data subjects had no actionable rights before US courts, and that no effective legal remedies were available. Consequently, the Court concluded that the US did not offer a level of protection "essentially equivalent" to that guaranteed by the EU Charter of Fundamental Rights.

While the Court upheld the validity of Standard Contractual Clauses (SCCs), it placed a heavy burden on data exporters to assess, on a case-by-case basis, whether the law of the third country (the US) would impinge on the effectiveness of those clauses. This created significant legal uncertainty for transatlantic data flows, particularly for cloud services where data is often processed by US-based entities.

The EU-US Data Privacy Framework (DPF) and Its Limits

In response to Schrems II, the European Commission adopted the EU-US Data Privacy Framework (DPF) in July 2023. The DPF was designed to address the specific deficiencies identified by the CJEU. It introduced binding commitments from the US government, including a new Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which established a two-tier redress mechanism for EU citizens and limited US intelligence access to what is necessary and proportionate.

However, the proposed CADA makes a critical distinction: compliance with the DPF is not equivalent to sovereignty.

Recital 50 of the CADA proposal explicitly states:

"The proposal is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework. However, while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers. The proposal thus complements the EU-US Data Privacy Framework as the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."

This recital highlights that the DPF solves the data transfer problem (i.e., is the transfer legal under GDPR?), but it does not solve the sovereignty problem (i.e., does the provider have the autonomy to operate without interference from a third country?). A US-based cloud provider could be fully DPF-compliant yet still be subject to:

  1. Extraterritorial laws that compel data access for national security purposes outside the specific scope of the DPF's redress mechanism.
  2. Sanctions regimes that could force the provider to cut off service to EU entities.
  3. Operational disruption risks if the provider's infrastructure or personnel are subject to third-country control.

CADA is designed to fill this gap by establishing a framework that ensures "operational autonomy" and reduces "dependence on third-country providers," regardless of the status of data transfer adequacy.

The CADA Sovereignty Framework: Union Assurance Levels

To address these sovereignty concerns, CADA proposes a Union cloud computing sovereignty framework under Article 16. This framework establishes four Union assurance levels (1 to 4), with criteria detailed in Annex II. These levels are cumulative; a service meeting Level 2 must also meet all Level 1 criteria. The framework moves beyond data location to scrutinize the legal and operational control of the provider.

Union Assurance Level 1: The Baseline

Level 1 establishes a baseline of Union establishment and data localization.

  • Establishment: The provider must be established in the Union.
  • Infrastructure: Infrastructure and assets must be located in the Union, unless the public sector body explicitly requires otherwise.
  • Data: Customer data must remain exclusively within the Union.
  • Third-Country Control: If the provider is subject to third-country control, it must guarantee that no laws in that third country require reporting software vulnerabilities to authorities prior to exploitation.
  • Cybersecurity: Compliance with state-of-the-art cybersecurity standards is required.

Union Assurance Level 2: Enhanced Autonomy

Level 2 introduces stricter requirements regarding personnel and supply chain security.

  • Personnel: The provider and subcontractors must be established in the Union.
  • Data Usage: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country.
  • Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (as defined in the Cybersecurity Act).
  • Supply Chain: Strict controls on software supply chains, including the requirement to block remote features that could tamper with or disrupt the service.
  • Third-Country Control: If subject to third-country control, the provider must demonstrate measures to prevent access to customer data, service disruption, or the enforcement of restrictive measures (sanctions) by the third country.

Union Assurance Level 3: High Autonomy and Personnel Citizenship

Level 3 is designed for activities contributing to public order, such as defense and law enforcement.

  • Personnel Citizenship: All personnel involved in the provision of the service must be Union citizens. Where appropriate, they must hold national security clearance.
  • Third-Country Control: The provider and subcontractors must not be subject to the control of a third country.
    • Derogation: Article 18 allows the Commission to adopt an implementing act recognizing a third country as providing sufficient assurances. If such an act exists, a provider subject to that third country's control may still qualify for Level 3, provided it demonstrates that the third country cannot use that control to restrict service delivery, access customer data, or enforce sanctions.
  • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
  • Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents.

Union Assurance Level 4: Maximum Sovereignty

Level 4 is the highest tier, intended for the most sensitive operations, including the hosting of EU classified information.

  • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
  • Third-Country Control: The provider and subcontractors must not be subject to the control of a third country. No derogation under Article 18 is available for Level 4.
  • Software Control: The provider must demonstrate that no third country holds effective control over the design, development, maintenance, or evolution of software components.
  • Personnel: All personnel must be Union citizens with necessary security clearances.

Risk Assessments and Procurement Obligations

The sovereignty framework is not merely a voluntary certification; it is a mandatory procurement requirement for the public sector.

Article 29 obliges Member States and Union entities to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine which Union assurance level (2, 3, or 4) is appropriate for specific activities, particularly in sectors falling under the NIS2 Directive, national security, defense, justice, and law enforcement.

Article 30 then links these assessments to procurement rules:

  • Article 30(2): Public sector bodies whose activities are not identified as contributing to public order preservation must use cloud services recognized as having at least Union assurance level 1.
  • Article 30(3): Contracting authorities whose activities are identified as contributing to public order preservation must only procure services recognized as having Union assurance levels 2, 3, or 4.

This creates a powerful market signal. Even if a US-based provider is fully compliant with the DPF and GDPR, it may fail to meet the criteria for Union Assurance Level 2 or 3 because it is subject to US law (FISA 702, sanctions) or because of its personnel structure. Consequently, such a provider would be ineligible for critical public sector contracts in the EU.

Addressing Third-Country Control via Article 18

A critical component of CADA is the mechanism for handling third-country control. Article 18 provides a pathway for providers subject to third-country control to qualify for Union assurance level 3, but only if the Commission has adopted an implementing act recognizing that third country as providing sufficient assurances.

To qualify, the third country must:

  1. Be subject to a relevant adequacy decision under GDPR Article 45.
  2. Have no measures enabling control over providers that conflict with lawful access rules.
  3. Have no measures compelling service disruption or degradation.
  4. Have no measures obliging providers to comply with restrictive measures (sanctions) unless legitimate under EU law.
  5. Maintain an open market to Union cloud services.
  6. Grant equivalent access to public procurement procedures for Union entities.

This mechanism acknowledges that while the DPF addresses data transfers, the broader question of "control" requires a separate, rigorous assessment. If the US legal landscape changes (e.g., new surveillance laws or sanctions), the Commission could suspend or repeal such recognition, instantly impacting the eligibility of US providers for Level 3 services.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the proposed CADA represents a fundamental shift from a "data protection" mindset to a "strategic autonomy" mindset.

1. Distinguish "Adequacy" from "Sovereignty"

Compliance with the EU-US Data Privacy Framework is necessary but not sufficient for critical public sector engagements. You must assess whether your cloud provider can meet the technical and operational criteria of the Union assurance levels. A provider can be DPF-compliant but still fail Union assurance levels due to third-country control or personnel citizenship requirements.

2. Mandatory Risk Assessments for the Public Sector

Public sector entities must carry out risk assessments under Article 29 within one year of the regulation's entry into force. These assessments will dictate which assurance level is required for your specific data and services. Failure to align procurement with these assessments violates Article 30. For private sector entities in high-criticality sectors (listed in Annex I of NIS2), Article 31 allows for similar impact assessments, signaling that market pressure will drive adoption of sovereign standards even outside the public sector.

3. Prepare for Rigorous Audits

Providers targeting Union assurance levels 2, 3, and 4 must undergo independent third-party audits (Article 20). This includes providing evidence of:

  • Union establishment and genuine economic activity.
  • Location of all infrastructure, assets, and personnel.
  • Absence of third-country control that could lead to data access or service disruption.
  • Software supply chain transparency, including Software Bills of Materials (SBOMs) and source code audits for critical components.
  • Personnel citizenship verification for Level 3 and 4.

4. Monitor Third-Country Recognition Status

If you rely on non-EU providers, monitor the Commission's decisions under Article 18. A third country's eligibility for Union assurance level 3 is not permanent. If the Commission determines that a country's laws (e.g., regarding surveillance or sanctions) no longer meet the criteria, the recognition can be suspended or repealed, potentially forcing a costly migration.

5. Penalties and Compensation

Article 24 empowers Member States to impose effective, proportionate, and dissuasive penalties for infringements of the sovereignty framework. While specific fine amounts are left to national implementation, the criteria include the nature, gravity, and duration of the infringement. Recipients of cloud services also have the right to seek compensation for damages resulting from provider infringements.

Common misconceptions

Misconception 1: "If we comply with GDPR and the DPF, we are sovereign." Correction: No. As stated in Recital 50, the DPF addresses data transfers but not sovereignty concerns like operational autonomy or dependency. A provider can be GDPR-compliant but still fail Union assurance levels due to third-country control or personnel issues.

Misconception 2: "Schrems II is resolved by the DPF, so CADA is redundant." Correction: Schrems II was a data protection case focused on the legality of data transfers. CADA addresses structural dependency and strategic autonomy. The DPF does not prevent service disruption, sanctions enforcement, or access to data for purposes outside the DPF's scope. CADA's assurance levels are designed to mitigate these broader risks.

Misconception 3: "Only public sector bodies are affected." Correction: While Article 30 mandates specific assurance levels for public procurement, Article 31 allows private entities in high-criticality sectors (NIS2 Annex I) to conduct similar impact assessments. Furthermore, the market signal created by public procurement will likely drive private sector adoption of sovereign standards, especially for B2B contracts involving sensitive data.

Misconception 4: "Union assurance level 1 is the minimum for all public sector use." Correction: Article 30(2) mandates Union assurance level 1 as the minimum for activities not identified as contributing to public order preservation. However, Article 30(3) requires levels 2, 3, or 4 for activities that do contribute to public order preservation (e.g., defense, justice, critical infrastructure). The risk assessment under Article 29 determines which category applies.

Misconception 5: "L3 cybersecurity certification is 'high' assurance." Correction: Under Annex II, Level 3 requires a cybersecurity certificate of at least 'substantial' assurance. Only Level 4 requires a 'high' assurance certificate. This distinction is critical for providers aiming for the highest tiers of sovereignty.

This is general information about a draft EU regulation, not legal advice.