Summary As proposed, the Cloud and AI Development Act (CADA) does not explicitly mandate that funding be awarded exclusively to European cloud providers. However, its structural design creates a powerful market environment that strongly incentivises the uptake of sovereign, EU-based services. The proposal aims to promote "open European alternatives" across the technology stack and uses demand-side measuresβsuch as mandatory sovereignty assurance levels for public procurementβto drive market share toward providers meeting strict Union criteria. Crucially, all financial support and procurement activities remain subject to existing State aid rules and the principle of non-discrimination, ensuring that any preferential treatment is legally justified by security and sovereignty objectives rather than arbitrary nationality-based preference.
Detail
The Cloud and AI Development Act, proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A central pillar of this framework is addressing the Union's heavy reliance on third-country providers, which currently control over 70% of the European cloud market. While CADA does not create a new, standalone EU funding pot with explicit nationality-based quotas, it leverages existing Union funding programmes and public procurement rules to create a market environment that favours providers capable of meeting high levels of Union assurance.
Promoting Open European Alternatives
The proposal places a specific focus on open source and open standards as a lever to boost technological sovereignty, in line with the EU Open Source Strategy. Recital 15 states that the Cloud and AI Leadership Initiatives should "promote the development of technologies relying on open standards, open specifications and open source and foster the development of innovative, competitive and resilient cloud and AI technologies." This includes fostering work on open standards and creating open-source software foundations to support the design, development, and maintenance of open-source components. By prioritising open, interoperable solutions, the framework reduces vendor lock-in and lowers barriers for European providers to compete with incumbent hyperscalers.
Furthermore, Article 41 explicitly requires the Union and Member States to "encourage Union entities and public sector bodies to use and facilitate the reuse of open standards and components released under an open source licence when building their cloud and AI ecosystem or stack." This creates a demand-side pull for European open-source solutions, which are often developed by EU-based entities, thereby indirectly favouring providers who contribute to or rely on these ecosystems.
Funding Routes and Union Programmes
CADA's supply-side measures, particularly the Cloud and AI Leadership Initiatives, are designed to be supported by funding from Union programmes such as Horizon Europe and the Digital Europe Programme, as well as the InvestEU Programme (Recital 28). These initiatives target "grand challenges" such as developing European open cloud stacks and advancing frontier AI capabilities (Article 6). While these programmes are generally open to competition, their operational objectivesβsuch as supporting the development of cloud computing stacks that support the Union's technological autonomy (Article 4(2))βnaturally align with projects led by or in close partnership with European entities.
The proposal also highlights the potential for support through the European Competitiveness Fund (ECF) and Innovative Partnership for Critical Energy Infrastructure (IPCEI) frameworks, which often involve cross-border collaboration among Member States and private investors to build strategic capacity. Recital 43 notes that data centre strategic projects designated by the Commission "should be granted the competitiveness seal where they fulfil the conditions set out in Regulation (EU) 2026/XXX [on establishing the European Competitiveness Fund] (ECF), as high-quality projects that contribute to the objective of the European Competitiveness Fund." This linkage ensures that funding flows toward projects that directly address the Union's capacity gaps and sovereignty goals.
Demand-Side Measures and Sovereignty Assurance
The most significant mechanism favouring European or sovereign providers is the demand-side pressure created by the Union cloud computing sovereignty framework. Article 16 establishes four Union assurance levels, with criteria detailed in Annex II. To achieve higher assurance levels (particularly Levels 3 and 4), providers must demonstrate that their infrastructure, assets, and personnel are located in the Union, and that they are not subject to the control of third countries (Annex II, Sections 3 and 4).
Article 30 mandates that contracting authorities whose activities contribute to the preservation of public order (e.g., in sectors covered by NIS2, defence, or justice) must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4. Since meeting these criteria often requires EU establishment and operational independence from third-country laws, this effectively creates a protected market segment for providers that can demonstrate these sovereignty attributes.
Furthermore, Article 32 requires contracting authorities to include "Union added value" as a non-price award criterion in public procurement for innovative cloud and AI services. This criterion allows authorities to evaluate tenders based on the tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union. Article 32(3) specifies that this includes evaluating the extent to which the tenderer "contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union" and "has integrated technologies developed in the Union."
State Aid and Non-Discrimination Constraints
Crucially, CADA operates within the existing EU legal framework for State aid and competition law. Recital 89 explicitly states: "If any of the measures provided for by this Regulation constitute State aid, the provisions concerning such measures are without prejudice to the application of Articles 107 and 108 TFEU." This means that while the Commission may support strategic projects, such as data centre strategic projects designated under Article 14, any public funding must comply with State aid rules. Member States must ensure that support measures address market failures proportionately without unduly distorting competition.
Moreover, Recital 64 emphasises that the Union maintains an "open and non-discriminatory framework for market access, in accordance with the TFEU and subject to international commitments." Restrictions on access to public procurement are permitted only where necessary and proportionate to protect public order, such as preventing unauthorised access to Union data or service disruption by third-country actors. Therefore, any preference for European providers must be justified by these specific security and sovereignty risks, not merely by origin. The proposal ensures that "contracting authorities whose activities have been identified on the basis of the Member State risk assessment should therefore procure only the cloud computing service providing the appropriate level of assurance between levels 2 and 4" (Recital 64), grounding these restrictions in objective risk assessments rather than nationality.
What this means for you
For cloud service providers and data centre operators, CADA's approach means that "being European" is less about corporate headquarters and more about operational sovereignty and compliance with Union assurance criteria.
- Sovereignty as a Competitive Advantage: If you are a provider established in the EU, you are well-positioned to meet the criteria for Union assurance levels. You should prepare for independent third-party audits (for Levels 2β4) to demonstrate compliance with Annex II criteria, such as data localisation, personnel location, and absence of third-country control. Achieving these recognitions will be essential for accessing the lucrative public sector market, which is mandated to procure only from recognised providers for sensitive activities.
- Leveraging Union Added Value: In public tenders, you can differentiate your offer by highlighting your contribution to the European digital supply chain. This includes using EU-designed hardware, integrating technologies developed in the Union, or contributing to open-source European cloud stacks. Documenting these contributions will allow you to score higher on the "Union added value" criterion introduced in Article 32.
- State Aid Compliance: If you are seeking public funding for data centre projects or infrastructure, be prepared for rigorous State aid scrutiny. Support measures must be proportionate and address specific market failures. Ensure that your applications clearly demonstrate how the project contributes to Union strategic goals, such as filling capacity gaps or enhancing security, to justify public support.
- Open Source Participation: Engaging with open-source initiatives and contributing to European open cloud stacks can enhance your market position. The proposal encourages the creation of open-source software foundations and catalogues, providing opportunities for smaller EU providers to compete on quality and innovation rather than just scale.
Common misconceptions
Misconception 1: CADA bans non-European cloud providers. This is incorrect. CADA does not impose a blanket ban on third-country providers. Instead, it creates a tiered sovereignty framework. Non-European providers can still operate in the EU, particularly for non-critical public sector activities (Union assurance level 1) or private sector clients. However, for high-security public sector use cases (levels 2β4), the criteria are so stringent regarding data localisation and control that they effectively limit eligibility to providers with substantial EU operational independence.
Misconception 2: All EU funding under CADA is reserved for EU companies. CADA does not create a closed funding pool exclusive to EU nationals. Funding from Union programmes like Horizon Europe or the Digital Europe Programme is generally open to competition, provided applicants meet specific eligibility criteria. While the objectives favour EU capacity building, the selection processes must adhere to EU procurement and State aid rules, which prohibit arbitrary discrimination. Preference is given based on technical merit and alignment with sovereignty goals, not solely on nationality.
Misconception 3: "European provider" means any company with an EU office. Under CADA's sovereignty framework, simply having an office in the EU is insufficient for higher assurance levels. Annex II criteria require that infrastructure, assets, and personnel be located in the Union, and that the provider is not subject to the control of a third country. This means that a US-based hyperscaler with EU data centres may still fail to meet Level 3 or 4 criteria if its parent company is subject to third-country laws that could compel data access or service disruption.
Related
- Who decides which CADA projects get funding? Commission vs Member States
- IPCEI-CIS and CADA: How EU Funding Powers Sovereign Cloud
- GBER and CADA: How State Aid Exemptions Apply to Cloud & AI Funding
- What is the European Competitiveness Fund and how does CADA use it?
- What is the capacity gap and how does it trigger funding under CADA?
This is general information about a draft EU regulation, not legal advice.