Summary

The Data Act (Regulation (EU) 2023/2854) and the proposed Cloud and AI Development Act (CADA) operate on distinct but complementary layers of cloud governance. The Data Act governs the contractual mechanics of switching providers, ensuring interoperability, and prohibiting unfair terms to prevent vendor lock-in. In contrast, CADA establishes a sovereignty framework with four Union assurance levels, where tier recognition is a separate administrative process under Article 17, not a direct consequence of Data Act compliance. While the Data Act does not determine CADA tiers, its provisions on data portability and switching obligations are critical operational enablers for the migration requirements mandated by CADA's risk assessments, particularly under Article 29(6).

Detail

To understand the interaction between these two instruments, it is necessary to distinguish between the contractual and market-access rules of the Data Act and the sovereignty and security criteria of CADA. The Data Act focuses on ensuring that users can switch cloud computing service providers without disproportionate costs or technical barriers. It mandates that providers make their services interoperable and prohibits contractual terms that hinder switching, such as excessive termination fees or unfair notice periods. This creates a baseline of market contestability and user autonomy.

CADA, conversely, is a proposal designed to strengthen the EU's technological sovereignty and reduce dependence on third-country providers. It introduces a "Union cloud computing sovereignty framework" comprising four Union assurance levels. These levels define the criteria a cloud computing service provider must meet to be recognized as offering a specific level of Union assurance. This recognition is neither automatic nor derived from Data Act compliance. Instead, it is a distinct legal status granted by national competent authorities following a rigorous assessment process.

The Distinct Role of CADA Article 17: Recognition, Not Contract

The cornerstone of CADA's sovereignty framework is Article 17, which establishes the mechanism for the recognition of cloud computing service providers. Under this article, a provider seeking recognition for a specific Union assurance level (1, 2, 3, or 4) must submit an application to the national competent authority of its establishment.

For Union assurance level 1, the provider must submit an EU statement of conformity. For levels 2, 3, and 4, the provider must undergo independent third-party audits and submit the resulting audit report and opinion. The national competent authority then evaluates this evidence. If the evidence is sufficient, the authority prepares a draft recognition decision, which is subject to a review period by other Member States. Only after this process is concluded is the service recognized across the Union at the applicable assurance level.

Crucially, Article 17 operates independently of the Data Act. A cloud provider may fully comply with the Data Act's switching and interoperability rules yet fail to meet the stringent sovereignty criteria of CADA (such as data localization, personnel citizenship, or absence of third-country control) required for higher assurance levels. Conversely, a provider might meet sovereignty criteria but fail Data Act obligations if it engages in unfair contractual practices. Therefore, the Data Act does not "govern" the CADA tiers; it governs the market behavior surrounding the services that may or may not achieve those tiers.

The Data Act as an Enabler for CADA Migration (Article 29)

While the Data Act does not determine tier status, it is functionally essential for the implementation of CADA's demand-side measures, specifically the risk assessments and subsequent migrations mandated by Article 29.

Article 29 requires Member States and Union entities to carry out risk assessments to determine which public sector activities require cloud computing services at Union assurance levels 2, 3, or 4 to preserve public order. If a risk assessment concludes that a current cloud service does not meet the required assurance level, the entity must migrate to a compliant provider.

Article 29(6) explicitly addresses this transition: "Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

This is where the Data Act becomes critical. The Data Act's provisions on data portability and the right to switch ensure that the "data portability requirements" referenced in Article 29(6) are legally enforceable. Without the Data Act's mandate for providers to cooperate in switching and to provide data in a machine-readable, interoperable format, the 12-month migration window prescribed by CADA would be technically and legally difficult to achieve. The Data Act removes the contractual friction that could otherwise stall or prevent the migration to a sovereign provider identified through CADA's risk assessment process.

Contractual Implications for In-House Counsel

For in-house counsel and compliance officers, this dual framework creates a layered obligation:

  1. Sovereignty Compliance (CADA): You must ensure that your cloud contracts align with the Union assurance level required by your risk assessment under Article 29. If your activities are deemed to contribute to public order, you may be legally required to procure services only from providers recognized under Article 17 at levels 2, 3, or 4.
  2. Switching Capability (Data Act): Your existing contracts must be reviewed to ensure they comply with the Data Act's prohibitions on unfair terms and switching barriers. If you need to migrate to a CADA-compliant provider, your current contract must allow for data export and service termination without disproportionate penalties.
  3. Migration Planning (CADA Art. 29(6)): If a migration is required, you have a maximum of 12 months to execute it. You should leverage the Data Act's portability rights to negotiate smooth data transfer terms with your current provider, even if that provider does not meet CADA's sovereignty criteria.

What this means for you

As a compliance officer or in-house counsel, you must manage two parallel tracks of obligation:

  • Audit Your Current Contracts for Data Act Compliance: Ensure that your cloud service agreements do not contain unfair terms that hinder switching. Verify that data portability clauses are robust enough to support a rapid migration if required. This is your insurance policy for CADA compliance.
  • Conduct or Review Risk Assessments (Article 29): Determine which of your cloud workloads fall under the public order relevance threshold. If they do, you must identify providers recognized under Article 17 at the appropriate assurance level (2, 3, or 4).
  • Plan for the 12-Month Migration Window: If your current provider does not meet the required CADA assurance level, you must initiate migration immediately. Use the Data Act's switching rights to facilitate this. Document all steps to demonstrate compliance with the "reasonable transition period" requirement of Article 29(6).
  • Monitor Recognition Status: Regularly check the central repository maintained by the Commission (under Article 22) to ensure your chosen provider maintains its recognized status. A loss of recognition could trigger a new risk assessment and potential migration requirement.

Common misconceptions

"Data Act compliance equals CADA sovereignty." No. The Data Act ensures fair market practices and switching ease. CADA ensures sovereignty and security. A provider can be Data Act-compliant but fail CADA's sovereignty criteria (e.g., due to third-country control or lack of Union citizenship for personnel).

"CADA recognition is automatic for EU-based providers." No. Recognition under Article 17 requires a formal application, evidence submission (self-assessment or audit), and approval by national competent authorities. It is not a default status for any provider established in the Union.

"The Data Act forces you to choose CADA-tier providers." No. The Data Act is neutral regarding sovereignty. It does not mandate the use of sovereign services. CADA's Article 30 mandates the use of recognized services for specific public sector activities, but this is a CADA obligation, not a Data Act one.

"Migration under CADA can take an indefinite amount of time." No. Article 29(6) sets a strict maximum transition period of 12 months for migrations required by risk assessments. Delays beyond this could constitute non-compliance, unless technical feasibility or continuity of service dictates otherwise within that window.

This is general information about a draft EU regulation, not legal advice.