Summary

The EU views its reliance on a handful of non-European cloud providers as a critical strategic risk because it exposes public order, data, and service continuity to the extraterritorial laws of third countries. As framed in the proposed Cloud and AI Development Act (CADA), this dependence creates vulnerabilities where foreign governments could access sensitive data, disrupt services, or exert economic coercion, undermining the Union's autonomy. To mitigate this, CADA would introduce a sovereignty framework requiring public-sector bodies to procure cloud services that meet defined Union assurance levels. CADA is a proposal and not yet in force.

Detail

The Cloud and AI Development Act (CADA), COM(2026) 502 final, is built on the premise that the EU's dependence on a limited pool of third-country cloud computing service providers poses a significant threat to its security, sovereignty, and resilience. The proposal frames this dependence not merely as a market imbalance but as a systemic vulnerability requiring a harmonised, EU-wide response.

Critical strategic dependencies and concentration risks

Recital 46 of the CADA proposal states that the Union "still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries." This, it says, exposes the Union to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws", as well as "potential disruptions affecting the continuity, quality and resilience" of services and "reduced control and oversight over personal and non-personal data and infrastructure."

The risk is twofold. First, the market is dominated by a few large incumbents, creating a lack of diversification. Second, those providers are often subject to the jurisdiction of their home countries, whose laws may have extraterritorial effect. So even where a cloud service is hosted in Europe, the provider may be legally compelled to follow a foreign government's directives. Recital 46 concludes that retaining "control over infrastructure, data, assets and technology systems under Union and national jurisdiction has become an imperative policy objective."

The three categories of sovereignty risk

Recital 50 groups the risks of this dependence into three areas that form the basis for the proposed sovereignty framework:

  1. Misuse — "manipulation, remote access and control, sabotage, weaponisation" of cloud infrastructure. If a provider is under third-country influence, the infrastructure could be turned against EU interests.
  2. Access to information — "access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage." Third-country laws may compel providers to hand over customer data to foreign authorities, bypassing EU safeguards.
  3. Dependency vulnerabilities — "political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States." This is a leverage point where foreign actors could disrupt essential services or extract concessions.

Operational discontinuity

Beyond data access, the proposal highlights the risk of service interruption. Recital 46 expressly lists "potential disruptions affecting the continuity, quality and resilience of cloud computing services" among the concentration risks. If a geopolitical conflict arises, or a third country restricts services for political reasons, EU public-sector bodies could face sudden outages. This is especially dangerous for critical infrastructure, national security, and essential public services that depend on continuous cloud availability.

The CADA response: Union assurance levels

To address these risks, CADA would establish a Union cloud computing sovereignty framework (Article 16) comprising four "Union assurance levels" at which a cloud service can be recognised. A service must be recognised at the level appropriate to the activity it supports before it can be procured by Union entities and public-sector bodies.

  • Article 16(1) sets the scope, requiring providers to meet the criteria in Annex II to provide services to Union entities and public sector bodies.
  • The Annex II criteria become stricter at higher levels, addressing the location of infrastructure and personnel, the legal jurisdiction and control of the provider, and the ability of third countries to access data or disrupt services.
  • At the highest levels (3 and 4), the criteria are designed to insulate the service from third-country control, so that the provider is not exposed to third-country laws that could compel data access or service disruption.

Why national measures are insufficient

Recital 47 explains why an EU-wide approach is needed. While some Member States "have developed or are in the process of developing national approaches to identifying national sovereign services", these "national measures do not adequately address the cross-border issues related to the Union's lack of sovereignty in the cloud computing ecosystem and risk fragmenting the Union internal market and undermining common goals of autonomy and sovereignty." A single harmonised framework would let all Member States apply the same standards and let European providers scale across the EU.

What this means for you

For public-sector procurement officers, CADA would change how you evaluate and select cloud services. As proposed, you could no longer rely on technical specifications, price, or general data-protection compliance (such as GDPR adequacy) alone — you would also have to consider the sovereignty profile of the provider.

1. Mandatory risk assessments. Under Article 29, Member States and Union entities would carry out risk assessments to identify which public-sector activities contribute to the preservation of public order and which Union assurance level (2, 3, or 4) is appropriate. You would map your services to these levels.

2. Procurement requirements. Article 30 sets the rules:

  • For activities not identified as contributing to public order, you would use services recognised at Union assurance level 1 (Article 30(2)).
  • For activities identified as contributing to public order (NIS2 sectors, or national security, defence, justice, law enforcement and similar), you could only procure services recognised at levels 2, 3, or 4 (Article 30(3)).

3. Verification of recognition. You would confirm a provider's recognised level in the Commission's central repository (Article 22) before contracting, rather than rely on self-declared claims.

4. Transition and migration. Where a risk assessment requires migration to another service, Article 29(6) provides a transition period not exceeding 12 months, taking into account technical feasibility, continuity of service and data portability.

5. Multi-cloud strategies. Article 29(9) requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate, which can reduce reliance on a single provider.

Common misconceptions

"GDPR adequacy is enough to ensure sovereignty." No. The explanatory memorandum notes that "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers." GDPR focuses on data protection; CADA would focus on operational autonomy, infrastructure control, and protection against extraterritorial legal access. A provider can be GDPR-compliant yet still fail CADA's higher assurance levels because of third-country control.

"This only applies to national security agencies." The highest levels (3 and 4) target high-risk public-order activities, but the framework applies broadly. Article 30(2) would require public-sector bodies whose activities are not public-order relevant to use at least Union assurance level 1 — so even standard administrative services would have to meet baseline criteria such as EU-located infrastructure and subcontractor transparency.

"I can just buy from any EU-based subsidiary of a US provider." Not necessarily. CADA looks beyond legal establishment to actual control. At higher levels, Annex II requires that the provider and its subcontractors are not subject to the control of a third country or a third-country legal entity. If a US parent retains effective control over the EU subsidiary, the service may not qualify for the higher levels even with EU data residency.

"The AI Act already solves this problem." The AI Act and CADA have different objectives. The CADA proposal records that the AI Act "does not cover aspects of sovereignty." The AI Act focuses on safety, fundamental rights, and market access for AI systems; CADA would focus on cloud infrastructure, data sovereignty, and reducing dependence on foreign providers. They are complementary.

This is general information about a draft EU regulation, not legal advice.