Summary The proposed Cloud and AI Development Act (CADA) introduces "secure and verifiable compute" as a critical technical enabler for deploying AI in sensitive sectors where data sovereignty and operational autonomy are non-negotiable. As proposed in COM(2026) 502 final, this approach addresses the gap where standard data protection fails to prevent extraterritorial access or service disruption by third-country actors. Recital 19 explicitly calls for these approaches to enable AI use in sensitive contexts, particularly for industrial data pooling and defence applications. For public sector bodies and providers, this technical requirement is inextricably linked to the highest tiers of the Union cloud computing sovereignty framework: Union Assurance Levels 3 and 4. As proposed, achieving these levels would require infrastructure capable of cryptographically verifying data isolation and preventing unauthorised manipulation, ensuring that sensitive defence intelligence and industrial secrets remain protected even when processed on shared cloud infrastructure.
Detail
The Cloud and AI Development Act (CADA), as proposed by the European Commission in COM(2026) 502 final, marks a strategic evolution from traditional data protection towards comprehensive technological sovereignty. While existing frameworks like the GDPR and the AI Act address data privacy and system safety respectively, CADA targets the underlying infrastructure and the risk of third-country control. A central pillar of this proposal is the establishment of a "Union cloud computing sovereignty framework" comprising four distinct assurance levels. This framework is designed to mitigate "critical strategic dependencies" and "concentration risks" arising from the EU's reliance on a limited number of non-EU hyperscalers, whose operations may be subject to laws with extraterritorial effects, such as the US CLOUD Act.
The Mandate for Secure and Verifiable Compute
CADA explicitly recognises that legal safeguards and data localisation alone are insufficient to guarantee sovereignty in an era of sophisticated cyber threats and geopolitical leverage. The proposal emphasises the need for technical architectures that can independently verify the integrity and isolation of computing processes.
Recital 19 of the CADA proposal specifically addresses the industrial sector, stating: "Secure and verifiable compute approaches should be explored to enable the use of AI in sensitive contexts." This provision is a direct response to the challenge of enabling collaboration without compromising intellectual property. In the manufacturing sector, for instance, the proposal notes that the Commission should "facilitate data pooling across industrial sectors through trusted third parties to train specialised AI models, ensuring a sufficient volume of training data, while strictly preserving intellectual property rights."
Secure and verifiable compute is typically realised through confidential computing and secure enclaves (hardware-isolated, memory-encrypted execution environments whose loaded code can be remotely attested) or through homomorphic encryption (computation carried out directly on ciphertext). In either case the infrastructure operator's administrators and hypervisor cannot read the plaintext data or the resulting model weights, and a relying party can check cryptographic evidence of what code is running before handing data over. Two caveats belong in any sovereignty assessment: attestation moves the trust anchor from the cloud operator to the hardware vendor whose keys sign the evidence, so that vendor's jurisdiction becomes a dependency in its own right, and an attested workload still has to be reviewed, since a buggy enclave can leak what it processes. This capability is essential for the "Cooperative European Industrial Models" grand challenge outlined in Annex I, which focuses on "advanced confidentiality-preserving technologies" such as federated learning and secure execution environments. By enabling data pooling without exposing raw data, these approaches would allow European industries to compete globally while maintaining strict control over their proprietary information.
Application in Defence and High-Criticality Sectors
The imperative for secure and verifiable compute is most acute in the defence and national security sectors. The proposal's explanatory memorandum and recitals highlight that "highly critical use cases in the public sector should be operated using sovereign cloud and AI computing services" to ensure data confidentiality and operational autonomy.
Recital 20 explicitly states: "The Union should also foster the availability of highly secured computing infrastructures for the training, testing and deployment of defence-related AI models and systems." This requirement goes beyond standard cybersecurity measures; it demands infrastructure that is legally and technically insulated from third-country control. In the context of defence, where the risk of espionage, sabotage, or service disruption by foreign actors is a primary concern, the ability to verify that data has not been accessed or manipulated is paramount.
The proposal links these technical requirements directly to the highest Union assurance levels. Specifically, Union Assurance Level 4 is designed for activities involving classified information or those of particular systemic importance to public order. As proposed, achieving Level 4 would necessitate not only that the provider is not subject to third-country control but also that the infrastructure itself provides verifiable guarantees of data isolation and integrity.
The Link to Union Assurance Levels
The CADA proposal ties the use of secure and verifiable compute directly to its four-tier assurance framework, as detailed in Annex II. The criteria for each level escalate in strictness, with the highest levels requiring the most robust technical safeguards.
- Union Assurance Level 1: This baseline level requires providers to be established in the Union, with infrastructure and data remaining within the Union unless explicitly required otherwise. It focuses on basic establishment and data localisation but does not mandate the advanced technical controls associated with secure compute.
- Union Assurance Level 2: This level introduces stricter requirements, including the need for a European cybersecurity certificate of at least "substantial" assurance (Annex II, 2.1(e)). It mandates that data generated by the service is not used to train AI systems operated by third countries. Crucially, it requires that if the provider is subject to third-country control, specific legal and technical measures must be implemented to prevent access to customer data and disruption of service. While it allows for some third-country control under strict conditions, it does not yet mandate the "high" assurance cybersecurity certification or the complete exclusion of third-country control found in higher levels.
- Union Assurance Level 3: This level further restricts third-country control. Personnel involved in the service must be Union citizens (Annex II, 3.1(d)), and subcontractors must also be established in the Union. It allows for the hosting of EU classified information. A key feature of Level 3 is the possibility of a derogation for providers subject to third-country control, but only if the Commission has adopted an implementing act under Article 18 identifying the third country as providing sufficient assurances. Even then, the provider must demonstrate that third-country control cannot be exercised in a manner that restricts service delivery or compromises data.
- Union Assurance Level 4: The highest level, intended for the most sensitive public sector activities, including defence, national security, and critical infrastructure. As proposed, Level 4 requires that the provider and subcontractors are not subject to the control of a third country or of a legal entity established in a third country (Annex II, 4.1(g)). It mandates a European cybersecurity certificate of at least "high" assurance (Annex II, 4.1(e)). This level is designed for scenarios where any risk of foreign interference or data leakage is unacceptable. In practice, a technical architecture meeting the Level 4 audit criteria on data isolation, source code auditability, and the prevention of remote tampering would be expected to rely on secure and verifiable compute methods.
The proposal requires Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate for their specific activities (Article 29). For activities contributing to the preservation of public order in sectors such as defence, justice, or critical infrastructure, the risk assessment would likely necessitate Union Assurance Levels 3 or 4. Consequently, the technical architectures supporting these services must incorporate secure and verifiable compute methods to satisfy the audit criteria.
Industrial Data Pooling and Manufacturing
Beyond defence, CADA addresses the needs of strategic industrial sectors through the lens of secure compute. Recital 19's manufacturing provision, quoted above, directs the Commission to facilitate data pooling across industrial sectors through trusted third parties to train specialised AI models, ensuring a sufficient volume of training data while strictly preserving intellectual property rights.
Secure and verifiable compute is the technical enabler for this vision. Manufacturers can contribute to a shared training run without handing raw production data to the other participants or to the operator of the pooling platform: the data is decrypted only inside an attested execution environment, or, with federated learning, never leaves the owner's site and only model updates are exchanged. This is the approach behind the "Cooperative European Industrial Models" grand challenge in Annex I noted above. By leveraging these technologies, European industries could pool data to train more robust AI models while keeping control over their intellectual property, supporting the Union's industrial competitiveness.
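The "verifiable" half of secure and verifiable compute, as described in the Mandate section and in the data-pooling passage above, comes down to remote attestation: before a data owner or trusted third party releases a dataset key to a compute environment, it checks signed evidence of what that environment is running, and refuses if the evidence is unsigned, replayed, from a debug-mode launch, or from a build it has not approved. The Go program below is an added illustration written for this page; it is not code from the Commission proposal or from any TEE vendor. The report layout, the ed25519 attestation key, the image strings and the data key are constructed assumptions standing in for vendor-specific formats such as SGX quotes or SEV-SNP reports.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Evidence is a constructed, simplified attestation report. Real TEEs emit
// vendor-specific structures with many more fields; this shape is an
// illustrative assumption, not any vendor's format.
type Evidence struct {
	Measurement [32]byte // hash of the code and configuration loaded into the isolated environment
	Nonce       [16]byte // relying party's fresh challenge; binds the report to this session
	Debug       bool     // launched with debug/inspection enabled (plaintext would be observable)
	Signature   []byte   // ed25519 signature over the fields above by the attestation key
}

// payload is the byte string that is signed by the attester and checked by the verifier.
func (e Evidence) payload() []byte {
	var b bytes.Buffer
	b.Write(e.Measurement[:])
	b.Write(e.Nonce[:])
	if e.Debug {
		b.WriteByte(1)
	} else {
		b.WriteByte(0)
	}
	return b.Bytes()
}

// Attest models the hardware/firmware side: it signs a report with the attestation key.
func Attest(attKey ed25519.PrivateKey, measurement [32]byte, nonce [16]byte, debug bool) Evidence {
	ev := Evidence{Measurement: measurement, Nonce: nonce, Debug: debug}
	ev.Signature = ed25519.Sign(attKey, ev.payload())
	return ev
}

// Verifier is the relying party, e.g. the trusted third party holding pooled data.
type Verifier struct {
	root    ed25519.PublicKey   // trusted attestation root; trust ultimately rests on whoever controls it
	allowed map[[32]byte][]byte // approved measurement -> data key it may receive
	pending map[[16]byte]bool   // challenges issued and not yet consumed
}

func NewVerifier(root ed25519.PublicKey) *Verifier {
	return &Verifier{root: root, allowed: map[[32]byte][]byte{}, pending: map[[16]byte]bool{}}
}

// Approve registers a reviewed, reproducible build measurement and the key it unlocks.
func (v *Verifier) Approve(measurement [32]byte, dataKey []byte) { v.allowed[measurement] = dataKey }

// Challenge issues a single-use nonce; it is recorded so replayed reports are rejected.
func (v *Verifier) Challenge() ([16]byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	v.pending[n] = true
	return n, nil
}

var (
	ErrSignature   = errors.New("attestation signature invalid")
	ErrReplay      = errors.New("nonce unknown or already used")
	ErrDebug       = errors.New("environment launched in debug mode")
	ErrMeasurement = errors.New("measurement not on the approved list")
)

// ReleaseKey runs the checks in order and returns the data key only if all pass.
// A valid signature consumes the nonce even if a later check fails, so a
// captured report cannot be retried against the same challenge.
func (v *Verifier) ReleaseKey(ev Evidence) ([]byte, error) {
	if !ed25519.Verify(v.root, ev.payload(), ev.Signature) {
		return nil, ErrSignature
	}
	if !v.pending[ev.Nonce] {
		return nil, ErrReplay
	}
	delete(v.pending, ev.Nonce)
	if ev.Debug {
		return nil, ErrDebug
	}
	key, ok := v.allowed[ev.Measurement]
	if !ok {
		return nil, ErrMeasurement
	}
	return key, nil
}

// MeasureImage stands in for the launch measurement a TEE computes over its initial state.
func MeasureImage(image []byte) [32]byte { return sha256.Sum256(image) }

func main() {
	root, attKey, _ := ed25519.GenerateKey(rand.Reader) // constructed attestation root
	v := NewVerifier(root)
	good := MeasureImage([]byte("constructed: reviewed training-job image v1"))
	v.Approve(good, []byte("constructed-dataset-key"))

	nonce, _ := v.Challenge()
	if key, err := v.ReleaseKey(Attest(attKey, good, nonce, false)); err == nil {
		fmt.Printf("key released to approved environment: %q\n", key)
	}
	// Replaying the same report fails even though its signature is still valid.
	if _, err := v.ReleaseKey(Attest(attKey, good, nonce, false)); err != nil {
		fmt.Println("replay rejected:", err)
	}
	nonce, _ = v.Challenge()
	bad := MeasureImage([]byte("constructed: unreviewed image"))
	if _, err := v.ReleaseKey(Attest(attKey, bad, nonce, false)); err != nil {
		fmt.Println("unknown measurement rejected:", err)
	}
}
```

The order of checks matters: the signature is verified before anything else so that unsigned junk cannot burn an outstanding nonce, and the nonce is consumed before the policy checks so that a once-valid report cannot be replayed. The approved-measurement list is where the Annex II auditability criteria and the Annex III SBOM requirement become concrete: a measurement is only worth approving if the build behind it is reproducible from reviewed source with a known dependency set, because the verifier is trusting a hash, not reading the code.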
Technical and Legal Safeguards
The proposal's sovereignty framework is not merely a set of guidelines but a legally binding requirement for public procurement. Article 30 stipulates that contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognised as having Union Assurance Levels 2, 3, or 4. This creates a strong market signal for providers to invest in secure compute technologies that can meet these audit standards.
The audit process for Levels 2, 3, and 4 is conducted by independent third-party auditing organisations (Article 20). These audits examine the provider's infrastructure, software supply chain, and operational controls. For secure and verifiable compute, auditors would look for evidence that the provider has implemented measures to block remote features that could tamper with devices, ensures source code auditability, and maintains effective legal and technical separation between the Union entity and any third-country subsidiaries (Annex II, Sections 2.1(i) and 3.1(i)). The audit evidence requirements in Annex III further call for a "complete and up-to-date software bill of materials (SBOM)" and evidence of a "risk-based process for identifying and mitigating dependencies on external software manufacturers."
What this means for you
For CTOs, architects, and SMEs operating in or supplying to sensitive sectors, the CADA proposal introduces significant technical and compliance implications:
- Infrastructure Re-evaluation: If you provide cloud or AI services to public sector bodies in defence, healthcare, or critical infrastructure, you must assess whether your current architecture meets the criteria for Union Assurance Levels 2, 3, or 4. This may require migrating workloads to EU-based infrastructure with strict data localisation policies and implementing confidential computing technologies to ensure data remains verifiable and isolated.
- Audit Readiness: Providers aiming for Assurance Levels 2-4 must undergo independent third-party audits. You should begin documenting your software supply chain, including Software Bills of Materials (SBOMs), and preparing evidence of technical controls that prevent third-country access or service disruption. This includes demonstrating that your personnel and subcontractors are located in the Union and that your code does not contain remote tampering mechanisms.
- Opportunities for Secure Compute Vendors: SMEs specialising in confidential computing, federated learning, and secure enclaves will find a growing market. Public sector bodies will need these technologies to comply with CADA's requirements for data pooling and sensitive AI training without compromising sovereignty.
- Procurement Strategy: Public sector CTOs should start conducting risk assessments of their AI use cases as required by Article 29. Identify which activities involve sensitive data or contribute to public order. For these, plan procurement strategies that prioritise providers with Union Assurance Level certifications. Consider multi-cloud strategies to avoid vendor lock-in and enhance resilience, as encouraged by the proposal.
- Data Pooling Initiatives: For industrial companies, explore secure and verifiable compute solutions to enable collaborative AI training with partners. This allows you to leverage larger datasets for better AI models while maintaining strict control over your intellectual property, aligning with CADA's goals for industrial competitiveness.
Common misconceptions
"CADA bans all third-country cloud providers." No. As proposed, CADA does not ban non-EU providers outright. However, it creates a tiered system where access to sensitive public sector workloads (Assurance Levels 2-4) is heavily restricted. Providers subject to third-country control can only qualify for Level 3 if the Commission has adopted a specific implementing act under Article 18 identifying that third country as providing sufficient assurances, and even then the provider must show that the control cannot be exercised to restrict service delivery or compromise data. For Level 4, providers must not be subject to third-country control at all.
"Data localisation is enough for sovereignty." No. CADA explicitly moves beyond data localisation. While Levels 1-3 require data to remain in the Union, the proposal emphasises that sovereignty also involves operational autonomy and protection from extraterritorial laws. Secure and verifiable compute is highlighted as a technical solution to ensure that data being processed stays inaccessible to the infrastructure provider, and therefore to any authority that might compel the provider, provided the attested workload and the hardware trust anchor behind the attestation are themselves trustworthy.
"Secure and verifiable compute is only for defence." No. While defence is a primary use case, Recital 19 and Annex I highlight its importance for manufacturing, healthcare, and other strategic industrial sectors. The ability to pool data securely for AI training is a key enabler for industrial innovation and competitiveness across the EU.
"The AI Act's cybersecurity requirements cover CADA's sovereignty needs." No. The AI Act focuses on risk management, data governance, and transparency for AI systems. CADA addresses the underlying infrastructure and cloud service sovereignty. While they are complementary, CADA's assurance levels and audit requirements for cloud infrastructure are distinct from the AI Act's product safety rules. CADA specifically addresses the risk of third-country access and service disruption, which is not the primary focus of the AI Act.
Related
- What secure-compute infrastructure does CADA provide for defence AI?
- How does CADA affect access to compute for AI training in academia?
- How does CADA address cloud and AI skills shortages across sectors?
- Can automotive companies access frontier-AI compute under CADA?
- Which CADA obligations bite hardest for fintech companies?
This is general information about a draft EU regulation, not legal advice.