Summary

The proposed Cloud and AI Development Act (CADA) creates a four-tier Union cloud computing sovereignty framework to replace fragmented national standards with a harmonised EU-wide system. As established in Article 16, this framework allows public authorities to match the strictness of sovereignty controls (such as data localisation, personnel citizenship, and third-country control restrictions) to the actual sensitivity of their operations. This graduated approach ensures that critical national security and defence data receive maximum protection under Union assurance levels 3 and 4, while routine administrative tasks can use cost-effective services at levels 1 and 2, avoiding unnecessary burdens on low-risk activities.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a Union cloud computing sovereignty framework comprising four distinct assurance levels. Article 16(1) explicitly states that this framework consists of four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers must meet to be recognised as offering services to Union entities and public sector bodies.

The primary objective, as outlined in the proposal's explanatory memorandum and Article 1(1)(c), is to enable the availability of a "sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order." The framework addresses the risks associated with dependence on third-country providers, including extraterritorial data access laws, potential service disruption, and the loss of operational autonomy.

Why a Four-Tier Approach?

The four-tier structure is designed to be proportionate. Not all public sector activities pose the same risk to public order. A rigid, one-size-fits-all sovereignty requirement would either be too burdensome for low-risk administrative tasks or insufficiently protective for critical national security functions. The four tiers allow for a graduated assurance model that balances security with market efficiency.

  1. Union Assurance Level 1 (Baseline): Serves as the minimum standard for general public sector use. It requires the provider to be established in the Union and ensures that infrastructure and customer data remain within the Union unless the public sector body explicitly requires otherwise. It mandates compliance with state-of-the-art cybersecurity standards and full transparency regarding subcontractors.
  2. Union Assurance Level 2 (Enhanced): Introduces stricter controls for higher-sensitivity data. It requires that infrastructure, assets, and personnel involved in service provision are located in the Union. Crucially, it mandates that data generated by the service is not used to train AI systems operated by third countries and prevents third-country control from restricting the provider's ability to perform the service.
  3. Union Assurance Level 3 (High): Designed for highly sensitive activities. It requires that personnel involved in the service are Union citizens (at Level 2 this applies only if the public sector body requires it; at Level 3 it is mandatory). It generally prohibits the provider and its subcontractors from being subject to the control of a third country, though Article 18 provides a derogation mechanism for specific third countries with adequate safeguards. It requires a European cybersecurity certificate of at least 'substantial' assurance.
  4. Union Assurance Level 4 (Maximum): The highest level of assurance, reserved for the most critical public order activities. It imposes the strictest requirements, including that personnel must be Union citizens with necessary national security clearances when handling classified information. It requires a European cybersecurity certificate of at least 'high' assurance and generally prohibits third-country control entirely, with no derogations for associated third countries.

Graduated Assurance for Different Sensitivity Needs

The framework acknowledges that public order encompasses a wide range of activities, from routine administrative data processing to critical defence and justice operations. Article 29 of CADA obliges Member States and Union entities to conduct risk assessments to determine which Union assurance level is appropriate for their specific activities.

  • Low Sensitivity: For activities not identified as contributing to the preservation of public order, Article 30(2) mandates the use of services recognised as having Union assurance level 1. This ensures a consistent baseline of trust without imposing the heavy costs associated with higher tiers.
  • High Sensitivity: For activities identified as contributing to the preservation of public order in sectors such as national security, defence, justice, or critical infrastructure (as listed in Annex I or II of the NIS2 Directive), Article 30(3) requires the procurement of services recognised as having Union assurance levels 2, 3, or 4. The specific level is determined by the risk assessment, ensuring that the most critical data receives the highest level of protection against third-country interference.

Reference to Annex II Criteria

The specific requirements for each tier are detailed in Annex II of the proposal. These criteria are cumulative, meaning a provider seeking Level 3 must meet all criteria for Levels 1 and 2 as well. Key differentiators include:

  • Data Localisation: Level 1 requires data to remain in the Union unless the public sector body explicitly requires otherwise, whereas Levels 2–4 strictly prohibit the transfer of data generated by the service outside the Union for any purpose, including AI training.
  • Personnel Requirements: Level 1 does not mandate Union citizenship for personnel. Level 2 allows for additional screening if determined necessary by the public sector body. Levels 3 and 4 mandate that all personnel involved in the provision of the service are Union citizens. Level 4 further requires national security clearances for handling classified information.
  • Third-Country Control: Level 1 allows providers subject to third-country control if they guarantee no laws require reporting vulnerabilities to third-country authorities before exploitation. Levels 2 and 3 require measures to prevent third-country control from restricting service performance or accessing data. Level 4 generally prohibits third-country control entirely, with no derogations for associated third countries.
  • Cybersecurity Certification: Level 1 requires compliance with state-of-the-art cybersecurity standards. Level 2 and Level 3 require a European cybersecurity certificate of at least 'substantial' assurance under a scheme established under Regulation (EU) 2019/881. Level 4 requires a 'high' assurance certificate.

This structured approach ensures that sovereignty is not just a binary concept but a scalable attribute that can be aligned with the specific risk profile of each public sector procurement.

What this means for you

For public-sector procurement officers and compliance teams, the four-tier framework simplifies decision-making by providing clear, harmonised criteria for selecting cloud services. Instead of navigating disparate national sovereignty standards, you can rely on the Union assurance levels to guide your procurement strategy.

  1. Conduct Risk Assessments: You must carry out risk assessments as required by Article 29 to identify which of your activities contribute to the preservation of public order. This assessment will determine whether you need Level 1, 2, 3, or 4 assurance.
  2. Procure Accordingly: Based on your risk assessment, you must procure cloud services that have been recognised under Article 17 as offering the appropriate Union assurance level. For non-critical activities, Level 1 is sufficient. For critical activities, you must procure from providers recognised at Levels 2, 3, or 4.
  3. Check the Central Repository: The Commission will establish and maintain a central repository of recognised cloud computing services under Article 22. You can use this repository to identify providers that have been formally recognised at the assurance level required for your specific use case.
  4. Consider Multi-Cloud Strategies: Article 29(9) encourages you to consider whether a multi-vendor or multi-cloud strategy is appropriate to enhance resilience and limit dependency on a single provider. This is particularly relevant for high-assurance levels where switching costs and continuity are critical.

By aligning your procurement with these tiers, you ensure compliance with CADA while optimising costs and security. You avoid over-specifying sovereignty requirements for low-risk tasks, which can limit competition and increase prices, while ensuring that your most sensitive data is protected by the highest standards.

Common misconceptions

  • Misconception: All public sector cloud services must be Level 4.
    • Reality: Only activities identified as contributing to the preservation of public order in critical sectors (e.g., national security, defence) require Levels 2, 3, or 4. Most standard administrative activities only require Level 1, which is less restrictive and more cost-effective.
  • Misconception: Sovereignty levels are the same as cybersecurity certifications.
    • Reality: While cybersecurity is a component of each level, sovereignty encompasses broader risks, including data localisation, personnel citizenship, and freedom from third-country legal control. A service can be highly secure but not sovereign if it is controlled by a third-country entity with extraterritorial data access laws.
  • Misconception: Providers can choose which criteria to meet.
    • Reality: The criteria in Annex II are cumulative. A provider seeking Level 3 must meet all criteria for Levels 1 and 2. There is no picking and choosing of individual criteria within a tier.
  • Misconception: Third-country providers can never offer Level 3 or 4.
    • Reality: While Levels 3 and 4 generally prohibit third-country control, Article 18 provides a mechanism for the Commission to recognise certain third countries as providing sufficient assurances for Level 3. However, Level 4 remains strictly reserved for providers not subject to third-country control.

This is general information about a draft EU regulation, not legal advice.