Brussels, 4th June 2026. Yesterday’s announcement of the Cloud and AI Development Act as part of the EU Sovereignty package is a step forward for Europe’s strategic autonomy, but challenges remain. With its assurance Level 3 and above, the Commission lives up to its promise and provides some strong definitions of Sovereignty that align with the CISPE Sovereign and Resilient Cloud Framework. The text is clearly aimed at political and security concerns and may, if well implemented, help to challenge the commercial dominance of established foreign cloud and AI vendors.
Some fundamental flaws and significant omissions in public procurement remain which underestimate the power of convenience and inertia when it comes to implementation. These include:
- No obligation to even assess European alternatives in public cloud procurement.
- Confusion and potential abuse of level 1 and 2 ‘Sovereignty’.
- Sovereignty assessed at company rather than service level.
- Some clauses in Annexes threaten the entire sovereignty definition.
On procurement, the Act fails to ask buyers even to look at European alternatives
CADA gets the broad architecture of cloud sovereignty right, but on public procurement it misses the mark. It does not even ask a public authority to check whether a European service exists before sending taxpayers’ money to a provider controlled from outside Europe – let alone require it to choose one. As this is a duty to look, is not a duty to prefer which could be seen as a barrier to trade; it is basic due diligence with public money. We see a significant risk that assessments become a ‘rubber-stamp’ exercise that allow IT departments to continue to buy non-sovereign services out of convenience.
Levels 1 and 2 cannot be called Sovereign
Whilst the definition of Level 3 Sovereignty is robust, those for Level 2 and 1 are confusing and non-sensical. It seems that almost any vendor can meet these requirements leading to confusion and the potential for deliberately misleading labelling. Services under Level 1 and 2 under the Commission’s Framework should not be called, designated or otherwise referred to as ‘sovereign’ in any way. This will continue to confuse the market, both public and private customers, and encourage more sovereignty washing attempts.
CADA recognises providers, then lists services that were never individually checked
The CISPE Framework assesses sovereignty or resilience at a service level, and we feel this is the only legitimate way to provide buyers with clear information on what they are buying. The Commission’s text is unclear whether it is companies or services that are to be audited. It also makes no provision for the detailed results of audits to be public. CISPE believes that service-level audits, and transparent sharing of controls and metrics, as well as scores, are the only credible way for customers to make informed decisions on the precise services they require. Independently audited industry frameworks, such as CISPE’s that meet or exceed the Commission’s requirements, should also be recognised and promoted by Member States.
Close the loopholes that could be used to slip past the rules
The text and its annexes are detailed and well drafted. Clearly the Commission has listened and reacted to many of the concerns from the European cloud sector. However, through its complexity there are many potential loopholes that we would like to see addressed.
The Act leaves a structural loophole that could be allow an intermediary to launder a foreign-controlled service into one recognised as Level 2, 3 or 4. By selling through a European aggregator which holds the direct contract and itself passes the criteria, a foreign-controlled subcontractor that does not have direct access to sensitive data can have its services and products resold into a recognised Level 2, Level 3 or Level 4 offering whilst sitting beyond the reach of the establishment and no-third-country-control conditions. These clauses, included in the second paragraph of Appendix II descriptions of each Level, not only undermine those definitions but introduce a dangerous backdoor which allows subversion of the entire definition of sovereignty.
CISPE is also concerned on the uneven burden borne by Nation States. Any EU country can designate a vendor as ‘sovereign’ but only the State containing that vendor’s European Headquarters can enforce the decision. This may unduly burden a small number of countries with a high level of enforcement duties. Other countries, and indeed individual vendors should also be able to challenge designations to avoid anti-competitive market distortions.
These and other loopholes and circumventions must be addressed in any final text.
-ENDS-
