A CADA sovereign risk assessment is the structured evaluation process through which a European public-sector body or regulated organisation determines whether a cloud or AI service meets the sovereignty assurance level required for a specific workload under the Cloud and AI Development Act (CADA) COM(2026) 502. Unlike a generic security audit, it tests legal architecture as much as technical controls: who can compel access to data, under which jurisdiction, and whether any structural safeguard prevents that access from materialising.
CADA introduces the most operationally consequential change to European cloud procurement law since GDPR. For compliance officers, CISOs and data protection officers in government, finance and healthcare, understanding its four-level framework before it enters into force is not optional preparation. It is risk management.
The Article 16 Four-Level Sovereignty Framework
CADA Article 16 establishes a Union sovereignty framework that classifies cloud and AI services into four assurance levels, each demanding progressively stronger legal and technical guarantees against extraterritorial access and loss of operational control.
Level 1 requires baseline transparency: the provider must disclose the jurisdictions in which data is stored and processed and identify any parent-company or contractual relationships that could trigger compelled disclosure. No structural separation from third-country law is required, so Level 1 is suitable only for non-sensitive workloads handling publicly available data.
Level 2 adds contractual binding: the provider must commit to processing data exclusively within the EU/EEA and must demonstrate that no operational dependency on a third-country entity creates a realistic pathway for government-compelled access. National competent authorities evaluate these commitments against a defined criteria catalogue and issue a recognition decision. Finance sector entities operating under DORA and healthcare providers holding special-category data under GDPR Article 9 will rarely be permitted to remain at Level 2 for core operational workloads.
Level 3 requires structural independence from third-country law: the provider must operate under EU-based legal persons, with governance and key personnel that cannot be directed by a foreign parent or foreign government. Data must be encrypted with keys held exclusively in the EU, and the provider must have verifiable technical controls preventing remote access by non-EU-jurisdiction entities. A national competent authority recognition at Level 3 requires third-party audit evidence, not merely contractual declarations.
Level 4 is the highest assurance tier, reserved for critical infrastructure, classified government workloads and systemically important financial entities. It requires hardware-level sovereignty: dedicated infrastructure, no shared tenancy with non-sovereign workloads, and continuous conformity monitoring. Level 4 providers must hold certification at the High assurance level of the ENISA European Cybersecurity Certification Scheme for Cloud Services (EUCS) and must meet the additional sovereignty overlay that CADA imposes on top of that scheme.
Mandatory vs Voluntary Assessment: PM15 and PM21
The CADA impact assessment introduces two distinct policy pathways that determine whether a sovereign risk assessment is a procurement gate or an optional quality signal.
PM15 makes the sovereign risk assessment mandatory for public-sector bodies and regulated entities in finance and healthcare when the procurement concerns a workload classified above a defined sensitivity threshold. Under PM15, a contracting authority may not award a contract to a provider that has not obtained the required assurance-level recognition from a national competent authority. For a hospital procuring an AI-assisted diagnostic platform or a central bank deploying a core banking cloud workload, PM15 creates a hard stop: no recognition, no contract.
PM21 creates a voluntary conformity declaration pathway for organisations and providers outside the mandatory scope. A legal services firm or a mid-sized insurance company may voluntarily conduct a sovereign risk assessment under CADA criteria and publish a PM21-conformant declaration. This carries reputational and commercial value in B2B procurement, particularly when the counterparty is a public body that itself operates under PM15 obligations.
“The question is no longer whether European organisations are exposed to extraterritorial access requests, but how often and under which legal instrument.” (ENISA, Cloud Security for the Healthcare Sector)
Provider Recognition: Criteria at Levels 2, 3 and 4
National competent authorities designated under CADA are responsible for evaluating provider applications for recognition. The criteria differ materially between levels and directly determine which providers can compete for sensitive public contracts.
| Assurance Level | Key Recognition Criteria | Audit Requirement | EUCS Tier Alignment |
|---|---|---|---|
| Level 2 | EU/EEA data residency; contractual no-foreign-access commitment; no operational third-country dependency | Self-declaration with competent authority review | EUCS Substantial |
| Level 3 | EU-based legal entity and governance; key-management exclusivity in EU; verifiable technical access controls | Independent third-party audit | EUCS High (baseline) |
| Level 4 | Dedicated sovereign infrastructure; no shared tenancy; continuous monitoring; hardware-level isolation | Ongoing conformity monitoring by competent authority | EUCS High plus CADA sovereignty overlay |
CADA Article 18 establishes a third-country recognition mechanism that allows a provider headquartered outside the EU to seek recognition if it can demonstrate that the legal framework of its home jurisdiction provides protections equivalent to those required at the relevant CADA level. Equivalence decisions under Article 18 are issued by the European Commission following a structured assessment and are subject to periodic review. Given the explicit extraterritorial reach of the US CLOUD Act and FISA Section 702, Article 18 equivalence for US-headquartered providers at Level 3 or Level 4 is considered structurally incompatible with the current US legal landscape, absent fundamental legislative change in Washington.
Article 19 Conformity Self-Assessment and Its Interaction with EUCS and NIS-2
For providers operating at lower sensitivity thresholds or in transitional periods, CADA Article 19 permits a conformity self-assessment as an interim pathway. This is not a rubber stamp: Article 19 requires the provider to document, against the Article 16 criteria catalogue, how each sovereignty requirement is technically and legally met, and to make that documentation available to national competent authorities on request.
Critically, Article 19 self-assessment is designed to interlock with the ENISA EUCS certification scheme and with NIS-2 Article 21 risk-management requirements. A provider that holds EUCS Substantial or High certification has already satisfied a significant portion of the Article 19 technical criteria, but CADA’s sovereignty layer, specifically the requirements around third-country legal insulation and key-management exclusivity, goes beyond what EUCS currently mandates. The self-assessment must therefore explicitly address the delta between EUCS scope and CADA sovereignty scope.
For public-sector workload providers, NIS-2 Article 21 independently requires documented risk-management measures covering supply chain security, access control and incident handling. A well-constructed Article 19 self-assessment that also maps to NIS-2 Article 21 categories reduces duplicated compliance effort and produces a single audit-ready artefact that satisfies both regulatory regimes simultaneously.
“Sovereignty is not an abstract political aspiration; it is a measurable property of a technical and legal architecture that can and must be audited.” (Thierry Breton, former European Commissioner for Internal Market)
According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach reached USD 4.88 million globally, the highest figure ever recorded in the series. Eurostat reported in 2023 that 45.2% of EU enterprises with 10 or more employees were already using cloud computing services, a penetration rate that makes the sovereignty gap materially significant at macroeconomic scale. NIS-2 itself expanded the number of covered sectors from 7 to 18 and applies to an estimated 160,000 additional entities across the EU, according to the European Parliament Legislative Observatory.
Practical Contract Mapping: What Compliance Officers Must Do Now
CADA is not yet in force, but the preparatory window is finite. A compliance officer or CISO who begins contract mapping now gains three to four years of lead time to renegotiate, exit or replace contracts that will not meet CADA requirements.
The first step is workload classification. Every active cloud contract must be tagged against the sensitivity categories that correspond to CADA levels: non-sensitive public data (Level 1 sufficient), operationally sensitive internal data (Level 2 minimum), personal data of citizens or patients and financial transaction data (Level 3 minimum), and critical infrastructure or classified government data (Level 4 required). Most large organisations will find that their current hyperscaler contracts cluster around what CADA will classify as Level 1 or Level 2, while the actual sensitivity of the workloads running on them demands Level 3 or higher.
The second step is legal exposure analysis. For each contract with a provider subject to US, UK or Chinese jurisdiction, the compliance officer should document the specific instruments that could compel disclosure: the US CLOUD Act for US-headquartered providers, FISA Section 702 for US electronic communication service providers, the UK Investigatory Powers Act 2016 for UK-based providers, and the Chinese National Intelligence Law for providers under Chinese jurisdiction. The EU e-Evidence Regulation, which governs cross-border law enforcement access between Member States rather than third-country access, should be recorded in the same register so that every lawful-access pathway to a given workload is visible in one place. This documentation forms the baseline gap analysis against the Article 16 criteria.
The third step is provider pipeline assessment. The compliance officer should identify which CADA-compliant sovereign providers already hold or are actively pursuing Level 3 or Level 4 recognition, and whether those providers can replicate the functionality of current contracts. Swiss-hosted providers operating under the revised Swiss Federal Act on Data Protection, for example, may qualify for Article 18 third-country recognition at Level 2 or Level 3 given Switzerland’s structural alignment with EU data protection standards, though formal equivalence decisions have not yet been issued.
PM17: The Public-Sector Cloud Federation and Exit Rights
Policy Measure 17 in the CADA framework establishes a public-sector cloud federation mechanism that allows Member State governments and EU institutions to create pooled sovereign cloud environments through multi-party procurement. This is designed to address the market fragmentation that has historically prevented smaller Member States from building the critical mass needed to sustain Level 4-capable sovereign infrastructure independently.
For regulated procurement, PM17 creates both an opportunity and an obligation. Providers admitted to the federation must publish standardised data portability procedures, support migration to any other federation-certified provider without proprietary technical barriers, and provide defined minimum notice periods before withdrawing a service or changing its sovereignty classification. These exit-rights obligations are non-waivable: a contracting authority cannot sign away its portability rights even if a particular provider offers commercial incentives to do so.
For multi-tenant sovereign cloud procurement, PM17 means that a government ministry or a systemically important bank procuring through the federation can enforce exit rights against a provider that subsequently loses its CADA recognition, without being trapped in a long-term contract with a non-compliant vendor. This fundamentally changes the risk calculus of sovereign cloud adoption and makes early federation participation an attractive strategic hedge against future recognition failures.
FAQ
When does the CADA sovereign risk assessment obligation become binding?
CADA COM(2026) 502 is still moving through the EU legislative process. The mandatory PM15 obligations are expected to apply once the regulation has entered into force and its transitional period has elapsed; for instruments of this kind that is typically 24 months after publication in the Official Journal. Organisations should begin preparatory mapping now so that existing contracts can be renegotiated or replaced in time.
Does CADA replace GDPR or NIS-2 for cloud procurement decisions?
No. CADA operates alongside GDPR and NIS-2. Article 19 conformity self-assessment explicitly cross-references NIS-2 Article 21 risk-management requirements and EUCS certification tiers, meaning all three instruments must be satisfied concurrently for sensitive public-sector workloads.
Can a US-headquartered cloud provider qualify for CADA Level 3 or Level 4?
In practice, Level 3 and Level 4 require structural guarantees against third-country compelled disclosure, including isolation from parent-company legal obligations under laws such as the US CLOUD Act and FISA 702. A provider subject to such jurisdiction would need to demonstrate through the Article 18 third-country recognition mechanism that equivalent protection exists, which is considered extremely difficult to satisfy at the higher assurance levels given current US law.
What is the difference between PM15 and PM21 in the CADA impact assessment?
PM15 makes sovereign risk assessment mandatory for public-sector bodies and regulated entities in finance and healthcare when procuring cloud or AI services above defined sensitivity thresholds. PM21 offers a voluntary pathway for other organisations that want to demonstrate sovereign compliance without a legal obligation. The mandatory track carries procurement-blocking consequences if a provider fails to meet the required assurance level.
What exit-rights obligations does the PM17 federation mechanism impose on providers?
Under PM17, federation providers must offer standardised data and configuration portability, published exit procedures with defined notice periods, and a prohibition on proprietary lock-in mechanisms that would prevent switching to another federation member. These obligations run for the duration of the contract and cannot be waived by the contracting authority.
