Does CADA help reduce EU dependence on non-EU cloud and AI?

Summary Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly aims to reduce the EU's critical dependence on non-European cloud and AI providers. The proposal establishes the Cloud and AI Leadership Initiatives to bridge the gap between research and large-scale deployment, specifically targeting technological autonomy to safeguard public order and economic security. By mandating the development of sovereign European cloud stacks and leveraging public procurement to drive uptake, CADA would create a regulatory and market environment designed to shift reliance away from third-country hyperscalers.

Detail

The Cloud and AI Development Act (CADA) is built on the premise that the EU's current reliance on a limited pool of third-country cloud providers poses significant risks to its economic security, sovereignty, and resilience. The explanatory memorandum highlights a stark trend: while the EU market for cloud computing is growing, the market share of EU providers decreased from 29% in 2017 to 15% in 2022 and has remained stagnant. Currently, three non-EU hyperscalers control over 70% of the European cloud market. This dependence exposes European users to risks related to operational discontinuity and extraterritorial laws that may conflict with EU fundamental rights and data protection frameworks.

To address this structural vulnerability, CADA introduces the Cloud and AI Leadership Initiatives. These initiatives are not merely funding mechanisms but a coordinated framework designed to strengthen the Union's technological base and reduce external dependencies.

Developing Autonomous Cloud Stacks

A central pillar of this strategy is found in Article 4(2), which outlines operational objective 2. This objective mandates the support for the development and deployment of cloud computing stacks that support the Union's technological autonomy. The proposal requires initiatives to:

• Develop and pilot secure, resilient, and performant open cloud computing stacks covering on-device edge, connectivity, data, and AI tools for strategic sectors.
• Develop AI-optimized servers and baseline software based on processors, accelerators, and quantum accelerators designed and manufactured in the Union.
• Boost data availability for AI via open-source middleware platforms underpinning common European data spaces.
• Foster the creation of open-source software foundations supporting open-source components.

By focusing on "open cloud computing stacks" and hardware designed in the Union, CADA seeks to create credible European alternatives that are not subject to the same geopolitical vulnerabilities as third-country infrastructure. The goal is to ensure that the underlying software and hardware layers of the cloud ecosystem are developed and controlled within the Union, thereby reducing the risk of supply chain disruption or unauthorized access.

Promoting the Uptake of European Providers

Developing technology is insufficient without market adoption. Article 4(8)(a) addresses this by setting an operational objective to promote the broad adoption of AI by private and public sector organizations, including SMEs and small mid-caps (SMCs), through the network of Experience and Acceleration Centres for AI (Centres for AI). The proposal aims to ensure that cloud adoption is consistent with the objective of strengthening the Union's technological autonomy, particularly in sectors involving critical data, such as healthcare and education.

Furthermore, the proposal leverages public procurement to drive this shift. Member States are required to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. For activities identified as high-risk, contracting authorities must procure cloud services that meet specific "Union assurance levels," which are designed to ensure data sovereignty and operational autonomy. This creates a guaranteed demand for European providers who can meet these stringent sovereignty criteria, effectively using the public sector's purchasing power to reshape the market.

The Strategic Autonomy Rationale

The explanatory memorandum frames these measures as essential for regaining control over data and cloud computing services. It cites Mario Draghi's report on European competitiveness, which calls for reducing critical external dependencies by strengthening homegrown cloud and AI capabilities. The proposal argues that computing infrastructures are no longer mere technical assets but strategic resources critical to the Union's economic security.

The memorandum explicitly states that the proposal aims to:

1. Increase computing capacity and AI developed and deployed in the EU.
2. Ensure attractive conditions for the deployment of sustainable and innovative computing capacity.
3. Address concerns regarding data sovereignty and operational continuity.
4. Help protect public order by making the supply of cloud computing services more resilient.

By establishing a harmonized sovereignty framework and supporting the deployment of domestic capacity, CADA aims to ensure that the EU is not just a consumer of advanced digital technologies but a global hub for trusted, sovereign, and scalable digital infrastructure.

What this means for you

For public-sector procurement officers, cloud providers, and strategic planners, CADA introduces a structured approach to evaluating cloud and AI suppliers based on sovereignty and risk, rather than just price and performance.

1. Mandatory Risk Assessments

You will be required to carry out risk assessments for public sector activities that use cloud computing services. These assessments must identify activities that contribute to the preservation of public order, such as those in national security, defense, justice, or critical infrastructure. The assessment will determine the required Union assurance level for the cloud services used.

2. Procurement Requirements

Based on these risk assessments, you will be obligated to procure cloud services that meet specific Union assurance levels:

• High-Risk Activities: For activities identified as contributing to the preservation of public order, contracting authorities must only procure cloud services recognized as offering Union assurance levels 2, 3, or 4.
• Standard Activities: For other activities, a minimum of Union assurance level 1 is required.

3. Evaluation of European Added Value

When procuring innovative cloud computing services and AI systems, you must include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. This includes assessing:

• The use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union.
• The innovation required to deliver the service contributing to the security of supply.

4. Support for SMEs

The proposal encourages the division of procurement into lots and other measures to improve access for SMEs. You are expected to monitor and report on the participation of SMEs in your procurement procedures, with a target that at least 25% of relevant innovation procurement be awarded to innovative SMEs.

Common misconceptions

"CADA bans non-EU cloud providers." No. CADA does not explicitly ban non-EU providers. However, it establishes strict sovereignty criteria (Union assurance levels) that non-EU providers must meet to serve the public sector. For the highest levels of assurance (levels 3 and 4), the criteria are stringent regarding third-country control, potentially making it difficult for many non-EU providers to qualify without significant structural changes.

"The EU Cloud Stacks initiative is a single government-built cloud." No. The proposal supports the development of open cloud computing stacks and fosters open-source foundations. It aims to create a competitive market of European providers using these stacks, rather than building a single monolithic state-owned cloud. The EuroCloud Federation is a mechanism for public bodies to share capacity, not a retail cloud service for the general public.

"Sovereignty only means data location." No. CADA's definition of sovereignty goes beyond data residency. It includes operational autonomy, protection against extraterritorial access, supply chain security, and the ability to maintain service continuity without interference from third-country laws.

Related

• How do Centres for AI help startups and spin-offs scale up?
• Does CADA help share AI models and data across public services?
• Can a non-EU company benefit from the Centres for AI under CADA?
• Why did the EU create the Cloud and AI Leadership Initiatives?
• Who sets the rules for establishing Centres for AI under CADA?

This is general information about a draft EU regulation, not legal advice.