• Request consultation
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
  • Nederlands Nederlands Dutch nl
Greenbone
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap and Lifecycle
    • Request IT Security
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • German
  • English
  • Italian
  • Dutch
Greenbone AG

Sovereignty was a promise. Now it’s becoming a test criterion.

Blog

EU as a symbol of digital sovereignty – Greenbone explains the CADA sovereignty levels

On June 3, 2026, the European Commission proposed the Cloud and AI Development Act (CADA)—the centerpiece of its new Tech Sovereignty Package. At its core: a four-tier model that public contracting authorities will use in the future to assess how sovereign a cloud provider truly is—not just where the data is located, but who owns the provider, who controls it, and which legal system it is subject to.

CADA is still a proposal, not yet law, but the direction is remarkably clear. Commission Vice President Henna Virkkunen has stated publicly that providers subject to the U.S. CLOUD Act will face structural difficulties in reaching the top two levels—regardless of where their data centers are located in Europe. The CLOUD Act allows U.S. authorities to access data from U.S. companies, no matter where in the world that data is located. Anyone subject to this law can hardly credibly promise “no influence by a third country.” That is precisely the test for Level 4.

The four levels, briefly explained

An overview of the four CADA sovereignty levels

L1

EU Location

Data and infrastructure are located in the EU. No additional requirements regarding ownership, personnel, or the software supply chain.

✓ Available to U.S. hyperscalers with an EU region

L2

Independence & Transparency

Additionally: verifiable independence from third countries and transparency throughout the entire software supply chain.

⚠ Depends on ownership structure and transparency requirements

L3

EU Ownership & EU Control

The provider must be based in the EU, EU-owned, and under EU control—including requirements regarding the citizenship of its staff.

✗ Structurally unfeasible under the U.S. CLOUD Act

L4

Complete digital sovereignty

Full transparency and control over the entire software supply chain, with no influence from third countries. The highest degree of digital independence recognized by the regulatory framework.

✗ Structurally unachievable under the U.S. CLOUD Act

Why this doesn’t end with cloud infrastructure

CADA is explicitly written for the public procurement of cloud services. But the underlying question is not specific to the cloud. It is: Who controls the software running in critical infrastructure—and to which legal system is that party accountable?

This question applies with equal validity to every security-critical software component. And hardly any component sits deeper at the heart of IT security architecture than the vulnerability management system, which knows where every vulnerability in a country’s infrastructure lies.

Who supplies this software, who controls it, and who—in case of doubt—could be forced to grant access or remain silent—this is no longer an academic question. It is the very question that CADA is now making binding for cloud providers.

Applying this standard: Where does Greenbone stand?

We are not a cloud provider as defined by CADA and will therefore not be “CADA-certified.” But if you apply the same criteria to an IT security system, a clear picture emerges:

  • Control & Legal System: Greenbone is a company founded in Germany and firmly rooted in Europe. We are subject to German and European law, not the U.S. CLOUD Act.
  • Staff: Our development and operations team is based in Germany and the EU.
  • Software Supply Chain: OPENVAS is open source. Not “auditable upon request”—but fully transparent to everyone, at any time. This is a stronger position than “auditable software,” as required by CADA for Levels 2/3.
  • Disclosure Requirements: Because we are not subject to U.S. law, there is no legal framework through which we could be forced into tacit cooperation with third-country authorities—the kind of “hidden disclosure” that CADA aims to protect against.

Many established companies are based in the U.S. This structural reality is what makes CADA measurable for the first time. An EU data center region does not change this as long as the parent company is subject to the CLOUD Act.

What this means for you

CADA is not yet in effect. But for the first time, the Commission has precisely defined what “digital sovereignty” actually means—in four verifiable stages rather than in marketing jargon. For government agencies, KRITIS operators, and public contracting authorities, this will likely become a requirement in their specifications.

Those who are already built on this foundation today won’t have to migrate tomorrow.

 

Contact Try for Free Buy Here Back to Overview
8. July 2026/by Greenbone AG
Share this entry
  • Share on LinkedIn
  • Share by Mail
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-07-08 11:28:562026-07-08 11:28:56Sovereignty was a promise. Now it’s becoming a test criterion.

Search

Search Search

Archive

  • 2026
  • 2025

Newsletter

Subscribe Now

OPENVAS BASIC

Our entry-level enterprise product

Test 14 Days Free of Charge

Products & Solutions

  • OPENVAS PRODUCTS
  • OPENVAS SECURITY INTELLIGENCE
  • OPENVAS SCAN
  • OPENVAS BASIC
  • OPENVAS FREE
  • OPENVAS AI
ISO9001-EN

Service & Support

  • Technical Support
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management
  • Cyber Resilience Act
ISO27001-EN

About us

  • About Greenbone
  • Partners
  • MSSP
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Newsletter
  • Media Contact
  • Careers
  • Security Response
  • Imprint
  • Grounding Page

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2026
  • Link to LinkedIn
Link to: The Missing Handoff: How KIX and Greenbone Turn Vulnerability Scans Into Action Link to: The Missing Handoff: How KIX and Greenbone Turn Vulnerability Scans Into Action The Missing Handoff: How KIX and Greenbone Turn Vulnerability Scans Into Ac...
Scroll to top Scroll to top Scroll to top
Contact
Request IT Security Contact Us Subscribe to Newsletter Follow on LinkedIn