Summary
No, the proposed Cloud and AI Development Act (CADA) does not directly mandate private automotive firms to use EU sovereign cloud services. The mandatory procurement rules and the Union cloud computing sovereignty framework apply strictly to public sector bodies and Union entities. However, private automotive firms that qualify as essential or important entities under the NIS2 Directive (Directive (EU) 2022/2555) are explicitly permitted to conduct voluntary impact assessments regarding sovereignty risks under Article 31. While not legally required, these firms may face indirect market pressure to align with sovereign standards due to "spillover effects" from public procurement, as noted in Recital 66.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the European cloud and AI ecosystem. A primary objective is to reduce dependencies on third-country providers and safeguard the Union's public order through a tiered "Union cloud computing sovereignty framework." For the automotive sector (a critical pillar of the EU economy and a major consumer of cloud computing for connected vehicles, autonomous driving, and supply chain management), the question arises: does this proposal impose a direct legal obligation to migrate to sovereign cloud infrastructure?
The answer is negative regarding a direct mandate. CADA distinguishes sharply between the obligations of the public sector and the voluntary measures available to the private sector.
The Public Sector Mandate: Article 30
The core of CADA's sovereignty framework is Article 30, which governs public procurement. This article imposes binding obligations on "contracting authorities" (public sector bodies) and "Union entities."
Under Article 30(2), public sector bodies whose activities have not been identified as contributing to the preservation of public order must procure cloud services recognised at Union assurance level 1.
More critically, Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in areas of national security, internal security, defence, justice, or law enforcement) "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
These assurance levels, defined in Annex II, impose strict criteria regarding establishment in the Union, location of infrastructure and personnel, data localisation, and the absence of third-country control. However, the scope of Article 30 is explicitly limited to "contracting authorities" and "Union entities." Private automotive manufacturers, suppliers, and service providers do not fall under the definition of a contracting authority in this context. Therefore, they are not legally bound by the mandatory procurement thresholds set out in Article 30.
Article 31: Voluntary Impact Assessments for Private Entities
The specific provision addressing private sector entities is Article 31, titled "Impact assessments." This article creates a permissive, rather than mandatory, framework for private companies.
Article 31(1) states:
"Entities referred to in Annex I of Directive (EU) 2022/2555 who are not public sector bodies may carry out similar assessments as those set out in Article 29."
Directive (EU) 2022/2555 is the NIS2 Directive, which classifies entities in various sectors, including the automotive sector (specifically "manufacture of motor vehicles" and related supply chain components), as essential or important entities. Consequently, an automotive firm falling within the scope of NIS2 Annex I is legally empowered to conduct an impact assessment similar to the risk assessments required for the public sector under Article 29.
These assessments allow private firms to evaluate:
- The sensitivity, criticality, and magnitude of data processed.
- The risk of unlawful access by third countries or legal entities established in third countries.
- The risk of service disruption.
Crucially, the text uses the word "may," indicating a voluntary right, not an obligation. Article 31(2) further clarifies that the Commission "may issue guidance" on the methodology for these assessments.
While Article 31(3) provides a mechanism for the Commission to adopt delegated acts requiring impact assessments for entities in sectors of "high criticality" under specific circumstances, this is a discretionary power. As of the current proposal, there is no automatic requirement for all automotive firms to conduct these assessments. The burden remains on the private entity to decide if such an assessment is necessary for its risk management strategy.
Indirect Pressure: The Spillover Effect
Although CADA does not directly regulate private automotive firms, the proposal acknowledges that the regulatory landscape will create significant indirect pressure. Recital 66 explicitly describes this dynamic:
"Public procurement frequently serves as a primary signal of market direction. Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."
The automotive industry is deeply integrated with public infrastructure. This includes:
- Smart Mobility: Integration with municipal traffic management systems and smart city infrastructure.
- Public Safety: Compliance with safety standards that may involve data exchange with public authorities.
- Supply Chain: Participation in public procurement chains where public authorities are the end-users or integrators.
If public authorities (e.g., transport ministries, police forces, or municipal governments) are mandated by Article 30 to procure only Union assurance level 2, 3, or 4 services, the automotive firms supplying them may find themselves de facto required to meet similar standards to ensure interoperability, data compatibility, and trust. A private supplier using a non-sovereign cloud provider might be unable to integrate with a public authority's sovereign cloud environment, effectively excluding them from public contracts.
Furthermore, Recital 66 notes that these spillover effects contribute to "broader market realignment." As the public sector drives demand for sovereign cloud, the market supply will shift, potentially making non-sovereign options less competitive or available for regulated industries.
Strategic Implications for the Automotive Sector
For automotive firms, the absence of a direct mandate does not equate to a lack of risk. The proposal encourages a "sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order" (Article 1(1)(c)). While private firms are not the primary target of the sovereignty framework, they operate within an ecosystem where the public sector is the dominant driver of compliance.
The proposal also establishes mechanisms like the EuroCloud Federation (Article 34) and common procurement frameworks (Article 37) to facilitate the sharing of sovereign cloud capacity. While participation is voluntary, these mechanisms aim to lower the cost and complexity of adopting sovereign solutions, making them more attractive to private entities seeking to future-proof their operations against potential regulatory shifts.
What this means for you
For legal counsel, compliance officers, and strategic planners in the automotive industry, the implications of the proposed CADA are nuanced but significant.
- Verify NIS2 Classification: Determine immediately if your organisation is classified as an "essential" or "important" entity under Annex I of Directive (EU) 2022/2555 (NIS2). If you are, you have the explicit right under Article 31(1) to conduct a sovereignty impact assessment. Even if not mandatory, this is a powerful tool for demonstrating due diligence to regulators and stakeholders.
- Monitor Commission Guidance: Keep a close watch on the Commission's potential issuance of guidance under Article 31(2). While the current proposal is silent on specific methodologies, future guidance could establish de facto standards for what constitutes a robust sovereignty assessment in the automotive sector.
- Anticipate Indirect Mandates: Do not assume that the lack of a direct legal requirement protects you from market exclusion. If your primary customers are public authorities or if your supply chain is heavily integrated with public infrastructure, you may face contractual requirements to match their sovereign cloud standards (Union assurance levels 2–4). Recital 66 confirms that this "spillover" is an intended outcome of the legislation.
- Audit Current Cloud Providers: Conduct a preliminary review of your current cloud providers against the criteria in Annex II of CADA. Even if you are not legally required to switch now, understanding where your providers stand on Union establishment, data localisation, and third-country control will prepare you for potential future requirements or customer demands.
- Prepare for Delegated Acts: Be aware that Article 31(3) reserves the right for the Commission to adopt delegated acts requiring impact assessments for sectors of "high criticality." If the automotive sector is deemed to be of high criticality in the future, the voluntary nature of Article 31 could shift to a mandatory requirement.
Common misconceptions
- Misconception 1: CADA forces all EU companies, including automotive firms, to use EU sovereign cloud providers.
  - Reality: CADA mandates sovereign cloud procurement only for public sector bodies and Union entities under Article 30. Private companies, including automotive firms, are not legally required to switch providers, though they may choose to do so voluntarily or due to market pressures.
- Misconception 2: Article 31 requires automotive firms to conduct impact assessments.
  - Reality: Article 31(1) states that entities in the NIS2 scope may carry out similar assessments. It is a permissive provision ("may"), not a mandatory one ("shall"), unless the Commission later adopts delegated acts under Article 31(3) to require them for specific high-criticality circumstances.
- Misconception 3: If an automotive firm is not public, it is completely unaffected by CADA.
  - Reality: While not directly regulated, private firms face significant indirect pressure. Recital 66 explicitly states that public procurement requirements tend to be "mirrored by private-sector entities," creating spillover effects that could alter market dynamics and supply chain requirements.
- Misconception 4: Sovereign cloud means all data must stay in the EU under all circumstances.
  - Reality: The criteria for Union assurance levels vary. While higher levels (3 and 4) have strict data localisation requirements, lower levels (like Level 1) may allow for data transfer under specific conditions and safeguards, provided the public sector body explicitly requires otherwise. The specific requirements are detailed in Annex II.
This is general information about a draft EU regulation, not legal advice.