The Cloud and AI Development Act aims to strengthen Europe’s cloud and AI ecosystem. Overview of Union Assurance Levels, procurement obligations and timetable.
Why did the Commission publish the proposal?
The draft’s reasoning is clear: three non‑European hyperscalers control over 70 percent of the European cloud market, while the market share of European providers fell from 29 percent (2017) to 15 percent (2022) and has since stagnated. The Commission sees risks for data sovereignty, operational continuity and public order, especially from extraterritorial third‑country laws that could enable data access or interrupt services.
The draft responds with a bundle of three approaches: supply‑side support (Cloud and AI Leadership Initiatives, data centre acceleration zones with a maximum twelve‑month permitting period), demand‑side measures (procurement obligations, EuroCloud Federation for the public sector) and the sovereignty framework as the connecting element.
How does the sovereignty framework work?
The core of the draft is Title IV. Article 16 establishes four Union Assurance Levels, whose cumulative criteria are set out in Annex II. The levels differ mainly across three dimensions: establishment and data localisation, third‑country control, and conformity assessment procedures.
- Level 1 requires establishment in the EU, infrastructure and customer data to remain in the EU, and transparency about subcontractors. Conformity is shown by a self‑assessment with an EU declaration of conformity (Article 19).
- Level 2 adds independent third‑party audits, software supply‑chain requirements including an SBOM, and a cybersecurity certificate of at least “substantial” level. Third‑country control remains permissible if legal, technical and organisational safeguards prevent data access and service interruptions.
- Level 3 generally excludes providers under third‑country control. An exception applies only for third countries the Commission recognises by an implementing act under Article 18, based among other things on an adequacy decision under the GDPR and mutual market access.
- Level 4 requires complete freedom from third‑country control with no exceptions, EU citizenship of personnel and a cybersecurity certificate at the “high” level. Levels 3 and 4 are also intended to permit hosting of EU classified information.
The recognition procedure runs via the national authority at the provider’s head office. A granted recognition is valid EU‑wide and will be recorded in a public central register. For Levels 2 to 4 an annual review of the audit report is foreseen.
Notable is the interlinking with existing acts: Annex II adopts the SBOM definition of the Cyber Resilience Act and refers the certification evidence to a future European certification scheme for cloud services under the Cybersecurity Act. The Commission explicitly announces in the draft that it will resume work on the long‑blocked EUCS scheme. Until then, national schemes apply or, where none exist, evidence of the highest market‑standard cybersecurity measures.
Who will need to use the Union Assurance Levels in future?
Member states and EU bodies must carry out risk assessments within one year of entry into force and determine which public activities require which assurance levels. Procurement then follows a two‑tier logic: all public authorities must use at least Level 1 services. Contracting authorities whose activities are assessed as relevant to public order, for example in the NIS‑2 sectors, defence, justice or law enforcement, may procure only services at Levels 2 to 4. Exceptions are narrowly defined, for instance if no suitable recognised service is available.
For the private sector the draft is initially cautious: companies in the most critical NIS‑2 sectors (Annex I) can voluntarily carry out comparable impact assessments. However, the Commission can make such assessments and accompanying risk‑mitigation measures mandatory by delegated act. The reason is explicit: public‑sector procurement requirements are typically mirrored by regulated industries and thus shift the market overall.
Additional procurement criteria with a European added value are proposed: when procuring innovative cloud services and AI systems, contracting authorities should assess the extent to which providers contribute to the European supply chain, for example through software or hardware developed in the EU. This criterion is explicitly subordinate to technical and financial criteria.
What does the draft mean for manufacturers?
Manufacturers in mechanical, plant and equipment engineering are not directly targeted by the Cloud and AI Development Act, but they are affected in two ways.
First, via the customer chain: a manufacturer of pump systems that offers a cloud platform for monitoring and remote maintenance to water utilities supplies operators that fall under NIS‑2 Annex I. If those operators’ risk assessments classify the supply activity as relevant to public order, they will in future be allowed to use only recognised cloud services at Levels 2 to 4. Which cloud infrastructure the manufacturer’s backend runs on thus becomes a procurement criterion for the customer, not merely a technical implementation detail.
Second, via the manufacturer’s own cloud strategy: companies building an IoT backend today on a hyperscaler should include the sovereignty discussion in their architecture decisions. The draft creates for the first time a uniform, auditable standard for what a “sovereign cloud” in the EU means and will likely end the proliferation of national criteria catalogues and vendor‑branded “sovereign cloud” offers that, in the Commission’s view, do not solve the core problems.
The draft now enters the ordinary legislative procedure of Parliament and Council. Substantive changes are to be expected, particularly regarding third‑country rules and the criteria in Annex II. However, the basic architecture of tiered assurance levels and binding procurement is likely to remain. The regulation is intended to apply one year after entry into force, with member states’ risk assessments to follow within the same period.