Summary
As proposed, the Cloud and AI Development Act (CADA) is explicitly designed to be complementary to, not conflicting with, existing EU legislation such as the AI Act, GDPR, Data Act, NIS2, and the Digital Markets Act. The proposal harmonises sovereignty and sustainability standards to remove internal market barriers, while respecting the specific scopes of adjacent laws. However, significant legal tensions exist between the EU's general principle of free data flow and CADA's strict data localisation requirements for high-sovereignty tiers. Additionally, CADA leverages the public-order exception in the WTO Agreement on Government Procurement (GPA) to justify restricting public procurement to sovereign services, ensuring compliance with international trade commitments.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a framework to strengthen Europe's cloud and AI ecosystem. A central legal design principle of CADA is consistency and complementarity with the existing EU regulatory landscape. The proposal does not seek to replace or contradict instruments like the AI Act, GDPR, Data Act, NIS2, or the Digital Markets Act (DMA); rather, it fills specific gaps—particularly regarding sovereignty, operational continuity, and supply-side capacity—that those instruments do not address.
Complementarity with Existing Instruments
CADA is drafted to operate alongside several key pieces of EU legislation, as detailed in the Explanatory Memorandum and Recitals:
- The Data Act: CADA is consistent with the Data Act's rules on switching between data processing services. While the Data Act removes vendor lock-in and enables multi-cloud approaches, it "does not contain elements to shape up a more competitive offer of European cloud computing services." CADA complements this by building the road towards a more sovereign and trusted EU cloud computing sector.
- The Digital Markets Act (DMA): The DMA covers cloud computing services as core platform services for gatekeepers, focusing on fairness and market contestability. CADA operates at a different level, focusing on the "uptake and use of the services provided" to promote sovereign cloud adoption. The two acts can apply simultaneously to large providers without conflict.
- The AI Act: The AI Act harmonises rules for AI systems to ensure safety and fundamental rights but "does not cover aspects of sovereignty." CADA reinforces the AI Act's objectives by ensuring that the cloud infrastructure underpinning AI development and deployment is resilient and sovereign.
- NIS2 and Cybersecurity Act: NIS2 improves cybersecurity risk management for cloud providers but is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." CADA complements this by addressing broader sovereignty considerations, such as data confidentiality and operational autonomy. The proposal also aligns with the European Cybersecurity Certification Scheme for Cloud Services (EUCS), leveraging it to ensure audited services meet high cybersecurity standards within the sovereignty framework.
- GDPR and Data Privacy Framework: CADA is fully compatible with the GDPR. While the GDPR and the EU-US Data Privacy Framework address data transfers, they "do not remove sovereignty concerns about dependence on third-country providers." CADA complements these by ensuring data remains under effective EU supervision and operational autonomy.
Tension Point: Free Flow of Data vs. Sovereignty Localisation
A primary area of legal tension in CADA is the balance between the EU's fundamental principle of free data flow and the proposal's strict data localisation requirements for high-assurance cloud services.
Recital 64 of the CADA proposal explicitly states that "the free flow of data within the Union is an essential condition for the proper functioning of the internal market." It asserts that Member States must ensure data is not confined to the territory of a single Member State and may be stored and processed across the Union without unjustified restrictions.
However, the proposal simultaneously establishes a sovereignty framework (Articles 16–24) that requires data to remain exclusively within the Union for services offering Union assurance levels 1 through 4. For Union assurance levels 2, 3, and 4, Annex II mandates that "customer data, including metadata and telemetry data... remain exclusively within the Union unless the public sector body explicitly requires otherwise."
This creates a potential friction point with national laws that might impose stricter data localisation within a single Member State. CADA aims to prevent this by establishing a harmonised EU-wide standard, thereby preventing a "fragmentation of the internal market" where divergent national sovereignty criteria hinder providers from operating seamlessly across borders. The proposal seeks to reconcile sovereignty needs with the single market's requirement for cross-border data mobility by ensuring data flows freely within the Union, even if it cannot leave it.
WTO GPA and Public Procurement Restrictions
CADA introduces significant changes to public procurement by requiring contracting authorities to procure cloud services based on their sovereignty assurance level. Article 30 mandates that Union entities and public sector bodies whose activities contribute to the preservation of public order must only procure cloud computing services recognised as having Union assurance levels 2, 3, or 4. For other public sector activities, a minimum of Union assurance level 1 is required.
This restriction raises questions regarding the EU's international trade commitments, specifically the World Trade Organization Agreement on Government Procurement (WTO GPA). The GPA generally prohibits discrimination against foreign suppliers in public procurement. However, CADA relies on the public-order exception under Article III:2(a) of the WTO GPA.
Recital 64 clarifies this legal basis, stating that "where necessary and in duly justified circumstances, the Union retains the right, in accordance with Article III:2(a) of the WTO GPA, to adopt or maintain measures necessary to protect public morals, order or safety." The proposal argues that identifying and addressing risks such as critical dependencies, unauthorised access to Union data, technology leakage, sabotage, and espionage by third-country actors is fundamental for preserving Union public order. Therefore, restricting procurement to services that meet specific sovereignty criteria is a necessary and proportionate measure under the WTO GPA's public-order exception.
Risk Assessments and Proportionality
To ensure that sovereignty requirements do not disproportionately restrict the market, CADA introduces a risk assessment mechanism. Article 29 requires Member States and Union entities to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which Union assurance level (2, 3, or 4) is appropriate for specific activities.
This risk-based approach ensures that the highest levels of assurance (and thus the strictest localisation and control requirements) are only applied where necessary. For example, defence, national security, and law enforcement activities may require Union assurance levels 3 or 4, which impose strict criteria on personnel citizenship, infrastructure location, and absence of third-country control. In contrast, less sensitive public sector activities may only require Union assurance level 1. This tiered system is designed to be proportionate, limiting the impact on the free flow of data and market access to only those areas where public order is at risk.
The Third-Country Derogation Mechanism
A critical nuance in the sovereignty framework concerns non-EU providers. CADA does not ban non-EU providers outright. Annex II, Section 3.1(g) (Union assurance level 3) states that a provider subject to the control of a third country "may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18."
Article 18 ("Associated third countries") empowers the Commission to adopt decisions identifying third countries that provide sufficient assurances (e.g., via an adequacy decision and absence of conflicting laws). This mechanism allows for a derogation from the general prohibition on third-country control for Level 3, provided the specific third country is formally recognised by the Commission. This is distinct from Level 4, which generally requires no third-country control.
What this means for you
For in-house counsel and compliance officers, understanding the interplay between CADA and existing laws is critical for several reasons:
- Procurement Compliance: You must align your cloud procurement strategies with Article 30. If your organisation is a contracting authority or a private entity in a high-criticality sector (as defined in Article 31), you must conduct risk assessments under Article 29 to determine the required Union assurance level. Failure to procure from recognised providers could result in non-compliance.
- Data Architecture: Review your data flow architectures. If you provide cloud services to the public sector, you must ensure that data for Union assurance levels 2–4 remains exclusively within the EU. This may require significant technical changes, such as disabling cross-border data replication for certain workloads or ensuring that subcontractors also comply with localisation rules.
- International Trade Defences: If you are a non-EU provider, understand that CADA's restrictions are justified under the WTO GPA public-order exception. Challenging these restrictions on trade grounds may be difficult, as the EU has explicitly linked them to public order and security. Focus instead on meeting the criteria for Union assurance level 3, which allows for third-country providers if the Commission has adopted an implementing act recognising the third country as providing sufficient assurances (Article 18).
- Penalties and Enforcement: Member States must lay down penalties for infringements of the sovereignty framework (Article 24). These penalties must be "effective, proportionate and dissuasive." Compliance officers should monitor national implementations of these penalty regimes, as they will vary by Member State.
Common misconceptions
- Misconception: CADA replaces the GDPR or AI Act.
- Reality: CADA is complementary. The GDPR continues to govern personal data processing, and the AI Act continues to govern AI safety and fundamental rights. CADA adds a layer of sovereignty and operational autonomy requirements.
- Misconception: CADA bans all non-EU cloud providers.
- Reality: CADA does not ban non-EU providers outright. It establishes a sovereignty framework where non-EU providers can qualify for Union assurance level 3 if the Commission adopts an implementing act recognising their home country as providing sufficient safeguards (Article 18). However, for the highest assurance levels (3 and 4), the criteria are stringent and often difficult for non-EU providers to meet without specific Commission decisions.
- Misconception: CADA violates the WTO GPA.
- Reality: CADA explicitly relies on the public-order exception in the WTO GPA (Article III:2(a)). The proposal argues that protecting against critical dependencies and unauthorised data access is a matter of public order, making the procurement restrictions legally defensible.
- Misconception: Data must stay in one Member State.
- Reality: Recital 64 explicitly states that data must not be confined to a single Member State. CADA aims to harmonise sovereignty criteria across the EU to prevent fragmentation, allowing data to flow freely within the Union while keeping it out of third countries.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.