Summary

Under the proposed Cloud and AI Development Act (CADA), sovereignty matters for cloud-hosted critical infrastructure because dependence on third-country providers exposes the Union to risks of unauthorised data access, service disruption, and geopolitical coercion. CADA would establish a four-tier "Union assurance level" framework (Article 16) so that public-sector bodies running critical or sensitive activities use cloud services that protect operational autonomy and public order. By mandating sovereignty risk assessments (Article 29), the proposal aims to keep essential services resilient against extraterritorial legal reach and technical sabotage. CADA is a proposal and is not yet in force.

Detail

The European Commission's proposal for CADA addresses a structural vulnerability in the EU's digital ecosystem: heavy reliance on non-European cloud computing service providers. The proposal frames cloud sovereignty not as a mere preference for local vendors, but as a way to safeguard the Union's public order and operational resilience. For public-sector procurement officers, understanding the link between cloud sovereignty and critical infrastructure is key to complying with the proposed risk-based procurement obligations.

The sovereignty framework and Article 16

At the heart of CADA's approach is Article 16, which would establish a "Union cloud computing sovereignty framework" of four Union assurance levels (1 through 4). The criteria, set out in Annex II, assess factors such as:

  • Establishment and control: Whether the provider and its subcontractors are established in the Union and free from third-country control (at the higher levels).
  • Data localisation: Whether customer data, including metadata and telemetry, remains within the Union.
  • Personnel and support: Whether infrastructure, assets, and personnel are located in the Union, and whether technical and operational support is performed within the Union.
  • Cybersecurity and software supply chain: Compliance with the applicable European cybersecurity certification and transparency measures to prevent remote tampering.

Recognition at a given level is not automatic: it involves a conformity self-assessment for level 1 (Article 19) and independent third-party audits for levels 2, 3, and 4 (Article 20).

Protecting public order and critical infrastructure

CADA explicitly links cloud sovereignty to the protection of "public order." Recital 50 of the proposal describes the risks created by critical dependence on a limited number of providers subject to third-country control:

  • Misuse: including manipulation, remote access and control, sabotage, and weaponisation.
  • Access to information: including access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, and espionage.
  • Dependency vulnerabilities: including political or economic coercion (for example through vendor or technology lock-ins, embargoes or sanctions) and monopoly pricing.

For critical activities — such as those in essential public-sector functions — these risks are severe. If a provider subject to third-country jurisdiction were compelled by that country's laws (the US CLOUD Act is the usual example) to disclose data or degrade service, the EU entity could lose control over its own digital assets. Note that hosting data in an EU region does not by itself remove this exposure: what matters is whether the provider or its subcontractors remain subject to third-country control and can therefore be compelled, which is why the higher levels look at control and personnel and not only at where the data sits. CADA aims to prevent this by requiring that services used for public-order activities meet higher assurance levels (2, 3, or 4), with stricter requirements on data localisation, personnel, and separation from third-country control.

Link to NIS2 and risk assessments

The proposal complements the NIS2 Directive (Directive (EU) 2022/2555). While NIS2 focuses on technical cybersecurity risk management, CADA addresses broader sovereignty and non-technical risks. Under Article 29, Member States and Union entities would conduct risk assessments to identify which public sector activities contribute to the preservation of public order. The assessment must consider at least:

  • The sensitivity, criticality, and magnitude of the data processed (personal and non-personal).
  • The risk and impact on public order of unlawful access by a third country or a legal entity established in a third country.
  • The risk and impact on public order of possible service disruption.

Based on these assessments, Article 30 would require that contracting authorities whose activities contribute to public order in sectors falling under Annex I or II of NIS2 (and in areas such as national security, defence, justice, and law enforcement) procure only services recognised at Union assurance level 2, 3, or 4. This creates a direct path from sovereignty criteria to procurement decisions for critical infrastructure.

Why this matters for critical infrastructure

Critical infrastructure hosted in the cloud is exposed in ways on-premises systems are not: cloud services typically involve multi-tenant architectures, shared resources, and long supply chains of subcontractors. Without sovereign guarantees, a compromise in one part of that supply chain, or a legal order from a third country served on the provider, could affect the wider service. CADA's framework, as proposed, aims to ensure that:

  1. Operational autonomy is preserved: by requiring technical and operational support within the Union at the higher levels, reducing the risk of remote sabotage or forced service degradation. Remote administrative access by support staff outside the Union is itself an access path into the service, which is why the location of support personnel, and not only of the data, is a criterion.
  2. Data confidentiality is supported: through data localisation and, at higher levels, personnel requirements that reduce the risk of unauthorised access.
  3. Resilience is enhanced: by reducing dependence on a limited number of non-EU hyperscalers, and by prompting consideration of multi-vendor strategies.

What this means for you

For public-sector procurement officers, CADA would introduce a mandatory, risk-based approach. You could no longer treat cloud services as generic IT commodities; you would evaluate them through the lens of sovereignty and public order.

  1. Engage with sovereignty risk assessments: Participate in or rely on the national and Union risk assessments required by Article 29. Identify which of your activities contribute to public order. If they involve sensitive data, national security, or essential public functions, you would likely need Union assurance level 2, 3, or 4.
  2. Verify Union assurance levels: When procuring, check the central repository (Article 22) to confirm the provider is formally recognised at the required level. Do not rely on marketing claims of "EU hosting"; look for formal recognition, and confirm that it applies to the specific service you are buying and at the level your activity requires. Since Annex II assesses the provider's subcontractors as well as the provider, ask how those subcontractors are covered.
  3. Plan for migration: Where a risk assessment requires it, Article 29(6) allows a reasonable transition period of up to 12 months, taking into account technical feasibility, continuity of service, and data portability.
  4. Consider multi-cloud strategies: Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of procurement, which can reduce single-point-of-failure and dependency risks.
  5. Engage with national competent authorities: The national competent authority of establishment oversees recognition and enforcement (Articles 17, 25, 26). Engage to understand how national assessments map to the assurance levels.

Common misconceptions

Misconception 1: Sovereignty means all data must stay in one Member State. Correction: CADA promotes the free flow of data within the Union. The localisation criteria mean data must remain within the Union, not within a single Member State. Recital 64 supports that data is not confined to the territory of a single Member State and may be stored and processed across the Union without unjustified restrictions.

Misconception 2: Only EU-owned providers can achieve high assurance levels. Correction: The higher levels (especially 3 and 4) have strict requirements on control and personnel. However, Article 18 lets the Commission identify "associated third countries" whose providers may be audited against Union assurance level 3, where the country meets cumulative criteria (including a GDPR adequacy decision and no laws compelling data access or service disruption). The default criteria still require absence of third-country control.

Misconception 3: Sovereignty is only about data privacy. Correction: Data protection is one component, but CADA's framework addresses operational autonomy, service continuity, and protection against geopolitical coercion, covering infrastructure location, personnel, software supply chain, and the legal jurisdiction of the provider.

Misconception 4: The AI Act covers cloud sovereignty. Correction: The AI Act (Regulation (EU) 2024/1689) governs the safety, fundamental rights, and transparency of AI systems. It does not address cloud sovereignty or the geopolitical risks of cloud infrastructure. CADA would complement it by addressing the sovereignty of the underlying cloud.

This is general information about a draft EU regulation, not legal advice.