Data, AI & Digital Sovereignty
8. CADA defines four cloud and AI sovereignty assurance levels for EU public-sector procurement
The European Commission's Cloud and AI Development Act policy page defines four sovereignty assurance levels for public bodies: Level 1 requires EU-located processing and storage, Level 2 adds independence from third countries and software supply-chain transparency, Level 3 requires EU ownership/control with additional criteria such as personnel citizenship, and Level 4 requires full software supply-chain transparency and no third-country interference.
BY GEOPOLITICS DESK · JUNE 11, 2026 · 1 MIN READ
The European Commission's Cloud and AI Development Act policy page defines four sovereignty assurance levels for public bodies: Level 1 requires EU-located processing and storage, Level 2 adds independence from third countries and software supply-chain transparency, Level 3 requires EU ownership/control with additional criteria such as personnel citizenship, and Level 4 requires full software supply-chain transparency and no third-country interference. The Act also aims to triple EU data-centre capacity within five to seven years and establish common EU-level public-procurement mechanisms.
This moves digital sovereignty from political preference to procurement law. Legal teams should begin building contract templates that assess data location, provider control, personnel location, foreign legal compulsion, audit rights and software supply-chain transparency.