Summary
The proposed Cloud and AI Development Act (CADA) and the existing Data Act (Regulation (EU) 2023/2854) operate as complementary instruments to reduce the EU's reliance on non-European cloud providers. The Data Act acts as the "enabler" by removing technical and contractual switching barriers, ensuring users can move between providers without vendor lock-in. However, as the CADA explanatory memorandum states, the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services." CADA fills this gap by explicitly targeting "reducing dependencies on critical technologies" under Article 1(1)(d) and establishing a sovereign cloud framework. Together, they create a demand-side mechanism: the Data Act allows public authorities to switch, while CADA Article 30 mandates that they switch to services meeting specific Union assurance levels, thereby reinforcing the shift toward EU-based infrastructure.
Detail
The EU's strategic vulnerability stems from a market structure where three non-EU hyperscalers control over 70% of the European cloud market. This dependence exposes the Union to risks including the extraterritorial application of third-country laws, potential service disruptions, and a loss of operational autonomy. The legislative response involves a two-pronged approach: removing the friction of leaving non-EU providers (Data Act) and creating a structured pathway to adopt sovereign alternatives (CADA).
The Data Act: Removing the Barriers to Exit
The Data Act, which entered into force in 2023, focuses primarily on fair access to and use of data. Its most relevant provision for cloud sovereignty is the framework for switching between data processing services. By mandating interoperability, data portability, and the removal of unfair contractual terms, the Data Act ensures that cloud users can "freely choose the provider that best meets their needs and combine offers of different providers in a multi-cloud approach."
However, the CADA explanatory memorandum is explicit about the limits of this instrument. It notes that while the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers," it "does not build the road towards a more sovereign and trusted EU cloud computing sector." The Data Act is provider-neutral; it facilitates the act of switching but does not incentivize or mandate a switch to a specific type of provider (i.e., an EU-based one). It solves the problem of "how to leave" but not "where to go." Consequently, the Commission characterizes the Data Act as an "enabler" for CADA, providing the necessary technical and legal infrastructure for mobility without addressing the market failure of insufficient European supply.
CADA Article 1: Targeting Critical Dependencies
CADA addresses the supply-side gap and the strategic objective of reducing reliance on third-country technologies. Article 1(1) defines the subject matter of the regulation, listing five specific measures. Crucially, Article 1(1)(d) establishes the framework for "reducing dependencies on critical technologies." This is not merely a passive goal but an active regulatory mandate.
Complementing this is Article 1(1)(c), which aims to enable "the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order." The proposal recognizes that the current market lacks a "harmonised and auditable set of criteria" for what constitutes a trusted, sovereign service. To remedy this, CADA introduces the "Union cloud computing sovereignty framework" under Article 16, which defines four Union assurance levels. These levels provide a standardized, auditable method for public authorities to identify services that meet specific criteria regarding establishment, infrastructure location, personnel, and third-country control.
By establishing these levels, CADA transforms the abstract goal of "sovereignty" into a concrete procurement requirement. It moves beyond the Data Act's focus on portability to actively shape the market by defining the attributes of the services that public authorities should procure.
Demand-Side Procurement: The Synergy in Action
The true power of the interaction between these two laws lies in public procurement. The Data Act ensures that a public authority is not legally or technically trapped with a non-EU provider. CADA then directs the authority on which provider to select.
Under Article 30 of CADA, contracting authorities are subject to mandatory procurement rules based on risk assessments conducted under Article 29.
- Baseline Requirement: For all public sector activities, authorities must procure cloud services recognized as offering at least Union assurance level 1.
- Public Order Requirement: For activities identified as contributing to the preservation of public order (e.g., national security, defense, justice, law enforcement), authorities must procure services recognized at Union assurance levels 2, 3, or 4.
These higher assurance levels impose strict criteria that effectively exclude providers subject to third-country control or those with infrastructure outside the Union. For instance, Annex II specifies that for levels 2 and 3, infrastructure, assets, and personnel must be located in the Union, and data must remain exclusively within the Union.
Furthermore, Article 32 reinforces this shift by requiring contracting authorities to include "Union added value" as a non-price award criterion. This criterion evaluates the extent to which a tenderer contributes to strengthening the digital technology supply chain in the Union, such as by using hardware or software designed or manufactured in the EU. This creates a competitive advantage for EU-based providers and aligns public spending with the strategic objective of reducing critical dependencies.
The synergy is clear: The Data Act removes the "lock-in" that previously prevented switching, while CADA creates the "pull" by mandating that the switch be made to services that meet Union sovereignty standards. As the explanatory memorandum states, the proposal "provides a sector-specific approach to sovereignty" that the horizontal Public Procurement Directives and the Data Act alone could not achieve.
What this means for you
For public-sector bodies, cloud providers, and legal counsel, the combination of the Data Act and CADA represents a fundamental shift from voluntary switching to mandated sovereignty.
1. For Public Procurement Officers
You are no longer evaluating cloud services solely on price and technical performance. You must now integrate a sovereignty assessment into your procurement lifecycle.
- Conduct Risk Assessments: Under Article 29, you must determine which of your activities contribute to the preservation of public order. This determination dictates the minimum Union assurance level (1, 2, 3, or 4) required for your procurement.
- Verify Recognition: Ensure that any cloud service you procure is listed in the central repository established under Article 22 and recognized by a national competent authority.
- Apply Added Value Criteria: In your tender documents for innovative services, explicitly include the Article 32 criteria. Evaluate how the provider strengthens the EU supply chain, not just their technical capabilities.
- Leverage Switching Rights: Use the Data Act's portability provisions to audit your current contracts. If you are locked into a non-EU provider, the Data Act provides the legal mechanism to exit, while CADA provides the destination.
2. For Cloud Service Providers
To access the public sector market, you must align with the CADA framework.
- Seek Recognition: If you aim to serve public bodies, you must undergo the conformity assessment (self-assessment for Level 1, independent audit for Levels 2-4) to be recognized under Article 17.
- Demonstrate Sovereignty: For higher assurance levels, you must prove that your infrastructure, assets, and personnel are located in the Union and that you are not subject to third-country control.
- Prepare for Audits: Be ready to provide the audit evidence listed in Annex III, including software bills of materials (SBOM), data flow diagrams, and proof of Union establishment.
3. For Legal and Compliance Teams
The interaction creates a dual-compliance track.
- Data Act Compliance: Ensure your contracts include the necessary interoperability and portability clauses to satisfy the Data Act's switching requirements.
- CADA Compliance: Monitor the evolving recognition of providers and the outcomes of Member State risk assessments. Be aware that Article 30 creates a mandatory floor for procurement that supersedes general market choices for public order-relevant activities.
Common misconceptions
"The Data Act forces public bodies to use EU providers." Incorrect. The Data Act is provider-neutral. It ensures that users can switch providers without penalty, but it does not dictate which provider they must choose. It removes the barrier to exit but does not set the destination.
"CADA replaces the Data Act." No. The two regulations are distinct and complementary. The Data Act addresses data access, portability, and switching costs across the entire market. CADA addresses sovereignty, strategic autonomy, and the specific procurement needs of the public sector. The CADA explanatory memorandum explicitly states that the Data Act is an "enabler" for the proposal, not a predecessor to be replaced.
"All cloud services must be hosted in the EU under CADA." Not automatically. The requirement depends on the risk assessment. Article 30(2) mandates Union assurance level 1 for general activities, which allows for some flexibility (e.g., data may leave the Union if explicitly required by the public sector body). However, for activities contributing to public order, Article 30(3) mandates levels 2, 3, or 4, which strictly require data and infrastructure to remain within the Union.
"CADA only affects the public sector." While the mandatory procurement rules in Article 30 apply to contracting authorities and Union entities, the sovereignty framework (Article 16) and the reduction of dependencies (Article 1(1)(d)) create a market-wide signal. Private sector entities in critical sectors (Annex I of NIS2) are also encouraged to conduct similar impact assessments under Article 31, and the demand-side shift is expected to influence private market standards over time.
This is general information about a draft EU regulation, not legal advice.