Sovereign Cloud Becomes a Regulatory Requirement: What the EU CADA Signals for the Rest of the World

· 4 min read · SOVALYX Technologies

SHARE

Presented on 3 June 2026 as part of the European sovereignty package, alongside the Chips Act 2.0, the Cloud and AI Development Act (CADA) takes effect on 4 August 2026. It introduces a four-level sovereignty assurance framework for cloud providers serving public administrations, with the first mandatory tiers applying from 2028-2029. Sovereignty stops being a marketing argument: it becomes a contractual clause.

What the CADA contains — and its timeline

The sovereignty package presented on 3 June 2026 combines two texts: a Chips Act 2.0 for semiconductors and the CADA for cloud and AI, as analysed by the British Institute for Sovereignty and Innovation. At its core: a framework of four assurance levels that grades the sovereignty requirements imposed on cloud providers serving European administrations.

The timeline is progressive: entry into force on 4 August 2026, then the first mandatory tiers from 2028-2029, as detailed by regulations.ai and Alliancy. That delay is not a reprieve: it is the time given to public buyers and their suppliers to climb the levels one by one.

From conviction to contract: the real shift

Until now, cloud sovereignty belonged to strategic debate: you could believe in it or not, write it into your doctrine or ignore it. The CADA changes the nature of the question. The moment a public buyer must require a given assurance level, sovereignty becomes a verifiable award criterion, on a par with a security certification. You no longer argue — you prove.

And as always with European legislation — the GDPR yesterday, the AI Act and its 2026-2027 timeline today — the effect spreads beyond the initial perimeter. Requirements imposed on administrations will flow down by contract to their providers, then to those providers' subcontractors, including outside Europe. Private-sector tenders will borrow from it, because a public, graded reference framework is convenient to reuse.

The tier logic: a grid any organisation can use

The technical detail of the four levels belongs to the European regulatory process. But the logic of graded sovereignty is already clear, and it raises questions that every organisation — public or private, European or not — should be asking:

The more demanding an organisation becomes on these five axes, the higher its "tier" — that is exactly the spirit of graded assurance, and it is a reading grid you can apply to your existing contracts today.

Seen from Mauritius: anticipate rather than endure

For a Mauritian company serving European clients — directly or as a subcontractor — the CADA is an early-warning signal: the supplier questionnaires of 2027-2028 will contain graded sovereignty questions, just as they already contain GDPR questions. Being able to answer precisely — "here is where the data resides, under which law, and who holds the keys" — will become a measurable competitive advantage.

It also validates the hybrid model we describe in our article on data sovereignty in Mauritius: sensitive or critical data on controlled local infrastructure, the rest wherever it is most efficient. The movement to repatriate stable workloads to dedicated infrastructure follows the same slope, for cost as much as control. That articulation — sovereign private cloud, disaster recovery and verifiable contractual commitments — is precisely what a team like SOVALYX works on from Mauritius.

Self-assessment: locate your real sovereignty level

Question to ask (yourself or your host)Why it matters
Where is our data physically stored and processed?Location is the first criterion of every sovereignty framework.
Which law applies to the provider (headquarters, parent, subsidiaries)?A third country's extraterritorial law can override your contractual clauses.
Who administers the systems, from where, with what access?Operational access is data access, whatever the location.
Who holds the encryption keys?Whoever holds the keys holds the data — encryption only protects against those who do not have them.
How fast can we exit, and in what formats?Without reversibility, any sovereignty requirement remains theoretical.
Does the DR plan work if this provider disappears or cuts the service?Continuity is part of sovereignty: depending on a single player is a risk in itself.

If several answers are "we don't know", you have found your next project — and if you want to frame it with a third party, a diagnostic can be scheduled within days.

How SOVALYX can help

To answer the sovereignty questions in this grid precisely — location, applicable law, operations, reversibility — SOVALYX operates a resilient private cloud hosted in Mauritius, where you know exactly where your data resides and who administers it. An automated, tested disaster recovery plan and 24/7 monitoring under SLA cover the continuity dimension, which is an integral part of sovereignty; in-house private LLMs guarantee that no content ever leaves for a public AI service. An infrastructure and AI assessment measures where you really stand on these axes before your European clients' supplier questionnaires do.

Talk sovereign hosting with an engineer

🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.

Reviewed and optimised by AI.