Summary

Under the proposed Cloud and AI Development Act (CADA), most public services would not need the highest cloud-sovereignty tier because the framework is deliberately proportionate and risk-based. Recital 52 states that the Union assurance levels "should provide for a proportionate framework" and that "most public services would not require the highest levels of assurance." A risk assessment (Article 29) decides where higher tiers are justified, keeping procurement cost-effective and avoiding unnecessary burden on routine administrative tasks.

Detail

The CADA proposal would create a "Union cloud computing sovereignty framework" defining four levels of assurance for cloud services. These Union assurance levels 1, 2, 3 and 4 are established by Article 16, with criteria set out in Annex II.

The four levels of assurance

The criteria escalate in strictness on data location, personnel, cybersecurity and freedom from third-country control:

  • Union assurance level 1. The provider must be established in the Union, with infrastructure, assets and customer data located and kept exclusively within the Union (unless the public sector body explicitly requires otherwise), and must comply with state-of-the-art cybersecurity standards. Demonstrated through a conformity self-assessment and an EU statement of conformity (Article 19).
  • Union assurance level 2. Requires independent third-party audit. Adds that infrastructure, assets and personnel are located in the Union, a European cybersecurity certificate of at least "substantial," and that data generated by using the service is not used to train or fine-tune any AI system operated by a third country.
  • Union assurance level 3. Adds that personnel are Union citizens (with national security clearance where appropriate for classified information) and that the provider and relevant subcontractors are not subject to third-country control — subject to a narrow derogation, under Article 18, for "associated third countries" recognised by the Commission.
  • Union assurance level 4. The highest tier: a European cybersecurity certificate of at least "high," Union-citizen personnel, exclusive Union location of sensitive data, and an unconditional prohibition on third-country control. Designed for the most sensitive data and critical functions.

Proportionality and Recital 52

A central principle is proportionality. Recital 52 gives the explicit rationale for not applying the top tiers universally:

"The Union assurance levels should provide for a proportionate framework to ensure that public order is preserved by maintaining control and agency by public-sector bodies. Most public services would not require the highest levels of assurance. In some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order. The risk assessment to be performed by Member States and Union entities ensures that the principles of proportionality and subsidiarity are complied with, by assessing the specific cases in which protection of public order requires the highest level of assurance."

The default, as proposed, is not maximum security for every workload but a posture matched to the specific risk. Applying level 4 criteria to a standard municipal website or a non-sensitive document system would be disproportionate, raising cost and narrowing the vendor pool without commensurate benefit.

The role of risk assessments

To determine the right level, Article 29 requires Member States and Union entities to conduct risk assessments identifying public-sector activities that contribute to the preservation of public order, particularly in the sectors covered by the NIS2 Directive (Directive (EU) 2022/2555), such as energy, transport and health, and in national security, internal security, border management, defence, justice or law enforcement.

Where an activity is not identified as contributing to public order, Article 30(2) provides that the entity shall use services recognised at Union assurance level 1 — a baseline of trust for general public services. Only where the risk assessment identifies a link to public order does the obligation escalate to Union assurance levels 2, 3 or 4 (Article 30(3)).

What this means for you

For public-sector procurement officers and IT decision-makers, this offers clarity and efficiency:

  1. Run the risk assessment. You are not expected to guess; perform the Article 29 assessment, documenting the sensitivity, criticality and magnitude of the data. If your service does not involve public-order functions, you likely do not need level 3 or 4.
  2. Default to level 1 for general services. For routine administrative tasks, internal communications and public-facing information that do not touch public order, procure at level 1. This widens your vendor pool and supports competitive pricing.
  3. Justify higher tiers. If you believe a workload needs level 3 or 4, the risk assessment must show why lower levels are insufficient — useful for audit trails and compliance checks.
  4. Cost efficiency. Avoiding unnecessary high-tier requirements lowers total cost of ownership, since higher levels involve audits, restricted vendor pools and compliance overhead.

Common misconceptions

  • "Sovereignty means every byte must be level 4." Incorrect. CADA rejects a one-size-fits-all approach; Recital 52 confirms most services do not need the highest assurance. Sovereignty is about control and agency proportionate to risk.
  • "Level 1 is insecure." Level 1 still requires Union establishment, data kept exclusively within the Union (unless otherwise required) and state-of-the-art cybersecurity. It is a robust baseline.
  • "I can choose any level I want." Procurement is not free choice. Article 30 sets mandatory minimums based on your risk assessment: you cannot pick level 1 where the assessment requires higher, and you need not buy level 4 where level 1 suffices.
  • "Third-country providers are completely banned." No. Article 18 lets the Commission recognise "associated third countries" so that providers under their control may be audited for Union assurance level 3, provided strict cumulative criteria (including a GDPR adequacy decision) are met. The framework targets criteria, not blanket origin-based exclusion.

This is general information about a draft EU regulation, not legal advice.