VERIK
Editorial · Agentic AI Governance
VERIK / V015 / 09 JUN 2026
Five CategoriesGovernance

Sovereignty as a Regulatory Category

On June 3, 2026, the European Commission published its Proposal for a Cloud and AI Development Act as COM(2026) 502, accompanied by a three-part impact assessment under SWD(2026) 502. The proposal sits alongside the Chips Act 2.0 proposal and the revised Cybersecurity Act as the third leg of the Commission's 2026 digital-infrastructure package.

The proposal does three things. It commits research and development funding to next-generation cloud and AI infrastructure. It commits capacity funding for data centers oriented to public-sector workloads. And, in language that has not previously been carried in a binding Commission instrument, it commits to an EU-wide assessment framework for cloud and AI sovereignty and a public-sector adoption mechanism keyed to that assessment.

That third commitment is the unusual one. For the first time in EU regulatory architecture, sovereignty is being instantiated as a formal category against which infrastructure can be assessed.

What the Proposal Names

Verik takes the proposal seriously and agrees with its structural diagnosis. The work this essay attempts is to extend it.

The diagnosis embedded in CADA is that European public-sector workloads currently run on infrastructure whose sovereignty properties are not assessed at the procurement layer. The Commission's supporting documentation frames the problem in three layers: the chip layer, addressed by the Chips Act revision; the cloud layer, addressed by CADA; and the AI layer, addressed jointly by CADA and the AI Act. The proposal's authors describe the layers as interdependent. A sovereign chip running on a non-sovereign cloud does not produce a sovereign workload. A sovereign cloud hosting a non-sovereign AI model does not produce a sovereign decision.

The assessment framework, as proposed, would establish criteria against which a cloud or AI provider could be assessed for compliance with EU sovereignty requirements. Public-sector procurement would then be allowed to require, prefer, or restrict procurement against those criteria. The framework is voluntary for private-sector deployment and binding for public-sector procurement. The Brussels Times coverage of the announcement reports the assessment criteria will be developed through implementing acts during 2026 and 2027.

The category of sovereignty, as the proposal uses the term, is not abstract. It is operational. It points to the location of the data, the location of the compute, the location of the provider's corporate structure, the jurisdiction of the legal entity that can be compelled to produce data, the jurisdiction of the personnel with administrative access, and the supply-chain provenance of the hardware and software stack.

That list is recognizable. It is the list European institutions have been informally applying to procurement decisions for several years. CADA proposes to make it formal, public, and binding for the public sector.

What the Proposal Does Not Yet Name

The structural omission in the CADA proposal, read against the deployment record of the past eighteen months, is that the assessment framework's anchors are infrastructure anchors. Data location. Compute location. Corporate jurisdiction. Personnel jurisdiction. Hardware provenance. Software provenance.

These are the anchors a sovereignty framework can verify with documents. They are the anchors a procurement officer can put on a checklist. They are the anchors a Commission auditor can confirm with a site visit or a contract review.

What the assessment framework does not yet anchor, on the published text, is the substrate on which the agentic workload actually executes. The audit log is not in the assessment criteria. The workspace where the agent's tools resolve is not in the assessment criteria. The verifier that determines whether the agent did what was asked is not in the assessment criteria. The instrumentation of the runtime behavior is not in the assessment criteria.

This is not a complaint about the proposal's drafting. The proposal is an infrastructure instrument. It targets infrastructure. The Commission's accompanying communication on the digital-infrastructure package names the layers it addresses with precision. Substrate-runtime instrumentation is not within the scope the proposal claims.

But the timing matters. CADA was published in the same window that the Five Eyes joint guidance on emerging AI risks underscored that deployment-time behavior is the surface adversaries are exploiting. It was published days before the G7 Cybersecurity Declaration committed to a SBOM-for-AI specification scoped at the artifact rather than the runtime. It was published shortly after the House Homeland Security testimony on critical infrastructure cybersecurity named LLM-assisted offensive operations as already operational.

The institutional record is producing instruments that address the infrastructure, the artifact, and the model. The substrate beneath them, where the runtime behavior lives, is being approached by all three instruments simultaneously without being directly named by any of them.

Sovereignty Without Instrumentation

The conceptual risk in the CADA framework, as currently scoped, is that an EU public-sector workload could satisfy every published sovereignty criterion and still be operationally non-sovereign in the way that matters most.

Consider the structure. A workload runs on a cloud whose data center is in Frankfurt. The provider is incorporated in Luxembourg. Administrative personnel hold EU citizenship. The hardware is sourced from EU and EU-aligned suppliers. The model is fine-tuned and hosted within EU borders. Every infrastructure anchor is satisfied. The CADA assessment framework would, on its published criteria, produce a positive sovereignty determination.

The workload then dispatches an agentic process. The process consults an external tool registry. The process spawns subordinate agents. The process writes a result to an audit log. The audit log is internally consistent. The output is delivered to the public-sector consumer.

The question the CADA framework does not yet ask, because its anchors are at the infrastructure layer, is whether the audit log was written in a form that an EU regulator could independently interrogate. Whether the verifier that signed the output was instrumented in a form the regulator could re-derive. Whether the tool registry the agent consulted is itself within the sovereignty boundary. Whether the subordinate agents spawned during the task were issued credentials traceable to the sovereign workload.

These are runtime questions. They do not appear in the proposal's published criteria. They cannot be answered by infrastructure attestation alone. They require substrate instrumentation: an audit log, a verifier, a workspace, a credential horizon, all of which produce evidence at runtime that the sovereignty boundary was preserved by behavior and not only by location.

The proposal's authors are not unaware of this layer. The Commission's earlier communications on European data sovereignty reference operational transparency and verifiable governance. What CADA does not yet do is connect those concepts to the assessment criteria the framework will use to certify a provider.

The Implementing Acts Question

CADA, like most Commission instruments, will be operationalized through implementing acts that follow the framework legislation. The assessment criteria will be elaborated in those instruments during 2026 and 2027. The question for the agentic governance arc is whether the implementing acts extend the criteria to the runtime substrate, or remain at the infrastructure layer.

There are two reasons to expect the criteria will remain at the infrastructure layer. First, the institutional drafting expertise inside the Commission's Cloud and Data Unit is anchored in infrastructure, contract law, and procurement, not in runtime instrumentation. Second, the verification mechanisms available to the Commission today, on the published record, are document-based. A site visit can confirm a data center location. It is more difficult for a site visit to confirm that an agentic runtime is producing audit evidence in a form independent reviewers can re-derive.

There is one reason to expect the criteria may extend further. The Commission has stated in its supporting communication that CADA is designed to be interoperable with the AI Act, the Cybersecurity Act, and the Data Act. If those instruments evolve toward runtime instrumentation, CADA's implementing acts may follow. The signal would arrive in the 2027 update cycle.

Sovereignty as Diagnostic Language

What CADA does well, regardless of where its implementing acts ultimately land, is establish sovereignty as a regulatory category with binding force. That category did not previously exist in EU law as a procurement criterion. It now does. The vocabulary of sovereignty has been institutionalized.

The diagnostic value of that vocabulary is not in dispute. It gives the regulator a tool to ask the right structural question. The unresolved question is whether the tool has the resolution to detect the answer at the layer where the answer actually lives.

What remains on the table: - Whether the CADA implementing acts scope the sovereignty assessment to runtime audit, workspace, verifier, and credential instrumentation, or remain at infrastructure attestation. - Whether public-sector procurement under CADA will accept document-based sovereignty determinations as sufficient, or require runtime evidence. - Whether interoperability with the AI Act and Cybersecurity Act produces a unified assessment frame or three parallel frames. - Whether the 2027 update cycle extends the framework to the substrate question the deployment record keeps surfacing.

The governance artifact has been retained. The governance function for the substrate beneath it has not yet been named.