Summary
The European Health Data Space (EHDS) and the proposed Cloud and AI Development Act (CADA) regulate different layers of the health-tech stack. The EHDS governs what health data may be accessed, shared and used — including for secondary purposes such as research and public health. CADA, as proposed in COM(2026) 502 final, would govern where and how that data is hosted, by setting sovereignty and resilience requirements for the cloud infrastructure beneath it through four "Union assurance levels" (Article 16). For health-sector entities this would mean a dual track: comply with EHDS data-access rules while procuring cloud services that meet the CADA assurance level appropriate to the activity. CADA is a proposal, not yet in force.
Detail
The EHDS and CADA would create a dual-compliance landscape for the European health sector. The EHDS establishes the rules for what health data can be accessed, shared and used for secondary purposes; CADA, as proposed, would establish the framework for where and how the underlying cloud infrastructure is operated, from a sovereignty and resilience perspective.
Distinct regulatory layers
EHDS: data governance and access. The European Health Data Space Regulation focuses on the flow of health data. It harmonises rules for the primary and secondary use of electronic health data, so that patients, clinicians, researchers and public authorities can access data across borders while maintaining privacy and security safeguards. It defines who may access health data, for what purposes, and under what authorisation. It does not, however, prescribe the sovereignty criteria for the cloud infrastructure that hosts health data spaces. (The EHDS is its own Regulation with its own numbering; CADA does not amend it.)
CADA: infrastructure sovereignty and assurance. CADA addresses strategic dependency on non-EU cloud providers. As proposed, it would introduce a "Union cloud computing sovereignty framework comprising four Union assurance levels" (Article 16), with the criteria set out in Annex II. The framework is designed to safeguard public order and operational autonomy by mitigating the risk that third-country laws could compel data access or disrupt a service.
For the health sector — which processes highly sensitive data and often supports critical public functions — these requirements could be demanding. CADA would distinguish between public-sector activities generally and those identified as "contributing to the preservation of public order." Whether a given health activity falls into the higher category would depend on a risk assessment, not on the health label alone.
Intersection: procurement and risk assessment
The clearest interaction between the two regimes would occur in public procurement and risk management.
- Risk assessments (CADA Article 29). As proposed, Member States and Union entities would, within one year of entry into force and every two years thereafter (or whenever necessary), carry out risk assessments to (a) identify public-sector activities using cloud services that contribute to the preservation of public order, and (b) determine which Union assurance level — 2, 3 or 4 — is appropriate (Article 29(1)). The assessment must consider at least the sensitivity, criticality and magnitude of the data, the risk of unlawful third-country access, and the risk of service disruption (Article 29(2)). Health activities tied to public order (for example large-scale public-health registries or emergency response) could therefore require higher assurance levels than routine clinic administration.
- Procurement obligations (CADA Article 30). Contracting authorities whose activities are identified as contributing to the preservation of public order — in the sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice or law enforcement — would have to procure only cloud services recognised at Union assurance level 2, 3 or 4 (Article 30(3)). Activities not so identified would use level 1 (Article 30(2)). The EHDS would mandate secure health-data spaces; CADA would aim to ensure the cloud beneath them is resilient against extraterritorial legal claims and operational disruption.
- Data location and control (CADA Annex II). To reach the higher levels (2-4), a provider would have to demonstrate, among other things, that infrastructure, assets and personnel are located in the Union and that customer data — "including metadata and telemetry data" — remains exclusively within the Union "unless the public sector body explicitly requires otherwise." This complements the EHDS's goal of keeping health data under EU jurisdiction, but adds verified legal and technical assurance about the provider's independence from third-country control.
Comparison: sector data rules vs infrastructure assurance
| Feature | European Health Data Space (EHDS) | CADA (proposal) |
|---|---|---|
| Primary focus | Lawful access, secondary use and sharing of health data. | Sovereignty and resilience of cloud infrastructure. |
| Key mechanism | Health-data access bodies, authorisations for secondary use. | Union assurance levels (1-4), independent audits, risk assessments. |
| Data scope | Electronic health data (personal and non-personal). | Customer data hosted in the cloud, with sensitivity-based criteria. |
| Provider obligation | Data-protection and security standards for data spaces. | Operational autonomy, absence of third-country control, EU data localisation. |
| Oversight | Health-data access bodies and data-protection authorities. | National competent authorities for cloud recognition (CADA Article 25). |
What this means for you
For in-house counsel and compliance officers in the health sector, the proposed convergence of CADA and the EHDS would call for a two-pronged strategy.
1. Map both regimes, not one. Under the EHDS, address the lawful basis and conditions for primary and secondary use of health data. Under CADA, prepare for (or rely on) the risk assessment under Article 29 that would set the Union assurance level for your cloud services. For genuinely public-order-relevant health workloads, expect level 2 or higher, and document the rationale by reference to data sensitivity and the impact of any disruption.
2. Verify cloud-provider sovereignty. When procuring cloud services for health-data activities, confirm the provider holds recognition for the required Union assurance level. For levels 2-4 this would require an independent third-party audit (CADA Article 20). At higher tiers the criteria include that the provider and its subcontractors are established and located in the Union, that customer data stays in the Union, and — at levels 3 and 4 — that the provider is not subject to the control of a third country or a third-country entity (Annex II §§3.1(g), 4.1(g)).
3. Track national designations and transition windows. As proposed, Member States would designate national competent authorities and adopt national cloud and AI strategies within one year of entry into force (Articles 7 and 25). Where a risk assessment requires migration to another cloud service, it would have to occur "within a reasonable transition period that shall not exceed 12 months," taking account of technical feasibility, continuity of service and data portability (Article 29(6)). Scope compliant alternatives early.
4. Consider pooled procurement. Smaller health entities could look to centralised options: the Commission may act as a central purchasing body for data-centre, cloud, software and AI services (CADA Article 37, Chapter IV), and Chapter III would establish a European public-sector cloud federation (the "EuroCloud Federation," Article 34) to help Member States share services. These could reduce the administrative burden of sovereign-cloud procurement.
Common misconceptions
"GDPR compliance is enough for health-cloud sovereignty." No. The GDPR governs data protection; it does not address operational autonomy or the risk that third-country laws could compel data access or service disruption. As proposed, CADA targets that gap. A provider can be GDPR-compliant yet still fail CADA's higher assurance levels because of third-country control or insufficient localisation guarantees.
"The EHDS removes the need for CADA compliance." No. The two address different problems. The EHDS enables and governs the use of health data; CADA would govern the resilience and sovereignty of the infrastructure that hosts it. Meeting EHDS rules would not exempt a buyer from CADA's procurement and assurance obligations — and the EHDS's reliance on secure data spaces arguably makes CADA's framework more relevant, not less.
"Only large health systems need to worry about CADA." No. As proposed, the procurement rules reach all public-sector bodies: activities not tied to public order would still need at least level 1 (Article 30(2)), and public-order-relevant activities (such as emergency medical services, where identified by risk assessment) would need levels 2-4 (Article 30(3)). The proposal also includes measures to ease participation by SMEs and smaller entities.
This is general information about a draft EU regulation, not legal advice.