Summary

No. As proposed, the Cloud and AI Development Act (CADA) does not change, amend, or replace your obligations under the General Data Protection Regulation (GDPR). The Commission states the proposal is consistent with existing data-protection rules, and nothing in CADA would alter the legal basis for processing personal data. You would have to comply with both regimes at once: the GDPR governs the lawful processing of personal data, while CADA's proposed sovereignty framework addresses operational autonomy, data confidentiality, and public-order risks that go beyond data protection. Importantly, meeting a CADA "Union assurance level" would not exempt you from the GDPR, and GDPR compliance would not by itself earn you an assurance level.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, aims to strengthen Europe's cloud and AI ecosystem by addressing strategic dependencies and reinforcing the Union's resilience and strategic autonomy (Article 1). A common concern among cloud service providers and data centre operators is whether this new layer conflicts with or supersedes the GDPR. The proposal is clear that it would not.

CADA would be consistent with, not a replacement for, the GDPR

The Explanatory Memorandum accompanying the proposal states that it "is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework." It adds that, while the EU-US Data Privacy Framework "addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers," so CADA "complements" that framework because "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."

CADA would introduce a "Union cloud computing sovereignty framework" comprising four Union assurance levels, with the criteria set out in Annex II (Article 16). Those criteria include data localisation, personnel requirements, third-country control, and cybersecurity. Meeting them would not displace your GDPR obligations, and being GDPR-compliant would not automatically grant any assurance level.

How the two regimes would apply at the same time

Cloud providers would have to navigate two distinct but overlapping sets of requirements:

  1. GDPR (data protection): the rights of data subjects, lawful bases for processing, data minimisation, and the conditions under which personal data may be transferred to third countries (for example, adequacy decisions or appropriate safeguards such as Standard Contractual Clauses).
  2. CADA (sovereignty and public order): as proposed, the resilience of the cloud supply chain, preventing unauthorised third-country access to data, and ensuring operational continuity and autonomy.

For example, under CADA's Union assurance level 1, customer data (including metadata and telemetry) processed, stored, and transferred by the provider and its subcontractors would have to "remain exclusively within the Union, unless the public sector body explicitly requires otherwise" (Annex II, point 1.1(c)). That is a stricter residency rule than the GDPR, which permits transfers outside the EU where appropriate safeguards are in place. So if you serve public-sector clients at a CADA assurance level, you could be required to keep data in the EU even where the GDPR would legally permit a transfer.

GDPR obligations would remain independent of the assurance levels

Recital 63 of the proposal states that the criteria under the Union assurance levels "should not affect obligations of cross-border cooperation provided by Union law." It also notes that where cloud computing services are used to process personal data, the GDPR "provides for an obligation to agree on organisational and technical measures" (in practice, data processing agreements), and that where the provider relies on subcontractors, "the same agreements apply to the subcontractors." Recital 63 adds that specific technical and organisational measures required under CADA "could be foreseen in the mandatory agreements" under the GDPR and "could be relied on to demonstrate that the necessary Union assurance levels are met." In other words, you could use your GDPR agreements as a vehicle for CADA measures, but you could not use CADA compliance to bypass the GDPR.

Public-sector risk assessments and the GDPR

Under Article 29, Member States and Union entities would carry out risk assessments to identify which public-sector activities preserve public order and to determine which Union assurance level (2, 3, or 4) is appropriate. Those assessments would consider, among other things, "the sensitivity, criticality, and magnitude of the non-personal data processed" and "the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects." This process would inform procurement decisions (Article 30), but it would not change the legal basis for processing personal data under the GDPR. The GDPR would remain the instrument protecting individual rights, while CADA would act as a procurement and operational filter for public-sector resilience.

What this means for you

For cloud service providers and data centre operators, the practical implication, as proposed, is dual compliance. You could not treat CADA and the GDPR as interchangeable or hierarchical.

  • Contractual alignment: Review your data processing agreements with public-sector clients. As proposed, CADA's technical and organisational measures could be folded into those agreements, including clauses that restrict data transfers or subcontracting beyond standard GDPR requirements.
  • Data residency vs transfer safeguards: Pursuing a Union assurance level would require strict data localisation within the EU (Annex II), which is stricter than the GDPR's safeguard-based transfer regime. You would need to technically isolate EU-bound data from global infrastructure that might be exposed to third-country laws.
  • Subcontractor oversight: Under both the GDPR and CADA as proposed, you remain responsible for your subcontractors. Annex II level 1 requires "full transparency around the use of subcontractors," plus due diligence, contractual obligations, and ongoing oversight. Ensure supply-chain audits cover both data-protection standards and CADA's sovereignty criteria.
  • Public-sector procurement: Public buyers would use the Article 29 risk assessments to decide which assurance level to procure. Where an activity is identified as contributing to public order, they would be required to procure services recognised at Union assurance level 2, 3, or 4 (Article 30(3)). Winning those contracts would depend on meeting the sovereignty criteria, not just GDPR compliance.

Common misconceptions

Misconception 1: "If I am GDPR-compliant, I automatically meet CADA's sovereignty requirements." Reality: No. The GDPR allows transfers to third countries with appropriate safeguards; CADA's assurance levels would require customer data to remain exclusively within the Union and, at the higher levels, that the provider not be subject to third-country control (Annex II). GDPR compliance would be a baseline, not a substitute for assurance.

Misconception 2: "CADA would remove the need for data processing agreements." Reality: No. Recital 63 confirms the GDPR obligation to agree organisational and technical measures would remain. CADA measures could be integrated into those agreements, but the agreement itself would still be required for any processing of personal data.

Misconception 3: "CADA only applies to personal data." Reality: No. The proposed sovereignty framework covers both personal and non-personal data. Article 29 requires risk assessments to weigh the sensitivity, criticality, and magnitude of non-personal data as well, and the assurance-level criteria in Annex II protect customer data generally.

Misconception 4: "GDPR transfer mechanisms like SCCs are enough for CADA compliance." Reality: No. As proposed, CADA addresses risks the GDPR transfer mechanisms do not fully cover, such as the risk of service disruption or third-country control. The assurance levels would require specific measures to prevent third-country access and ensure continuity, which go beyond the legal safeguards of SCCs.

This is general information about a draft EU regulation, not legal advice.