Who is affected

The proposal is most relevant for cloud computing service providers, AI developers, and public sector bodies procuring services from such actors.

The proposal would also affect Member States because they would need to adopt national cloud and AI strategies, designate data center acceleration zones, carry out public sector cloud sovereignty risk assessments and designate national competent authorities for the cloud sovereignty framework.

The proposal would establish Cloud and AI Leadership Initiatives to support research, innovation and large-scale capacity across the EU cloud and AI ecosystem, which may benefit EU-based providers and developers of cutting-edge cloud and AI technologies.

Key obligations

The proposal creates a EU-wide cloud computing sovereignty framework with four assurance levels for cloud services supplied to public sector bodies. Cloud providers seeking recognition would apply to the national competent authority of establishment.

Assurance level 1 would be based on a conformity self-assessment and an EU statement of conformity. Assurance levels 2, 3 and 4 would require independent third-party audits, with providers required to obtain an audit report and audit opinion from an auditing organization.

Somewhat simplified, the four assurance levels are:

• Level 1: where data is processed and stored in infrastructure located in the EU (unless customer explicitly accept otherwise).
• Level 2: where providers must demonstrate independence from third countries and transparency over their software supply chain.
• Level 3: where providers must be owned and controlled from the EU and meet additional criteria, such as personnel citizenship. The Commission can recognise third-country providers.
• Level 4: where providers have full transparency and control over their software supply chain and no interference from a third country.

Public sector bodies whose activities are not identified as relevant to public order would have to use cloud computing services recognized at assurance level 1. Contracting authorities whose activities are identified as contributing to public order in NIS2 sectors or in areas such as national security, defense, justice, law enforcement, external border management or internal security would have to procure only services recognized at Union assurance level 2, 3 or 4. The required level will depend on an impact assessment conducted by local authorities.

The proposal would also require public procurement procedures for innovative cloud computing services and AI systems to include non-price award criteria assessing contribution to the European cloud and AI ecosystem.

Member States would have to designate at least one data center acceleration zone within six months of entry into force. Data center projects in acceleration zones would benefit from facilitated administrative and permit-granting processes, including an aggregated baseline permit and a maximum permit-granting period of 12 months from submission of an application.

Private sector entities are as a starting point not subject to mandatory requirements of cloud or AI procurements. However, in specific and duly justified circumstances, the Commission may adopt delegated acts requiring such private entities to carry out impact assessments and adopt risk mitigation measures.

How can we assist

• Assessing whether a cloud service or AI system is likely to be affected by the proposal.
• Mapping potential obligations for cloud service providers in high-criticality sectors.
• Supporting public sector procurement planning, risk assessments and award criteria for cloud and AI procurement.
• Advising data center operators on acceleration zones, strategic project applications and permitting implications.

---

Contact us