MICKAI®
Article · 14 July 2026

What does the EU's CADA 4-level sovereignty framework actually require?

CADA sorts sensitive workloads into four sovereignty tiers, from EU-based processing at the bottom to EU-owned, cleared-personnel, independently audited systems free of third-country control at the top.

What does the EU's CADA 4-level sovereignty framework actually require?
Author
Micky Irons
Published
14 July 2026
Follow Micky Irons
LinkedInX
sovereign aicadacloud and ai development acteu sovereignty frameworkfour-level sovereignty

What is CADA and what does its 4-level framework require?

The Cloud and AI Development Act (CADA) is a proposed EU law introduced on 3 June 2026 as part of the Commission's Tech Sovereignty Package. Its centrepiece is a 4-level sovereignty framework that grades how independent a system is from foreign control. Level 1 asks for EU-based processing. Each higher level adds tighter conditions: limits on third-country control, EU ownership, supply-chain transparency, cleared personnel, and independent audit. The higher your workload's sensitivity, the higher the tier you are expected to meet.

In plain terms, CADA is the EU deciding that "runs in a European data centre" is no longer enough for the most sensitive work. Where data sits is only the starting line. Who owns the system, who can be compelled to hand over access, who operates it, and who can independently verify it all become part of the score.

What does the EU's CADA 4-level sovereignty framework actually require?, illustration 1

Why did the EU introduce CADA now?

The concern is concentration and control. A handful of non-EU providers run much of Europe's cloud and AI infrastructure. That creates exposure: foreign legal orders can reach data held by those providers, supply chains can be opaque, and operators often cannot prove who touched a system or when. CADA is the policy response, tying sensitive workloads to graded, checkable sovereignty guarantees rather than marketing labels. It sits alongside the wider push to give European organisations infrastructure they genuinely own and can account for.

What does the EU's CADA 4-level sovereignty framework actually require?, illustration 2

What are the four levels of CADA sovereignty?

CADA describes a ladder. The exact wording will settle as the law is negotiated, but the direction is clear.

  • Level 1 focuses on location: processing takes place inside the EU.
  • Level 2 adds protection against third-country control, so foreign legal reach over the system and its data is constrained.
  • Level 3 raises the bar to EU ownership and supply-chain transparency, so you can see and stand behind the stack you run.
  • Level 4 is the top tier: EU ownership plus cleared personnel operating the system and independent audit that verifies the guarantees hold.

Read it as a spectrum from "processed here" up to "owned here, operated by cleared people here, and independently provable." A routine analytics job might live at the lower end. Defence, intelligence, critical national infrastructure, sensitive health and government workloads are the ones pushed toward Levels 3 and 4.

What does the EU's CADA 4-level sovereignty framework actually require?, illustration 3

Who has to comply, and when?

CADA is a proposal at the point of writing, not yet an enforced obligation, so the immediate task is preparation rather than panic. It targets organisations running sensitive workloads: government bodies, defence and security, critical infrastructure operators, finance and healthcare among them. Timelines and precise scoping will move during the legislative process, so treat the four levels as the stable idea and the details as still in flight. The sensible move now is to map which of your workloads would fall into which tier, then look honestly at whether your current providers could ever satisfy the top two levels.

What does the EU's CADA 4-level sovereignty framework actually require?, illustration 4

How does CADA differ from data residency rules like GDPR?

Data residency and GDPR largely answer "where is the data and how is it protected?" CADA goes further and asks "who ultimately controls the system, and can that be independently verified?" A US or other non-EU provider can store European data in a European region and still sit low on the CADA ladder, because ownership and legal reach have not changed. That is the key shift: CADA scores control and provability, not just geography. An organisation can be fully GDPR-compliant and still fail Level 3 or 4.

How does Mickai map to the CADA levels?

We built Mickai for the top of this ladder by default, so we can be specific about where we fit and where we do not.

Mickai is a Sovereign Intelligence Operating System: AI that a regulated organisation owns and runs inside its own walls, offline, on hardware it controls. There is no external provider to compel, because the system is not sitting in someone else's cloud. Every consequential action is sealed into a post-quantum signed audit ledger using ML-DSA-65 (FIPS 204), which gives an independent auditor something concrete to check rather than a promise to trust. That directly supports the ownership, personnel-control and independent-audit tests that Levels 3 and 4 point at. Behind it sit 104 filed UK patent applications and 2,340 formal claims covering how the system is built.

Here is the honest boundary. Mickai is one way to satisfy Level 3 or Level 4, not the only way, and not the whole framework. CADA is broader than any single product: it covers procurement, governance, personnel clearance and legal structure that no vendor can supply on your behalf. Owning your AI stack removes the foreign-control and provider-compulsion problems, but you still have to run cleared personnel, keep your supply chain transparent and pass real audits. Mickai does not make an operator exempt from CADA, immune from law, or automatically compliant. It gives you the on-device, operator-owned, independently auditable foundation that the higher tiers assume, and it removes the hardest structural gaps rather than papering over them.

How should a buyer score vendors against CADA?

Treat the four levels as a scoring rubric and ask each vendor to show, not tell. Where does processing physically happen? Can any third-country law compel access, and through what route? Who owns the system and the model weights? Can you inspect the supply chain? Who operates it, and are they cleared? And crucially: can an independent auditor verify all of the above from tamper-evident records rather than a slide? Vendors that can only answer the first question sit at the bottom of the ladder. Vendors that can evidence the last one are the ones built for the top.

We are glad to be scored on exactly these questions. Mickai exists so that regulated organisations can answer them with owned hardware, offline operation and a post-quantum audit trail, and we would rather be a straight, checkable option on a buyer's CADA scorecard than a magic-bullet claim. That is what we do about it: we give you the highest-tier foundation and let the audit prove it.

CADA, introduced on 3 June 2026 in the EU Tech Sovereignty Package, grades sensitive workloads across four sovereignty levels.

Frequently asked questions

Is CADA law yet?

No. CADA was introduced on 3 June 2026 as a proposal within the Commission's Tech Sovereignty Package. It still has to move through the EU legislative process, so scope, timelines and exact wording can change. The stable idea to plan around is the four-level sovereignty framework itself.

What are the four CADA sovereignty levels in short?

Level 1 is EU-based processing. Level 2 adds limits on third-country control. Level 3 adds EU ownership and supply-chain transparency. Level 4 adds cleared personnel and independent audit. It is a ladder from processed in the EU up to owned, operated and provably verified in the EU.

Does using a European data centre make me CADA-compliant?

Not on its own. A European region satisfies the location question but not ownership, third-country legal reach, personnel control or independent audit. A non-EU provider can host data in Europe and still sit at the bottom of the ladder. CADA scores control and provability, not just geography.

How is CADA different from GDPR?

GDPR and residency rules mainly govern where data sits and how it is protected. CADA asks who ultimately controls the system and whether that control can be independently verified. An organisation can be fully GDPR-compliant and still fail CADA Level 3 or 4.

Does Mickai make me automatically CADA-compliant?

No. Mickai is one way to satisfy Level 3 or 4, not the whole framework. It gives you owned, offline, on-device AI with a post-quantum audit ledger, which covers the structural sovereignty gaps. You still need cleared personnel, supply-chain transparency, governance and real audits, none of which any vendor can supply for you.

Which workloads should aim for the top tiers?

Defence and security, critical national infrastructure, government, sensitive health and high-stakes finance are the workloads pushed toward Levels 3 and 4. Routine or low-sensitivity processing may sit lower. Map each workload to a tier, then check whether your current providers could ever meet the top two.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/eu-cada-four-level-sovereignty-framework-explained. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles