EU Sovereign Cloud Investing: The Four-Tier Framework Explained
CADA: What It Means for EU Cloud Investors
Nobody Reads the Impact Assessment. That's the Problem.
A partner at a Berlin infrastructure fund is looking at a term sheet on a Friday afternoon. The company: a sovereign cloud platform, EU-owned, EU-operated, selling itself as the compliant option once the Cloud and AI Development Act kicks in. One slide shows a hockey-stick chart. “Addressable public sector spend.” Big number. She’s spent two weeks trying to figure out if it’s real.
This is where a lot of European infrastructure investing sits today. A real law meets a founder story that ran way ahead of what the law says.
CADA publishes in the EU’s Official Journal on July 15 and takes effect August 4. It’s the centerpiece of the Commission’s Tech Sovereignty Package, adopted in early June. The goal: triple EU data center capacity in five to seven years, cut reliance on non-EU cloud and AI providers.
Here’s how it works. Four sovereignty tiers. Public bodies run their own risk assessments and decide which tier a contract needs. Level 1 just means you’re an EU entity, and the Commission has said outright that EU subsidiaries of US companies clear that easily. Level 2 wants proof of independence from third-country influence and a transparent supply chain. Level 3 wants EU ownership and control, down to citizenship requirements for personnel. Level 4, the “Strategic Autonomy Cloud” tier, is for defense: full transparency, zero third-country interference.
Now the part nobody puts in a pitch deck. The Commission’s own impact assessment says about 20% of public contracts will need Level 2. Under 10% will need Level 3. About 1%, mostly defense, needs Level 4. Everything else, the bulk of public cloud spend, clears at Level 1. AWS, Microsoft and Google’s European subsidiaries meet that bar without changing much about how they run.
So the founder pitch since June has basically been: the EU just handed European cloud providers a protected market. That’s not what happened. The law hands them a protected sliver. Real, growing, but nowhere close to the bulk of public procurement. Price a Series B off “broad market capture” and the actual numbers will come in short, because most agencies have no legal reason to go past Level 1 or 2, and the hyperscalers can hit both.
That doesn’t kill the sovereign cloud thesis. It just means you underwrite it tier by tier, not off the headline. A company that can genuinely clear Level 3 or 4, real EU ownership, EU staff, demonstrable independence, is fighting for a small pool. But it’s a pool the hyperscalers can’t enter without restructuring they’ve shown zero interest in doing. That’s a real moat. It just covers maybe 10% of addressable public contracts, and none of the private sector, which isn’t bound by any of this.
There’s a second problem, and it’s the one that gets skipped when people only read the regulation. Tripling data center capacity takes serious money. CADA tries to help, faster permitting, better access to energy, land and financing, but European VC is still structurally smaller than the US market at every stage past Series A. And the Delaware flip hasn’t gone anywhere. Founders still reincorporate in the US to reach deeper capital pools. A company that flips to raise its Series C stops qualifying for the sovereignty tiers it was built to serve in the first place. That’s not a hypothetical. Several portfolio companies will face that exact choice in the next 18 months, and it runs straight against what CADA is trying to accomplish.
The law builds the demand side. It does nothing for the supply side. Brussels can write four tiers into a regulation. It can’t manufacture the growth-stage capital that lets a startup clear Level 3 while competing on price with a hyperscaler that’s had fifteen years to optimize everything. CADA assumes qualified providers will just show up because the demand exists. Investors have to answer whether the supply actually shows up. Right now, that only happens if later-stage European capital gets a lot deeper, a lot faster, and that’s a harder problem than passing a procurement law.
Watch two things this year. How individual member states turn the four tiers into actual procurement guidance, because that’s where the real market gets drawn, country by country. And whether the first tenders under the new rules go to genuinely EU-native providers, or whether hyperscaler subsidiaries figure out how to check the Level 2 box without changing anything real about who owns or runs them. If that second thing happens at scale, the sovereignty premium funds are paying for today shrinks fast.
The term sheet isn’t wrong to exist. It’s wrong if it’s priced off a slide claiming 100% of public cloud spend is addressable, when the Commission’s own numbers say it’s closer to 30%, and the truly defensible piece is under 10%. Read the tier breakdown before the growth chart.
