Summary No, the proposed Cloud and AI Development Act (CADA) does not replace or amend the AI Act. The two regulations are complementary instruments with distinct legal bases and objectives. The AI Act focuses on product safety, fundamental rights, and harmonised rules for placing AI systems on the market. In contrast, CADA targets technological sovereignty, market uptake, and the resilience of the cloud and AI ecosystem. Companies must comply with both frameworks simultaneously; CADA adds new obligations regarding data centre deployment, sovereign cloud procurement, and open-source software reuse that exist alongside AI Act requirements.

Detail

The proposed Cloud and AI Development Act (CADA), formally titled the Regulation establishing a framework of measures for strengthening Europe's cloud and AI ecosystem, is designed to work in tandem with the existing AI Act (Regulation (EU) 2024/1689). It is crucial for legal teams to understand that CADA is not a revision, replacement, or amendment of the AI Act. Instead, it addresses a different set of strategic challenges facing the European Union, specifically the "gap" in sovereignty that the AI Act does not cover.

Distinct Objectives and Legal Bases

The AI Act and CADA pursue separate, albeit overlapping, policy goals. The AI Act, which entered into force on 1 August 2024, establishes a risk-based regulatory framework to ensure that AI systems placed on the EU market are safe, transparent, and non-discriminatory. Its primary focus is on protecting health, safety, and fundamental rights, prohibiting certain AI practices (such as social scoring under Article 5), and imposing strict obligations on high-risk AI systems and general-purpose AI models.

CADA, proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), addresses the Union's dependence on third-country cloud providers and the shortage of domestic computing capacity. As stated in the explanatory memorandum, the proposal aims to "address the limited and geographically concentrated availability of computing capacity in the EU and the risks associated with dependence on cloud and AI supplied by non-European providers." Its objectives are to increase computing capacity, ensure attractive conditions for sustainable deployment, address data sovereignty, and protect public order by making cloud services more resilient.

Legally, the AI Act is based on Article 114 TFEU (internal market harmonisation) and Article 16 TFEU (protection of personal data). CADA also draws on Article 114 TFEU for its harmonisation measures regarding the single market but additionally relies on Article 173(3) TFEU to enhance the EU's industrial competitiveness and innovation capacity. This dual legal basis allows CADA to introduce supply-side measures, such as supporting research and innovation initiatives, which fall outside the scope of the AI Act.

Complementary Scope: Product Safety vs. Sovereignty and Uptake

The AI Act regulates the product (the AI system or model) and its lifecycle from development to market placement. CADA regulates the ecosystem and the infrastructure that supports AI, as well as the procurement decisions of public and private entities.

  1. AI Act (Product Safety): Focuses on technical requirements for high-risk AI systems, such as risk management, data governance, transparency, and human oversight. It applies to providers, deployers, and importers of AI systems.
  2. CADA (Sovereignty and Uptake): Focuses on the underlying cloud computing services and data centres. It introduces a "Union cloud computing sovereignty framework" with four assurance levels (Article 16) to help public sector bodies and critical private entities mitigate risks associated with third-country control. It also mandates Member States to designate "data centre acceleration zones" (Article 10) to streamline permitting and expand capacity.

The explanatory memorandum explicitly states: "The proposal also reinforces key objectives of the AI Act... The AI Act ensures a high level of protection of health, safety and fundamental rights. It does not cover aspects of sovereignty." Conversely, CADA does not introduce new product safety requirements for AI systems themselves but rather sets conditions for the cloud services that host them and the procurement processes that acquire them.

Interaction in Practice

For in-house counsel, this means managing two parallel compliance tracks. A company deploying a high-risk AI system must ensure the system itself complies with the AI Act's technical requirements. Simultaneously, if that system is hosted on a cloud service used by a public sector body or a critical private entity (as defined in Annex I to the NIS2 Directive), the cloud provider may need to be recognised under one of CADA's Union assurance levels (Articles 17–22).

Furthermore, CADA introduces specific procurement obligations. Article 30 requires public contracting authorities to procure cloud computing services that meet at least Union assurance level 1, and higher levels for activities contributing to public order. Article 32 introduces "Union added value" criteria in public procurement for cloud and AI services, encouraging the use of European hardware and software. These procurement rules are distinct from the AI Act's market surveillance and enforcement mechanisms.

What this means for you

For in-house counsel and compliance officers, the coexistence of the AI Act and CADA creates a multi-layered compliance landscape. You cannot assume that AI Act compliance exempts you from CADA obligations, nor does CADA override AI Act duties.

1. Dual Compliance Obligations

  • AI Act: Continue to focus on risk assessments, technical documentation, conformity assessments, and post-market monitoring for your AI systems. Ensure your providers and deployers meet the strict requirements for high-risk AI systems and general-purpose AI models.
  • CADA: Assess your cloud infrastructure and procurement processes. If you are a cloud computing service provider aiming to serve the public sector, you must prepare for recognition under the Union assurance levels (Article 17). This involves self-assessment for Level 1 or independent third-party audits for Levels 2–4 (Article 20).

2. Procurement and Contracting

  • Public Sector: If you are a public authority, you must conduct risk assessments (Article 29) to determine the appropriate Union assurance level for your cloud services. You must also apply Union added value criteria (Article 32) in your tenders, which may favour providers with European supply chains.
  • Private Sector: Entities in critical sectors (e.g., finance, energy) under the NIS2 Directive may conduct similar impact assessments (Article 31) and face indirect pressure to adopt sovereign cloud solutions due to public procurement spillover effects.

3. Data Centre Deployment

  • If you operate or plan to build data centres, monitor the designation of "data centre acceleration zones" in your Member State (Article 10). These zones offer streamlined permitting processes (Article 13) but also impose sustainability requirements (Article 11). Note that specific data centre KPIs are defined in Delegated Regulation (EU) 2024/1364, not directly in CADA.

4. Deadlines and Timelines

  • AI Act: Prohibitions apply from 2 February 2025; general provisions and governance rules apply from 2 August 2025; full application from 2 August 2026.
  • CADA: As a proposal, its entry into force is pending. However, if adopted, it would enter into force on the 20th day following publication and apply one year later. Member States would be required to designate national competent authorities and establish national cloud and AI strategies within one year of entry into force (Article 7).

5. Penalties

  • AI Act: Fines can reach up to €35 million or 7% of global turnover for prohibited practices under Article 99.
  • CADA: Member States must lay down penalties for infringements of the sovereignty framework (Article 24). These penalties must be effective, proportionate and dissuasive. While specific fine amounts are not fixed in the proposal, they will be determined by national laws.

Common misconceptions

Misconception 1: CADA replaces the AI Act's governance structure.

  • Reality: CADA does not replace the AI Office or the European Artificial Intelligence Board established by the AI Act. Instead, CADA introduces new national competent authorities (Article 25) specifically for enforcing the cloud sovereignty framework. The AI Board will still advise on AI adoption, but CADA creates a separate enforcement track for cloud services.

Misconception 2: AI Act compliance ensures cloud sovereignty.

  • Reality: The AI Act focuses on the safety and rights-compliance of the AI system itself. It does not assess whether the underlying cloud infrastructure is controlled by third countries or whether data remains within the EU. CADA's assurance levels (Article 16) specifically address these sovereignty risks, which are outside the AI Act's scope.

Misconception 3: CADA applies to all AI providers.

  • Reality: CADA primarily targets cloud computing service providers (as defined in Article 2, point (1)) and data centre operators. AI system providers are only indirectly affected through procurement requirements and the need to host their systems on compliant cloud infrastructure. The AI Act, by contrast, directly regulates AI providers.

Misconception 4: The two laws conflict.

  • Reality: The explanatory memorandum states that CADA is "fully compatible" with the AI Act. They address different layers of the technology stack. The AI Act regulates the algorithm; CADA regulates the infrastructure and the market conditions for its deployment.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.