Now that the Cloud and AI Development Act (CADA) proposal has been published, the debate about what European cloud sovereignty means has moved from widespread discussion to legislative text. The question that remains? Whether the definition is the right starting point for the two EU co-legislators (Council of the EU and EU Parliament) to consider.
The DG DIGIT Cloud Sovereignty Framework (CSF), already used as a procurement tool, is the blueprint for how CADA has approached its own sovereignty definition, in particular the four-tier Union Assurance Level (UAL) framework at its heart. It is the right foundation for what comes next. But there are key elements that deserve closer examination now that they have been proposed as law.
The Framework Unpacked
The CSF was an effective procurement tool because it was scalable - it was not defining sovereignty as a set of static attributes but rather as a framework where a solution is considered more sovereign as various degrees of the goals are met. Therefore, CSF is strongest where it sets easily understood and verifiable goals. Legal sovereignty - assessing which providers’ services are genuinely anchored in European jurisdiction and insulated from external legal claims - is a clear example. Equally important is operational sovereignty - measuring whether EU providers can run technology free from foreign control. Technology sovereignty - ensuring EU actors can interoperate and adapt their solutions without lock-in - completes the picture.
CADA introduces technology sovereignty requirements from UAL 2 upwards, including a complete software bill of materials, documented migration plans for third-country software dependencies, and interoperability standards. These are areas where the framework's criteria are, on the whole, concrete and verifiable.
The CSF broke new ground on data and AI sovereignty - and CADA should carry this forward. As European businesses adopt AI at scale, where training data sits, who can access it, and whether AI models are governed under EU control have become strategic priorities rather than technical footnotes. It is critical for CADA, once finalised, to get this right. How this is approached will shape the future of Europe's AI ecosystem for years to come, so the sovereignty definition needs to withstand the test of time.
One area that warrants concern is the CSF’s supply chain sovereignty objective, which evaluates geographic origin, transparency and resilience. The direction is right, but the bar it sets needs further review. CADA has progressed this. Its approach at UAL 4, the strictest level of sovereignty, requiring providers to demonstrate that no third country holds effective control over the design, development or maintenance of software components, is more targeted than a blanket geographic origin test. But progress is not the same as precision, and that is what the implementing measures will need to deliver.
Where Precision Matters
Supply chain sovereignty needs careful calibration, especially in the implementing measures that follow on from CADA. Full ownership of every element of the supply chain sounds rigorous, but sets an expectation that no provider can realistically meet. Modern cloud infrastructure operates within deeply interconnected global supply chains. Demanding complete independence from non-EU suppliers at every layer is neither economically viable nor technologically realistic.
The right consideration is not where every component originates, but whether any dependencies create meaningful risk. A hardware component manufactured outside the EU does not inherently compromise sovereignty. A software dependency that allows a foreign government to access or disrupt European operations does. Supply chain scrutiny should target real points of vulnerability, not apply uniform pressure across the entire stack. As the EU Parliament and Council of the EU reach their own positions on the text, that distinction needs to be explicit.
The same logic applies to Intellectual Property (IP). CADA is right not to make IP registration a sovereignty criterion - and the Parliament and Council should resist any pressure to add it. Where IP is registered matters far less than whether it can be used as a lever for political coercion. Some EU Member States, such as France, have argued, persuasively, that the real test is economic: whether a provider is investing in the European industrial base, creating jobs, building local skills, and generating economic value within the EU. That is a tangible commitment. IP registration alone, which may also be driven by other considerations, such as corporate structures or local law, is not.
The CSF correctly establishes that interoperability and auditing solutions without vendor lock-in are key sovereignty components. CADA’s instinct to promote open European alternatives as a sovereignty lever is understandable. But sovereignty is a property of the full stack, not a software licensing model. Open source comes with its own set of challenges, such as the origin and quality of the code, the ability to support it effectively, how value is captured, the long-term sustainability of the business model, and the lock-in dependencies (e.g. on support and custom code) created by the nature of open source, which can be non-standardised. The recent utilisation of frontier AI security models on open source software has even called into question the once broadly held view that open source is more secure due to its open nature.
The more pertinent question - and the one CADA’s co-legislators should keep in mind - is whether a solution delivers the scale, security and support that European organisations need. Provided the other sovereignty criteria are met, the licensing model (open source or proprietary) becomes a discussion of how value is captured, as opposed to a proof of sovereignty.
From Framework to Legislation
The CSF gave CADA a credible starting point. The test is whether the final legislation will translate it with enough precision to shift behaviour - rewarding verifiable operational capability over geography alone, and drawing a clear line between the dependencies that truly threaten sovereignty and those that do not. This is the difference between a sovereignty definition that strengthens Europe's digital infrastructure and one that simply drives up the cost of building it.
The Act's four-tier framework is a step in the right direction, but it hits the mark most clearly where it focuses on operational, technical and jurisdictional criteria. The co-legislators now need to do three things: ensure supply chain implementing measures target genuine vulnerabilities rather than applying uniform geographic rules; resist any pressure to treat open source as a sovereignty shortcut; and hold the line against IP origin being introduced as a proxy for operational capability. Get those three things right, and CADA can become the legislative anchor Europe's cloud sovereignty agenda needs.
These are the conversations we will be having with policymakers and cloud service providers at Forum Europe's fourth annual European Sovereign Cloud Day in Brussels on 24 June. I look forward to contributing to the discussions.

