Summary

The GDPR and the proposed Cloud and AI Development Act (CADA) answer different questions about the same data. The GDPR (Regulation (EU) 2016/679) governs the lawful processing of personal data and protects individuals' privacy rights. CADA, as proposed, would establish a framework for cloud sovereignty — operational autonomy, infrastructure resilience and independence from third-country control. CADA would not replace the GDPR; the Commission states the proposal is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR)." The key conceptual gap CADA fills: sovereignty, in the Commission's words, "goes beyond data transfers and relates to operational autonomy too" — covering non-personal data, service continuity and freedom from foreign legal compulsion, none of which the GDPR was designed to address.

Detail

The cleanest way to separate the two is by what each protects, on what legal basis, and against which risk.

The GDPR is a fundamental-rights instrument protecting natural persons with regard to the processing of their personal data. It governs how organisations collect, store, process and share personal information, built on principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation and accountability — backed by data-subject rights and breach-notification duties.

CADA (COM(2026) 502 final, proposed by the European Commission on 3 June 2026) is a strategic internal-market and industrial-policy proposal. Its subject matter, in Article 1(1), is to establish a framework for strengthening the cloud and AI ecosystem — including increasing computing capacity, accelerating data-centre deployment, enabling "a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order," reducing dependencies on critical technologies, and fostering public-sector cloud adoption.

Consistency and complementarity

The Commission is explicit that the two coexist. The explanatory memorandum states the proposal "is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework." It then identifies the gap CADA addresses: "while the EU-US Data Privacy Framework addresses transatlantic data transfers," the proposal complements it because "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."

CADA's core instrument — the "Union assurance levels" under Article 16 — is not about privacy in the GDPR sense. It is about operational autonomy, confidentiality and resilience against external disruption. A service could comply fully with the GDPR's transfer rules (say, via Standard Contractual Clauses) yet still fail CADA's higher levels if it is subject to a third country that could disrupt service continuity or reach non-personal data.

Scope and application

The GDPR applies to any organisation processing the personal data of individuals in the EU, wherever the organisation is established. CADA's sovereignty framework (Title IV) primarily targets cloud computing service providers seeking to serve Union entities and public-sector bodies, together with those buyers, who under Article 29 would carry out risk assessments to set the assurance level appropriate to their activities. CADA's reach also extends to non-personal data, which the GDPR does not govern at all.

Key differences in obligations

  • GDPR: data-subject rights (access, rectification, erasure), lawful bases for processing, data protection impact assessments, breach notification. Penalties can reach up to €20 million or 4% of total worldwide annual turnover.
  • CADA (as proposed): Annex II criteria on Union establishment, location of infrastructure, assets and personnel, freedom from third-country control, software supply-chain transparency (including an SBOM) and cybersecurity certification. To reach level 3 or 4, a provider would have to show, among other things, that infrastructure, assets and personnel are located in the Union, that personnel are Union citizens, and that the provider is not subject to third-country control. CADA would not set its own maximum fine: under Article 24, Member States would lay down penalty rules that are "effective, proportionate and dissuasive," and recipients could seek compensation for damage from a provider's infringement.

What this means for you

For in-house counsel and compliance teams, CADA and the GDPR would run as two parallel — and intersecting — compliance tracks across cloud procurement and data-processing agreements.

1. Procurement and risk assessment. Public-sector bodies and Union entities would carry out risk assessments under Article 29 to set the appropriate Union assurance level — separate from, but parallel to, GDPR compliance. A GDPR-compliant provider does not automatically meet CADA's sovereignty criteria; you would have to evaluate establishment, infrastructure, personnel and control structures against the level your risk assessment requires.

2. Contractual updates. GDPR data-processing agreements would need to sit alongside contract terms addressing CADA criteria — infrastructure location, personnel screening, SBOM transparency and guarantees against third-country interference. For level 1, a self-assessment and EU statement of conformity would suffice (Article 19); for levels 2 to 4, independent third-party audits would be mandatory (Article 20).

3. Penalties and enforcement. Unlike the GDPR's harmonised fine tiers, CADA would leave penalty levels to Member States, subject to the "effective, proportionate and dissuasive" standard. Recipients could also seek compensation under Article 24. Build appropriate liability and indemnification terms into cloud contracts.

4. Transition and deadlines. As proposed, CADA would apply one year after entry into force. National cloud and AI strategies would be due within one year of entry into force (Article 7), and the first risk assessments would be due by the same point under Article 29. Start mapping current providers against the assurance levels to surface gaps early.

Common misconceptions

"CADA replaces the GDPR for cloud services." No. They are complementary. The GDPR continues to govern personal-data processing; CADA would govern the sovereignty and resilience of the infrastructure. The Commission states the proposal is consistent with the GDPR, and CADA would not affect the GDPR's rules on third-country transfers.

"GDPR compliance ensures cloud sovereignty." It does not. The GDPR protects privacy rights; it does not address operational autonomy, non-personal data or service continuity. A provider can be GDPR-compliant yet still subject to a third country that could access data or disrupt service — precisely the gap CADA's assurance levels are designed to close.

"Only public-sector bodies need to worry about CADA." The procurement rules target public-sector bodies and Union entities, but the sovereignty framework reaches any provider wanting to serve them. Separately, Article 31 would allow private-sector entities within the meaning of the NIS2 Directive to conduct comparable impact assessments, and CADA's capacity and innovation measures would affect the wider market.

This is general information about a draft EU regulation, not legal advice.