Does CADA make it easier for European AI startups to compete with hyperscalers?

Summary As proposed, the Cloud and AI Development Act (CADA) would significantly lower barriers for European AI startups by replacing fragmented national sovereignty rules with a single, EU-wide recognition framework for cloud services. Grounded in the Draghi report's call to regain control over data and cloud computing, the proposal aims to reduce the market dominance of non-European hyperscalers. By mandating that public authorities prioritize services meeting specific "Union assurance levels," creating a central repository for visibility, and ensuring access to frontier AI compute, CADA would create a level playing field where smaller, sovereign European providers can compete on trust and autonomy rather than just scale.

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA), COM(2026) 502 final, is explicitly designed to address the EU's critical dependence on a limited number of third-country cloud providers. The proposal is grounded in the strategic imperative identified in the Draghi report on the future of European competitiveness, which states that the EU must "maintain a foothold in areas where technological sovereignty is required" and "reduce critical external dependencies by strengthening homegrown cloud and AI capabilities and infrastructure." The Draghi report specifically calls on the Commission to "take targeted actions aimed at regaining and retaining control over data and cloud computing services, expanding domestic computational capacity and establishing a robust financial and talent flywheel to drive innovation."

CADA operationalizes this by establishing a unified sovereignty framework that allows smaller European providers to compete on trust and autonomy rather than just scale. The proposal's explanatory memorandum notes that the current landscape is characterized by a "pronounced dependence on a limited pool of third-country providers," with three non-EU hyperscalers controlling over 70% of the European cloud market. CADA seeks to reverse this by creating a harmonised mechanism that strengthens the Union's long-term strategy for technological autonomy.

Leveling the Playing Field Through Union Assurance Levels

The core mechanism enabling startups to compete is the introduction of four "Union assurance levels" under Article 16. Currently, hyperscalers dominate because they possess the resources to navigate disparate national security requirements and certification schemes across Member States. CADA harmonizes these into a single EU-wide framework, reducing the complexity and cost of market entry for smaller players.

Under Article 17, a cloud computing service provider can apply for recognition by the national competent authority of its establishment. Once recognized, that status is valid across the entire Union. This eliminates the need for startups to undergo redundant, costly certifications in each Member State. Crucially, the proposal includes a specific derogation for small and medium-sized enterprises (SMEs) to drastically reduce administrative burden. Article 17(3) states that the EU statement of conformity issued by SMEs for Union assurance level 1 "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This automatic recognition allows startups to bid for public contracts immediately upon self-certification, bypassing the lengthy evaluation processes that often favor larger incumbents.

For higher assurance levels (2, 3, and 4), the proposal requires independent third-party audits under Article 20. However, the criteria in Annex II are designed to be achievable for providers who are established in the Union and maintain their infrastructure and personnel within the EU. By standardizing these criteria, CADA ensures that a startup in one Member State can compete for contracts in another without facing unique, non-harmonized national hurdles.

Procurement Signals and Public Sector Demand

CADA transforms public procurement from a passive market into an active driver for sovereign cloud adoption. Article 30 mandates that contracting authorities must, as a minimum, procure cloud computing services recognized as having Union assurance level 1. For activities deemed to have "public order relevance" (such as national security, internal security, defence, justice, or law enforcement), authorities must procure services with Union assurance levels 2, 3, or 4, as determined by risk assessments under Article 29.

This creates a guaranteed baseline of demand for European providers who can meet these sovereignty criteria. The proposal explicitly notes that public procurement frequently serves as a "primary signal of market direction," and requirements imposed by public authorities tend to be mirrored by private-sector entities.

Furthermore, Article 32 requires contracting authorities to include "Union added value" as a non-price award criterion in public procurement for innovative cloud and AI services. This criterion evaluates the extent to which a tenderer contributes to strengthening the EU's digital supply chain, uses hardware/software designed or manufactured in the Union, and integrates Union-developed technologies. Article 32(3) specifies that authorities should evaluate whether the tenderer contributes to "strengthening the digital technology supply chain in the Union" and delivers the service using "hardware components designed or manufactured in the Union." This explicitly allows startups to win contracts by demonstrating their contribution to European technological autonomy, even if their price is not the lowest. The proposal suggests a maximum weighting of 15 out of 120 points for this criterion, ensuring it remains proportionate but decisive in favor of local innovation.

Compute Access and Infrastructure Support

Recognizing that startups often lack access to the massive compute resources required for AI development, CADA establishes the "Cloud and AI Leadership Initiatives" under Title II. Article 3 outlines the general objective of achieving large-scale capacity throughout the Union's cloud and AI ecosystem. Article 4 specifies operational objectives, including supporting the development of open cloud computing stacks (Article 4(2)) and advancing capabilities in frontier AI (Article 4(3)).

Article 9 is particularly relevant for AI startups, as it mandates that the Union and Member States ensure sufficient AI computing resources are allocated to support "frontier AI priority projects" and other industrial innovation. The proposal states that the Union shall "match, on a proportional basis and within the limits of available European high-performance computing ('EuroHPC') capacity, the AI computing resources contributed or committed by the Member States to the designated frontier AI priority projects." By coordinating access to EuroHPC capacity, CADA aims to prevent compute scarcity from being a bottleneck for European startups.

Recital 24 further reinforces this by stating that the initiatives should ensure the uptake of cloud computing services provided by European providers, leveraging outcomes from European digital infrastructure consortiums (EDICs) to share infrastructure and best practices. The proposal also establishes a network of "Experience and Acceleration Centres for AI" (Article 5) to support the integration and scaling-up of AI use cases, specifically targeting SMEs and public sector bodies.

Marketplace Visibility and the Central Repository

To solve the "chicken and egg" problem of visibility, Article 22 establishes a central repository of cloud computing services recognized as offering Union assurance levels 1-4. The Commission is required to maintain this repository, which must be publicly available and regularly updated on a dedicated website.

This creates a single, authoritative marketplace where public authorities can identify compliant European providers. For a startup, being listed in this central repository is a powerful signal of trust and compliance, reducing the friction for public buyers to discover and select smaller, local providers over established global incumbents. The repository ensures that once a provider is recognized, their status is visible to all potential customers across the Union, eliminating the information asymmetry that often favors large, well-known brands.

Common Misconceptions

Misconception 1: CADA bans non-European hyperscalers. CADA does not ban non-European providers. Instead, it creates a tiered system where access to certain public sector contracts is restricted to providers meeting specific sovereignty criteria (Union assurance levels). Hyperscalers can still compete if they obtain recognition under these levels. For example, Article 18 allows the Commission to adopt implementing acts identifying third countries where cloud computing services subject to their control may be audited for Union assurance level 3, provided specific safeguards are met. However, they must meet strict criteria regarding data localization, personnel citizenship, and absence of third-country control. This forces all providers, large or small, to compete on the same sovereignty metrics.

Misconception 2: Only large incumbents can afford compliance. While higher assurance levels (2-4) require independent audits under Article 20, the proposal explicitly lowers barriers for Level 1. The automatic recognition of SME self-assessments for Level 1 under Article 17(3) is designed specifically to make compliance affordable for startups. Additionally, the "Union added value" criteria under Article 32 allow smaller providers to offset price disadvantages by demonstrating their strategic value to the EU ecosystem. The proposal also notes that the Cloud and AI Leadership Initiatives will support the development of open-source solutions and cloud stacks, reducing dependency on proprietary, expensive technologies.

Misconception 3: CADA replaces the AI Act. CADA complements, but does not replace, the AI Act. The AI Act (Regulation (EU) 2024/1689) regulates the safety and fundamental rights implications of AI systems themselves. CADA regulates the cloud infrastructure and sovereignty aspects of the services that host and deliver these systems. As the explanatory memorandum states, the AI Act "does not cover aspects of sovereignty." A startup must comply with both: the AI Act for its algorithm's safety, and CADA for its cloud service's sovereignty status if it wishes to serve the public sector.

Misconception 4: CADA is only about data centres. While CADA includes measures to accelerate data centre deployment (Title III), its impact on startups extends far beyond physical infrastructure. The sovereignty framework, procurement mandates, compute access initiatives, and open-source promotion (Title IV, Chapter V) directly address the software, talent, and market access barriers that startups face.

What this means for you

For European cloud service providers and data center operators, particularly SMEs and startups, CADA presents a structural opportunity to capture public sector market share that was previously inaccessible due to scale and certification costs.

1. Prioritize Level 1 Certification: As a startup, your immediate goal should be to prepare for Union assurance level 1. Ensure your infrastructure, assets, and customer data remain within the Union (Annex II, Section 1). Prepare your EU statement of conformity, as this will grant you automatic recognition across the EU without the delay of national authority review under Article 17(3).
2. Leverage the Central Repository: Once recognized, ensure your service is listed in the central repository established under Article 22. This visibility is critical for procurement officers scanning for compliant vendors. The repository is designed to be the primary source of truth for public buyers.
3. Market "Union Added Value": In your procurement bids, explicitly detail how your service strengthens the EU digital supply chain. Use the criteria in Article 32(3) to structure your proposal, highlighting any use of EU-designed hardware, open-source components, or local R&D. This non-price criterion can be the deciding factor in winning contracts.
4. Monitor Frontier AI Opportunities: If you are an AI-focused startup, track the designation of "frontier AI priority projects" under Article 8. Align your solutions with the operational objectives in Article 4 to position yourself for potential support and compute resource allocation under Article 9.
5. Prepare for Audits if Scaling Up: If you aim to serve high-security public order sectors, you will need Union assurance levels 2-4. Begin building relationships with auditing organizations now, as these require independent third-party audits under Article 20. Ensure your supply chain transparency and software bill of materials (SBOM) are robust, as these are key audit criteria (Annex II, Section 2(i)).
6. Engage with Acceleration Centres: Connect with the "Experience and Acceleration Centres for AI" under Article 5. These hubs are tasked with supporting SMEs in their digital transformation and providing access to relevant upskilling and reskilling schemes.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• When can AI startups start benefiting from CADA support?
• What sovereign-cloud market opportunity does CADA create for startups?
• What CADA compliance burden do AI startups face?
• CADA vs the European Electronic Communications Code: How do they interact?
• How does CADA reduce cloud costs and lock-in for startups?

This is general information about a draft EU regulation, not legal advice.