Does CADA replace the AI Act?

Summary No. As proposed, the Cloud and AI Development Act (CADA) would not replace the EU AI Act. The two are complementary instruments addressing different layers of the digital stack. The AI Act regulates the safety, fundamental-rights impact, and market placement of AI systems and general-purpose AI models; CADA, as proposed, focuses on the underlying cloud infrastructure, data-centre deployment, and sovereign procurement frameworks that support AI development. The Commission's own materials state CADA "reinforces key objectives of the AI Act" and notes that the AI Act "does not cover aspects of sovereignty."

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA), COM(2026) 502 final, is designed to work alongside existing digital legislation, not to supplant it. To see why CADA would not replace the AI Act, it helps to distinguish their scopes, objectives, and legal bases.

Distinct scopes and objectives

The EU AI Act (Regulation (EU) 2024/1689) is a product-safety and fundamental-rights regulation. It sets harmonised rules for the development, placement on the market, and use of AI systems in the Union, using a risk-based approach: prohibiting certain AI practices (Article 5), classifying high-risk AI systems (Article 6 with Annexes I and III), imposing obligations on high-risk systems (Articles 8 to 27), and addressing general-purpose AI models (Articles 51 to 56). Its purpose is to improve the functioning of the internal market while ensuring trustworthy AI and a high level of protection of health, safety, and fundamental rights.

By contrast, CADA is an industrial and infrastructure policy instrument. Article 1 of the proposal defines its subject matter as establishing a framework for strengthening the Union's cloud and AI ecosystem, in particular through:

• establishing the Cloud Leadership Initiative and the AI Leadership Initiative;
• setting the framework for the accelerated deployment of data centres across the Union;
• enabling the availability of a sovereign cloud and AI offer to safeguard the Union's public order;
• reducing dependencies on critical technologies;
• fostering the adoption of cloud computing services across the public sector.

Where the AI Act governs what AI systems may do and how they must behave to be safe, CADA, as proposed, would govern where and how the computational infrastructure that runs those systems is built, owned, and procured. CADA's stated general objectives are the competitiveness and innovation capacity of the Union's cloud and AI ecosystem and improving the functioning of the single market by increasing the Union's resilience and strategic autonomy in cloud and AI (Article 1(2) and (3)).

Legal consistency and complementarity

The proposal expressly aligns itself with the AI Act. The Explanatory Memorandum states: "The proposal also reinforces key objectives of the AI Act. The AI Act harmonises rules for AI systems and general-purpose AI models to be placed on the EU market, improving the functioning of the internal market and promoting the uptake of human-centric and trustworthy AI along the value chain. The AI Act ensures a high level of protection of health, safety and fundamental rights. It does not cover aspects of sovereignty."

That last sentence is key. The AI Act does not address the industrial or sovereignty questions of who owns the data centres and cloud infrastructure. CADA would fill that gap with a "Union cloud computing sovereignty framework" of four assurance levels (Article 16), letting public-sector bodies assess and procure cloud services against criteria such as data localisation, personnel requirements, and absence of third-country control (Annex II).

CADA would also support the AI Act's goals by helping develop sovereign AI capacity. The AI Leadership Initiative is aimed at strengthening the Union's AI ecosystem, providing compute and resources that European AI developers need. Without such infrastructure support, those developers could struggle to access secure, compliant capacity to train and deploy AI systems that meet the AI Act's standards.

Different legal bases

The two regulations rest on different Treaty bases. The AI Act is based on Articles 114 and 16 TFEU (the internal market and data protection). CADA draws on the cumulative legal basis of Articles 114 and 173(3) TFEU, combining internal-market harmonisation with the promotion of industrial competitiveness and innovation. That dual basis reflects CADA's broader industrial-policy mandate, which extends beyond the AI Act's product-safety focus.

What this means for you

For CTOs, architects, and SMEs weighing the practical impact, understanding the interplay between CADA and the AI Act would matter for both compliance and infrastructure planning.

1. Two regimes, not one. If you develop or deploy AI systems, the AI Act's requirements on risk management, data governance, transparency, and human oversight would still apply. Separately, as proposed, if you are a public-sector body or buy on its behalf, you could be required to procure cloud services at a specific CADA assurance level. You could not simply pick the cheapest or most capable provider; the sovereignty recognition would also count.
2. Infrastructure strategy. CADA would encourage sovereign cloud services for public-order activities. Public-sector activities identified under the Article 29 risk assessment as contributing to public order would have to be served by services recognised at Union assurance level 2, 3, or 4 (Article 30(3)); other public-sector activities would use level 1 services (Article 30(2)). This could shape provider choice based on EU establishment, data localisation, and supply-chain transparency.
3. Innovation and procurement. CADA would require contracting authorities to include non-price "Union added value" award criteria in procurement of innovative cloud services and AI systems, rewarding a tenderer's contribution to a European cloud and AI ecosystem (Article 32). For SMEs bidding for public contracts, demonstrating that contribution could be a competitive advantage.
4. Sovereignty as an added dimension. CADA's framework would add scrutiny of third-country control and access to data. You would want assurance that your providers can meet CADA's criteria. This complements, rather than duplicates, the AI Act's data-governance requirements.

Common misconceptions

• "CADA makes the AI Act obsolete." Incorrect. The AI Act would remain the primary regulation for AI safety and fundamental rights. CADA does not repeal or amend it; it would provide the infrastructure and procurement framework to help meet the AI Act's goals in a more sovereign way.
• "CADA applies to all AI developers." As proposed, CADA's sovereignty and procurement rules primarily target the public sector and contracting authorities. General AI developers are subject to the AI Act, but could be affected indirectly where their clients require sovereign cloud services.
• "Sovereignty recognition replaces AI Act conformity." No. A provider's CADA assurance level would speak to its infrastructure's sovereignty and security, not to the AI systems running on it. High-risk AI systems would still need their own conformity assessment under the AI Act.
• "CADA is only about data centres." While CADA includes significant provisions on data-centre acceleration zones and strategic projects, it also covers cloud sovereignty, the Cloud and AI Leadership Initiatives, and public procurement of cloud and AI services. It is a broad ecosystem framework, not just an infrastructure measure.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
• How does CADA reinforce the EU AI Act?
• Does the AI Act or CADA cover cloud sovereignty?
• Does CADA protect EU data from the US CLOUD Act?
• CADA vs the US CLOUD Act: how do they differ?

This is general information about a draft EU regulation, not legal advice.