Does the Data Act's egress-fee removal affect CADA cloud procurement?

Summary The proposed Cloud and AI Development Act (CADA) does not regulate data egress fees or switching charges; that regulatory burden remains entirely with the Data Act (Regulation (EU) 2023/2854). The Data Act phases out excessive switching fees to lower migration costs, directly supporting CADA's strategic objective of reducing dependencies on non-EU providers. While the Data Act removes the financial friction of leaving incumbent hyperscalers, CADA Article 30 provides the mandatory procurement framework that drives the demand for sovereign EU alternatives. Without the Data Act's removal of egress fees, the migration required by CADA could be economically prohibitive; without CADA's mandates, the Data Act's fee removal might not generate sufficient demand for EU providers.

Detail

To understand the intersection of the Data Act and the proposed CADA, it is necessary to distinguish between the mechanism of switching and the mandate to switch. These two instruments operate as complementary pillars of the EU's digital sovereignty strategy. The Data Act addresses market distortions caused by vendor lock-in and high switching costs, while CADA addresses strategic dependencies on third-country infrastructure and the need for a trusted, sovereign cloud offer.

The Data Act's Role in Removing Egress Fees

The Data Act was designed to ensure fair access to data and reduce vendor lock-in in the cloud market. A critical component of this regulation is the limitation on switching charges. Under the Data Act, cloud computing service providers are prohibited from charging excessive fees for switching services. The regulation mandates that switching costs be limited to the actual costs incurred by the provider to facilitate the switch, effectively phasing out punitive egress fees that previously discouraged customers from moving their workloads to competitors.

By capping these fees, the Data Act lowers the economic barrier to migration. For public sector bodies and large enterprises, this means that the financial risk of moving data and applications from incumbent, often non-EU, hyperscalers to new or smaller EU-based providers is significantly reduced. The explanatory memorandum for CADA explicitly acknowledges this relationship, stating that the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services" but acts as an "enabler" for the proposal. The Data Act's cloud switching and interoperability provisions "make it possible for users to embrace European cloud computing services more strongly."

However, the Data Act alone does not create demand for sovereign services; it merely removes the obstacles to switching. It creates the possibility of migration but does not compel it.

CADA's Procurement Mandate and Sovereignty Levels

While the Data Act facilitates the ability to switch, CADA creates the obligation to switch in specific contexts. CADA establishes a Union cloud computing sovereignty framework comprising four assurance levels (Union assurance levels 1 through 4), as set out in Article 16 and Annex II. These levels define the criteria for trusted cloud computing services, ranging from basic establishment in the Union (Level 1) to strict requirements regarding personnel citizenship, infrastructure location, and the absence of third-country control (Levels 3 and 4).

Article 30 of CADA sets out the specific procurement obligations for contracting authorities, creating a demand-side pull for these sovereign services:

1. Baseline Requirement: Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1.
2. Public Order Requirement: Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., sectors under the NIS2 Directive, national security, defense, justice, or law enforcement) must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4.

Article 30(4) includes derogations allowing authorities to deviate from these requirements only in exceptional circumstances, such as when no recognized service exists in the central repository, when previous tenders failed to yield suitable participants, or when compliance would result in disproportionate costs.

The Synergy: Lowering Costs to Enable Sovereign Procurement

The interaction between the Data Act and CADA is deeply synergistic. Without the Data Act's restrictions on egress fees, the mandatory migration required by CADA Article 30 could be prohibitively expensive for public authorities. High switching costs would act as a de facto barrier to compliance, allowing incumbent non-EU providers to retain market share through financial friction rather than service quality. The Data Act ensures that the "switching" mechanism is economically viable.

Conversely, without CADA's procurement mandates, the removal of egress fees under the Data Act might not lead to a significant shift toward EU providers. Public buyers might lack the strategic direction or legal incentive to migrate away from established non-EU incumbents, even if the cost of doing so is lower. CADA provides the demand-side push by legally requiring public entities to prioritize sovereign services, while the Data Act ensures that this push is not blunted by artificial financial barriers.

CADA further supports this transition by introducing "Union added value" criteria in public procurement under Article 32. Contracting authorities must include non-price award criteria that evaluate a tenderer's contribution to the European cloud ecosystem, such as the use of hardware designed or manufactured in the Union. This incentivizes providers to invest in local infrastructure and supply chains, further reducing long-term dependencies.

CADA Does Not Regulate Egress Fees

It is crucial to note that CADA does not introduce new rules on data egress fees, switching charges, or the commercial terms of data portability. The regulation focuses exclusively on the trustworthiness, sovereignty, and resilience of the service rather than the commercial mechanics of switching. The regulatory burden of ensuring fair switching costs remains squarely with the Data Act and national enforcement authorities.

CADA assumes that the switching mechanisms established by the Data Act will function effectively to allow public authorities to comply with Article 30's procurement requirements. The CADA proposal explicitly states that it is "consistent with the rules on switching between data processing services introduced by the Data Act," but it does not duplicate or override those rules.

What this means for you

For cloud service providers, data centre operators, and public sector buyers, the interplay between the Data Act and CADA presents a clear strategic roadmap.

For EU-based Cloud Providers:

• Market Opportunity: As public sector bodies are mandated by CADA Article 30 to migrate to Union assurance level 1 (or higher) services, demand for compliant EU providers will increase. The removal of egress fees under the Data Act makes your services significantly more attractive to customers currently locked into non-EU incumbents, as the cost of leaving their current provider is now capped.
• Certification is Key: To benefit from this demand, you must seek recognition under the CADA framework. For Level 1, this involves a conformity self-assessment (Article 19). For Levels 2–4, you must undergo independent third-party audits (Article 20). Without this recognition, you cannot be procured by public authorities under Article 30.
• Competitive Positioning: Use Article 32's "Union added value" criteria to your advantage. Highlight your use of EU-designed hardware, local data residency, and adherence to EU legal frameworks in your tenders.

For Non-EU Cloud Providers:

• Barriers to Entry: The combination of CADA's procurement mandates and the Data Act's switching facilitation creates a challenging environment for non-EU providers in the public sector market. Article 30 explicitly restricts public order-critical procurements to services with higher assurance levels, which are difficult for non-EU controlled entities to achieve due to criteria regarding third-country control and personnel citizenship (Annex II).
• Associated Third Countries: There is a narrow pathway for non-EU providers via "associated third countries" under Article 18. If your home country is recognized by the Commission as providing sufficient assurances (e.g., through adequacy decisions and lack of extraterritorial data access laws), your services may be eligible for Union assurance level 3. However, this is subject to strict criteria and Commission discretion.

For Data Centre Operators:

• Infrastructure Demand: The push for sovereign cloud services will drive demand for data centres that can host Union assurance level 3 and 4 services. This includes requirements for infrastructure located exclusively in the Union, personnel based in the Union, and robust cybersecurity certifications.
• Strategic Projects: Consider applying for designation as a "data centre strategic project" under Article 14. Projects that contribute to the balanced distribution of computing capacity or include highly sustainable features may receive support and faster permitting through the data centre acceleration zones established in Title III of CADA.

Common misconceptions

Misconception 1: CADA sets the maximum egress fee. Correction: CADA does not regulate egress fees. This is solely the domain of the Data Act. CADA focuses on the technical and legal criteria for sovereignty, not the commercial terms of switching.

Misconception 2: Removing egress fees automatically means public bodies will switch to EU providers. Correction: Lower switching costs remove a barrier, but they do not create demand. Public bodies are only required to switch to EU sovereign providers if mandated by CADA Article 30. Without this mandate, market forces alone may not drive a rapid shift to EU providers, especially if incumbents offer superior technical capabilities or pricing.

Misconception 3: All public sector cloud procurements must use Level 4 services. Correction: Article 30 distinguishes between activities that contribute to public order and those that do not. Only activities identified as contributing to public order (e.g., defense, justice) must use Level 2, 3, or 4 services. Other public sector activities must use at least Level 1 services. The risk assessment under Article 29 determines the required level.

Misconception 4: Non-EU providers are completely banned from the EU market. Correction: CADA does not ban non-EU providers. It restricts their access to public sector procurements, particularly for sensitive activities. Non-EU providers can still serve private sector customers. Furthermore, non-EU providers may qualify for Level 3 recognition if their home country is designated as an "associated third country" under Article 18, provided they meet strict sovereignty criteria.

Official sources

• Data Act (Regulation (EU) 2023/2854)
• Data Governance Act (Regulation (EU) 2022/868)

Related

• Why does CADA call the Data Act an 'enabler'?
• CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
• CADA for Cloud Providers: How it stacks with NIS2, DORA & the Data Act
• DGA vs CADA: Does Data Governance Act compliance satisfy CADA?
• If I already comply with the Data Act, do I comply with CADA?

This is general information about a draft EU regulation, not legal advice.