Summary The proposed Cloud and AI Development Act (CADA) would establish four tiers of sovereignty requirements, called Union assurance levels, so that public-sector procurement is proportionate to the actual risks of a given cloud service. Rather than applying a single, rigid standard to all government activities, this tiered approach lets contracting authorities match the strictness of security and autonomy requirements to the sensitivity of the data and the criticality of the activity to public order. This design avoids unnecessary cost and complexity for low-risk services while providing robust protection for the most critical functions. CADA is a proposal and is not yet in force.

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA) would change how the EU manages its dependence on third-country cloud providers. Central to this framework is a "Union cloud computing sovereignty framework" comprising four levels of assurance. This structure is not arbitrary; Recital 51 explains that four levels are used "to cater for the nuanced and layered nature of sovereignty."

The problem with a one-size-fits-all approach

A single, maximum-security standard for all cloud services would be both impractical and economically damaging. If every municipal website or internal HR portal had to meet the same criteria as a defence intelligence database, the cost of compliance would rise sharply and the pool of eligible providers would shrink. That could slow digital transformation in the public sector.

Conversely, a single low standard would leave critical infrastructure and sensitive citizen data exposed to extraterritorial legal risks, such as those posed by laws like the US CLOUD Act, which can compel providers to disclose data regardless of where it is stored.

By creating four tiers, CADA would allow a risk-based approach. Recital 52 states that "most public services would not require the highest levels of assurance," recognising that the regulatory burden should be calibrated to the actual threat.

The four Union assurance levels

Under Article 16, the framework would establish four Union assurance levels, with detailed criteria in Annex II. These levels create a gradient of trust and control. The points below summarise the proposal's structure; the precise, cumulative criteria are set out in Annex II.

  1. Union assurance level 1: The baseline for public-sector cloud procurement. It focuses on basic operational autonomy and data residency within the Union, with conformity demonstrated by self-assessment. It is suitable for the majority of public-sector activities that do not contribute to public order.
  2. Union assurance level 2: Introduces stricter requirements verified by independent third-party audit, including a European cybersecurity certificate of at least assurance level "substantial," tighter controls on subcontractors, and support performed within the Union.
  3. Union assurance level 3: Designed for more sensitive use cases. It adds requirements such as Union citizenship for relevant personnel, the absence of third-country control over the provider and subcontractors, a higher cybersecurity assurance level, and stricter supply-chain transparency (including software bills of materials).
  4. Union assurance level 4: The highest level, for the most critical public-order activities. It imposes the most rigorous constraints, including the highest cybersecurity assurance level and strict personnel screening. Recital 62 notes that levels 3 and 4 should allow for the secure hosting of EU classified information.

Proportionality and subsidiarity in action

The use of four levels reflects the legal principles of proportionality and subsidiarity.

Proportionality ensures that EU measures do not go beyond what is necessary. Recital 52 states that the assessment "ensures that the principles of proportionality and subsidiarity are complied with, by assessing the specific cases in which protection of public order requires the highest level of assurance." A local library's digital catalogue does not threaten national security, so subjecting it to level 4 would be disproportionate.

Subsidiarity means the EU acts only where objectives cannot be sufficiently achieved by Member States alone. The EU would set the harmonised four-level framework to prevent fragmentation, but the decision on which level applies to a specific activity is left to Member States and Union entities. Article 29 would require them to conduct risk assessments determining which activities contribute to public order and which Union assurance level (2, 3, or 4) is appropriate. This preserves national competence over security classifications while giving the Union a common language for sovereignty.

The role of risk assessments

The tiered system would be operationalised through mandatory risk assessments. Under Article 29, Member States and Union entities must identify public sector activities using cloud services and assess their impact on public order. The assessment must consider at least:

  • The sensitivity, criticality, and magnitude of the data processed (personal and non-personal).
  • The risk and impact on public order of unlawful access by a third country or a legal entity established in a third country.
  • The risk and impact on public order of possible service disruption.

Based on this assessment, Article 30 would require that:

  • Authorities whose activities are not identified as contributing to public order use services recognised as having Union assurance level 1.
  • Authorities whose activities are identified as contributing to public order (in sectors under Annex I or II of NIS2 and areas such as national security, defence, justice, and law enforcement) procure only services with Union assurance level 2, 3, or 4, as appropriate.

This makes the four levels practical tools for procurement decisions, not just theoretical categories.

What this means for you

For public-sector procurement officers, the four-level framework would change how you evaluate and select cloud providers.

  1. Participate in risk assessments: You would no longer be able to assume a default security level for all cloud contracts. You would need to engage in the risk assessment process under Article 29 and define whether your specific use case involves data or functions that contribute to public order.
  2. Match procurement to assurance levels: In tender documents, specify the required Union assurance level. If your activity is not critical to public order, level 1 expands your bidder pool and may reduce costs. If it is critical, you must specify level 2, 3, or 4 and require bidders to demonstrate recognition.
  3. Use the central repository: The Commission would maintain a central repository of recognised services (Article 22). Use it to verify that a provider is formally recognised at the level you require, simplifying due diligence.
  4. Plan for migration: If your current service does not meet the required level, Article 29(6) provides a reasonable transition period of up to 12 months for migration, taking into account technical feasibility, continuity of service, and data portability. Start evaluating current contracts now.

Common misconceptions

Misconception 1: "All public sector cloud services must be level 4." Incorrect. Recital 52 states that most public services would not require the highest levels of assurance. Level 4 is for the most sensitive activities, such as those involving classified information. Applying level 4 universally would be disproportionate and economically unviable.

Misconception 2: "Level 1 means no requirements." Level 1 is not a free pass. It still requires recognition under Article 17 (via an EU statement of conformity), data residency within the Union unless otherwise required, and the baseline criteria in Annex II. It is a baseline of trust, not an absence of requirements.

Misconception 3: "The EU decides which level my department needs." The EU sets the criteria for each level, but the decision on which level applies to a specific activity is made through national or Union-level risk assessments (Article 29). The Commission provides guidance and may, under Article 29(5), specify the level where it concludes a Member State's assessment is inadequate, but the assessment rests with the competent authorities.

Misconception 4: "Third-country providers can never compete." The framework favours Union-based providers, but Article 18 lets the Commission identify "associated third countries" whose providers may be audited against Union assurance level 3, where that country meets cumulative criteria (including a GDPR adequacy decision and no laws compelling data access or service disruption). This is the exception rather than the rule, and does not extend to level 4.

This is general information about a draft EU regulation, not legal advice.