With the Cloud and AI Development Act proposed on June 3, 2026, the EU introduces its first four-tier sovereignty framework — and ties public-sector access to it. To serve government, you must meet at least tier 1. That turns a marketing adjective into a certifiable property.
June 3, 2026: Sovereignty Becomes Measurable
On June 3, 2026, the European Commission formally proposed the Cloud and AI Development Act (CADA) — part of the European technological sovereignty package. I've covered the broader shape of that package elsewhere (see the EU tech sovereignty package). This piece is about a single, consequential detail: CADA introduces the first EU-wide, four-tier sovereignty assurance framework for cloud and AI services.
That sounds like Brussels administrative language. In fact it's one of the most concrete regulatory moves in years. Until now, "sovereign" was an adjective any provider could put on a slide. A graded framework turns it into a graded, verifiable property — something you have to demonstrate rather than assert.
The backdrop is familiar: more than 70 percent of the EU cloud market sits with three U.S. hyperscalers. A scale alone doesn't change that number. But it changes what buyers ask for.
Klingt interessant?
What the Four Tiers Mean
The heart of the proposal is a graded sovereignty assurance with four levels. Instead of a binary either-or question — sovereign or not — you get a ladder: from a baseline level up to the strictest requirements on data residency, operational control, and independence from jurisdictions outside the EU.
The decisive part is the link to the market: all cloud providers wishing to serve the public sector will need to meet at least tier 1 — the lowest level. That threshold is deliberately low. Tier 1 isn't a bar only European niche players can clear; it's a minimum standard that, for the first time, defines what counts as sovereign enough to hold government data.
Two things happen at once here. First, a common yardstick emerges that the whole market has to be measured against — not just the providers who volunteer for it. Second, a sovereignty tier becomes something buyers will demand of their suppliers. Whoever writes a tender today will write a tier into it as a requirement tomorrow.
That's the mechanism that makes a scale effective: it's enforced less through penalties than through procurement. The public sector is an enormous buyer in Europe. Once the bottom rung of the ladder is an access requirement, it effectively defines the floor of the market.
What This Means for CTOs and Tech Leads
Three points I think matter — whether or not you sell to public buyers yourself.
First: sovereignty becomes a property you have to prove. As long as "sovereign" was a promise, a sales sentence sufficed. A certifiable tier demands evidence — about data residency, about operator structure, about which jurisdiction your provider answers to when it counts. If you can't answer that today, you have a gap in tomorrow's requirements document.
Second: the requirement travels up the supply chain. Even if you don't sell to government directly, your customers might. Once their procurement demands a tier, you pass that requirement down to your own subcontractors and infrastructure partners. A tier is only as credible as the weakest link beneath it.
Third: retrofitting costs more than building right. An architecture hard-coupled to a non-European provider can't be made sovereign by a certificate. The higher rungs of the ladder are reached through design decisions — where data lives, who controls operations, whether the application logic is bound to a single vendor. You make those decisions at the start, not at the end.
The honest takeaway: a scale doesn't split the market into "compliant" and "non-compliant." It places everyone at a position on it — and makes visible who sits at the sovereign end and who sits at the dependent one.
This Is Exactly Where nopex Comes In
CADA describes a ladder the market will be measured against from here on. The interesting question isn't whether a provider can somehow meet tier 1. It's where an architecture sits by nature — before anyone applies for a certificate.
nopex is built for the sovereign end of that ladder from the start, not retrofitted toward it. We combine agentic software development with infrastructure that runs on European data centers and creates no hard single-vendor lock-in: open models where possible, proprietary models where they add value — but the application logic never knows which vendor is behind it. Data residency and operator control aren't an after-the-fact compliance exercise; they're part of the design.
That's the difference between a provider that experiences a sovereignty tier as an obstacle and one for which it's just a description of the status quo. When "sovereign" becomes a certifiable property, the ones who win are those who already built where the ladder leads — instead of climbing up to it later.
CADA turns a marketing word into a scale. The question for every tech lead from now on is simply this: which rung are you standing on?

