European Commission’s Proposed Cloud Sovereignty Framework Creates New Compliance Tiers for Software Providers
In Short
The Situation: On June 3, 2026, the European Commission ("EC") published the proposed EU Cloud and AI Development Act ("CADA") as part of its broader Tech Sovereignty Package. At its core, CADA establishes a four-level assurance framework for cloud sovereignty.
The Result: The framework creates immediate and material implications for U.S. hyperscalers, enterprise software providers, and platform businesses alike. Also, CADA's "open source first" procurement principle poses a structural challenge to proprietary-software business models. In addition, CADA would empower the EC to adopt delegated acts that extend sovereignty risk-assessment obligations to private companies in certain sectors.
Looking Ahead: CADA is now subject to European Parliament and Council negotiation, with final adoption targeted for late 2027. Given that cloud sovereignty has strong political support, enterprise software companies, platform businesses, and hyperscalers should treat the core framework as highly likely to be adopted and begin strategic planning now.
Analysis
The proposed CADA, which was published on June 3, 2026, and is part of the EU's Tech Sovereignty Package, aims to establish the most comprehensive framework yet for regulating cloud services in Europe. (The package also comprises the Chips Act 2.0, the EU Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy.) For enterprise application providers, platform businesses, and hyperscalers, CADA creates a new compliance architecture that will fundamentally reshape how software and cloud services are delivered to European customers.
At the core of CADA sits the EU Cloud Sovereignty Framework, comprising four assurance levels. Level 1 requires that data processing and storage happen within EU infrastructure. Level 2 demands demonstrated independence from third countries and transparency over the software supply chain. Level 3 requires EU ownership and control, with additional citizenship criteria for personnel, although the EC can recognize third-country providers. Level 4 demands full transparency and control over the software supply chain, with no interference from a third country. EU tech chief Henna Virkkunen indicated that the U.S. CLOUD Act, which compels U.S.-based companies to hand over data hosted on their services, makes it "difficult to reach" the stricter requirements.
For U.S. hyperscalers, the implications are immediate and material. The EC estimates that only 1% of Europe's public services require the strictest tier, level 4, which effectively excludes foreign technology. However, the EU ownership and control requirements of level 3 could affect a significantly larger portion of public-sector contracts. Companies that have invested in European sovereign cloud structures (with localized governance, EU-only operational teams, and cryptographic segregation) may find themselves positioned at level 2 or potentially level 3, depending on implementation.
Enterprise software providers face a different but equally significant challenge. CADA requires every Member State to adopt a national cloud and AI strategy that includes measures supporting cloud computing stacks "built upon open hardware and software." The "open source first" principle in Article 41 requires EU entities and public-sector bodies to encourage the use of open-source components when building their cloud and AI ecosystem. While the current formulation allows consideration of "functionality, including security, total cost, and other relevant, duly justified objective criteria," this nonetheless represents a structural procurement preference that challenges traditional proprietary licensing models.
The investment of €2 billion (about $2.3 billion) in the EU Open Source Strategy for funding accelerators, maintenance instruments, and the Open Internet Stack aims to create commercially viable European alternatives to proprietary offerings. The target of having 30 million active users of open-source collaboration tools by 2030 indicates the EC's ambition to shift substantial public-sector demand away from incumbent providers.
Perhaps most relevant for software companies is the potential extension beyond the public sector. CADA would also empower the EC to adopt delegated acts requiring private companies in sectors regulated by the NIS2 Directive (Directive (EU) 2022/2555)—such as banking, energy, telecommunications, and health care—to carry out comparable sovereignty risk assessments of their cloud dependencies. While the precise scope remains subject to negotiation, industry associations have already warned that this could fragment the EU single market (27 EU Member States, plus Iceland, Liechtenstein, Norway, and Switzerland) and force cloud-based services to reorganize global operations.
Platform businesses and Software-as-a-Service, or SaaS, providers should pay particular attention to the sovereignty risk-assessment mechanism. Member States must determine the appropriate protection level for each public-sector use case and must procure digital services accordingly within one year of adoption. The EC reserves the right to overrule national assessments that it considers inadequate.
The competitive landscape is shifting accordingly. European cloud providers and open-source companies are positioned to benefit from preferential procurement treatment. U.S. and Asian providers must decide whether to create fully separated EU subsidiaries, invest in sovereign cloud architectures, or accept exclusion from the most sensitive market segments.
Practically, companies should begin taking several measures: (i) mapping their European public-sector exposure against the four assurance levels; (ii) assessing whether their current architecture can satisfy level 2 or level 3 requirements; (iii) evaluating the commercial impact of open-source procurement preferences on their European revenue; and (iv) monitoring the legislative process for any expansion of sovereignty obligations to the private sector.
CADA is now subject to European Parliament and Council negotiation, with final adoption targeted for late 2027. Given the strong political support for cloud sovereignty, companies should treat the core framework as highly likely to be adopted and begin strategic planning now.
Three Key Takeaways
- The proposed CADA introduces four assurance levels, ranging from data localization (level 1) to full supply-chain transparency with no third-country interference (level 4). These assurance levels will determine market access for public-sector contracts, with the most sensitive workloads restricted to EU-owned and EU-controlled providers.
- The "open source first" principle in public procurement, combined with €2 billion in open-source investment, signals a structural challenge to proprietary-software business models in the European public sector.
- The sovereignty risk-assessment obligation may extend beyond the public sector: CADA would empower the EC to adopt delegated acts that extend sovereignty risk-assessment obligations to private companies in sectors regulated by the NIS2 Directive (e.g., banks or energy companies).