Summary Gaia-X is an industry-led, voluntary association for federated, interoperable European cloud and data infrastructure. The Cloud and AI Development Act (CADA) is a proposed EU regulation — COM(2026) 502 final, published 3 June 2026 and not yet in force. As proposed, CADA would create a binding "Union cloud computing sovereignty framework" of four Union assurance levels (Article 16), with formal recognition by national competent authorities (Article 17) and mandatory use of recognised services in public procurement (Article 30). Gaia-X carries no legal weight: it cannot make a service eligible for a public contract that requires a Union assurance level. The two are complementary — Gaia-X specifications can help a provider build toward CADA's technical criteria, but only CADA, if adopted, would impose enforceable obligations.
Detail
The clearest way to separate the two is by what each one is. CADA would be law; Gaia-X is an industry standard and trust framework. Both aim at European digital sovereignty, but they operate on different planes.
CADA: a proposed binding regulation
CADA is a legislative proposal. If adopted in its current form, it would be a directly applicable EU regulation. Its sovereignty chapter (Title IV) establishes, under Article 16, "a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies."
The mechanics that give CADA force would be:
- Recognition, not self-declaration. Under Article 17, a provider that wants to be recognised at a Union assurance level applies to the national competent authority of establishment. For level 1 the provider self-assesses and issues an EU statement of conformity (Article 19); for levels 2, 3 and 4 it must undergo an independent third-party audit (Article 20).
- A public, central repository. The Commission would maintain a publicly available repository of recognised services (Article 22), and recognitions or revocations would be recorded there.
- Procurement obligations. Public sector bodies and Union entities whose activities do not contribute to the preservation of public order would have to use level 1 services; those whose activities do (sectors under Annex I or II of the NIS2 Directive, plus national security, defence, justice and law enforcement) would have to procure only level 2, 3 or 4 services (Article 30), as determined by a risk assessment (Article 29).
- Penalties. Member States would lay down "effective, proportionate and dissuasive" penalties for infringements by providers (Article 24).
Gaia-X: a voluntary industry initiative
Gaia-X is an industry-led association building specifications for a federated, interoperable European cloud and data ecosystem. It is not legislation.
- Voluntary. Organisations participate by choice; there is no legal penalty for staying out.
- Specifications and labels. Gaia-X defines technical and contractual rules (its labelling framework references existing standards) to enable interoperability and to describe sovereignty properties of a service.
- No enforcement authority. Gaia-X has no regulator and no power to fine; adoption is driven by the market.
- Complementary to CADA. Gaia-X conformity might help a provider evidence parts of CADA's Annex II criteria, but it does not substitute for the Article 17 recognition process.
Key differences in practice
| Feature | CADA (proposed) | Gaia-X |
|---|---|---|
| Nature | Proposed EU regulation (law, if adopted) | Industry-led association (framework/labels) |
| Status | Binding if adopted; currently a proposal | Voluntary |
| Enforcement | National competent authorities; penalties (Article 24) | Market pressure, reputation, contracts |
| Sovereignty model | Four Union assurance levels, criteria in Annex II (Article 16) | Voluntary labels describing trust/sovereignty |
| Assurance/audit | Self-assessment for level 1 (Article 19); independent audit for levels 2–4 (Article 20) | Self-description or voluntary conformity |
| Who is bound | Public sector buyers and Union entities (mandatory); providers seeking recognition | Voluntary across providers, users, data holders |
| Legal basis | Articles 114 and 173(3) TFEU | Association statutes |
How they interact
CADA and Gaia-X are not mutually exclusive. As proposed, CADA would set the minimum legal requirements for public sector cloud, anchored in Annex II criteria (data and personnel located in the Union, controls on third-country access and on service disruption, software supply chain measures, and cybersecurity certification). A provider could use Gaia-X specifications to structure and document its offering against those criteria. But even a Gaia-X-conformant provider would still need to complete the Article 17 recognition route — including an independent audit for levels 2, 3 or 4 — before it could be procured for public sector activities requiring those levels.
What this means for you
For CTOs, architects and SMEs building or selling cloud services into the EU public sector:
1. Treat recognition as the gating step. If you target public sector buyers, plan for the Article 17 recognition process. For level 1 you self-assess and publish an EU statement of conformity (Article 19); for levels 2–4 you must commission an independent third-party audit, at your own expense, with annual review (Article 20). Gaia-X conformity alone would not make you eligible.
2. Use Gaia-X to reduce friction, not to skip steps. Aligning your architecture with Gaia-X specifications can help you produce and organise the evidence an auditor needs against Annex II (and Annex III, which lists the audit evidence). It does not replace the audit.
3. Know which level you can realistically reach. The criteria are cumulative and tighten sharply: level 2 adds, for example, that data generated by the service is not used to train or fine-tune third-country AI systems; levels 3 and 4 require that personnel involved in providing the service are Union citizens, with national security clearance "where appropriate". If you are an SME, note that under Article 17(3) your EU statement of conformity for level 1 would be directly and automatically recognised in all Member States, without prior recognition by the evaluating authority.
4. Design for portability. Risk assessments must consider whether a multi-vendor or multi-cloud strategy is appropriate (Article 29(9)), and migration where required must complete within a transition period not exceeding 12 months (Article 29(6)). Build for interoperability and exit — an area where Gaia-X work is directly useful.
Common misconceptions
- "Gaia-X is mandatory under CADA." No. Gaia-X is voluntary, and CADA does not require Gaia-X conformity. Gaia-X may help demonstrate parts of CADA's criteria, but it is not the legal route to recognition.
- "CADA replaces GDPR, the Data Act and the AI Act." No. As proposed, CADA would complement them — its explanatory memorandum notes it is consistent with the GDPR and that sovereignty "goes beyond data transfers and relates to operational autonomy too."
- "Only large providers need to worry about CADA." No. SMEs are in scope, but CADA includes specific support: automatic Union-wide recognition of an SME's level 1 statement of conformity (Article 17(3)), and a single information point obligation to give SMEs a dedicated channel (Article 12(4)).
- "Gaia-X gives legal protection." No. Gaia-X offers technical and contractual trust frameworks, not legal obligations or remedies. Only a regulation such as CADA, if adopted, would do that.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
Related
- Digital sovereignty vs digital autonomy under CADA: what's the difference?
- Data sovereignty vs operational autonomy under CADA: what's the difference?
- Data residency vs data sovereignty under CADA: what is the difference?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- CADA Union assurance level 1 vs level 2: what is the difference?
This is general information about a draft EU regulation, not legal advice.