Summary
Under the proposed Cloud and AI Development Act (CADA), a certificate issued under the Cybersecurity Act (CSA) attests to technical security but cannot prove cloud sovereignty. CADA's explanatory memorandum states that the CSA "is not suited for addressing sovereignty concerns that go beyond these technical elements." While the CSA certifies resilience against cyber threats, CADA's four "Union assurance levels" assess non-technical risks: exposure to third-country law, third-country control, and operational autonomy. A provider can hold a top-tier cybersecurity certificate yet fail CADA's sovereignty criteria if it is subject to third-country control or the personnel involved in the service are not Union citizens. Public procurement must therefore verify CADA recognition at the required assurance level, not just cybersecurity certification.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a distinct regulatory framework to address the EU's strategic dependence on third-country cloud providers. A critical feature of this proposal is the clear separation between technical cybersecurity and cloud sovereignty. While existing instruments like the Cybersecurity Act (CSA) and the forthcoming European Cybersecurity Certification Scheme for Cloud Services (EUCS) are vital for technical robustness, CADA clarifies that they are insufficient to guarantee the Union's strategic autonomy.
The Fundamental Distinction: Technical Security vs. Sovereignty
The explanatory memorandum accompanying the CADA proposal draws a sharp line between these two concepts. It notes that while the CSA "addresses supply chain risks" and focuses on "technical cybersecurity," it "is not suited for addressing sovereignty concerns that go beyond these technical elements."
Cybersecurity certification verifies that a service is technically secure: it is resilient against attacks, encrypts data, and has robust incident-response mechanisms. It does not evaluate whether a foreign government can legally compel the provider to disclose data, disrupt the service, or comply with extraterritorial sanctions.
CADA addresses these "non-technical risks." The proposal highlights that dependence on third-country providers exposes the Union to risks of "operational discontinuity" and the "extraterritorial effects of legislation adopted by third countries." These include scenarios where a foreign government mandates data access or threatens to cut off service due to political disputes. These are legal and geopolitical risks that a technical audit cannot measure. Consequently, CADA creates a separate, harmonised sovereignty framework to fill this gap.
The Four Union Assurance Levels: Beyond the Certificate
CADA Article 16 establishes the "Union cloud computing sovereignty framework," which defines four "Union assurance levels" (Levels 1 to 4). To be recognised at any of these levels, a provider must meet cumulative criteria detailed in Annex II. These criteria extend far beyond the scope of a cybersecurity certificate:
- Union Assurance Level 1 (Baseline): Requires the provider to be established in the Union and its infrastructure and assets to be located within the Union. Crucially, it mandates that customer data remains exclusively within the Union. It also addresses third-country control by requiring a guarantee that no law of a controlling third country forces the provider to report software vulnerabilities to foreign authorities before they are known to be exploited.
- Union Assurance Levels 2, 3, and 4 (Higher Tiers): These levels introduce stricter, non-technical requirements:
  - Personnel: For Levels 3 and 4, personnel involved in the service must be Union citizens. For Level 2, this is conditional: it applies only "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary."
  - Third-Country Control: Levels 3 and 4 generally prohibit the provider from being subject to the control of a third country or a legal entity established in a third country. A limited derogation exists for Level 3 if the Commission adopts an implementing act under Article 18 (not Article 19, as sometimes mis-cited) confirming that the third country provides sufficient safeguards.
  - Operational Autonomy: Providers must demonstrate that third-country control does not restrict their ability to deliver services, limit their infrastructure, or oblige them to comply with restrictive measures such as embargoes.
  - Data Usage: Data generated by the service must not be used to train or fine-tune AI systems operated by third countries.
The Role of Cybersecurity Certification in CADA
CADA does not discard cybersecurity; it integrates it as a component of the higher sovereignty tiers. For Union Assurance Levels 2, 3, and 4, providers must obtain a European cybersecurity certificate of at least assurance level "substantial" (for Levels 2 and 3) or "high" (for Level 4) under a scheme established under the Cybersecurity Act (Regulation (EU) 2019/881).
However, this certification is only one of several cumulative criteria. A provider holding a "high" assurance EUCS certificate could still fail CADA recognition if:
- It is under third-country control, and with it exposed to law that can compel data disclosure.
- Personnel involved in the service are not Union citizens (Levels 3 and 4; Level 2 only where the public sector body requires it).
- Data generated by the service is used to train or fine-tune AI systems operated by third countries.
Conversely, a provider might meet every sovereignty criterion on location and control but fail to obtain the required cybersecurity certificate, which blocks recognition at Levels 2 to 4. CADA therefore treats cybersecurity certification as a necessary condition for those levels, but never as a sufficient one for sovereignty.
Why Certification Alone Is Insufficient
The core reason a Cybersecurity Act certificate cannot prove cloud sovereignty is the scope of the risks each instrument addresses.
- Cybersecurity Certification evaluates technical controls: encryption, access management, and system resilience. It assumes the provider is legally bound to protect data but does not test whether that legal bond can be overridden by foreign law.
- CADA Sovereignty evaluates legal and operational autonomy. It explicitly assesses whether a provider is subject to foreign laws that could force data disclosure, service disruption, or compliance with sanctions.
For example, Annex II criteria for Levels 2–4 require providers to prove that third-country control does not "restrain or restrict the provider's ability to perform and deliver the service" or "obliges the audited provider to implement... restrictive measures such as sanction regimes." These are legal questions regarding corporate governance and jurisdiction that fall entirely outside the scope of a technical cybersecurity audit.
What this means for you
For public-sector procurement officers, IT directors, and compliance teams, the distinction between cybersecurity certification and CADA sovereignty compliance has immediate practical implications:
- Do Not Equate EUCS with Sovereignty: When evaluating cloud providers, never assume that a service certified under the European Cybersecurity Certification Scheme for Cloud Services (EUCS) automatically meets CADA's sovereignty requirements. Verify that the provider has been formally recognised under CADA's Union assurance framework by a national competent authority, at the level your activity requires.
- Conduct Mandatory Risk Assessments: Under Article 29, Member States and Union entities must carry out risk assessments to determine which Union assurance level (1, 2, 3, or 4) is appropriate for their specific activities. This assessment considers data sensitivity, criticality, and the impact on public order. Your procurement requirements must align strictly with the assurance level determined by this assessment.
- Check the Central Repository: Recognition under CADA is recorded in a central repository maintained by the Commission. When issuing tenders, require proof of recognition at the assurance level your risk assessment determined, not merely recognition at some level. A cybersecurity certificate is only one piece of evidence considered during the recognition audit; it is not proof of sovereignty.
- Scrutinise Ownership and Control: Pay close attention to the corporate structure of cloud providers. CADA's higher assurance levels (particularly 3 and 4) strictly limit or prohibit third-country control. Establishment in the Union (a Level 1 criterion) and absence of third-country control (a Level 3 and 4 criterion) are separate tests: a Union-established subsidiary controlled by a third-country parent passes the first but not the second. Even if a provider has robust technical security, its legal exposure to foreign laws (e.g., the US CLOUD Act) may disqualify it from the higher sovereignty tiers.
- Plan for Migration: If your current provider holds a cybersecurity certificate but lacks CADA sovereignty recognition, you may need to migrate services. CADA allows for a reasonable transition period (up to 12 months) for migration, but planning must begin early to ensure continuity of service for public-order-relevant activities.
Common misconceptions
"If a cloud provider has a high-level EUCS certificate, it is sovereign under CADA."
- Reality: EUCS certifies technical cybersecurity, not sovereignty. CADA requires additional criteria related to data localisation, personnel citizenship, and the absence of third-country control that EUCS does not cover. A provider can be technically secure but legally vulnerable.
"GDPR compliance ensures cloud sovereignty."
- Reality: GDPR protects personal data rights and regulates transfers, but it does not address operational autonomy, service continuity, or the risk of foreign government access to data under laws like the US CLOUD Act. CADA's sovereignty framework addresses these broader strategic risks.
"Only the highest assurance level is needed for secure cloud services."
- Reality: CADA's framework is proportionate. Most public services only require Union Assurance Level 1. Higher levels (2, 3, 4) are reserved for activities identified as contributing to the preservation of public order, such as national security, defence, justice, or law enforcement.
"Cybersecurity certification is optional under CADA."
- Reality: For Union Assurance Levels 2, 3, and 4, a European cybersecurity certificate is a mandatory requirement. However, it is a necessary condition, not a sufficient one, for sovereignty recognition.
Official sources
- Proposal for a Cloud and AI Development Act (CADA), COM(2026) 502 final
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
Related
- CADA vs the EU Cybersecurity Act: How the Sovereignty Layer Works
- Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?
- CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
- EUCS vs CADA: Does cybersecurity certification guarantee sovereignty tiers?
- CADA vs CSA2: How the Cybersecurity Act 2.0 revision complements the Cloud and AI Development Act
This is general information about a draft EU regulation, not legal advice.