Summary
The proposed Cloud and AI Development Act (CADA) and the Cybersecurity Act address distinct but complementary risks. The Cybersecurity Act focuses on technical cybersecurity certification and supply-chain trustworthiness; CADA, as proposed, adds a harmonised sovereignty framework to mitigate risks around third-country data access, operational autonomy and public order. CADA supplements the Cybersecurity Act by addressing the non-technical sovereignty concerns that certification alone cannot resolve.
Detail
The distinct roles of CADA and the Cybersecurity Act
The key distinction is between technical cybersecurity and technological sovereignty. The proposed CADA and the Cybersecurity Act (with its revision, often called CSA2) operate in tandem but target different risk profiles.
The Cybersecurity Act: technical security. The Cybersecurity Act (Regulation (EU) 2019/881) establishes the EU framework for cybersecurity certification schemes, including the planned European Cybersecurity Certification Scheme for Cloud Services (EUCS), which ENISA has been developing but which has not yet been adopted. Its focus is technical: the security of the ICT supply chain and robust cybersecurity standards. As the CADA explanatory memorandum notes, certification under the Cybersecurity Act "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements."
CADA: sovereignty and public order. CADA would fill the non-technical gap with a "Union cloud computing sovereignty framework" designed to mitigate dependencies on third-country providers and protect public order. The memorandum states that "together, the proposal and the CSA2 fill long-standing gaps in sovereignty and non-technical risks." CADA's framework rests on four "Union assurance levels" (Article 16), which set the degree of trust required based on the sensitivity of the data and the criticality of the public-sector activity.
Article 16: the core of CADA's sovereignty framework
As proposed, Article 16(1) provides:
"This Chapter establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies."
The criteria in Annex II cover, among other things:
- Establishment and location: where the provider and its infrastructure are located (Union-only for higher levels).
- Data localisation: customer data, including metadata and telemetry, remaining within the Union (unless the public sector body explicitly requires otherwise).
- Personnel: at higher levels, screening and Union-citizenship requirements where the public sector body deems them necessary.
- Third-country control: ensuring providers are not subject to third-country control that could compel data access or service disruption (required at Union assurance level 4).
Article 16(2) would empower the Commission to adopt delegated acts under Article 45 to amend the assurance levels in Annex II and the evidence in Annex III. Article 16(3) would require the Commission to "review them at least every 18 months" to keep Annex II and Annex III up to date with legal or technical developments.
How CADA would supplement the Cybersecurity Act
The relationship is one of complementarity, not replacement. A cloud service can be technically secure (certified under EUCS/the Cybersecurity Act) yet still fail CADA's sovereignty requirements if it is controlled by a third country whose laws allow extraterritorial data access.
- Technical vs strategic risk. The Cybersecurity Act ensures the lock is strong; CADA seeks to ensure the key is not held by an adversary, addressing extraterritorial laws, potential service disruption and loss of operational autonomy.
- Public-procurement integration. CADA would integrate sovereignty into procurement: contracting authorities run risk assessments (Article 29) to set the appropriate assurance level, and for public-order activities must procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)).
- Recognition mechanism. CADA would establish a recognition mechanism (Article 17) under which the national competent authority of establishment assesses whether a provider meets a given assurance level. This is distinct from cybersecurity certification, though such certification is part of the evidence for higher levels — Annex II requires a European cybersecurity certificate of at least 'substantial' assurance for levels 2 and 3, and 'high' for level 4 (once such a scheme is available).
Key differences at a glance
| Feature | Cybersecurity Act (EUCS) | CADA (Cloud and AI Development Act) |
|---|---|---|
| Primary focus | Technical cybersecurity, supply-chain integrity | Technological sovereignty, data access, public order |
| Risk addressed | Vulnerabilities, intrusion, malware | Extraterritorial data access, service disruption, strategic dependency |
| Mechanism | Certification schemes (e.g. EUCS) | Union assurance levels (1–4) and recognition |
| Mandatory for public sector? | No (certification is voluntary under Article 56(2) of Regulation (EU) 2019/881 unless Union or national law requires it) | Yes, for services procured by Union entities and public sector bodies |
| Legal basis | Regulation (EU) 2019/881 | Proposed Regulation (CADA) |
What this means for you
For in-house counsel and compliance officers, the interplay creates a two-layer obligation.
For cloud providers:
- Dual compliance. Pursue both technical cybersecurity certification (EUCS, once available) and CADA's Union assurance recognition. Technical security is a prerequisite for higher levels but is not sufficient on its own.
- Evidence preparation. Prepare for independent audits (Article 20) covering both technical security and sovereignty criteria (data flows, personnel, third-country control).
- Transparency. Be ready to disclose subcontractors, data locations and ownership structures; Annex II requires full transparency around the use of subcontractors.
For public-sector buyers:
- Risk assessments. You would be obliged to conduct risk assessments (Article 29) to set the appropriate assurance level — this is not optional.
- Procurement rules. You could procure only cloud services recognised at the required level; for public-order activities, levels 2, 3 or 4.
- Transition planning. Where a risk assessment requires migration, CADA allows a reasonable transition period not exceeding 12 months (Article 29(6)).
Deadlines and penalties:
- Timeline. CADA is a proposal. If adopted, Member States would designate national competent authorities and adopt national strategies within the periods set in the proposal (Articles 7 and 25).
- Penalties. Member States would lay down effective, proportionate and dissuasive penalties for infringements of CADA's sovereignty chapter (Article 24). The proposal does not set fixed fine amounts; relevant factors include the nature, gravity, scale and duration of the infringement.
Common misconceptions
"CADA replaces the Cybersecurity Act." No. CADA complements it. Technical cybersecurity remains the domain of the Cybersecurity Act and EUCS; CADA adds a sovereignty layer on top.
"Only public sector bodies are affected by CADA's sovereignty framework." The mandatory procurement rules apply to the public sector, but the framework reaches the wider market: NIS2 Annex I entities may conduct similar impact assessments (Article 31), and providers must gain recognition to access public-sector business.
"Technical certification is enough for high-security public contracts." No. A service can be EUCS-certified yet fail CADA's Union assurance level 3 or 4 if it is controlled by a third country or processes data outside the Union.
"CADA bans all third-country cloud providers." No. As proposed, Article 18 lets the Commission identify third countries that provide sufficient assurances for Union assurance level 3, conditional on cumulative criteria including a GDPR adequacy decision, no measures enabling unlawful data access, and no measures to disrupt service continuity.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
Related
- Does the AI Act or CADA cover cloud sovereignty?
- CADA vs the Data Act: what does each regulate for cloud?
- CADA vs the Cybersecurity Act review (CSA2): how are they paired?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- How does CADA reinforce the EU AI Act?
This is general information about a draft EU regulation, not legal advice.