Summary
As proposed, the Cloud and AI Development Act (CADA) does not replace the General Data Protection Regulation (GDPR) but layers strict, operational data-residency requirements on top of it for public sector cloud procurement. To align compliance, you must ensure that customer data remains exclusively within the Union to meet CADA's Union Assurance Level 1 criteria (Annex II, 1.1(c)), a requirement that often supersedes GDPR's allowance for lawful international transfers. Crucially, for third-country providers seeking recognition at Union Assurance Level 3, CADA explicitly ties eligibility to GDPR Article 45 adequacy decisions (Article 18(1)(a)), creating a direct legal bridge where a country must be "adequate" under GDPR before its providers can even be considered for CADA Level 3.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a "Union cloud computing sovereignty framework" designed to mitigate strategic risks associated with dependence on non-European cloud providers. For in-house counsel and compliance officers, the critical challenge is navigating the intersection of CADA's technical and operational sovereignty requirements with the GDPR's rules on international data transfers. While the GDPR focuses on the lawfulness of transferring personal data outside the EU through safeguards like Standard Contractual Clauses (SCCs), CADA focuses on the physical location and control of data and infrastructure to preserve public order and operational autonomy.
CADA's Data Residency Requirements: The Baseline
CADA establishes four "Union assurance levels" for cloud computing services. The foundational requirement for data localisation is set out in Annex II, Section 1 (Union assurance level 1).
To be recognised as offering Union Assurance Level 1, a cloud computing service provider must meet cumulative criteria. Specifically, Annex II, 1.1(c) mandates that:
"the customer data, including metadata and telemetry data, that is processed, stored and transferred by the cloud computing service provider, and by the subcontractors, which are involved in the provision of the service, remain exclusively within the Union, unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service;"
This is a strict residency rule. It applies to the primary provider and its subcontractors. Unlike the GDPR, which permits transfers outside the EU if appropriate safeguards are in place, CADA's Level 1 criteria generally prohibit data from leaving the Union unless the public sector body explicitly permits it. This creates a higher bar for sovereignty than GDPR alone.
For higher assurance levels (Levels 2, 3, and 4), the criteria become more stringent. Annex II, 2.1(c) (Level 2) and Annex II, 3.1(c) (Level 3) repeat the requirement that customer data remains exclusively within the Union. At Union Assurance Level 4, Annex II, 4.1(c) specifies that sensitive customer data identified via risk assessment must remain exclusively within the Union.
The Role of Article 18 and Associated Third Countries
A common point of confusion is whether non-EU providers can ever qualify for these levels. CADA addresses this through Article 18, which deals with "Associated third countries."
Article 18(1) allows the Commission to adopt implementing acts identifying third countries whose cloud computing service providers may be audited against the criteria for Union Assurance Level 3. Crucially, this is not an open door. Article 18(1)(a) sets a mandatory cumulative criterion:
"it is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679;"
This provision explicitly ties CADA's sovereignty framework to the GDPR's adequacy mechanism. A third country must first be deemed "adequate" under GDPR Article 45 before its providers can even be considered for Union Assurance Level 3. In practice, a non-EU provider that wants access to the highest tier of EU public sector procurement open to third-country providers (Level 3) must be based in a jurisdiction that the EU has already recognised as providing an adequate level of data protection.
Furthermore, Article 18(1) lists additional cumulative criteria, including that the third country has no measures enabling it to exercise control over the provider in a way that conflicts with lawful access to non-personal data, and no measures to compel the degradation of service continuity.
Aligning with GDPR Transfer Rules
For providers already compliant with GDPR, CADA adds a layer of operational constraint rather than replacing GDPR's legal bases for transfer.
- For EU-Based Providers: If you are an EU-established provider meeting CADA's Level 1 criteria, you are already keeping data in the EU. Therefore, you are not making international transfers subject to Chapter V of the GDPR. Your GDPR compliance focuses on intra-EU processing, while CADA compliance focuses on demonstrating that infrastructure and subcontractors also keep data within the Union.
- For Non-EU Providers: If you are a non-EU provider, you cannot meet the Level 1, 2, or 3 data residency criteria (which require data to remain exclusively in the Union) unless you establish EU infrastructure. Even then, to qualify for Level 3, your home country must have an adequacy decision under GDPR Article 45. If your country lacks adequacy, you cannot qualify for Level 3 under CADA, regardless of your GDPR transfer mechanisms (like SCCs). CADA's sovereignty framework is stricter than GDPR's transfer tools; SCCs are not a substitute for CADA's residency and control requirements.
Risk Assessments and Procurement Obligations
Article 29 requires Member States and Union entities to carry out risk assessments to determine which Union assurance level is appropriate for specific public sector activities. These assessments consider the sensitivity, criticality, and magnitude of data processed.
Article 30 then mandates procurement rules based on these assessments:
- Public sector bodies whose activities are not identified as contributing to the preservation of public order must use services recognised as having Union Assurance Level 1.
- Contracting authorities whose activities are identified as contributing to public order (e.g., national security, defence, law enforcement) must only procure services recognised as having Union Assurance Level 2, 3, or 4.
This means that for most standard public sector cloud usage, Level 1 is the minimum. Since Level 1 requires data to remain exclusively in the Union, your GDPR transfer impact assessments (TIAs) for international transfers may become less relevant for these specific contracts, as the data physically does not leave the EU. However, you must still ensure that any subcontractors used within the EU also adhere to this residency rule.
Penalties and Enforcement
CADA introduces its own penalty regime under Article 24. Member States must lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be effective, proportionate and dissuasive. Criteria for imposing penalties include the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained.
Importantly, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of CADA's obligations. This creates a direct civil liability risk for providers who fail to maintain data residency or other assurance level criteria.
What this means for you
For in-house counsel and compliance officers, aligning CADA and GDPR requires a two-track approach:
- Map Your Data Flows to CADA's Residency Rules: Audit your cloud architecture to ensure that for any public sector contract requiring Level 1 or higher, customer data (including metadata and telemetry) does not leave the Union. This is stricter than GDPR's "adequate protection" standard. You must technically enforce this boundary, even for backup and disaster recovery sites.
- Verify Third-Country Status via GDPR Article 45: If you are a non-EU provider aiming for Level 3, confirm that your home country has an adequacy decision under GDPR Article 45. Without this, CADA recognition at Level 3 is impossible. Monitor the Commission's list of adequate countries, as CADA eligibility is directly dependent on this GDPR status.
- Prepare for Risk Assessments: Engage with public sector clients early to understand their risk assessments under Article 29. If their activities are deemed to impact public order, you will need to demonstrate compliance with Level 2, 3, or 4 criteria, which include stricter requirements on personnel citizenship, cybersecurity certification, and third-country control.
- Update Subcontractor Contracts: Ensure all subcontractors involved in service provision are contractually bound to keep data within the Union. CADA's criteria apply to the provider and its subcontractors. A breach by a subcontractor is a breach by the provider.
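As an added illustration of the data-flow mapping step above (this is not code from the page or from any regulator), the following Python sketch checks a constructed cloud inventory against the Annex II 1.1(c) residency criterion, treating backup/DR sites and subcontractors exactly like primary sites and honouring the public-sector-body carve-out; the EU member-state code list, the location names and the role labels are assumptions.

```python
"""Added example: audit an inventory of data locations against CADA's Annex II 1.1(c)."""
from dataclasses import dataclass

# ISO 3166-1 alpha-2 codes of the EU Member States (assumption: "the Union" means the EU-27).
EU_MEMBER_STATES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
})

# Annex II 1.1(c) covers customer data "including metadata and telemetry data".
IN_SCOPE_DATA = {"customer_data", "metadata", "telemetry"}


@dataclass
class Location:
    """One place where data is processed, stored or transferred (hypothetical fields)."""
    name: str              # e.g. "primary-db", "dr-backup"
    country: str           # ISO country code of the physical site
    operator: str          # "provider" or the subcontractor's name
    data_kinds: set        # what is held there
    role: str = "primary"  # "primary", "backup", "dr", "telemetry-sink"


def residency_violations(locations, explicit_exceptions=frozenset()):
    """Return a finding for every in-scope location outside the Union.

    explicit_exceptions: location names the public sector body has explicitly
    required to sit outside the Union (the carve-out in Annex II 1.1(c)).
    Subcontractor-run sites and backup/DR copies get no special treatment.
    """
    findings = []
    for loc in locations:
        held = loc.data_kinds & IN_SCOPE_DATA
        if not held or loc.country in EU_MEMBER_STATES or loc.name in explicit_exceptions:
            continue
        findings.append(f"{loc.name} ({loc.role}, run by {loc.operator}) holds "
                        f"{sorted(held)} in {loc.country}")
    return findings


# Constructed sample inventory: the primary site is fine, but a DR replica in a country
# with GDPR adequacy and a subcontracted telemetry pipeline both sit outside the Union.
SAMPLE_INVENTORY = [
    Location("primary-db", "DE", "provider", {"customer_data", "metadata"}),
    Location("dr-backup", "GB", "provider", {"customer_data"}, role="dr"),
    Location("telemetry-sink", "US", "MetricsCo", {"telemetry"}, role="telemetry-sink"),
    Location("status-page", "US", "provider", {"public_marketing"}),
]

if __name__ == "__main__":
    for finding in residency_violations(SAMPLE_INVENTORY):
        print("VIOLATION:", finding)
```

The GB replica is flagged even though the UK holds a GDPR adequacy decision, which is the page's point that adequacy and SCCs do not substitute for residency.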
Common misconceptions
- "GDPR Standard Contractual Clauses (SCCs) are enough for CADA compliance." No. SCCs facilitate lawful data transfers under GDPR, but CADA's Union Assurance Levels 1, 2, and 3 require data to remain exclusively within the Union. SCCs allow data to leave the EU; CADA's residency criteria generally prohibit it. They are not interchangeable.
- "CADA replaces GDPR transfer rules." No. CADA complements GDPR. For public sector procurement, CADA's residency rules may restrict transfers so heavily that GDPR transfer mechanisms are rarely used. However, GDPR still applies to the processing of personal data within the EU. You must comply with both.
- "Any non-EU provider can qualify for Level 3 if they use EU data centres." No. Even with EU data centres, a non-EU provider can only qualify for Level 3 if their home country has an adequacy decision under GDPR Article 45 (Article 18(1)(a)). Without adequacy, they are ineligible for Level 3 recognition, regardless of their technical setup.
Official sources
Related
- How to meet EU establishment and data localisation for CADA Level 1
- How to align CADA recognition with Data Act switching and portability duties
- What is the data centre permit timeline under CADA?
- How does a public body share cloud or data centre services in the EuroCloud Federation?
- How does a Member State designate a data centre acceleration zone under CADA?
This is general information about a draft EU regulation, not legal advice.