This change will come about if recent proposals put forward by the European Commission for a new Cloud and AI Development Act (CADA) become law.
The EU proposals, which we explore in more detail below, reflect an increased global focus on sovereign tech models amidst a volatile geopolitical environment in which policymakers are seeking to reduce foreign dependencies and associated risks of potential interference with and disruption to the supply of essential goods or services.
In the US, for example, the Trump administration recently banned US AI developer Anthropic from enabling any foreign national – including the company’s own employees – from accessing its latest models, Fable 5 and Mythos 5. That ban, which has now been lifted, was imposed amidst concerns that those powerful frontier AI models could be exploited by cyber criminals backed by the US’ adversaries.
The CADA proposals, though in a different tech context, can be viewed through a similar lens. They reflect part of the EU’s response to evolving geopolitical risks as they manifest in the world of data and technology.
Not all policymakers are responding the same way. The EU’s approach towards the idea of a ‘sovereign cloud’ – a cloud environment entirely operated, located and governed within one jurisdiction – differs to that adopted by policymakers in the UK. As we have previously explored, the UK government has stopped short of mandating a sovereign cloud approach in public procurement policy, but its £500 million sovereign AI fund is a clear signal to market to develop sovereign cloud solutions for take-up in the UK. It has been reported that UK prime minister-in-waiting Andy Burnham will be pushing a bigger ‘buy British’ agenda for UK cloud and AI procurements too.
CADA: the EU proposals in more detail
The proposed CADA, which is still subject to a potentially length legislative process, is part of a wider ’technological sovereignty package’ the Commission announced on 3 June.
CADA introduces, amongst other measures, a formal EU-wide cloud and AI sovereignty framework with four sovereignty assurance levels which, for the first time in the EU, translates sovereignty into legislative criteria. The levels range from basic data localisation (Level 1) to full insulation from third-country legal and operational control (Level 4) and apply broadly to the procurement of “cloud and AI services” by public bodies in the EU.
Under CADA, cloud providers would have the opportunity to become recognised as achieving one of the proposed new assurance levels. Public bodies would be required to carry out a risk-based assessment of each proposed cloud and AI service and determine which sovereignty level is appropriate. The relevant levels would then be linked to procurement eligibility. In practice, it means that sovereignty is expected to become part of supplier evaluation in EU procurements where CADA applies. While there is no GDPR-style penalty regime envisaged for non-compliance, if the framework is ignored or not applied correctly, procurement decisions may be subject to legal challenge under existing EU procurement law..
In essence, Level 1 requires EU data localisation and baseline compliance with EU law (e.g. GDPR); Level 2 adds safeguards to mitigate third‑country legal risks; Level 3 requires substantive operational independence within the EU; and Level 4 demands full control and effective insulation from non‑EU legal and operational influence.
The lower levels are anticipated to be relevant to general administrative systems, public-facing services and other low-sensitivity workloads, where EU data localisation and standard safeguards are sufficient and exposure to foreign jurisdiction can be managed. By contrast, higher levels are anticipated to apply to systems involving sensitive personal data, core regulatory functions or critical state infrastructure, where increasing degrees of operational independence are required, culminating at Level 4 where full insulation from third-country legal and operational control is envisaged. The classification turns less on the type of service than on the sensitivity, criticality and tolerance for external interference associated with the underlying workload.
In practice, it is likely that what general global hyperscalers already offer is likely to accord with the first two proposed new assurance levels. Level 3 may require enhanced sovereign configurations, such as ring-fenced or hybrid models. Level 4 could, depending on how ultimately defined and implemented, favour providers capable of demonstrating full operational and legal insulation within the EU, such as insulation from non-EU legal regimes like the US CLOUD Act..
Given the fact that US hyperscalers have already launched EU sovereign cloud offerings, existing sovereign cloud offerings may enable participation at lower and intermediate levels. Participation at the highest assurance level will depend on final definitions and implementation. It will be interesting to see how the CADA requirements are translated by member state public authorities into procurement requirements, as this will inform who can respond.
However, before adoption and entry into force, CADA will be negotiated by the European Parliament and the Council of Ministers. This process is not quick: it typically takes between one and three years for complex digital regulation proposed by the Commission to be scrutinised and adopted by the EU’s legislative bodies. The EU AI Act, for example – which, like CADA, was also politically sensitive and strategically important – was the product of three years of negotiation and was only adopted after major amendments were applied.
Together with the EU AI Act, CADA reflects the widening gap between the EU’s more rules-based and structured approach compared with the UK’s more flexible, regulator-led model which arguably offers greater adaptability but less certainty.