Summary The proposed Cloud and AI Development Act (CADA) does not alter the core regulatory obligations of General-Purpose AI (GPAI) model providers under the EU AI Act. Providers must continue to comply with the AI Act's safety, transparency, and governance rules. However, CADA introduces distinct benefits and requirements for providers operating within the EU ecosystem. Specifically, Articles 8 and 9 of the proposal offer strategic compute support for "frontier AI" projects, while the CADA sovereignty framework imposes strict Union assurance levels if providers host public-sector workloads. Compliance with the AI Act is necessary but insufficient for public procurement; CADA adds a separate layer of infrastructure and sovereignty requirements.

Detail

The relationship between the proposed CADA (COM(2026) 502 final) and the existing EU AI Act (Regulation (EU) 2024/1689) is one of strict complementarity. The AI Act regulates the AI system itselfβ€”its safety, fundamental rights impact, and transparency. CADA, by contrast, regulates the infrastructure and market beneath it: cloud sovereignty, data-centre capacity, and supply-chain resilience. For GPAI providers using EU cloud infrastructure, three dimensions define this interaction: unchanged AI Act liabilities, new compute incentives for frontier AI, and public-sector procurement constraints based on sovereignty tiers.

1. AI Act Obligations Remain Unchanged

CADA does not repeal, amend, or supersede the AI Act's specific provisions regarding GPAI models. The explanatory memorandum of CADA explicitly states that the proposal "reinforces key objectives of the AI Act" but clarifies that the AI Act "does not cover aspects of sovereignty." Consequently, a GPAI provider's liability for model safety, bias, copyright compliance, or fundamental rights impacts remains governed exclusively by the AI Act.

Under the AI Act, providers of general-purpose AI models must continue to:

  • Draw up and maintain technical documentation.
  • Provide information and code to downstream providers.
  • Adhere to copyright and data governance rules.
  • For models presenting systemic risk, conduct adversarial testing, monitor for serious incidents, and report to the AI Office.

CADA does not introduce a new product-liability regime for the AI models themselves. It regulates the cloud services and data-centre infrastructure that enable their operation. A provider cannot use CADA compliance as a defence against AI Act violations, nor can AI Act compliance exempt a provider from CADA's infrastructure requirements.

2. Frontier AI Compute Support (Articles 8 and 9)

While CADA does not change compliance burdens, it offers significant operational benefits for GPAI providers developing "frontier AI" technologies. CADA establishes a mechanism to support "frontier AI priority projects" to ensure the EU retains competitive capabilities in advanced AI, addressing the capacity gap identified in the proposal.

Article 8 of the CADA proposal sets out the criteria for the Commission to recognise a project as a "frontier AI priority project." To qualify, a project must:

  • Be a pioneering project focused on the support and scaling-up of frontier AI technologies.
  • Be undertaken by a European digital infrastructure consortium (EDIC) established under Decision (EU) 2022/2481, or another legal entity eligible for funding under Union law.
  • Involve the participation of at least three Member States.
  • Demonstrate that participating Member States pool computing time and other relevant resources to support the project.

Article 9 mandates the allocation of AI computing resources to these recognised projects. The Union and Member States are required to ensure that sufficient AI computing resources are allocated from their compute capacities to support these frontier AI priority projects. Crucially, the Union shall "at least match" the AI computing resources contributed by Member States to these projects, within the limits of available European High Performance Computing (EuroHPC) capacity.

For GPAI providers, this creates a pathway to access subsidised or prioritised compute capacity for training frontier models, provided they structure their projects to meet the collaborative and strategic criteria outlined in Article 8. This is a supply-side incentive designed to reduce dependencies on third-country compute resources, distinct from the regulatory obligations of the AI Act.

3. Hosting Public-Sector Workloads: Sovereignty Assurance Levels

The most significant operational impact of CADA on GPAI and cloud providers arises when their services are used by the public sector. CADA introduces a "Union cloud computing sovereignty framework" with four assurance levels. This framework is triggered not by the nature of the AI model itself, but by the identity of the customer (public vs. private) and the criticality of the workload.

Under Article 29, Member States and Union entities must conduct risk assessments to determine which public-sector activities require higher levels of sovereignty assurance. Article 30 then dictates procurement rules:

  • Minimum Baseline: All public-sector bodies must procure cloud computing services that have been recognised as offering at least Union Assurance Level 1.
  • Public Order Relevance: If a risk assessment determines that a public-sector activity contributes to the preservation of public order (e.g., national security, internal security, external border management, defence, justice, or law enforcement), contracting authorities must only procure services recognised as offering Union Assurance Levels 2, 3, or 4.

For a GPAI provider or the cloud service provider hosting their models, this means that offering services to the EU public sector requires formal recognition under CADA's sovereignty framework. A provider cannot simply claim compliance with the AI Act; they must also demonstrate compliance with the specific technical, organisational, and geopolitical criteria of the relevant Union Assurance Level (set out in CADA Annex II).

For example, to achieve Union Assurance Level 2 or higher, providers must ensure that:

  • Infrastructure, assets, and personnel are located in the Union.
  • Customer data remains exclusively within the Union.
  • There is no effective control by a third country that could compromise service continuity or data confidentiality.
  • The service obtains a European cybersecurity certificate of at least assurance level "substantial" (for Levels 2 and 3) or "high" (for Level 4).

If a GPAI provider's model is hosted on infrastructure that does not meet these sovereignty criteria, they may be excluded from public-sector contracts, regardless of their AI Act compliance. The procurement rules in Article 30 are mandatory for contracting authorities whose activities have been identified as contributing to public order.

What this means for you

For cloud service providers, data-centre operators, and GPAI providers hosting on EU infrastructure, the distinction between AI safety and cloud sovereignty is critical. You must manage two parallel, non-overlapping compliance tracks:

  1. Maintain AI Act Compliance: Continue to monitor your downstream customers (GPAI providers) for their AI Act obligations. Recognise that CADA does not relieve them of these duties. Your role as a host does not transfer the AI Act liability to you, but you must ensure your platform allows for the necessary transparency, logging, and data governance required by the AI Act.
  2. Pursue Sovereignty Recognition: If you aim to serve the public sector, you must apply for recognition under CADA's Union Assurance Levels. This involves independent audits (for Levels 2–4) or self-assessment (for Level 1). Ensure your infrastructure, supply chain, and corporate control structures meet the strict criteria in CADA Annex II, particularly regarding third-country control, data localisation, and personnel location.
  3. Leverage Compute Incentives: If you are involved in frontier AI development, explore the criteria in CADA Article 8. Structuring your projects as cross-border consortia involving at least three Member States could unlock matched compute resources from the EuroHPC capacity, significantly reducing training costs for frontier models. This is a strategic opportunity, not a regulatory mandate.

Common misconceptions

"CADA replaces the AI Act for GPAI providers." No. CADA and the AI Act address different risks. The AI Act addresses safety, fundamental rights, and transparency of the model. CADA addresses sovereignty, capacity, and market resilience of the infrastructure. They apply cumulatively. A provider must comply with both if they operate in the EU and serve the public sector.

"If I comply with the AI Act, I can automatically host public-sector AI workloads." No. AI Act compliance is insufficient for public-sector procurement under CADA. You must also achieve formal recognition under the CADA sovereignty framework (Union Assurance Levels 1–4). Public-sector bodies are legally barred from procuring services that do not meet the required assurance level for their specific risk profile, as determined by the risk assessment under Article 29.

"Frontier AI compute support is guaranteed for all large models." No. Support under CADA Articles 8 and 9 is not automatic. Projects must be recognised as "frontier AI priority projects" by the Commission, which requires meeting strict criteria including broad multi-national participation (at least three Member States), strategic relevance, and pooling of resources.

"CADA only affects cloud providers, not AI model developers." While CADA primarily targets cloud providers, AI model developers who host their models on public-sector clouds or who seek to participate in frontier AI priority projects are directly affected. They must ensure their hosting environment meets the relevant assurance levels and may need to structure their projects to qualify for compute support.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.