The Cloud and AI Development Act (CADA), proposed by the European Commission as COM(2026)502, introduces a structured, EU-wide tiered framework for assessing the sovereignty of cloud and AI services. It gives procurement officers, CISOs and data protection officers a common vocabulary and a legally grounded baseline to replace the patchwork of national schemes, vendor self-declarations and ad hoc contractual workarounds that currently pass for cloud sovereignty governance in most European organisations.
For regulated sectors, including public administration, finance, healthcare and legal services, the stakes are concrete. EU public-sector organisations spent an estimated €26 billion on cloud services in 2023 (European Commission, DESI 2023), with a significant share concentrated among three US-headquartered hyperscalers. Each of those contracts carries exposure to the US CLOUD Act, FISA Section 702 and Patriot Act provisions that can compel disclosure of data stored or processed by US-controlled entities, regardless of where the servers physically sit.
The Four CADA Sovereignty Assurance Levels Explained
CADA defines four Sovereignty Assurance Levels (SALs) that describe progressively stronger guarantees against third-country legal jurisdiction, supply-chain opacity and non-EU control.
Level 1 requires basic transparency: providers disclose their legal jurisdiction and sub-processor chains but face no substantive restriction on foreign ownership or personnel. This level is broadly equivalent to a well-structured data processing agreement and is unsuitable for sensitive public-sector workloads.
Level 2 adds contractual and technical controls. The provider must demonstrate that data does not leave the EEA under normal operating conditions, that encryption keys are held by an EU-based entity, and that access by non-EU staff is logged and subject to a defined authorisation process. Foreign ownership is permitted but must be disclosed.
Level 3 introduces structural independence. The provider must be majority-owned by EU legal persons, all personnel with privileged access to production systems must hold EU citizenship or permanent residency, and the software supply chain must be documented through a verifiable software bill of materials (SBOM). Crucially, the provider must demonstrate that no third-country law can compel data disclosure: organisational firewalls, contractual immunities and legal analysis of the provider’s jurisdictional exposure are all required evidence artefacts.
Level 4 adds operational air-gapping for the most sensitive workloads: classified government data, critical infrastructure control systems and law-enforcement records. At this level, physical infrastructure must be located on EU soil with no logical connectivity to non-Level-4 environments, all software components must be open-source or subject to full source-code escrow with an EU-based trustee, and third-party audits must be conducted by an accredited conformity assessment body at least annually. Personnel security clearances aligned with national vetting standards are required.
CADA and Existing National Schemes: Complement, Not Replacement
CADA is designed to function as a harmonising layer above national certification schemes, not to abolish them. France’s SecNumCloud qualification scheme and Germany’s BSI Cloud Computing Compliance Criteria Catalogue (C5) each address overlapping concerns but with different methodologies and scopes.
SecNumCloud’s ‘qualified’ tier already imposes strict requirements on EU ownership and third-country legal exposure, closely mirroring CADA Level 3. BSI C5, by contrast, is primarily a controls-based attestation focused on operational security; it does not mandate EU ownership and therefore aligns more naturally with CADA Level 2. Neither scheme constitutes automatic CADA compliance, but both can serve as supporting evidence in a CADA conformity assessment, reducing audit duplication for providers already certified under them.
ENISA has noted that “the lack of a harmonised EU-level certification for cloud sovereignty creates regulatory fragmentation and leaves public buyers without a common baseline to verify vendor claims” (ENISA Cloud Certification Scheme Landscape 2023). CADA addresses this directly by establishing a single set of criteria that national competent authorities must apply, while allowing member states to impose stricter requirements for nationally classified workloads.
Procurement Implications: The EU Cloud III DPS and Framework Lock-In
For public administrations, CADA intersects directly with the EU Cloud III Dynamic Purchasing System (Cloud III DPS), the successor procurement vehicle to the earlier cloud framework agreements operated through EU institutions and national central purchasing bodies. CADA’s proposed common EU-level procurement framework would require that contracts for sensitive public-sector workloads above defined thresholds specify a minimum CADA level as a selection criterion, not merely a desirable attribute.
This has direct consequences for organisations currently locked into Microsoft Azure or AWS Enterprise Agreement frameworks. Those agreements, negotiated at member-state or EU-institution level, do not currently embed CADA-level requirements. A CADA-compliant procurement framework would either require renegotiation of those agreements to include binding sovereignty commitments, or migration to providers capable of reaching the required level. Given that Azure and AWS are US-controlled entities, they cannot structurally achieve CADA Level 3 or Level 4 without divesting control of the relevant EU operations to EU-majority-owned entities.
Mapping CADA Levels to GDPR, NIS-2 and DORA
CADA does not operate in isolation. For CISOs and compliance officers, the practical task is to integrate CADA levels into existing regulatory obligations.
| Regulation | Relevant provision | CADA level relevance |
|---|---|---|
| GDPR | Article 44: transfers to third countries | CADA Level 3+ reduces the residual risk that must be assessed under transfer impact assessments (TIAs). It does not replace SCCs or adequacy decisions but strengthens the legal basis for a positive TIA conclusion. |
| NIS-2 Directive (EU) 2022/2555 | Article 21: supply-chain security measures | CADA Level 3’s SBOM requirement and personnel access controls directly satisfy NIS-2’s mandate to assess risks in the supply chain of ICT products and services. ENISA’s 2023 Threat Landscape found supply-chain attacks accounted for 17 percent of all significant incidents affecting EU critical infrastructure. |
| DORA (EU) 2022/2554 | Article 30: ICT concentration risk | DORA Article 30 requires financial entities to identify and manage concentration risk from reliance on a single third-party ICT provider. Using a CADA Level 3 or 4 EU-sovereign provider as a secondary or primary environment directly reduces reportable concentration risk and supports the exit strategy documentation DORA requires. |
The IBM Cost of a Data Breach Report 2024 recorded a global average breach cost of USD 4.88 million, the highest figure ever reported. For regulated entities, regulatory fines and contractual liability compound that figure. A CADA-aligned procurement decision is therefore also a financial risk management decision.
Former EU Commissioner for Internal Market Thierry Breton stated: “Cloud services used by public authorities must be fully shielded from unlawful access by third-country governments. Sovereignty is not a marketing label; it is a legal and technical requirement.” That framing aligns precisely with what CADA levels 3 and 4 formalise in binding procurement criteria.
Swiss Hosting Under the Revised FADP: A CADA-Adjacent Option
Switzerland occupies a specific and often misunderstood position in this landscape. The revised Federal Act on Data Protection (revFADP), which entered into force on 1 September 2023, brought Swiss data protection law to a standard the European Commission recognises as adequate under GDPR. Personal data can therefore flow from EU member states to Swiss processors without Standard Contractual Clauses or other Article 46 safeguards, as long as the processing falls within the scope of the adequacy decision.
Critically, Swiss-incorporated and Swiss-operated providers are not subject to the US CLOUD Act, FISA 702, or the Patriot Act. A Swiss provider with no US-person ownership and no US-listed parent company has no legal pathway by which a US government agency can compel data production. This is a substantive legal advantage over EU-domiciled subsidiaries of US corporations.
However, Switzerland is not an EU member state and cannot be certified under CADA. Swiss providers are outside the EU’s internal market for sovereign cloud procurement purposes. For an EU public body subject to CADA’s mandatory procurement rules, a Swiss provider can serve as a compliant data processor under GDPR and can satisfy the legal exposure criteria that underpin CADA Levels 1 and 2, but it does not obtain a formal CADA certification. Organisations assessing Swiss hosting should document this position explicitly in their transfer impact assessments and supply-chain risk registers, noting the adequacy status, the absence of US-law exposure, and the limitation of formal CADA certification as distinct considerations.
Audit Evidence and Procurement Requirements for Level 3 and Level 4
Claiming a CADA level is not self-certification. For Level 3 and Level 4, CADA requires conformity assessment by an accredited third-party body. Procurement teams should require the following evidence artefacts before contract signature:
1. A conformity assessment report issued within the preceding 12 months by an EU-accredited conformity assessment body, referencing the specific CADA level attested.
2. A current SBOM covering all software components in the service stack, including open-source dependencies, with a documented vulnerability management process.
3. A certified register of personnel with privileged system access, confirming EU citizenship or permanent residency status and, for Level 4, applicable national security clearances.
4. A legal opinion, not merely a vendor assertion, confirming that no third-country law creates a compelled-disclosure obligation for data processed under the contract.
5. Incident response documentation showing tested procedures aligned with NIS-2 Article 23 notification timelines and, for financial entities, DORA’s 4-hour initial notification requirement.
Providers that cannot produce these artefacts on request should not be permitted to claim a Level 3 or Level 4 designation in tender responses. Procurement frameworks that accept vendor self-declarations against CADA criteria without third-party attestation are reproducing exactly the fragmentation that CADA was designed to eliminate.
FAQ
Is CADA already in force, and when will it apply to procurement decisions?
CADA was proposed by the European Commission as COM(2026)502 and is subject to the ordinary legislative procedure involving the European Parliament and Council. It is not yet in force. Organisations should begin gap assessments now, since implementation timelines typically allow 12 to 24 months after publication in the Official Journal before full applicability.
Does achieving CADA Level 2 satisfy GDPR Article 44 transfer restrictions?
Not automatically. CADA Level 2 addresses operational independence from non-EU interference but does not constitute a transfer mechanism under GDPR. Article 44 transfers still require a Commission adequacy decision, Standard Contractual Clauses, or another Chapter V instrument. CADA levels inform the risk assessment accompanying those instruments but do not replace them.
Can a provider certified under SecNumCloud or BSI C5 automatically claim a specific CADA level?
No. CADA recognises existing national schemes as partial supporting evidence, but automatic equivalence has not been confirmed in the legislative text. SecNumCloud’s qualified tier and C5 attestations are likely to map closely to CADA Level 3, but providers will still need to demonstrate conformity against the EU-level CADA criteria through an accredited conformity assessment body.
How does Swiss hosting under the revised FADP affect CADA compliance for an EU-based organisation?
Switzerland holds EU adequacy status under GDPR, meaning personal data can flow there without additional transfer mechanisms. Swiss providers are outside the reach of the US CLOUD Act and FISA 702. However, Switzerland is not an EU member state, so Swiss providers cannot attain CADA certification. They can serve as compliant data processors under GDPR, and their legal environment supports a CADA-adjacent risk posture, particularly relevant at Levels 1 and 2, but they fall outside CADA’s EU-internal procurement framework.
What evidence artefacts should a procurement team require from a provider claiming CADA Level 3 or Level 4?
Procurement teams should request: a conformity assessment report from an EU-accredited auditor, a software bill of materials covering the full service stack, documentation of EU-majority ownership and a personnel access register confirming EU citizenship or clearance status, a legal opinion confirming no third-country compelled-disclosure exposure, and incident response documentation tested against NIS-2 and DORA Article 30 timelines.