The new draft European regulation includes a four-level classification system, very close to provisions removed in 2024 from the EUCS certification.
CADA introduces an assessment framework for the sovereignty of cloud and AI service providers. Its highest level is inspired by the SecNumCloud framework of ANSSI. This framework is intended in particular to guide public procurement toward providers suited to the criticality of the services concerned. It is structured around four levels of increasing requirements:
Level 1: infrastructures and data must be located within the European Union;
Level 2: additional requirements are added regarding independence from third countries and transparency of the software supply chain;
Level 3: the provider must be owned and controlled by a structure governed by European law and subject to governance and personnel requirements;
Level 4: the provider must guarantee full control of the software supply chain and the absence of any possible interference by a third country, including immunity from extraterritorial laws.
This system reproduces almost identically the contours of the sovereignty criterion removed in 2024 from the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS), the certification scheme for cloud infrastructures provided for by the Cybersecurity Act. Defended by France, that criterion triggered a long political battle, which ended with the removal of any mention of sovereignty from the EUCS; the scheme was refocused solely on cybersecurity issues.
The EU is therefore reintroducing this dimension. It no longer takes the form of a certification that providers must obtain, such as the EUCS or SecNumCloud, but of a set of criteria conditioning access to certain public procurement contracts. The sovereignty of an offer will therefore be assessed directly by the States.
CADA is only beginning its legislative journey. It is not expected to enter into force for another two or three years.