On June 3, 2026, the EU Commission presented a proposal that makes cloud sovereignty measurable for the first time. The Cloud and AI Development Act (CADA) divides it into four levels. Independence from third countries counts from Level 2 onward; from Level 3, meeting the requirements becomes practically impossible for US-controlled providers. This is still a draft, but anyone planning public procurement should understand the levels now.
Key Takeaways
- Sovereignty becomes a verifiable level: CADA defines four assurance levels for cloud services to the public sector, from Level 1 as a minimum requirement to Level 4 with full control over the supply chain without third-country influence.
- From Level 3, origin matters: Providers must be owned and controlled from the EU, including criteria on the nationality of personnel. This practically excludes US-controlled hyperscalers.
- This is still a proposal: The draft dates back to June 3, 2026; adoption is still pending. However, those planning public procurement will benefit from integrating the level logic into their architecture early on.
What the Cloud and AI Development Act Aims to Regulate
What is CADA? The Cloud and AI Development Act is a proposed regulation by the EU Commission from June 3, 2026, aimed at strengthening cloud and AI sovereignty in Europe. It is not yet in force but is at the beginning of the legislative process. Its core consists of two key elements.
The first is infrastructure. The Commission sees a structural deficit in data center capacity in the EU and aims to triple it within five to seven years. This goal is primarily to be achieved through private investments, which the Commission estimates at around €200 billion. It is essential to distinguish: tripling is the capacity goal, and €200 billion is the investment sum to be mobilized, not a funding budget.
The second key element is dependency. A large part of European cloud usage runs through a small number of providers outside the EU. CADA aims to counter this concentration with a verifiable framework, and this is where the assurance levels come into play.
Four levels that make sovereignty verifiable
The leverage of CADA is that sovereignty is tied to verifiable criteria. What was once a buzzword becomes a classification. The proposal defines four assurance levels that the public sector can demand based on risk assessment. The classification follows criteria such as control over the service, control over the supply chain, data handling, infrastructure location, and cybersecurity.
| Level | Core requirement | Who meets it |
|---|---|---|
| Level 1 | Minimum standard for every cloud service to the public sector | Practically all providers |
| Level 2 | Independence from third countries, transparency over the software supply chain | Providers without third-country ties |
| Level 3 | Ownership and control from the EU, personnel nationality criteria | EU providers; hardly any US-controlled ones |
| Level 4 | Full control over the supply chain without influence from third countries | Purely European stacks |
The grading does not force anyone to opt for a European solution across the board. It leaves the classification to the risk assessment of the respective authority. For an administration with sensitive data, Level 3 or 4 will be a logical requirement, and this will determine the provider selection before the first architecture sketch is created.
What the levels mean for procurement
Here, a regulatory proposal turns into a concrete procurement question. Providers will be recognized by the member states under the framework after an audit. Those that do not meet Level 3 or 4 cannot participate in tenders that require this level. This is not a ban on specific providers, but it effectively amounts to an exclusion, as a US-controlled hyperscaler can hardly meet the ownership and personnel criteria.
For architects, this means that the sovereignty level will have to be considered at the beginning of the planning process. If someone designs a system for the public sector and only later realizes that the target authority requires Level 3, they will have to rebuild half of the data storage. The sober consequence is a preliminary question in every procurement project: Which level is required, and which part of the stack already meets it?
Concretely, this affects more than just the server location. Level 3 requires ownership and control from the EU, which can already fail due to the corporate structure of a provider with a US parent company, regardless of where the servers are located. This also includes key management. Who holds the cryptographic keys and under which jurisdiction they do so determines the classification. And the personnel criteria go as far as who has administrative access to the infrastructure. Pure data residency in a Frankfurt data center only fulfills part of this, and precisely this confusion is common in sovereignty pitches.

Why the Architecture Decision Needs to Be Made Now
It’s tempting to delay the issue as long as CADA is just a proposal. However, this calculation rarely pays off. A sovereign stack cannot be retrofitted in the quarter when the tender appears. Data storage, key management, and supply chain are decisions with a long half-life.
Anyone building or selling cloud solutions for the public sector should conduct an honest self-assessment today: What level does their own stack achieve, and where is the next third-country influence that prevents Level 3? This question costs little and saves expensive rework under time pressure later on.
Frequently Asked Questions
Is CADA already in effect?
No. CADA has been a proposal of the EU Commission since 3 June 2026 and is undergoing the legislative process. The text may still change during negotiations with the Parliament and the Council.
What are the four Assurance Levels?
Four tiered sovereignty levels for cloud services for the public sector. Level 1 is the minimum standard, Level 2 requires third‑country independence and supply‑chain transparency, Level 3 mandates EU ownership together with personnel criteria, and Level 4 provides full control over the supply chain.
Does CADA exclude US providers?
Not through an outright ban, but in effect. For tenders that require Level 3 or 4, a US‑controlled hyperscaler can hardly meet the ownership and personnel criteria and therefore cannot participate.
What does the tripling of data center capacity mean?
The Commission aims to triple EU data center capacity within five to seven years. The effort is expected to be driven mainly by private investments of roughly €200 billion, which should not be confused with a subsidy budget.
What should cloud architects do now?
Conduct an honest self‑assessment of your own stack and determine which Assurance level it reaches. Data storage, key management and the supply chain have long lead times and cannot be upgraded to Level 3 on short notice.
Image source: AI‑generated (June 2026)
Images in the article: AI‑generated (May 2026)