CADA vs the Digital Markets Act (DMA) for cloud

Summary The Digital Markets Act (DMA) and the proposed Cloud and AI Development Act (CADA) address distinct layers of the cloud ecosystem. The DMA regulates the conduct of designated gatekeepers to keep the market fair and contestable, while CADA — as proposed — focuses on the uptake and use of cloud services, building a sovereign offer and steering public-sector procurement toward it. For in-house counsel, the DMA imposes behavioural restrictions on a narrow set of gatekeepers, whereas CADA would impose procurement obligations and sovereignty assurance criteria on contracting authorities and the providers selling to them. The Commission itself frames the two as complementary, operating at different levels.

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA, COM(2026) 502 final) is, by the Commission's own explanatory memorandum, "consistent with the Digital Markets Act (DMA)." Both instruments touch cloud computing, but they operate at different points and pursue different policy goals. Understanding the distinction matters for any compliance function managing cloud strategy.

The DMA: regulating gatekeeper conduct for contestability The DMA, Regulation (EU) 2022/1925, designates large digital platforms as "gatekeepers." Per the CADA explanatory memorandum, the DMA "covers cloud computing services as a core platform service, meaning that cloud computing service providers designated as gatekeepers would have to comply with a set of obligations to increase fairness and market contestability." The memorandum notes that, so far, no cloud computing service provider has been designated as a gatekeeper for its cloud services. It records that on 18 November 2025 the Commission opened three market investigations on cloud computing services under the DMA — two of which would assess whether two providers should be designated as gatekeepers for their cloud services (that is, whether they act as important gateways between business users and end users).

The DMA's stated aim, as the CADA memorandum puts it, is "maintaining and promoting a fair and contestable cloud market in the Union, regulating specific behaviours of companies designated as gatekeepers." It does not contain measures that actively promote the uptake of sovereign cloud computing services. Its focus is market dynamics and contestability, not the operational or geopolitical sovereignty of the infrastructure.

CADA: intervening at the level of uptake and use The Commission expressly states that the DMA "intervenes at a different level than the proposal, which focuses on the uptake and use of the services provided." As proposed in Article 1, CADA "establishes a framework for strengthening the cloud and AI ecosystem at Union level," including by "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order" and "reducing dependencies on critical technologies."

CADA would not regulate competitive conduct the way the DMA does. Instead, it would create a demand-side framework that shapes which services public-sector bodies and certain entities use. CADA would introduce a Union cloud computing sovereignty framework with four Union assurance levels (1–4). Under Article 29, Member States and Union entities would carry out risk assessments to identify public-sector activities that contribute to the preservation of public order and the appropriate assurance level for them. Under Article 30, where activities are identified as contributing to public order in the relevant sectors, contracting authorities would only procure cloud services recognised at Union assurance level 2, 3 or 4. This would create a market pull for sovereignty-recognised services, independent of whether a provider is a DMA gatekeeper.

Key distinctions in scope and mechanism

1. Who is targeted: The DMA targets a narrow subset of large "gatekeeper" providers. CADA would reach the providers seeking to sell to the public sector and the contracting authorities and Union entities that buy.
2. Regulatory lever: The DMA prohibits specific conduct (e.g. self-preferencing, unfair terms hindering switching). CADA would use sovereignty assurance levels and procurement obligations to drive adoption.
3. Policy goal: The DMA aims at fairness and contestability. CADA aims, in the words of its second general objective, at "increasing the Union's resilience and strategic autonomy in cloud and AI technologies."
4. Overlap: A single provider could face both. A gatekeeper would still owe DMA behavioural obligations while separately seeking CADA recognition to win public contracts. The DMA would not, however, help a provider achieve sovereignty recognition; it only constrains gatekeeper conduct.

Interaction with the Data Act The Commission also notes CADA is consistent with the Data Act, whose switching and interoperability provisions make it possible for users "to embrace European cloud computing services more strongly" — an enabler for the proposal. The Data Act removes lock-in; it does not build the sovereign offer. CADA would supply the criteria and incentives for that offer to exist and be trusted.

What this means for you

For in-house counsel and compliance officers, the DMA and a future CADA would create a dual-compliance landscape.

For cloud service providers:

• DMA: If designated as a gatekeeper, you must meet behavioural obligations under Regulation (EU) 2022/1925, including interoperability, no self-preferencing, and not unfairly hindering switching. The DMA provides for fines of up to 10% of total worldwide annual turnover.
• CADA (as proposed): To win public-sector contracts for sovereignty-sensitive activities, you would seek recognition under the Union cloud sovereignty framework — independent audits for the higher Union assurance levels, with criteria addressing matters such as data localisation, personnel and protection against third-country control (see CADA Annexes for assurance-level detail). Losing recognition would mean exclusion from the relevant procurement.

For public-sector bodies and contracting authorities:

• Procurement strategy: You would build the Union assurance levels into procurement. Under Article 30, for activities identified as contributing to public order in the relevant sectors, you would only procure services recognised at assurance level 2, 3 or 4; for activities not so identified, you would use services recognised at assurance level 1.
• Risk assessments: Under Article 29, you would run risk assessments by one year after entry into force and thereafter every two years (or whenever necessary), considering data sensitivity, the risk of unlawful third-country access, and the impact of service disruption on public order.
• DMA benefits: You could use DMA-driven switching and interoperability to ease migration toward sovereignty-recognised providers.

Penalties:

• DMA: Up to 10% of total worldwide annual turnover.
• CADA (as proposed): Article 24 would have Member States lay down penalties for infringements by cloud providers, "effective, proportionate and dissuasive," with compensation rules. The proposal does not set specific fine amounts.

Common misconceptions

Misconception 1: The DMA ensures cloud sovereignty. It does not. The DMA constrains gatekeeper conduct. A provider can be DMA-compliant yet still exposed to third-country laws that affect EU sovereignty. CADA would address that gap through its assurance framework.

Misconception 2: CADA would replace the DMA for cloud providers. No. The Commission frames them as complementary, operating at different levels. A provider would meet DMA conduct rules if designated a gatekeeper and, separately, CADA sovereignty requirements to sell into the public sector.

Misconception 3: All public-sector cloud use would need the highest assurance levels. No. CADA would take a risk-based approach. Under Article 29 and Article 30, only activities identified as contributing to public order in the relevant sectors would require assurance level 2, 3 or 4; other activities would use level 1. Private-sector entities in the relevant sectors may carry out similar assessments under Article 31 but are not bound by the same mandatory procurement rules.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Data Act (Regulation (EU) 2023/2854)

Related

• Digital sovereignty vs digital autonomy under CADA: what's the difference?
• CADA vs the EU AI Act: what is the difference?
• CADA vs the Digital Networks Act: where is the boundary for data centres?
• CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
• CADA Union assurance level 1 vs level 2: what is the difference?

This is general information about a draft EU regulation, not legal advice.