Summary

The General Data Protection Regulation (GDPR) ensures lawful data processing but does not guarantee operational autonomy or immunity from foreign laws that could disrupt services or compel data access. As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) addresses these specific strategic gaps by introducing a "Union cloud computing sovereignty framework" with four Union assurance levels. While GDPR compliance remains a prerequisite, the Commission explicitly states it is "not sufficient to change dependence on non-EU providers." CADA would complement the GDPR by mandating controls over infrastructure location, personnel citizenship, and third-country control to safeguard public order and ensure service continuity.

Detail

The General Data Protection Regulation (GDPR) is the cornerstone of EU data protection, ensuring that personal data is processed lawfully, fairly, and transparently. However, for public-sector bodies, critical infrastructure operators, and Union entities, data protection is only one dimension of security. The proposed Cloud and AI Development Act (CADA) recognizes a critical distinction: while the GDPR protects individual rights regarding data processing, it does not adequately address the strategic risks associated with cloud computing dependencies, such as operational disruption, unauthorized access by foreign governments, or the inability to act autonomously in a crisis.

The Limitations of the GDPR in a Sovereign Context

The explanatory memorandum of the CADA proposal explicitly addresses the relationship between existing data protection frameworks and the need for a new sovereignty instrument. It states that while the GDPR and the EU-US Data Privacy Framework address transatlantic data transfers, they "do not remove sovereignty concerns about dependence on third-country providers." The proposal clarifies that "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."

The EU market for cloud computing is characterised by a pronounced dependence on a limited pool of third-country providers: three non-EU hyperscalers currently control over 70% of the European cloud market. These providers are often subject to third-country jurisdictions whose laws have extraterritorial effect. This creates two primary risks that the GDPR cannot mitigate:

  1. Unauthorized Access and Extraterritorial Compulsion: Laws in third countries may mandate access to data stored by providers under their jurisdiction, potentially conflicting with EU fundamental rights and data protection standards. The GDPR regulates how data controllers and processors handle data within the EU legal framework, but it cannot prevent a foreign government from compelling a provider to disclose data if the provider is subject to that foreign law. The GDPR focuses on the lawfulness of processing by the controller, not the immunity of the infrastructure from foreign legal coercion.
  2. Operational Disruption and Supply Chain Resilience: Dependence on foreign providers exposes EU users to risks of operational discontinuity. Unilateral decisions by third-country actors, such as embargoes, sanctions, political coercion, or the degradation of service quality, could disrupt service provision. The GDPR does not address the resilience of the supply chain, the continuity of service, or the ability of the Union to maintain control over its digital infrastructure during geopolitical tensions.

As the CADA proposal notes, "legal safeguards are needed but not sufficient to change dependence on non-EU providers." Past experience with GDPR enforcement pushed public bodies towards stronger contractual controls, but these measures produced "compliance solutions rather than concrete changes" in market structure or provider independence.

The CADA Sovereignty Framework: Addressing the Gap

To address these gaps, CADA establishes a "Union cloud computing sovereignty framework" comprising four Union assurance levels (Article 16). This framework provides harmonized, auditable criteria for cloud computing services, moving beyond data protection to ensure control over infrastructure, data, and operational continuity. The framework is designed to allow contracting authorities to procure services that match the specific risk profile of their activities.

  • Union Assurance Level 1: This baseline requires providers to be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency on subcontractors. This level addresses basic data localization but does not yet impose strict personnel or control restrictions.
  • Union Assurance Levels 2, 3, and 4: These higher levels introduce progressively stricter requirements to mitigate third-country influence.
    • Level 2 requires independent third-party audits, ensures that infrastructure, assets, and personnel are located in the Union, and mandates that data is not used to train AI systems operated by third countries. Crucially, it requires measures to prevent third-country control from restricting the provider's ability to deliver the service or access customer data.
    • Level 3 adds a requirement that personnel involved in the service are Union citizens (where the public sector body requires it) and introduces a derogation mechanism (Article 18) under which a service controlled by a third country can qualify only if the Commission has adopted an implementing act confirming that the third country provides sufficient safeguards against unauthorized access and service disruption.
    • Level 4 represents the highest tier of sovereignty. It requires that the provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country. It also mandates a "high" level of European cybersecurity certification (Annex II 4.1(e)), whereas Levels 2 and 3 require a "substantial" level.

Why GDPR Compliance Is Not Enough

Compliance with the GDPR focuses on the processing of personal data. It does not regulate the ownership of the infrastructure, the jurisdiction of the provider, or the resilience of the service against geopolitical shocks. A cloud provider can be fully GDPR-compliant (processing data lawfully and respecting data subject rights) while still being subject to foreign laws that allow data access or service disruption.

CADA's approach is complementary. It ensures that public-sector bodies can make informed procurement decisions based on the level of assurance they require. By mandating risk assessments (Article 29), Member States and Union entities can determine which activities contribute to public order and require higher assurance levels. This ensures that critical data and operations are protected not just from privacy breaches, but from strategic dependencies that could undermine EU autonomy. The proposal explicitly states that the sovereignty framework "complements the GDPR" because "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."

What this means for you

For public-sector procurement officers, legal counsel, and compliance teams, this distinction is critical. You cannot rely solely on GDPR compliance as a proxy for cloud sovereignty. When procuring cloud computing services under the proposed CADA regime, you must:

  1. Conduct Risk Assessments: Under Article 29, Member States and Union entities are required to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. This includes assessing the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries or service disruption. The assessment determines the appropriate assurance level.
  2. Procure Based on Assurance Levels: Based on your risk assessment, you must procure cloud services that meet the appropriate Union assurance level. For activities identified as contributing to public order (e.g., law enforcement, defence, critical infrastructure), you must procure services recognized as offering Union assurance levels 2, 3, or 4 (Article 30). For other activities, a minimum of Union assurance level 1 is required.
  3. Verify Recognition: Ensure that the cloud computing service provider you select has been formally recognized as offering the required Union assurance level. This recognition is based on rigorous audits and criteria that go far beyond GDPR compliance, including checks on third-country control, data localization, personnel citizenship, and cybersecurity certifications.

By aligning your procurement with CADA's assurance levels, you ensure that your organization's cloud services are not only privacy-compliant but also resilient against geopolitical risks and operational disruptions.

Common misconceptions

Misconception 1: GDPR compliance means data is safe from foreign access. Reality: The GDPR regulates the processing of personal data under EU law. It does not prevent a foreign government from compelling access to data if the cloud provider is subject to that government's laws. CADA addresses this at the higher assurance levels by requiring measures that prevent third-country control from compelling data access or restricting service delivery (Level 2 and above), and, at Level 4, by requiring that the provider and its subcontractors are not under third-country control at all.

Misconception 2: Data localization is the same as sovereignty. Reality: Storing data in the EU is a component of sovereignty (required for Union assurance level 1), but it is not sufficient. Sovereignty also involves control over the provider, the infrastructure, and the ability to maintain service continuity regardless of foreign political pressure. CADA's higher assurance levels address these broader aspects by mandating Union citizenship for personnel (Levels 3/4) and prohibiting third-country control (Level 4).

Misconception 3: CADA replaces the GDPR. Reality: CADA complements the GDPR. It does not replace data protection obligations. Instead, it adds a layer of sovereignty and resilience requirements specifically for cloud computing services used by the public sector. Providers must comply with both the GDPR and CADA's assurance criteria. The proposal explicitly states that CADA "complements the EU-US Data Privacy Framework" and the GDPR, as sovereignty "goes beyond data transfers."

Misconception 4: CADA is only about technical cybersecurity. Reality: While cybersecurity is a component (requiring "substantial" certification for Levels 2/3 and "high" for Level 4), CADA focuses on sovereignty and operational autonomy. It addresses non-technical risks such as extraterritorial laws, vendor lock-in, and the risk of service disruption due to third-country political decisions, which technical cybersecurity standards alone cannot resolve.

This is general information about a draft EU regulation, not legal advice.