Summary

No, the proposed Cloud and AI Development Act (CADA) does not amend the General Data Protection Regulation (GDPR) or alter existing controller and processor obligations. As proposed, CADA establishes a separate framework for cloud sovereignty and public procurement that operates on top of existing data protection rules. You must continue to comply with all GDPR requirements (including data processing agreements, legal bases, and impact assessments) while simultaneously meeting CADA's new "Union assurance levels" for public sector cloud services. The two regimes are complementary, not overlapping.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to address strategic dependencies, data sovereignty, and the resilience of the EU's cloud infrastructure. A critical question for legal and compliance teams is whether this new instrument supersedes or modifies the GDPR (Regulation (EU) 2016/679). The answer is unequivocally no. CADA and the GDPR are distinct legal instruments with different policy objectives, and the CADA proposal explicitly preserves the full applicability of EU data protection law.

CADA Does Not Amend the GDPR

CADA contains no provisions that repeal, amend, or override the GDPR. The explanatory memorandum of the proposal states that it is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR)." This consistency is not merely aspirational; it is legally embedded in the text.

Recital 63 of the CADA proposal clarifies the relationship: "Where cloud computing services are used to process personal data, Regulation (EU) 2016/679 provides for an obligation to agree on organisational and technical measures to comply with that Regulation." This confirms that the fundamental GDPR obligations, such as establishing a lawful basis for processing, ensuring data minimization, respecting data subject rights, and maintaining security, remain fully in force and unchanged. CADA does not create a "sovereignty exemption" from GDPR rules; rather, it adds a layer of structural requirements regarding where and by whom data is processed, which must be satisfied in addition to GDPR compliance.

Existing Controller and Processor Duties Continue Unchanged

Your legal roles as a data controller or processor under the GDPR are not affected by CADA. If you are a cloud provider processing personal data on behalf of a public sector body, you remain a processor under the GDPR. Your core duties persist:

  • Instruction: You must process data only on documented instructions from the controller.
  • Security: You must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assistance: You must assist the controller in fulfilling obligations regarding data subject rights, breach notifications, and Data Protection Impact Assessments (DPIAs).
  • Agreements: You must conclude a Data Processing Agreement (DPA) that meets the strict requirements of Article 28 of the GDPR.

CADA does not replace the DPA. Instead, it may necessitate additional clauses or specific technical measures to meet the "Union assurance levels" defined in Annex II. These sovereignty requirements must be layered onto your existing GDPR-compliant contracts. For instance, a DPA might need to explicitly guarantee that no third-country personnel access the infrastructure, a requirement driven by CADA's assurance criteria but enforced through the GDPR's contractual framework.

CADA Adds Sovereignty-Tier and Procurement Duties

While CADA leaves GDPR obligations intact, it introduces a new, parallel framework for "Union assurance levels" (Article 16) and mandates specific risk assessments for public sector procurement (Article 29). These are additive requirements that focus on the sovereignty of the infrastructure rather than the privacy of the data.

  • Sovereignty Assurance Levels: Under CADA, cloud services are categorized into four assurance levels based on criteria such as data localization, personnel citizenship, and the absence of third-country control (Annex II). For example, Union Assurance Level 3 requires that customer data remain exclusively within the Union and that personnel involved in service provision are Union citizens. These are technical and operational requirements that sit alongside, but do not replace, GDPR security requirements. A provider can be GDPR-compliant (securing data effectively) but fail CADA Level 3 (because a non-EU citizen has access to the admin console).
  • Procurement and Risk Assessments: Article 29 of the CADA proposal obliges Member States and Union entities to carry out risk assessments to determine which Union assurance level is appropriate for their public sector activities. If an activity is deemed to contribute to the preservation of public order (e.g., national security, law enforcement, justice), the contracting authority must procure cloud services that meet at least Union Assurance Level 2, 3, or 4 (Article 30). This is a procurement rule, not a data protection rule, but it dictates which providers can be used for specific workloads.

Interaction with GDPR Impact Assessments

Recital 63 of the CADA proposal notes that specific technical and organizational measures required by CADA to ensure personal data is processed in line with the regulation "could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679." This suggests that CADA requirements may be integrated into your GDPR Data Processing Agreements.

Furthermore, when conducting a Data Protection Impact Assessment (DPIA) under GDPR Article 35, you should consider the sovereignty risks identified in the CADA risk assessment process. Risks related to extraterritorial data access (e.g., from third-country laws like the US CLOUD Act) can impact the security and rights of data subjects. Therefore, the CADA risk assessment (Article 29) and the GDPR DPIA (Article 35) are distinct but complementary processes. The former determines the sovereignty tier required for the service; the latter assesses the privacy risk to individuals. Both must be addressed.

What this means for you

For in-house counsel, compliance officers, and data protection officers (DPOs), the practical implication is the management of two parallel, non-overlapping compliance tracks.

  1. Maintain GDPR Compliance: Do not assume that meeting CADA sovereignty criteria exempts you from GDPR obligations. You must still maintain valid DPAs, honor data subject requests, and report breaches within 72 hours where applicable. CADA compliance is not a substitute for GDPR compliance.
  2. Map CADA Assurance Levels to Workloads: Identify which of your cloud workloads are considered "public order" relevant under Article 29 of the CADA proposal. For these workloads, you will need to procure or provide services that meet the specific Union Assurance Levels (e.g., Level 3 or 4). This may require stricter data localization and personnel screening than the GDPR mandates.
  3. Update Contracts: Review your cloud contracts to ensure they include both GDPR-compliant DPA clauses and the additional technical/organizational measures required by the relevant CADA assurance level. For instance, a contract for a Level 3 service might need explicit guarantees that no third-country personnel have access to the infrastructure, a requirement not found in the GDPR but essential for CADA.
  4. Prepare for Risk Assessments: Public sector bodies must conduct risk assessments under Article 29 to determine the required assurance level. Private sector entities in critical sectors (listed in Annex I of the NIS2 Directive) may also conduct similar impact assessments (Article 31). Ensure your cloud providers can supply the evidence needed for these assessments, such as software bills of materials (SBOMs), proof of data residency, and certifications of personnel citizenship.

Common misconceptions

"CADA replaces the GDPR for cloud services." No. CADA addresses sovereignty, operational autonomy, and market fragmentation. The GDPR addresses fundamental rights and privacy. They operate in parallel. CADA explicitly states it is without prejudice to the GDPR.

"If a cloud provider is GDPR-compliant, it is automatically CADA-compliant." No. GDPR compliance does not guarantee sovereignty. A provider may be GDPR-compliant (securing data effectively) but still subject to third-country laws that allow data access (e.g., the US CLOUD Act). CADA's assurance levels specifically target these extraterritorial risks, requiring measures like data localization and exclusion of third-country control that go beyond GDPR requirements.

"CADA changes the definition of a processor." No. Your legal role under the GDPR remains unchanged. CADA introduces the concept of "Union assurance levels" for services, but this is a procurement and certification status, not a change to your data protection role.

This is general information about a draft EU regulation, not legal advice.