Summary As proposed, the Cloud and AI Development Act (CADA) would reach a wide range of actors in the EU cloud and AI ecosystem, not only large technology companies. Whether it applies to you depends on your role, not your size. If you provide cloud computing services, operate a data centre, are a public sector body or Union entity buying cloud, or are a contracting authority, CADA would touch you — but the obligations differ sharply by role. Cloud providers face a voluntary-but-commercially-decisive sovereignty recognition framework; public buyers face procurement duties tied to assurance levels; data centre operators benefit from accelerated permitting. The starting point is to map your organisation against the subject matter in Article 1 and the defined terms in Article 2.

Detail

Working out whether CADA would apply to you means looking at two things: which defined category you fall into, and which activity you carry out in the cloud and AI value chain. As proposed, the Regulation is built to cover that chain end to end — from infrastructure providers through to public sector buyers.

1. The scope: Article 1 and the definitions in Article 2

Article 1 sets out the subject matter: the proposal would establish a framework to strengthen the Union cloud and AI ecosystem through measures including the Cloud and AI Leadership Initiatives, accelerated data centre deployment, a sovereign cloud offer to safeguard public order, reduced dependencies on critical technologies, and greater public sector cloud adoption. Article 2 then defines the actors and concepts that determine who is in scope. The headline categories to map yourself against are:

  • Cloud computing service provider (CSP): Article 2(2) defines this as "a legal entity which provides a cloud computing service." A cloud computing service is defined in Article 2(1) by reference to point (30) of Article 6 of the NIS2 Directive (Directive (EU) 2022/2555) — broadly, a digital service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. IaaS, PaaS and SaaS all fall within this, including services that host AI systems.
  • Data centre operator: Article 2(11) defines this by reference to Delegated Regulation (EU) 2024/1364.
  • Public sector body: Article 2(6) defines this by reference to point (1) of Article 2 of Directive (EU) 2019/1024 (the Open Data Directive) — state, regional and local authorities, bodies governed by public law, and associations of such bodies.
  • Union entities: Article 2(7) covers the Union institutions, bodies, offices and agencies set up by or under the TEU, the TFEU or the Euratom Treaty.
  • Contracting authorities: Article 2(22) defines these by reference to Article 2(1) of Directive 2014/24/EU.

2. Obligations attach by role, not uniformly

CADA does not impose one set of rules on everyone. As proposed, the obligations attach according to the role you play.

Cloud computing service providers

If you are a CSP that wants to serve public sector bodies or Union entities, the cloud sovereignty framework in Title IV applies. Article 16(1) establishes four Union assurance levels, with criteria set out in Annex II, that providers "shall meet in order to provide their cloud computing services to Union entities and public sector bodies."

  • Level 1 rests on a conformity self-assessment and an EU statement of conformity (Article 19). SMEs issuing that statement are directly and automatically recognised across the Union (Article 17(3)).
  • Levels 2–4 require independent third-party audits (Article 20) and recognition by the national competent authority of establishment (Article 17).
  • In practice, you cannot win public contracts for public-order activities unless your service is recognised at the appropriate level (Article 30).

Data centre operators

If you build or operate data centres, the measures in Title III may apply. Member States are to designate data centre acceleration zones (Article 10); projects in those zones benefit from streamlined permitting, including a permit-granting limit that, as proposed, must not exceed 12 months (Article 13). The Commission may also designate "data centre strategic projects" by decision (Article 14).

Public sector bodies and Union entities

If you are a public authority or Union entity, CADA imposes demand-side duties. Under Article 29, Member States and Union entities must carry out risk assessments — by one year after entry into force and every two years thereafter — to identify public sector activities that contribute to the preservation of public order and the assurance level appropriate to them. Article 30 then turns that into a procurement rule: for activities not identified as public-order activities, you must use services recognised at Level 1 (Article 30(2)); for activities that do contribute to public order in the listed sectors and domains, you may only procure services recognised at Level 2, 3 or 4 (Article 30(3)), subject to narrow derogations (Article 30(4)).

Private sector entities

The strict procurement mandates target public buyers. Article 31 addresses private sector entities through impact assessments; the proposal does not subject ordinary private-to-private cloud contracts to the assurance-level recognition requirements. That said, if you supply the public sector, the sovereignty framework reaches you commercially.

What this means for you

For in-house counsel and compliance leads, even though CADA is only a proposal and not yet in force, the prudent steps are:

  1. Classify yourself against Article 2. Decide whether your core activity meets the cloud computing service definition in Article 2(1); if so, you are a CSP. Check separately whether you are also a data centre operator, public sector body or contracting authority — a single organisation can hold more than one role.
  2. If you are a CSP, examine your supply chain and data flows. The Annex II criteria turn on where infrastructure, personnel and customer data sit and who controls the provider. Map subcontractors and data locations now.
  3. If you are a public buyer, prepare your procurement templates. You will need to require a specific assurance level and verify recognition via the central repository (Article 22) rather than accept a vendor's self-description.
  4. Track national implementation. Member States must designate national competent authorities by one year after entry into force (Article 25(1)); those designations will tell you who evaluates and supervises you.
  5. Build audit readiness if you target the public sector at higher levels. Independent audits (Article 20) will probe your software supply chain, personnel arrangements and data localisation.

Common misconceptions

"CADA only applies to Big Tech hyperscalers." No. As proposed, the framework reaches any legal entity providing a cloud computing service (Article 2(2)) that wants to serve the public sector — including mid-sized European providers and niche SaaS firms. SMEs get a lighter Level 1 route (Article 17(3)), but they are not carved out.

"If I am a private company, CADA cannot touch me." The hard procurement mandates target public buyers, and Article 31 deals with private entities via impact assessments. But if you supply cloud to the public sector, the sovereignty framework determines your eligibility for those contracts.

"CADA replaces the AI Act." No — they are complementary. The AI Act (Regulation (EU) 2024/1689) regulates AI systems (prohibited practices, high-risk requirements, transparency). CADA, as proposed, regulates cloud infrastructure, sovereignty and public procurement. An organisation may need to comply with both.

"Data localisation is absolute under CADA." The Annex II criteria require customer data to remain within the Union, but at several levels this is qualified by "unless the public sector body explicitly requires otherwise." Localisation is the default, not an unconditional rule.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.