Summary
As proposed, the Cloud and AI Development Act (CADA) treats cloud dependence as a "strategic dependency" because reliance on a few non-EU providers exposes the Union to risks to operational autonomy, data control, and public order that standard cybersecurity measures cannot fully address. The proposal points to vulnerabilities from extraterritorial third-country laws and potential service disruption. CADA would respond with a sovereignty framework (Article 16) setting four assurance levels and requiring public-sector procurement to match the level to the risk.
Detail
CADA reframes reliance on non-European cloud providers as a matter of strategic security and economic resilience, not merely commercial imbalance. It argues that the concentration of the European cloud market in a few non-EU hyperscalers is a systemic risk to the Union's sovereignty.
What makes the dependency "strategic"
Two features define it: the difficulty of substitution, and the security-relevant nature of the services.
1. Difficulty of substitution and concentration risk. The explanatory memorandum records that three non-EU hyperscalers control over 70% of the European cloud market. Because cloud services are deeply embedded in the operations of businesses and public administrations, switching is technically complex, costly, and slow. If a dominant provider degraded service, changed terms, or withdrew, European entities would have limited alternatives for continuity.
2. Security-relevance and extraterritorial reach. Large incumbents are often subject to laws with extraterritorial effect, such as the US CLOUD Act, which can mandate data access or transfer in conflict with EU fundamental-rights and data-protection frameworks. The proposal frames this as going beyond privacy to encompass unauthorised access to sensitive information, technology leakage, and the risk of political or economic coercion.
Recital 46: critical strategic dependencies
The classification is set out in Recital 46, which states:
"The Union still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries. This exposes the Union to critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality and resilience of cloud computing services, reduced control and oversight over personal and non-personal data and infrastructure, and the risk of undue economic or political influence being exercised through the control by third countries or legal entities established in third-countries of cloud computing services."
The recital broadens risk beyond cybersecurity, linking cloud dependence to public order, economic security, and political autonomy. It concludes that retaining control over infrastructure, data, assets, and technology systems under Union and national jurisdiction "has become an imperative policy objective."
From dependency to sovereignty: Article 16
To mitigate these dependencies, CADA would introduce a Union cloud computing sovereignty framework in Title IV, anchored by Article 16, comprising four Union assurance levels (levels 1 to 4) with criteria in Annex II.
- Article 16(1) establishes the framework of four assurance levels, with criteria set out in Annex II.
- Article 16(2) empowers the Commission to adopt delegated acts amending the levels (Annex II) and the evidence (Annex III).
- Article 16(3) requires the Commission to review Annex II and Annex III at least every 18 months.
The framework is proportionate: not every public service needs the highest level. For activities contributing to the preservation of public order—national security, defence, justice, critical infrastructure—a risk assessment determines the appropriate level. The question moves from "is this service secure?" to "is it sovereign enough for this public function?"
Linking concentration and coercion risks
Recital 50 of the proposal identifies specific vulnerabilities that flow from this dependency:
- Misuse: manipulation, remote access and control, sabotage, weaponisation.
- Access to information: unauthorised communication, technology leakage, data manipulation or exfiltration, espionage.
- Dependency vulnerabilities: political or economic coercion—for example via vendor or technology lock-ins, embargoes, sanctions, or monopoly pricing damaging the financial interests of the Union and Member States.
By naming these as strategic dependencies, CADA treats cloud as critical infrastructure whose compromise can cascade across healthcare, energy, finance, and beyond.
What this means for you
For public-sector procurement officers, this classification changes how you procure. You can no longer evaluate providers on price, performance, and standard certifications alone—sovereignty becomes a core criterion.
1. Mandatory risk assessments. Under Article 29, Member States and Union entities would carry out risk assessments (within a year of entry into force and at least every two years thereafter) to identify which activities contribute to the preservation of public order, weighing data sensitivity, the risk of third-country access, and the risk of service disruption. The result determines the required assurance level (2, 3, or 4) under Article 30.
2. Minimum assurance level 1. Article 30(2) would require Union entities and public sector bodies whose activities are not identified as contributing to the preservation of public order to use services recognised at Union assurance level 1, establishing a baseline of trust across the public sector even for non-critical activities.
3. Procurement criteria. Article 32 ("Union added value") would require non-price award criteria in procurement of innovative cloud services and AI systems, letting you reward contributions to the European ecosystem—such as Union-designed or -manufactured software or hardware. These criteria are ancillary, not decisive.
4. Monitoring and SME uptake. Article 33 requires Member States to monitor and report on procurement of innovation and to pursue the objective that at least 25% of their cloud and AI procurement is awarded to innovative SMEs.
Common misconceptions
"CADA bans non-EU cloud providers." It does not; it creates a recognition framework. Non-EU providers can operate but must meet criteria for higher assurance levels. Article 18 allows the Commission to recognise a third country so that providers controlled from there may be audited against the level 3 criteria, subject to cumulative conditions (including a GDPR adequacy decision and the absence of coercive measures). For the highest level, the provider and its subcontractors must not be subject to third-country control at all (Annex II, Section 4.1(g)).
"Sovereignty is the same as cybersecurity." Related but distinct. Cybersecurity protects against technical threats; sovereignty also covers operational autonomy, jurisdiction, and resistance to coercion. A cybersecure service can still be non-sovereign if foreign law can compel access or disruption.
"All public activities need the highest level." No. Recital 52 states that "Most public services would not require the highest levels of assurance." The Article 29 risk assessment ensures proportionality and subsidiarity, reserving the highest levels for the most critical activities.
"This is only about data privacy." Data protection is one component. CADA, as proposed, addresses broader strategic risks—supply-chain resilience, economic coercion, and continuity of critical services.
This is general information about a draft EU regulation, not legal advice.