Summary

As proposed, the Cloud and AI Development Act (CADA) explicitly targets the fragmentation caused by divergent national "sovereign cloud" labels, which the proposal identifies as a barrier to the single market that undermines common goals of autonomy and technological sovereignty. Recital 47 of the proposal states that while some Member States have developed national approaches, these measures "risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty." CADA would replace these disparate national definitions with a single, harmonised EU-wide sovereignty framework comprising four "Union assurance levels" (Article 16), ensuring that public sector procurement and critical infrastructure rely on consistent, auditable criteria rather than inconsistent national definitions.

Detail

The European Union's current landscape for cloud computing sovereignty is characterised by a patchwork of national initiatives. In recent years, several Member States have developed or are in the process of developing national approaches to identifying "national sovereign services." While these initiatives aim to enhance security and reduce dependence on third-country providers, the proposed CADA argues that this decentralised strategy has created significant regulatory and market inefficiencies.

The Problem of Fragmentation: Recital 47

The primary legal and policy justification for EU-level intervention in this area is found in Recital 47 of the CADA proposal. It provides a stark assessment of the current situation:

"Some Member States have developed or are in the process of developing national approaches to identifying national sovereign services. However, national measures do not adequately address the cross-border issues related to the Union's lack of sovereignty in the cloud computing ecosystem and risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty."

This recital highlights that national measures, while well-intentioned, are insufficient for the cross-border nature of cloud services. The fragmentation presents three distinct challenges for the EU's strategic objectives:

  1. Market Fragmentation: Divergent national criteria create a fragmented regulatory environment. Cloud computing service providers, particularly European ones seeking to scale, face the burden of complying with multiple, potentially conflicting national standards. This increases administrative costs and hinders the ability of providers to operate seamlessly across Member States, leading to market inefficiencies and unequal competitive conditions.
  2. Inadequate Cross-Border Protection: National sovereign labels often fail to address the cross-border nature of cloud services. Data and infrastructure frequently span multiple jurisdictions. A label granted by one Member State does not necessarily guarantee sovereignty protections in another, leaving gaps in the Union's overall security posture.
  3. Undermining Common Goals: The proposal argues that fragmented national measures undermine the Union's collective goals of autonomy and sovereignty. By acting individually, Member States dilute their bargaining power and fail to create a unified front against critical external dependencies, particularly on non-European hyperscalers.

CADA's Solution: A Harmonised Union Framework

To address these issues, CADA proposes a single, harmonised EU-wide sovereignty framework. This framework is designed to replace the current mosaic of national labels with a uniform set of criteria that apply across the entire Union.

Article 16 of the proposal establishes this "Union cloud computing sovereignty framework." It introduces four distinct "Union assurance levels" (Level 1 to Level 4), each with specific, cumulative criteria that cloud computing service providers must meet to be recognised as offering services at that level. These criteria are detailed in Annex II of the proposal and cover aspects such as:

  • Establishment and Location: Requirements for the provider's establishment in the Union and the location of infrastructure, assets, and personnel. For example, Union assurance levels 2 and above require that the infrastructure, assets, and personnel of the audited provider and its subcontractors are located in the Union.
  • Data Localisation: Strict requirements that customer data, including metadata and telemetry, remain exclusively within the Union unless explicitly required otherwise by the public sector body.
  • Personnel Citizenship: Higher assurance levels introduce personnel requirements. Union assurance levels 3 and 4 require that personnel, including those of subcontractors, are Union citizens. Furthermore, where appropriate, personnel must hold the necessary national security clearances when handling classified information.
  • Cybersecurity Certification: Requirements for obtaining European cybersecurity certificates at specific assurance levels. Union assurance levels 2 and 3 require a certificate of at least assurance level "substantial," while Union assurance level 4 requires a certificate of at least assurance level "high" under a European cybersecurity certification scheme covering cloud computing services.
  • Third-Country Control: Criteria addressing the risk of control by third countries or by legal entities established in third countries. Union assurance levels 3 and 4 generally require that the provider and its subcontractors are not subject to the control of a third country, unless the Commission has adopted an implementing act under Article 18 recognising the third country as providing sufficient assurances.

Recognition and Enforcement: Single Recognition, EU-Wide Validity

The proposal establishes a mechanism for the recognition of cloud computing service providers against these Union assurance levels. Under Article 17, a provider seeking recognition must submit an application to the national competent authority of its establishment. This authority then assesses the evidence, which may include a conformity self-assessment (for Level 1) or an independent third-party audit report (for Levels 2–4).

Crucially, once a service is recognised by one Member State, it is recognised throughout the Union. This "single recognition, EU-wide validity" principle is designed to eliminate the need for providers to navigate multiple national certification processes. The Commission will also maintain a central repository of recognised services (Article 22), providing transparency and facilitating procurement by public sector bodies.

Impact on Public Procurement

The harmonised framework directly influences public procurement rules. Article 30 sets out obligations for contracting authorities. Public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognised at Union assurance level 1. However, where risk assessments (conducted under Article 29) determine that activities have public order relevance, contracting authorities must procure services recognised at Union assurance levels 2, 3, or 4.

This mandatory linkage between risk assessment and assurance levels ensures that sovereignty requirements are applied proportionately and consistently across the Union, replacing the ad-hoc nature of many national sovereign cloud labels.

What this means for you

For in-house counsel and compliance officers, the shift from national sovereign labels to a harmonised EU framework under CADA has significant implications:

  • Simplified Compliance for Cross-Border Providers: If you represent a cloud provider operating in multiple Member States, CADA would replace the need to comply with disparate national sovereign standards with a single set of EU-wide criteria. This reduces administrative burden and legal uncertainty.
  • Mandatory Risk Assessments: Public sector bodies must conduct risk assessments (Article 29) to determine the appropriate Union assurance level for their cloud services. Compliance officers in the public sector must ensure these assessments are carried out within the specified timelines (within one year of the Regulation's entry into force, and thereafter every two years).
  • Audit and Documentation Requirements: Providers seeking recognition for Union assurance levels 2–4 must undergo independent third-party audits (Article 20). Compliance teams must prepare for rigorous audits covering infrastructure location, data flows, personnel citizenship, and third-country control. Audit reports and evidence must be submitted to national competent authorities.
  • Central Repository Registration: Recognised services will be listed in a central repository maintained by the Commission (Article 22). Providers must ensure their information is accurate and up-to-date, as this repository will be the primary tool for public procurement decisions.
  • Penalties for Non-Compliance: Member States will lay down rules on penalties for infringements of the sovereignty framework (Article 24). Penalties must be effective, proportionate and dissuasive. Compliance officers should monitor national implementations of these penalty regimes.

Common misconceptions

"CADA bans non-European cloud providers." No. CADA does not ban non-European providers. It establishes criteria for Union assurance levels. Providers subject to third-country control can still qualify for certain levels (e.g., Level 3) if the Commission adopts an implementing act recognising the third country as providing sufficient assurances (Article 18). The focus is on meeting specific sovereignty criteria, not origin-based exclusion.

"National sovereign labels will continue to exist alongside CADA." While Member States may maintain national initiatives, CADA establishes a binding EU-wide framework for public procurement and critical sectors. The proposal explicitly states that national measures risk fragmenting the market and undermining common goals. The Union assurance levels are designed to be the primary standard for public sector procurement, effectively displacing fragmented national labels for cross-border services.

"All cloud services must meet the highest sovereignty standard." No. The framework is risk-based. Most public services will not require the highest levels of assurance. Union assurance level 1 is the minimum requirement for public procurement. Higher levels (2–4) are only required where risk assessments identify public order relevance (Article 30). This ensures proportionality.

This is general information about a draft EU regulation, not legal advice.