Summary
The proposed Cloud and AI Development Act (CADA) explicitly rejects a binary "sovereign vs. non-sovereign" classification in favor of a "nuanced and layered" framework. As stated in Recital 51, this approach is necessary because "the nuanced and layered nature of sovereignty" requires a proportionate response where the level of assurance matches the specific sensitivity of the data and the criticality of the service. This design results in four distinct Union assurance levels (Level 1 to Level 4), allowing public bodies to procure cloud services that offer appropriate safeguards without imposing disproportionate burdens on low-risk operations.
Detail
To understand why CADA moves away from a binary view of cloud sovereignty, it is necessary to examine the legislative intent and the structural design of the proposal. The current market discourse often relies on a simplified dichotomy: a service is either "sovereign" or it is not. However, this black-and-white approach is legally and operationally inadequate for the diverse needs of the public sector, ranging from local administrative portals to defense intelligence systems.
The Nuanced and Layered Nature of Sovereignty
Recital 51 of the CADA proposal explicitly addresses this complexity. It states: "To address those risks and provide for the appropriate mitigation measures, it is necessary to establish a Union cloud computing sovereignty framework determining criteria for trusted cloud computing services. To cater for the nuanced and layered nature of sovereignty, the framework should provide for four different levels of trusted offers ('Union assurance levels')."
This recital highlights two critical concepts that drive the legislation:
- Nuance: Sovereignty is not a single, monolithic attribute. It is a composite of various factors, including the location of data, the citizenship of personnel, the ownership structure of the provider, and the resilience of the service against third-country interference. Different public services have vastly different tolerance levels for these risks. A "nuanced" approach acknowledges that a library database and a border control system face fundamentally different threat landscapes.
- Layering: The risks associated with cloud services can be stacked or layered. A basic layer might involve ensuring data stays within the EU. A higher layer might require that no third-country entity has any control over the service provider. An even higher layer might mandate that all personnel are Union citizens with specific security clearances. By layering these requirements, CADA creates a scalable framework rather than a rigid wall.
Why a Single Binary Label Is Inadequate
A binary "sovereign" label would likely force all public sector bodies to adopt the highest possible security standards for all cloud services, regardless of their actual risk profile. This would be disproportionate and inefficient. For example, a local municipality hosting a public library catalog has significantly different risk requirements than a defense ministry managing classified intelligence.
Recital 52 reinforces this by stating: "The Union assurance levels should provide for a proportionate framework to ensure that public order is preserved by maintaining control and agency by public-sector bodies. Most public services would not require the highest levels of assurance."
By rejecting a binary model, CADA acknowledges that:
- Operational Autonomy varies in importance. For some services, the ability to switch providers is sufficient; for others, complete independence from third-country jurisdiction is mandatory to prevent service disruption.
- Data Sensitivity differs. Not all public data is classified. Some data is merely administrative, while other data is critical to national security.
- Cost and Availability matter. Imposing the strictest sovereignty criteria (such as mandatory Union citizenship for all staff) on all services would limit the market to a tiny fraction of providers, reducing competition and increasing costs for the public sector.
The Four-Level Design as a Response to Nuance
Article 16 of the CADA proposal establishes the "Union cloud computing sovereignty framework," which operationalizes this nuanced approach through four Union assurance levels. These levels are cumulative, meaning that to meet Level 2, a provider must also meet the criteria for Level 1, and so on. This structure allows the framework to adapt to the "layered" nature of risk.
- Union Assurance Level 1 (Baseline): This is the minimum requirement for all public sector procurement. It requires the provider to be established in the Union, with infrastructure and assets located in the Union (unless the public sector body explicitly requires otherwise). Customer data must remain exclusively within the Union. This level addresses basic data sovereignty and jurisdictional control, ensuring that data does not leave the EU without explicit consent.
- Union Assurance Level 2 (Enhanced): This level adds stricter requirements, including mandatory independent third-party audits. It requires that subcontractors be established in the Union and that personnel involved in the service provision are located in the Union. It introduces stricter controls on third-country influence, requiring providers to demonstrate that third-country control does not restrict their ability to perform services or access customer data. It also mandates that data generated by the service is not used to train AI systems operated by third countries.
- Union Assurance Level 3 (High): This level is designed for more sensitive activities. It requires that all personnel involved in the service provision are Union citizens. It also mandates that the provider and its subcontractors are not subject to the control of a third country, unless a specific derogation applies (e.g., for associated third countries with adequate safeguards under Article 18). This level addresses the risk of personnel-based espionage or coercion and ensures that no third-country law can compel the provider to disrupt service.
- Union Assurance Level 4 (Critical): This is the highest level, intended for the most critical public order activities, such as defense or high-level intelligence. It requires Union citizenship for all personnel, potentially with national security clearances. It mandates that the provider and subcontractors are not subject to third-country control with no derogations. Additionally, it requires effective legal, technical, and organizational separation between the Union parent company and any third-country subsidiaries, ensuring that no foreign entity can influence the service.
This four-tier structure allows public procurement officers to map the "nuance" of their specific use case to the appropriate "layer" of assurance. A risk assessment, as required by Article 29, will determine which level is appropriate for a given activity.
What this means for you
For public-sector bodies, procurement officers, and cloud service providers, the layered sovereignty model in CADA fundamentally changes how cloud services are evaluated and specified.
- Move Beyond Binary Checkboxes: You can no longer simply ask for a "sovereign" provider in a tender. Instead, you must conduct a risk assessment to determine the appropriate Union assurance level for your specific service. A "Level 1" requirement is valid and sufficient for many administrative tasks.
- Proportionality in Procurement: For low-risk services (e.g., internal HR systems with non-sensitive data), you can procure services that meet Union Assurance Level 1. This ensures basic sovereignty and data protection without the high cost and limited availability of Level 3 or 4 services.
- Strategic Use of Higher Levels: Reserve Union Assurance Levels 3 and 4 for activities that contribute to the preservation of public order, such as national security, defense, or critical infrastructure management. Article 30(3) requires that contracting authorities whose activities have been identified as contributing to public order must only procure services recognized as offering Union assurance levels 2, 3, or 4.
- Risk Assessment is Key: Your first step is to carry out the risk assessments mandated by Article 29. This assessment will identify which public sector activities require which assurance level. You must then specify the required Union assurance level in your procurement documents.
- Verification and Recognition: Ensure that the providers you select have been formally recognized by the national competent authority as offering the required Union assurance level. This recognition is recorded in the central repository established under Article 22.
Common misconceptions
Misconception: "Sovereign" means "EU-owned."
- Reality: CADA does not require that the provider be wholly EU-owned for all levels. For example, at Level 1, a provider can be subject to third-country control if it guarantees that no laws in that third country require reporting software vulnerabilities to third-country authorities before they are exploited. The focus is on control and operational autonomy, not just ownership.
Misconception: All public sector bodies must use Level 4 services.
- Reality: This is incorrect. Recital 52 explicitly states that "most public services would not require the highest levels of assurance." Level 4 is reserved for the most critical activities. Using Level 4 for all services would be disproportionate and inefficient.
Misconception: The levels are mutually exclusive.
- Reality: The levels are cumulative. A provider recognized at Level 3 automatically meets the criteria for Levels 1 and 2. This allows for flexibility in procurement, as a Level 3 provider can serve both Level 2 and Level 3 needs.
Misconception: Sovereignty is only about data location.
- Reality: While data localization is a key component (especially at Level 1), sovereignty under CADA also includes personnel citizenship (Levels 3 and 4), absence of third-country control (Levels 3 and 4), software supply chain transparency (Levels 2, 3, and 4), and resilience against service disruption.
This is general information about a draft EU regulation, not legal advice.