Summary The EU Data Act and the proposed Cloud and AI Development Act (CADA) address different layers of the cloud stack. The Data Act governs data access, sharing and cloud-switching rights; CADA, as proposed, focuses on cloud sovereignty assurance and the physical deployment of computing infrastructure. For in-house counsel, this means meeting the Data Act's interoperability and switching obligations now, while preparing for CADA's proposed sovereignty risk assessments and procurement requirements. The two are complementary, with the Data Act acting as an enabler for the market shift CADA seeks to drive.
Detail
The Data Act (Regulation (EU) 2023/2854) is already in force and focuses on data governance — enabling users to access their data, switch providers and share data with third parties. CADA (COM(2026) 502 final), a proposal, focuses on infrastructure and sovereignty, aiming to reduce dependence on non-EU cloud providers and accelerate data-centre deployment across the Union.
1. The Data Act: enabling switching and interoperability
The Data Act aims to unlock the value of data by reducing vendor lock-in. As the CADA memorandum notes, "by enabling switching and removing key sources of vendor lock-in, the Data Act seeks to ensure that cloud computing service providers in the EU compete on quality, innovation, and price."
Key Data Act obligations include data portability (users receiving their data in a structured, commonly used, machine-readable format), cloud switching (providers assisting users in moving to another provider), and interoperability to support multi-cloud strategies.
However, the CADA memorandum states that the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers." It opens a path toward European services but does not build a framework ensuring those services meet specific sovereignty or security standards.
2. CADA: sovereignty assurance and infrastructure deployment
CADA, as proposed, would address the strategic gap left by the Data Act. Where the Data Act makes switching possible, CADA would make sovereign services required for certain public-sector activities and would incentivise their development.
Sovereignty framework CADA would introduce a "Union cloud computing sovereignty framework" with four assurance levels (Article 16). Unlike the Data Act, which is neutral as to provider origin, CADA sets specific criteria for "Union assured" services.
- Risk assessments: Member States and Union entities would conduct risk assessments to determine which public-sector activities require Union assurance levels 2, 3 or 4 (Article 29).
- Procurement obligations: Contracting authorities whose activities contribute to public order must only procure services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)); all other public bodies must use services with at least Union assurance level 1 (Article 30(2)).
- Third-country control: To qualify for higher levels, providers must demonstrate that no third-country laws allow unlawful access to Union data or disruption of service continuity (Annex II), addressing risks such as the US CLOUD Act.
Infrastructure deployment While the Data Act deals with data flows, CADA would address physical infrastructure:
- Data centre acceleration zones: Member States would designate zones with streamlined permitting (Article 10).
- Strategic projects: The Commission could designate data-centre projects as "strategic" where they meet at least two criteria such as supporting essential public functions, sustainability or supply-chain resilience (Article 14).
- Capacity monitoring: The Commission would monitor the Union's compute-capacity gap (Article 15).
3. Complementary focus
The CADA memorandum treats the Data Act as an enabler. The Data Act removes technical and contractual barriers to switching; CADA would then build the demand and trust framework for European providers by harmonising sovereignty criteria, driving demand through procurement, and accelerating the build-out of data centres and European cloud stacks.
What this means for you
For in-house counsel and compliance officers, the interplay calls for a dual-track strategy.
1. Immediate obligations under the Data Act (in force)
- Switching readiness. Ensure cloud contracts include data-portability and switching-assistance clauses, and that architectures support interoperability.
- Data sharing. Implement mechanisms for the data-access and B2B sharing rights the Data Act creates, including data generated by connected products.
- Enforcement. The Data Act is enforced by competent authorities designated by each Member State, which set the applicable penalties; confirm your obligations against your national implementing rules rather than assuming a single EU-wide fine cap.
2. Upcoming obligations under CADA (proposal stage)
- Sovereignty risk assessments. If you are a public sector body — or a NIS2 Annex I entity that may run impact assessments — begin preparing for the assessments under Article 29, identifying services tied to public order.
- Procurement strategy. Map current and future providers against Annex II criteria (infrastructure location, third-country control), since procurement could be restricted to specific assurance levels.
- Supply-chain transparency. Prepare for the detailed audit evidence on software supply chains, subcontractors and third-country control set out in Annex III.
- Penalties and compensation. As proposed, Member States would lay down effective, proportionate and dissuasive penalties for infringements (Article 24); the proposal does not set fixed fine amounts.
3. Strategic alignment
- Multi-cloud. Use the Data Act's switching rights to diversify providers, and CADA's framework to prioritise European providers for sensitive workloads.
- Vendor engagement. Ask current providers about their roadmap toward CADA's Union assurance levels, audit readiness and third-country control measures.
Common misconceptions
"CADA replaces the Data Act." No. CADA would not repeal or replace it. They operate in parallel: the Data Act for data access and switching, CADA for sovereignty and infrastructure.
"The Data Act mandates European cloud providers." No. The Data Act is provider-neutral; it facilitates switching but does not dictate provider location or sovereignty standards. CADA would introduce mandatory use of services meeting specific assurance levels for public-sector activities.
"CADA only applies to the public sector." While the procurement mandates (Article 30) primarily target public bodies, the sovereignty framework and infrastructure rules affect the wider market: NIS2 Annex I entities may conduct impact assessments (Article 31), and providers must comply with the assurance criteria to serve the public sector.
"GDPR and CADA cover the same ground." No. GDPR protects personal data and privacy rights; CADA, as proposed, addresses operational autonomy, data sovereignty and protection from third-country legal access. A provider can be GDPR-compliant yet fail Union assurance level 3 if it is subject to third-country laws permitting data access.
Official sources
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
Related
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- Does CADA protect EU data from the US CLOUD Act?
- CADA vs the Digital Networks Act: where is the boundary for data centres?
- CADA vs the Data Governance Act (DGA): how do they compare?
- CADA vs the Cybersecurity Act: what does each cover?
This is general information about a draft EU regulation, not legal advice.