Summary

The EU-US Data Privacy Framework (DPF) and the proposed Cloud and AI Development Act (CADA) answer different questions. The DPF provides a lawful basis for transferring personal data from the EU to the United States under the GDPR. It does not remove the sovereignty risk of depending on third-country-controlled cloud providers. CADA, as proposed in COM(2026) 502 final, would address that risk through a "Union cloud computing sovereignty framework" of four assurance levels (Article 16) covering operational autonomy and protection against foreign-compelled access or service disruption. For counsel: the DPF determines whether a transfer is lawful; CADA's assurance levels would determine whether a provider is eligible for sensitive public-sector procurement. CADA is a proposal, not yet in force.

Detail

For compliance officers working at the intersection of data protection and technological sovereignty, the distinction between the DPF and CADA matters. Both touch data that crosses borders, but they address fundamentally different risks.

The DPF is a transfer mechanism. It facilitates the transfer of personal data from the EU to the United States within the GDPR framework, by underpinning an adequacy decision for certified US organisations. Its scope is data-protection rights: it does not, by itself, neutralise the risk that a third country could exercise extraterritorial control over the cloud infrastructure — for example through laws that may compel a provider to disclose data or disrupt a service. In other words, a transfer can be lawful under the DPF while the provider remains exposed to foreign legal compulsion.

CADA, by contrast, would target that broader dependency. As proposed, Article 16 would establish four "Union assurance levels" (1 to 4) that cloud computing service providers must meet to provide services to Union entities and public-sector bodies. The framework reaches beyond data-protection compliance to operational autonomy and confidentiality: the criteria in Annex II address establishment and location in the Union, location (and at higher tiers citizenship) of personnel, software supply-chain control, and the absence of third-country control over the provider.

The two are complementary, not substitutive. The DPF (or another GDPR transfer tool) makes a personal-data transfer lawful. CADA would aim to ensure the hosting environment is resilient against geopolitical risk — including the extraterritorial reach of third-country laws such as the US CLOUD Act. A provider can be DPF-certified yet still fail to reach Union assurance level 2, 3 or 4 because of third-country control, and thereby be ineligible for certain sensitive public-sector contracts.

A narrow bridge exists at level 3. Under Article 18, the Commission may, by implementing act, identify "associated third countries" whose providers — though subject to that country's control — may be audited against the criteria for Union assurance level 3, but only where the country meets cumulative criteria including a GDPR adequacy decision and the absence of measures enabling foreign access to data, service disruption or improper restrictive measures. Even then the provider must additionally demonstrate the legal, technical and organisational measures that prevent foreign data access and service disruption. There is no Article 18 route to level 4.

For counsel, this dictates a two-layered due diligence process. First, confirm that any transfer of personal data is lawful under the GDPR — via the DPF for certified US recipients or another transfer mechanism. Second, assess the provider's status under the CADA sovereignty framework, particularly where the service supports public order or critical functions. Member States and Union entities would carry out risk assessments under Article 29 to set the appropriate Union assurance level; a DPF-certified provider could still fall short of level 2, 3 or 4 on third-country-control grounds.

What this means for you

For in-house counsel and compliance officers, the proposed convergence of the DPF and CADA would require mapping data flows against sovereignty requirements.

1. Treat these as two obligations, not one. The DPF would remain a primary tool for legitimising transatlantic personal-data transfers under the GDPR. Separately, if you are a public-sector body — or a private entity in a high-criticality sector under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) — you would also need to evaluate providers against CADA's assurance levels. As proposed, Article 29 places a risk-assessment obligation on Member States and Union entities to identify which public-sector activities require higher assurance levels (2, 3 or 4), and Article 31 allows private entities in critical sectors to carry out similar impact assessments.

2. Anticipate procurement exclusions. Article 30 would tie procurement to assurance levels: activities not identified as contributing to the preservation of public order would use level 1 (Article 30(2)); activities with public-order relevance would require level 2, 3 or 4 (Article 30(3)). A US-based provider participating in the DPF could still be excluded from certain critical contracts unless it can demonstrate the stricter sovereignty criteria — limits on third-country access and protection against service disruption.

3. Prepare for the risk assessment and its review. Article 29 assessments must consider at least the sensitivity, criticality and magnitude of the data, the risk of unlawful third-country access, and the risk of service disruption (Article 29(2)). Keep documentation robust: the Commission may review national results and, where it finds the chosen level inadequate, adopt implementing acts specifying the required assurance level (Article 29(5)).

4. Plan for CADA enforcement, separately from GDPR. Where the DPF relies on data-protection supervisory authorities, CADA would have its own enforcement. Under Article 24, Member States would lay down penalties for provider infringements that are "effective, proportionate and dissuasive," and the provision also addresses compensation for damage suffered through a provider's infringement. CADA does not itself fix a maximum fine. Build liability and compensation terms into cloud contracts.

5. Start auditing providers now. Although timelines depend on the legislative procedure, begin assessing current providers against the Annex II criteria to anticipate requirements. Early identification of providers unlikely to reach levels 2-4 can prevent costly migration delays — and any required migration would have to occur within a transition period not exceeding 12 months (Article 29(6)).

Common misconceptions

"The DPF ensures full sovereignty." No. The DPF concerns the lawfulness of transfers and privacy protections. It does not prevent a third country from compelling access to data or disrupting a service through other legal avenues, such as national-security laws. As proposed, CADA addresses that gap by requiring safeguards against extraterritorial reach.

"CADA replaces the DPF." No. Transfers of personal data still need a lawful basis under the GDPR, and the DPF provides one for certified US recipients. CADA would add a sovereignty assessment for the cloud infrastructure itself. The two would operate in parallel: one governs transfer legality, the other the resilience and sovereignty of the hosting environment.

"Only public-sector entities are affected." No. While CADA's procurement rules (Article 30) target public-sector bodies, Article 31 allows private entities in critical sectors to carry out impact assessments, and providers wanting to serve the public sector would have to meet the assurance levels — shifting market expectations. Private buyers may feel the spillover as sovereignty standards rise.

"Compliance is a one-time certification." No. As proposed, CADA requires ongoing monitoring. Under Article 23, a recognised provider must, on becoming aware of any material change in circumstances that may affect its audit opinion or recognition, notify the auditing organisation and the national competent authority. A change in ownership, jurisdiction or service architecture could trigger reassessment and loss of recognition.

This is general information about a draft EU regulation, not legal advice.