Summary The EU AI Act and the proposed Cloud and AI Development Act (CADA) regulate different layers of the same stack. The AI Act (Regulation (EU) 2024/1689) is a product-safety and fundamental-rights regulation for AI systems — what they may do and how they must be governed. CADA, as proposed in COM(2026) 502 final, targets the infrastructure and market beneath them: cloud sovereignty, data-centre capacity and dependence on non-EU providers. They do not overlap and CADA would not replace the AI Act. The Commission itself frames CADA as reinforcing the AI Act, noting that the AI Act "does not cover aspects of sovereignty" — the gap CADA is designed to fill.
Detail
The cleanest way to separate the two instruments is to ask what each one regulates, on what legal basis, and against which policy failure.
The AI Act: rules for AI systems
The AI Act is, in the Commission's own words in the CADA explanatory memorandum, an instrument that "harmonises rules for AI systems and general-purpose AI models to be placed on the EU market" and "ensures a high level of protection of health, safety and fundamental rights." It is built on a risk-based structure:
- Prohibited practices — a defined set of AI uses (for example social scoring and certain biometric practices) are banned outright.
- High-risk AI systems — systems used in sensitive contexts must meet obligations on risk management, data governance, technical documentation, logging, transparency, human oversight and conformity assessment.
- General-purpose AI models — providers face transparency obligations, with additional duties for models posing systemic risk.
- Minimal-risk AI — largely unregulated.
The decisive point for this comparison is the last line of the relevant passage in the CADA memorandum: the AI Act "does not cover aspects of sovereignty." It says nothing about where compute is located, who controls the provider, or whether a foreign government could compel access to the underlying infrastructure.
CADA: infrastructure, capacity and sovereignty
CADA is a proposal — not yet in force — that addresses the infrastructure and market structure under the AI layer. Its subject matter, in Article 1(1), is to establish a framework for strengthening the cloud and AI ecosystem through five measures: the Cloud and AI Leadership Initiatives; accelerated deployment of data centres; the availability of a "sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order"; reducing dependencies on critical technologies; and fostering public-sector adoption of cloud services.
CADA would pursue two general objectives. Under Article 1(2), the first is "to ensure the conditions necessary for the competitiveness and innovation capacity of the Union's cloud and AI ecosystem." Under Article 1(3), the second — described as "separate from and complementary to" the first — is "to improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy in cloud and AI technologies." Where the AI Act governs the software, CADA would govern the platform and the supply chain beneath it.
Key differences in scope
| Feature | EU AI Act | CADA (proposal) |
|---|---|---|
| Status | In force since 1 August 2024; obligations phasing in. | Proposal (COM(2026) 502 final); not yet adopted. |
| Primary focus | Safety, fundamental rights and transparency of AI systems. | Cloud sovereignty, data-centre capacity, supply-chain resilience. |
| Regulated actors | Providers, deployers, importers and distributors of AI systems. | Cloud computing service providers, data-centre operators, contracting authorities, public-sector bodies, Union entities. |
| Sovereignty | Not covered. | Central: Article 16 would establish a Union cloud computing sovereignty framework of four assurance levels. |
| Infrastructure | Not covered. | Data-centre acceleration zones, single information points, strategic-project designation. |
| Public procurement | No cloud-procurement mandate. | Under Article 30, procurement would be tied to assurance levels set by a risk assessment. |
How they would work together
The two instruments are complementary by design. The AI Act would keep the AI system running on the cloud safe and rights-compliant; CADA would aim to keep the cloud beneath it resilient and free from third-country interference.
A concrete example: a public body running a high-risk AI system for law enforcement is subject to the AI Act for that system. Separately, under CADA Article 29, the relevant Member State or Union entity would carry out a risk assessment to decide whether that activity "contributes to the preservation of public order" — and law enforcement is expressly named in Article 29(1). If it does, Article 30(3) would require the contracting authority to procure only cloud services recognised at Union assurance level 2, 3 or 4. The AI Act question (is the system safe?) and the CADA question (is the cloud sovereign enough?) are answered independently.
What this means for you
For in-house counsel and compliance teams, the practical task is to map two parallel — not overlapping — compliance tracks.
1. Mapping obligations
- If you develop or deploy AI systems: the AI Act applies. Classify each system by risk, build the technical documentation, and meet transparency and oversight duties.
- If you provide cloud computing services: CADA's sovereignty framework would apply. Under Article 16 and Annex II, you would seek recognition at one of four Union assurance levels, with criteria covering establishment, location of infrastructure and personnel, third-country control and software supply chain.
- If you are a public-sector body or Union entity: you may face both. The AI Act governs any high-risk AI you use; under CADA Article 29 you would carry out (or rely on) a risk assessment, then procure under Article 30 at the resulting assurance level.
2. Timelines
- AI Act: already in force (1 August 2024). The Article 5 prohibitions apply from 2 February 2025; general-purpose AI rules from 2 August 2025; most high-risk obligations from 2 August 2026.
- CADA: a proposal only. As drafted, it would enter into force on the 20th day after publication and apply one year later. Interim milestones in the text include national cloud and AI strategies within one year of entry into force (Article 7) and designation of at least one data-centre acceleration zone within six months (Article 10).
3. Penalties
- AI Act: fines up to €35 million or 7% of total worldwide annual turnover for breaching the Article 5 prohibitions, and up to €15 million or 3% for most other infringements.
- CADA: under Article 24, Member States would set the penalty rules for provider infringements of the sovereignty chapter; these must be "effective, proportionate and dissuasive." CADA does not itself fix a maximum fine. Article 24 also provides that recipients may seek compensation for damage from a provider's infringement.
4. Strategic planning
Assess current providers against CADA's proposed assurance levels now. Reliance on a non-EU hyperscaler may not, on its own, satisfy the higher tiers for public-order-relevant activities, so multi-cloud or EU-controlled options are worth scoping early. Data-centre operators should track the acceleration-zone and permitting measures separately.
Common misconceptions
"CADA replaces the AI Act." No. They regulate different layers — the AI system versus the cloud beneath it — and an organisation deploying public-sector or critical-infrastructure AI would likely need to comply with both.
"The AI Act already covers data sovereignty." It does not. The Commission states plainly that the AI Act "does not cover aspects of sovereignty." CADA is the instrument proposed to address third-country control, extraterritorial access and operational continuity.
"CADA only affects the public sector." The procurement obligations fall on contracting authorities and public bodies, but the sovereignty framework reaches any provider wanting to serve them, and CADA's data-centre and innovation measures affect the wider market.
"CADA is just about data centres." Data centres are one part. CADA also proposes the cloud sovereignty framework, the Cloud and AI Leadership Initiatives, public-sector adoption measures and a public-sector cloud federation.
Official sources
Related
- CADA vs the Digital Markets Act (DMA) for cloud: what is the difference?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- CADA Union assurance level 1 vs level 2: what is the difference?
- Sovereign cloud vs public cloud: what's the difference under CADA?
- How does CADA reinforce the EU AI Act?
This is general information about a draft EU regulation, not legal advice.