Sovereignty was a promise. Now it’s becoming a test criterion.

On June 3, 2026, the European Commission proposed the Cloud and AI Development Act (CADA)—the centerpiece of its new Tech Sovereignty Package. At its core: a four-tier model that public contracting authorities will use in the future to assess how sovereign a cloud provider truly is—not just where the data is located, but who owns the provider, who controls it, and which legal system it is subject to.
CADA is still a proposal, not yet law, but the direction is remarkably clear. Commission Vice President Henna Virkkunen has stated publicly that providers subject to the U.S. CLOUD Act will face structural difficulties in reaching the top two levels—regardless of where their data centers are located in Europe. The CLOUD Act allows U.S. authorities to access data from U.S. companies, no matter where in the world that data is located. Anyone subject to this law can hardly credibly promise “no influence by a third country.” That is precisely the test for Level 4.
The four levels, briefly explained
An overview of the four CADA sovereignty levels
EU Location
Data and infrastructure are located in the EU. No additional requirements regarding ownership, personnel, or the software supply chain.
✓ Available to U.S. hyperscalers with an EU region
Independence & Transparency
Additionally: verifiable independence from third countries and transparency throughout the entire software supply chain.
⚠ Depends on ownership structure and transparency requirements
EU Ownership & EU Control
The provider must be based in the EU, EU-owned, and under EU control—including requirements regarding the citizenship of its staff.
✗ Structurally unfeasible under the U.S. CLOUD Act
Complete digital sovereignty
Full transparency and control over the entire software supply chain, with no influence from third countries. The highest degree of digital independence recognized by the regulatory framework.
✗ Structurally unachievable under the U.S. CLOUD Act
Why this doesn’t end with cloud infrastructure
CADA is explicitly written for the public procurement of cloud services. But the underlying question is not specific to the cloud. It is: Who controls the software running in critical infrastructure—and to which legal system is that party accountable?
This question applies with equal validity to every security-critical software component. And hardly any component sits deeper at the heart of IT security architecture than the vulnerability management system, which knows where every vulnerability in a country’s infrastructure lies.
Who supplies this software, who controls it, and who—in case of doubt—could be forced to grant access or remain silent—this is no longer an academic question. It is the very question that CADA is now making binding for cloud providers.
Applying this standard: Where does Greenbone stand?
We are not a cloud provider as defined by CADA and will therefore not be “CADA-certified.” But if you apply the same criteria to an IT security system, a clear picture emerges:
- Control & Legal System: Greenbone is a company founded in Germany and firmly rooted in Europe. We are subject to German and European law, not the U.S. CLOUD Act.
- Staff: Our development and operations team is based in Germany and the EU.
- Software Supply Chain: OPENVAS is open source. Not “auditable upon request”—but fully transparent to everyone, at any time. This is a stronger position than “auditable software,” as required by CADA for Levels 2/3.
- Disclosure Requirements: Because we are not subject to U.S. law, there is no legal framework through which we could be forced into tacit cooperation with third-country authorities—the kind of “hidden disclosure” that CADA aims to protect against.
Many established companies are based in the U.S. This structural reality is what makes CADA measurable for the first time. An EU data center region does not change this as long as the parent company is subject to the CLOUD Act.
What this means for you
CADA is not yet in effect. But for the first time, the Commission has precisely defined what “digital sovereignty” actually means—in four verifiable stages rather than in marketing jargon. For government agencies, KRITIS operators, and public contracting authorities, this will likely become a requirement in their specifications.
Those who are already built on this foundation today won’t have to migrate tomorrow.



