CADA hands procurement a tool it has lacked: a way to answer “is this provider sovereign enough” without falling back on instinct. Adopted as a proposal on 3 June 2026, the Cloud and AI Development Act defines four assurance levels for cloud and AI sovereignty. The CADA sovereignty levels are not law yet, and they were written for public sector bodies, yet any buyer can use them as a scoring frame this quarter. Score a service, record its level, and the question turns from a yes-or-no shrug into a graded test with a clear next move.
The graded ladder in plain English
Each level adds one demand to the one beneath it. Level 1 asks only that data is processed and stored in EU infrastructure; it says nothing about who controls the provider, so it is the baseline and little more. Level 2 adds independence from third-country control and transparency over the software supply chain. The ladder is cumulative, so a provider cannot claim a higher level while failing a lower one.
Where Level 3 and Level 4 raise the bar
Level 3 is where the test bites. It requires the provider to be owned and controlled from the EU, with additional criteria such as the citizenship of key personnel, though the Commission may recognise certain third-country providers under conditions. Level 4 goes further still: full transparency and control over the software supply chain, with no third-country interference. That is the top of the ladder, and most US-headquartered hyperscalers will not reach it without restructuring.
Five changes the CADA sovereignty levels force this quarter
You do not need to wait for adoption to act on the framework. The CADA sovereignty levels already give procurement and due diligence a structure, and five changes put that structure to work:
- Score your critical cloud and AI services against the four levels and record today’s level for each. Note the single change that would move a service up one level, because that note is your negotiation ask at the next renewal.
- Add a sovereignty-level question to the vendor questionnaire, and state the workload scope it applies to. A provider can sit at Level 3 for one service and Level 1 for another, so an unscoped answer is worthless.
- Keep the GDPR transfer analysis and the transfer impact assessment separate from the score. A high sovereignty level does not discharge the Chapter V transfer obligation; data localisation and data sovereignty are not the same thing, and remote access from outside the EEA is still a transfer.
- Capture CLOUD Act and foreign-law exposure for very critical workloads as a distinct question. The DigiD case shows that contracts alone cannot fix a jurisdictional reach problem.
- Write a level-continuity clause into the contract so a downgrade becomes a contractual event, not a surprise. Ownership changes and sub-processor swaps can drop a provider a level overnight.
A sovereignty level is not a GDPR transfer analysis
The most common mistake will be to treat a good score as a clean bill of health. It is not. The sovereignty levels measure who controls the provider and its supply chain; the transfer analysis measures what happens to personal data when it leaves the EEA. Score both, and score them separately, or you will hand a regulator a single number where it expects two assessments.
Where the CLOUD Act still reaches
Location alone, the bottom of the ladder, does nothing against foreign-law access. For a very critical workload, ask the blunt question: can any third-country law compel access to this data, or override this provider, regardless of where the data physically sits? Level 3 and Level 4 exist precisely because the US CLOUD Act can answer yes. A provider hosting in Frankfurt while owned in California has not closed that gap.
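The ladder described in the two level sections above, the rule that a sovereignty score and the transfer analysis stay separate, and the blunt CLOUD Act question in this section can be held in one small scorecard. The Python below is an added example written for this article, not text from the Act or any official scoring tool: it reduces each level's one-line description to boolean evidence items, walks the ladder bottom-up so a provider can never score above its first failed rung, records the one change that would raise the level, and keeps the transfer flag and the CLOUD Act note as separate fields. The `Provider` record, its field names and both sample providers are constructed for the illustration.

```python
"""Scorecard for the four CADA sovereignty levels described above.

Added example, not text from the Act or from any scoring tool: the criteria
are the article's one-line description of each level reduced to boolean
evidence items. The Provider record, field names and sample data are
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# The ladder, lowest rung first. A level counts as reached only when every
# criterion at that level and at every level beneath it is met (cumulative).
LADDER = [
    (1, [("eu_infrastructure",
          "data processed and stored in EU infrastructure")]),
    (2, [("third_country_independent",
          "independence from third-country control"),
         ("supply_chain_transparent",
          "transparency over the software supply chain")]),
    (3, [("eu_owned_and_controlled",
          "owned and controlled from the EU (or Commission-recognised)")]),
    (4, [("supply_chain_fully_controlled",
          "full transparency and control over the supply chain, "
          "no third-country interference")]),
]


@dataclass
class Provider:
    name: str
    scope: str                                   # workload the answer covers
    evidence: dict                               # criterion key -> bool
    # Kept outside the ladder on purpose: these feed the separate
    # transfer analysis and the CLOUD Act note, never the level.
    personal_data_leaves_eea: bool = False
    remote_access_from_outside_eea: bool = False
    third_country_law_can_compel_access: Optional[bool] = None


@dataclass
class ScoreCard:
    provider: str
    scope: str
    level: int                                   # 0 means not even Level 1
    next_gap: Optional[str]                      # the one change that raises it
    transfer_analysis_required: bool
    cloud_act_note: str


def score(p: Provider) -> ScoreCard:
    """Walk the ladder bottom-up and stop at the first missing criterion."""
    level, next_gap = 0, None
    for lvl, criteria in LADDER:
        missing = [desc for key, desc in criteria if not p.evidence.get(key, False)]
        if missing:
            next_gap = missing[0]
            break
        level = lvl
    # Remote access from outside the EEA is still a transfer, so it flags the
    # transfer analysis exactly as physically moving the data would.
    transfer_required = p.personal_data_leaves_eea or p.remote_access_from_outside_eea
    if p.third_country_law_can_compel_access is None:
        note = "not assessed"
    elif p.third_country_law_can_compel_access:
        note = "exposed: third-country law can compel access regardless of hosting location"
    else:
        note = "no known third-country compulsion route"
    return ScoreCard(p.name, p.scope, level, next_gap, transfer_required, note)


def claim_is_consistent(p: Provider, claimed_level: int) -> bool:
    """A vendor cannot claim a level above the one its evidence supports."""
    return 1 <= claimed_level <= score(p).level


# Constructed sample: hosted in Frankfurt, owned from California, support
# staff with remote access from outside the EEA.
FRANKFURT_US_OWNED = Provider(
    name="ExampleCloud (constructed)",
    scope="HR analytics workload",
    evidence={"eu_infrastructure": True,
              "third_country_independent": False,
              "supply_chain_transparent": True},
    remote_access_from_outside_eea=True,
    third_country_law_can_compel_access=True,
)

# Constructed sample: EU-owned provider that cannot yet evidence full
# supply-chain control.
EU_OWNED = Provider(
    name="ExampleEU (constructed)",
    scope="case management workload",
    evidence={"eu_infrastructure": True,
              "third_country_independent": True,
              "supply_chain_transparent": True,
              "eu_owned_and_controlled": True,
              "supply_chain_fully_controlled": False},
    third_country_law_can_compel_access=False,
)

if __name__ == "__main__":
    for card in (score(FRANKFURT_US_OWNED), score(EU_OWNED)):
        print(card)
```

The scope field is what makes the answer usable: the same provider can be scored once per workload, so a Level 3 result for one service never leaks into the file for another. The `claim_is_consistent` check is the questionnaire-side guard for the cumulative rule, and the transfer and CLOUD Act fields deliberately have no influence on `level`, so a high score can never be read as a clean transfer position.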
Open source moves up the CADA sovereignty levels agenda
The Level 4 demand for supply-chain transparency does not sit alone. CADA arrives alongside the EU Open Source Strategy, which places open components at the centre of technological autonomy. Together they push open-source supply-chain governance up the procurement agenda, because you cannot claim transparency over a supply chain you cannot inspect. This is also where a recognised management standard earns its place: ISO/IEC 42001 gives you a structured way to govern third-party and supplier oversight, which is exactly what the higher CADA sovereignty levels demand as evidence. Reuters has reported draft tender criteria that could exclude the largest US providers from sensitive contracts on these grounds, so the commercial stakes are real.
Make the scored card part of the file
A score that lives in someone’s head protects nobody. The discipline is to attach a scored card to the vendor file, alongside the GDPR transfer analysis, and to record both the current level and the one change that would raise it. Our CADA sovereignty reference card turns the four levels into a one-page scorecard built for exactly this, with space for the level, the target, the transfer-analysis flag and the CLOUD Act note.
Score the service, write the level-continuity clause, and file both before the renewal rather than after it. That is how the four levels stop being a talking point and start being a control.