The Cloud and AI Development Act (CADA) is the European Union’s proposed legislative instrument that transforms cloud sovereignty from a policy ambition into a structured, auditable compliance obligation. Where earlier initiatives relied on contractual best-efforts or voluntary certification, CADA introduces binding Sovereignty Effectiveness Assurance Levels, supply-chain transparency requirements, and a formal mechanism for Member States to audit and recognise sovereign cloud providers. For compliance officers, CISOs and IT decision-makers in regulated sectors, CADA is the most consequential cloud-governance development since GDPR.
## The four Sovereignty Effectiveness Assurance Levels
CADA defines sovereignty not as a binary property but as a graduated scale. The four SEAL levels allow procurement specifications to match the sensitivity of the data being processed to a verifiable provider characteristic.

| SEAL Level | Core requirement | Typical use case |
|---|---|---|
| SEAL-0 | Standard cloud service with no specific sovereignty controls | Non-sensitive public information |
| SEAL-1 | Data residency within the EU; basic contractual protections | Internal administrative workloads |
| SEAL-2 | Operational control by EU-established entities; auditable access logs | Sensitive but non-regulated data |
| SEAL-3 | Full jurisdictional independence; immunity from third-country legal orders; verified supply chain | Healthcare records, financial supervision, legal proceedings, NIS-2 essential services |
| SEAL-4 | All SEAL-3 properties plus accreditation for classified or national-security data | Defence, intelligence, critical national infrastructure |

Regulated public-sector buyers, including bodies subject to NIS-2, DORA or the GDPR’s public-authority provisions, should require a minimum of SEAL-3 in all tender specifications for workloads handling personal data, financial records or health information. Specifying anything lower creates a gap between contractual commitment and legal exposure that a data protection authority or supervisory body can challenge during an audit.
## CADA and EUCS: complementary frameworks, not duplicates
CADA and the ENISA Cybersecurity Certification Framework for Cloud Services (EUCS) address adjacent but distinct concerns, and understanding the difference is essential for structuring procurement correctly.
EUCS, developed by ENISA under the EU Cybersecurity Act, certifies the cybersecurity properties of a cloud service: availability, integrity, confidentiality and incident response. Its three assurance levels (Basic, Substantial, High) map broadly onto the sensitivity of the data processed. A provider holding EUCS High certification has demonstrated robust security architecture and operational resilience.
CADA adds a sovereignty layer that EUCS does not address. Jurisdictional independence, supply-chain transparency, personnel vetting, and immunity from non-EU legal orders are not cybersecurity properties in the technical sense; they are legal and structural properties that determine whether a foreign government can compel data disclosure. A cloud service can be EUCS High certified and simultaneously be fully accessible to US law enforcement under the CLOUD Act if its operator is a US-controlled entity.
The two frameworks are therefore complementary: EUCS High plus SEAL-3 under CADA together cover both the technical security and the legal sovereignty dimensions. Procurement specifications for regulated workloads should require both, not treat them as alternatives. The European Commission Cloud Sovereignty Framework v1.2.1 explicitly cross-references EUCS and incorporates CADA’s sovereignty criteria into a unified 48-point checklist.
## Provider obligations under CADA: supply chain, personnel and legal immunity
CADA imposes three categories of obligation on providers seeking SEAL-2 certification and above, each of which has direct implications for how contracts are structured and how due diligence is conducted.
Supply-chain transparency requires providers to disclose all sub-processors, hardware suppliers and software dependencies that touch data covered by the certification. This mirrors the NIS-2 Directive’s supply-chain security requirements but goes further by requiring a formal sovereignty impact assessment for each third-party component. Providers must demonstrate that no sub-processor is subject to a third-country jurisdiction that could override EU data protection law.
Personnel citizenship and vetting at SEAL-3 requires that operational and administrative staff with privileged access to customer data are EU citizens or long-term EU residents subject to EU jurisdiction, and that they have undergone background screening equivalent to national security clearance standards. This provision directly addresses the risk of insider access facilitated by foreign intelligence services, a threat vector explicitly identified in ENISA’s 2023 Threat Landscape report.
Independence from third-country legal orders is the defining SEAL-3 obligation. Providers must demonstrate, through corporate structure, contractual architecture and legal opinion, that they cannot be compelled by a non-EU authority to disclose, copy or modify customer data without the explicit consent of the customer and the approval of the relevant EU Member State competent authority. This is the provision that excludes hyperscalers with US parent companies from SEAL-3 unless they establish a fully independent EU legal entity with no operational or financial dependency on the parent.
> “Sovereignty is not a product feature; it is a legal and architectural property that must be verifiable at every layer of the stack, from the silicon to the contract.” — Thierry Breton, former European Commissioner for Internal Market, European Commission press remarks on EU cloud strategy.
## Using the Cloud Sovereignty Framework v1.2.1 as a procurement checklist
The European Commission Cloud Sovereignty Framework v1.2.1 structures its 48 criteria across eight objectives, providing compliance officers with a ready-made due diligence instrument that maps directly onto both GDPR Article 28 processor requirements and DORA ICT third-party risk obligations.
The eight objectives cover: data localisation and residency; operational control and staffing; legal jurisdiction and immunity; supply-chain integrity; portability and exit rights; security certification alignment (referencing EUCS); transparency and auditability; and incident response under EU law. Each objective carries between four and eight criteria, and each criterion is formulated as a yes/no question that a provider must answer contractually.
Practical application for compliance officers: incorporate the 48 criteria directly into the Request for Information or Request for Proposal as mandatory pass/fail requirements for SEAL-3 workloads. Require providers to respond criterion by criterion with supporting evidence, not summary statements. Map each criterion response to a specific clause in the Data Processing Agreement. Store the completed matrix in your GDPR Article 30 records and your DORA ICT risk register. This creates an audit-ready evidence trail that demonstrates due diligence irrespective of whether CADA’s formal recognition audits are yet operational in your Member State.
> “Certification without enforcement is merely a label. CADA’s value lies in making sovereignty claims legally actionable, not just commercially attractive.” — ENISA, position paper on cloud certification.
## The Cloud III DPS tender and what SEAL-3 market signals mean
The European Commission’s Cloud III Dynamic Purchasing System (Cloud III DPS) tender, valued at approximately EUR 180 million (European Commission, DG DIGIT, 2023), was the first large-scale public procurement exercise to operationalise CADA-aligned sovereignty criteria before the Act’s formal enactment. Its outcome is therefore the clearest available signal of which providers can genuinely satisfy SEAL-3 requirements at enterprise scale.
OVHcloud, STACKIT, Scaleway and CleverCloud were among the European-headquartered providers awarded positions in the Cloud III DPS. Each operates exclusively within EU jurisdiction, maintains data centres on EU soil, and can demonstrate corporate structures free from US-parent-company exposure. Their inclusion confirms that a competitive sovereign cloud market exists across IaaS, PaaS and SaaS categories, and that public-sector buyers are not forced to choose between technical capability and legal sovereignty.
The average total cost of a data breach reached USD 4.45 million in 2023, the highest recorded in 18 years of the IBM/Ponemon study (IBM Cost of a Data Breach Report, 2023). For regulated entities, the reputational and regulatory cost of a breach involving data held under foreign jurisdiction is compounded by the inability to invoke EU data protection law against the disclosing party. SEAL-3 procurement directly reduces this tail risk.
ENISA’s 2023 Threat Landscape report found that ransomware and data-theft attacks on public administration increased by 46 percent year-on-year across EU Member States (ENISA Threat Landscape 2023). Sovereign infrastructure reduces the attack surface not only by eliminating foreign jurisdictional exposure but also by removing the hyperscaler shared-tenancy risks that make public cloud environments attractive targets.
## CADA audit timelines and how to prepare before mechanisms are operational
CADA sets a phased implementation timeline for Member State recognition audits. Under the current proposal, Member States have 24 months from the Act’s entry into force to designate national competent authorities responsible for recognising certified providers. A further 12 months is allocated for those authorities to develop mutual recognition procedures with counterparts in other Member States. This means that in the most optimistic scenario, a fully operational EU-wide recognition infrastructure will not exist before 2027 or 2028.
This gap creates a compliance planning challenge: the legal landscape is moving, but the audit infrastructure is not yet in place to formally validate compliance. The correct response is not to wait. Regulated entities should take three preparatory steps now.
First, complete provider due diligence using the Cloud Sovereignty Framework v1.2.1 checklist and document the results. This establishes a baseline that can be validated against formal SEAL certification once recognition audits begin, and demonstrates to current supervisory authorities that sovereignty risk was actively managed.
Second, include CADA SEAL-3 compliance as a contractual condition subsequent in cloud agreements signed today. Structure contracts so that if a provider fails to achieve formal SEAL-3 recognition within a defined period after Member State audit mechanisms become operational, the customer holds a no-fault exit right without penalty.
Third, map your cloud estate against NIS-2 Article 21 security requirements, DORA Chapter V ICT third-party risk obligations and GDPR Article 46 transfer safeguards. Providers that satisfy all three simultaneously will, in almost all cases, satisfy SEAL-3 criteria as well. This cross-mapping approach creates compliance efficiency and ensures that sovereignty due diligence is integrated into existing regulatory workflows rather than treated as a separate exercise.
## FAQ
### Is CADA already binding law, or is it still a proposal?
As of the publication of this article, CADA remains a legislative proposal under discussion in the European Parliament and Council. However, the European Commission Cloud Sovereignty Framework v1.2.1 and the Cloud III DPS tender already operationalise many of its principles in procurement today. Regulated buyers can and should apply CADA’s logic now without waiting for final enactment.
### Which SEAL level applies to healthcare or financial-sector cloud procurement?
CADA positions SEAL-3 as the minimum threshold for sensitive public data, covering healthcare records, financial supervision data and legal proceedings. SEAL-4 is reserved for classified or national-security data. Compliance officers in finance and healthcare should specify SEAL-3 as a mandatory requirement in tender documents and Data Processing Agreements.
### Does achieving EUCS certification automatically satisfy CADA’s SEAL requirements?
No. EUCS focuses on cybersecurity properties of the cloud service. CADA adds a sovereignty layer: jurisdictional independence, supply-chain transparency, and immunity from third-country legal orders. A provider can hold EUCS High certification and still fail SEAL-3 if its parent company is subject to US CLOUD Act jurisdiction.
### What should procurement teams do before Member State recognition audits are operational?
Use the 48-criteria checklist in the European Commission Cloud Sovereignty Framework v1.2.1 as a self-assessment tool. Require providers to respond to each criterion contractually. Document the assessment in your GDPR Article 30 records of processing activities and in your DORA ICT risk register, so the evidence chain exists when formal audits begin.
### Which European providers have demonstrated SEAL-3-equivalent characteristics in the Cloud III DPS tender?
OVHcloud, STACKIT, Scaleway and CleverCloud were among the European providers awarded positions in the Cloud III DPS, demonstrating architectures consistent with SEAL-3 criteria: EU-based data centres, no third-country parent-company exposure, and contractual immunity from non-EU legal orders. Their inclusion confirms that a competitive sovereign market exists and that public-sector buyers are not forced to choose between capability and sovereignty.
