CADA vs the Data Governance Act (DGA)

Summary The proposed Cloud and AI Development Act (CADA) and the Data Governance Act (DGA) address different layers of the EU's digital ecosystem. CADA, as proposed, focuses on cloud sovereignty, infrastructure deployment and public procurement; the DGA facilitates data sharing through intermediaries and data altruism. CADA would not replace or amend the DGA's data-reuse rules — instead it would establish a separate sovereignty framework that dictates which cloud services public authorities can use, based on risk assessments.

Detail

CADA, proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), and the DGA (Regulation (EU) 2022/868, in force since 2022) serve distinct purposes. The DGA is concerned with unlocking data value through trust frameworks for data-intermediation services and data altruism for the public good. CADA, as proposed, targets the underlying infrastructure and supply-chain risks of cloud and AI, focusing on reducing strategic dependencies on third-country providers.

Divergent regulatory objects: data flow vs infrastructure sovereignty

The DGA governs the flow of and access to data. It sets rules for "data intermediation services" (neutral third parties facilitating data sharing) and a framework for "data altruism" (entities collecting data for societal benefit), removing barriers to data reuse, particularly from public-sector bodies.

CADA, as proposed, governs the infrastructure where data is processed and the provenance of the services doing that processing. Article 1 of the proposal establishes a framework for strengthening the cloud and AI ecosystem through measures including:

• establishing the Cloud and AI Leadership Initiatives;
• setting a framework for the accelerated deployment of data centres across the Union;
• enabling the availability of a sovereign cloud and AI offer to safeguard the Union's public order;
• reducing dependencies on critical technologies;
• fostering the adoption of cloud computing services across the public sector.

Where the DGA asks "Can this data be shared?", CADA would ask "Is the cloud service processing this data sufficiently sovereign to protect public order?"

The sovereignty framework vs data-reuse rules

The DGA simplifies the conditions under which public-sector bodies make data available for reuse. CADA, as proposed, would introduce a "Union cloud computing sovereignty framework" (Article 16) sorting cloud services into four "Union assurance levels" based on the criteria in Annex II.

Under CADA, public-sector bodies would conduct risk assessments (Article 29) to determine the appropriate level. If an activity is identified as contributing to the preservation of public order — in sectors under Annex I or II of NIS2 (Directive (EU) 2022/2555), or in national security, internal security, border management, defence, justice or law enforcement — contracting authorities must only procure services recognised at Union assurance level 2, 3 or 4 (Article 30(3)). For other public-sector activities, at least Union assurance level 1 is required (Article 30(2)).

This layers compliance: the DGA may allow a public body to share data, while CADA would dictate the standards the cloud provider hosting that data must meet. The DGA facilitates the what and who of data sharing; CADA would regulate the infrastructure control and third-country influence behind it.

Procurement and market dynamics

CADA would also shape demand through procurement. Article 32 would require contracting authorities, in procurement for innovative cloud services and AI systems, to include non-price award criteria evaluating the tenderer's contribution to a European cloud and AI ecosystem — for instance, the use of software or hardware designed or manufactured in the Union. CADA would also introduce a common procurement framework (Articles 37–40) under which the Commission could act as a central purchasing body for participating Member States and Union entities, leveraging collective buying power.

No overlap in penalties or direct obligations for data intermediaries

CADA's obligations would fall mainly on cloud providers seeking recognition under the sovereignty framework (Article 17) and on public-sector bodies as procurers. The DGA's obligations fall on data intermediaries and data-altruism entities. There is no direct conflict: a data-intermediation service might need to run on a CADA-recognised provider if it serves public-sector clients, but the DGA itself imposes no sovereignty criteria.

What this means for you

For in-house counsel and compliance officers, the interplay matters for public-sector contracts and cloud strategy.

1. Public-sector procurement. If you provide cloud services to EU public authorities, prepare for CADA's framework. Recognition would require conformity assessment (self-assessment for level 1; independent audits for levels 2–4) and registration in the central repository (Article 22). Failure could disqualify you from public contracts regardless of DGA compliance.
2. Data-strategy alignment. Ensure DGA-enabled initiatives (e.g. data altruism) are hosted on infrastructure meeting the necessary CADA assurance level where the data is sensitive or processed for public bodies. The DGA enables the sharing; CADA would secure the environment.
3. Supply-chain audits. Higher CADA assurance levels require strict controls over subcontractors, personnel and third-country influence (Annex II). Audit your cloud supply chains for extraterritorial risks such as laws requiring third-country data access.
4. Monitoring deadlines. As proposed, Member States would designate national competent authorities and acceleration zones within set timelines (e.g. an acceleration zone within six months of entry into force, Article 10), and would carry out the first risk assessments within one year of entry into force (Article 29). Track the implementation schedule.

Common misconceptions

• "CADA replaces the DGA's data-sharing rules." No. CADA would not govern data reuse or altruism; it would govern cloud-infrastructure sovereignty. The DGA remains the instrument for data access and intermediation.
• "The DGA imposes sovereignty requirements on cloud providers." No. The DGA focuses on neutrality and interoperability for data intermediaries; it contains no "sovereign cloud" criteria. CADA is the dedicated instrument for that.
• "All cloud services must meet the highest CADA assurance level." No. CADA uses a risk-based approach: only public-sector activities identified as contributing to public order require levels 2–4; general public-sector activities require at least level 1. Private-sector entities are not directly mandated to use specific levels, though NIS2 Annex I entities may run impact assessments (Article 31).

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Governance Act (Regulation (EU) 2022/868)

Related

• CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
• GDPR data localisation vs CADA sovereignty levels: are they the same?
• Does CADA protect EU data from the US CLOUD Act?
• CADA vs the US CLOUD Act: how do they differ?
• CADA vs the Digital Networks Act: where is the boundary for data centres?

This is general information about a draft EU regulation, not legal advice.