TL;DR

The GDPR protects personal data privacy but does not establish a framework for cloud sovereignty, which requires control over infrastructure, personnel, and operational autonomy against third-country jurisdictional reach. As the proposed Cloud and AI Development Act (CADA) recognises, the EU currently lacks a cross-cutting regulatory framework defining what makes a cloud computing service "trusted" against risks like extraterritorial data access or service disruption. CADA would fill this gap by introducing four Union assurance levels, mandatory risk assessments for public sector activities, and procurement obligations designed to protect operational autonomy and public order. CADA is a proposal and is not yet in force.

Detail

The limitation of existing data protection law

While the General Data Protection Regulation (GDPR) provides robust safeguards for the processing of personal data, it does not address the broader strategic and operational dimensions of cloud sovereignty. The CADA proposal explicitly identifies this legislative gap. Recital 47 of the proposal states: "Existing Union law addresses cybersecurity, data protection, interoperability and data portability requirements which cloud computing services are subject to. However, there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks."

The GDPR focuses on the rights of data subjects and the obligations of controllers and processors regarding privacy. It does not mandate where infrastructure must be physically located, who must own the hardware, or whether the provider is subject to foreign laws that could compel data access or service disruption. Consequently, a cloud provider can be fully GDPR-compliant while still being exposed to extraterritorial legal demands from third countries, such as those enabled by the US CLOUD Act. This creates a sovereignty gap: data may be legally protected from misuse, but it is not necessarily protected from access by foreign governments or from operational discontinuity due to geopolitical pressures.

CADA's sovereignty framework: Union assurance levels

CADA would address this by establishing a "Union cloud computing sovereignty framework" comprising four Union assurance levels (Article 16), with the criteria set out in Annex II. These cumulative criteria are what providers would have to meet to be recognised as offering services to Union entities and public sector bodies at a given level. As proposed, they go well beyond data protection and include:

  • Union establishment and location: For the higher levels, the provider and subcontractors must be established in the Union, and infrastructure, assets, and personnel must be located within the Union (Annex II).
  • Data localisation: Customer data, including metadata and telemetry, must remain within the Union unless explicitly required otherwise by the public sector body (Annex II).
  • Absence of third-country control: For higher assurance levels, the provider and its subcontractors must not be subject to the control of a third country or of a legal entity established in a third country (Annex II). By way of exception, Article 18 lets the Commission identify "associated third countries" whose providers may be audited against Union assurance level 3, where that country meets cumulative criteria (including a GDPR adequacy decision and the absence of laws compelling data access or service disruption).
  • Personnel requirements: Higher levels require that personnel involved in service provision be Union citizens, with security clearances where classified information is handled (Annex II).
  • Software supply chain transparency: Providers must demonstrate control over their software supply chain and implement measures to prevent remote tampering (Annex II).

Risk assessments and public procurement obligations

To operationalise this framework, CADA would impose specific obligations on Member States and Union entities. Under Article 29, Member States and Union entities would carry out risk assessments to identify public sector activities that contribute to the preservation of public order, particularly in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in areas such as national security, internal security, external border management, defence, justice, and law enforcement. The assessment also determines which Union assurance level (2, 3, or 4) is appropriate.

Based on these risk assessments, Article 30 would set procurement rules:

  • Union assurance level 1: Union entities and public sector bodies whose activities have not been identified as contributing to public order must use cloud computing services recognised under Article 17 as having Union assurance level 1.
  • Union assurance levels 2, 3, or 4: Contracting authorities whose activities have been identified as contributing to public order (in the sectors and areas above) must only procure services recognised as having Union assurance level 2, 3, or 4. Article 30(4) allows narrow, duly justified exceptions where no recognised service can meet the need or the cost would be disproportionate.

Recognition and auditing

Recognition would be managed by national competent authorities of establishment (Article 17). Level 1 relies on a conformity self-assessment and an EU statement of conformity (Article 19). Levels 2, 3, and 4 require independent third-party audits (Article 20) to verify compliance with the criteria in Annex II. The Commission would maintain a central repository of recognised services (Article 22), giving public sector buyers transparency.

Why GDPR alone is insufficient

The GDPR's primary mechanisms for cross-border data transfer are adequacy decisions and appropriate safeguards (for example, Standard Contractual Clauses). However, these mechanisms do not prevent a cloud provider from being compelled by its home country's laws to provide access to data stored in the EU, nor do they guarantee that the provider can resist such demands without facing penalties in its home jurisdiction. CADA's sovereignty framework, as proposed, directly targets these non-technical risks by requiring legal, technical, and organisational measures so that third-country control cannot be exercised in a way that restricts service delivery or grants access to customer data (Annex II).

What this means for you

For in-house counsel and compliance officers:

  • Track the risk-assessment timeline: As proposed, Member States and Union entities must carry out risk assessments under Article 29 within one year of the Regulation's entry into force, and thereafter every two years. You would need to identify which of your public sector activities contribute to public order, which then dictates your procurement requirements.
  • Review procurement contracts: If your authority handles public-order-relevant activities, you would only be able to procure cloud services with Union assurance level 2, 3, or 4 (Article 30(3)). Ensure tender documents reflect this and that you verify the provider's recognition status in the Commission's central repository (Article 22).
  • Prepare for audit requirements: Providers aiming to serve the public sector at levels 2–4 must prepare for independent third-party audits (Article 20), demonstrating control over their supply chain, personnel arrangements, and infrastructure location.
  • Monitor third-country controls: If your provider is subject to third-country control, level 3 eligibility would depend on the Commission having identified that country as an "associated third country" under Article 18. Otherwise, that provider could not be used for public-order activities at levels 3 or 4.
  • Penalties and liability: As proposed, Member States must lay down penalties for infringements of the sovereignty chapter by providers (Article 24), and recipients of services would have the right to seek compensation for damage caused by a provider's non-compliance (Article 24(3)).

Common misconceptions

  • Misconception: GDPR compliance equals cloud sovereignty.
    • Reality: The GDPR ensures data privacy but does not prevent foreign government access to data or service disruption due to geopolitical factors. CADA would address these operational and jurisdictional risks.
  • Misconception: CADA replaces cybersecurity certifications.
    • Reality: CADA would complement cybersecurity certification. Cybersecurity certification under the higher assurance levels (a European cybersecurity certificate of at least the relevant assurance level) is one component, but sovereignty also covers legal and operational autonomy, which cybersecurity certification alone does not guarantee.
  • Misconception: Only public sector bodies are affected.
    • Reality: The mandatory procurement rules apply to public sector bodies, but the framework would create a market standard. Private sector essential and important entities under NIS2 may carry out similar assessments (Article 31), and the availability of recognised services would shape the broader market.

This is general information about a draft EU regulation, not legal advice.