Summary As proposed, the Cloud and AI Development Act (CADA) would create targeted market opportunities for AI startups and scale-ups by mandating that Member States pursue an objective of awarding at least 25% of their cloud and AI innovation procurement to innovative SMEs. The proposal explicitly acknowledges that public authorities often face "limited financial resources, reduced purchasing power, [and] insufficient technical or procurement expertise," which CADA aims to mitigate through centralized procurement and simplified access. Simultaneously, the Act establishes a "frontier AI priority project" mechanism (Articles 8–9) to allocate high-performance computing resources to collaborative European projects, while the new Union cloud sovereignty framework creates a distinct, protected market segment for EU-based providers who can meet strict assurance criteria.

Detail

The Cloud and AI Development Act (CADA), presented as Commission Proposal COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by addressing capacity gaps, reducing dependencies on third-country providers, and fostering innovation. For AI startups, scale-ups, and small-to-medium-sized enterprises (SMEs), the proposal introduces specific provisions intended to level the playing field against larger incumbents. The impact on these entities can be understood through three primary lenses: public procurement access, computing resource allocation, and the emerging sovereign cloud market.

1. Public Procurement and Market Access for SMEs

A significant barrier for AI startups is often the inability to compete for large public sector contracts due to complex procurement processes, high administrative burdens, and limited financial buffers. CADA directly addresses this structural disadvantage in Article 33, which focuses on the monitoring of procurement of innovation in cloud and AI.

The proposal sets a clear, albeit aspirational, target for Member States: they shall "pursue as objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs" (Article 33(4)). To ensure this is not merely rhetorical, Member States are required to include specific plans in their national cloud and AI strategies on how they intend to achieve this objective.

The legislative text explicitly grounds this measure in the reality faced by smaller entities. Recital 74 notes that "Contracting authorities of Member States frequently encounter significant difficulties in procuring digital solutions such as data centre services, cloud computing services, software and AI systems. Limited financial resources, reduced purchasing power, insufficient technical or procurement expertise prevent public-sector bodies from effectively accessing such services."

CADA aims to mitigate this by empowering the Commission to act as a central purchasing body. By aggregating demand, the Commission can leverage collective buying power to negotiate better terms and lower prices, effectively lowering the entry barrier for SMEs who might otherwise be priced out or unable to navigate complex tender procedures alone. Furthermore, the proposal mandates that Member States monitor and report annually on SME participation trends, including the number of contracts awarded to SMEs and their share of total contract value (Article 33(3)). This reporting requirement creates transparency and accountability, ensuring that the stated objectives of supporting SMEs are actively tracked and that barriers to participation are identified and addressed.

2. Access to Computing Resources for Frontier AI

For AI startups working on cutting-edge models, access to high-performance computing (HPC) is often a critical bottleneck that can stifle innovation. CADA addresses this through Articles 8 and 9, which establish a framework for "frontier AI priority projects."

Article 8 sets out the criteria for the Commission to recognize a project as a "frontier AI priority project." These projects must support "grand challenge 3" set out in Annex I of the Regulation (which focuses on developing next-generation multimodal frontier AI models) and meet specific cumulative criteria:

  • Being a pioneering project focused on the support and scaling-up of frontier AI technologies.
  • Being undertaken by a European digital infrastructure consortium (EDIC) established pursuant to Decision (EU) 2022/2481 or another legal entity eligible for funding under Union law.
  • Involving the participation of at least three Member States.

Once a project is recognized under Article 8, Article 9 mandates that the Union and Member States ensure sufficient AI computing resources are allocated to support its development. Specifically, Article 9(2) states that the Union shall "at least match the AI computing resources contributed by Member States to frontier AI priority projects" to the extent that sufficient capacity is available within the Union's share of European high-performance computing access time.

While this mechanism primarily targets large-scale, collaborative projects involving multiple Member States, it signals a strategic intent to reserve and allocate compute capacity for European AI innovation. For startups, the opportunity lies in partnering with larger entities, research institutions, or established industry players to form consortia that might qualify for "frontier AI priority project" status. The proposal also notes that the Union and Member States shall "endeavour to provide sufficient computing resource for AI industrial innovation, physical AI and public sector AI projects" (Article 9(3)), suggesting broader potential support beyond just frontier AI, though the specific allocation mechanisms for these categories remain to be detailed in secondary legislation.

3. The Sovereign Cloud Market Opportunity

CADA introduces a "Union cloud computing sovereignty framework" consisting of four assurance levels (Article 16). This framework creates a new, protected market segment for cloud and AI providers who can demonstrate compliance with strict sovereignty criteria, effectively shielding them from competition with non-EU hyperscalers in sensitive sectors.

For AI startups and scale-ups, this represents a significant commercial opportunity. Public sector bodies are required to procure cloud computing services that meet specific Union assurance levels based on risk assessments (Article 30). Specifically:

  • Public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognized as having Union assurance level 1 (Article 30(2)).
  • Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in national security, defense, justice, law enforcement) must only procure services recognized as having Union assurance levels 2, 3, or 4 (Article 30(3)).

Achieving these assurance levels requires meeting cumulative criteria set out in Annex II. For example, Union assurance level 1 requires the provider to be established in the Union, with infrastructure and assets located in the Union, and customer data remaining exclusively within the Union (Annex II, Section 1.1). Higher levels introduce stricter requirements, such as personnel being Union citizens (conditional at L2, mandatory at L3/L4) and obtaining European cybersecurity certificates of at least "substantial" (L2/L3) or "high" (L4) assurance.

Startups that build their architecture from the ground up to meet these sovereignty criteria can position themselves as preferred suppliers for public sector contracts. By being listed in the central repository of recognized services (Article 22), they gain visibility and trust for potential public sector buyers, effectively bypassing competition from non-EU hyperscalers that may not meet these stringent localization and control requirements. The proposal also encourages the use of open-source solutions (Article 41), which can lower development costs and increase transparency for startups entering this market.

What this means for you

For CTOs, founders, and architects at AI startups and scale-ups, CADA presents both immediate action items and long-term strategic considerations.

1. Align with Sovereignty Standards Early If you plan to sell to the public sector, begin aligning your cloud and AI infrastructure with the criteria for Union assurance level 1 as defined in Annex II immediately. This includes ensuring your legal entity is established in the EU, your infrastructure is located in the Union, and your data processing remains exclusively within the Union. Proactively demonstrating compliance will position you to be listed in the central repository of recognized services, giving you a competitive edge in public procurement. For higher assurance levels, prepare for the requirement of Union citizenship for personnel and rigorous third-party audits.

2. Leverage Procurement Support Mechanisms Stay informed about national cloud and AI strategies, as Member States must include plans for achieving the 25% SME procurement target (Article 33(4)). Engage with national "Centres for AI" (established under Article 5), which are tasked with helping organizations accelerate digital transformation and connecting them with European providers. These centers can serve as critical entry points to the European AI innovation ecosystem and may offer guidance on navigating the new procurement landscape.

3. Explore Collaborative Compute Access While Articles 8 and 9 primarily target large-scale frontier AI projects, they highlight the EU's commitment to allocating compute resources for European AI innovation. Consider partnering with research institutions, other startups, or established industry players to form consortia that might qualify for "frontier AI priority project" status or access to allocated EuroHPC capacity. This collaborative approach can mitigate the high costs of compute resources and provide access to resources that would otherwise be unattainable for a single startup.

4. Monitor Delegated and Implementing Acts Many specifics of CADA, such as the detailed criteria for Union assurance levels, audit procedures, and the methodology for risk assessments, will be defined in delegated and implementing acts. Keep a close watch on these developments, as they will provide the concrete technical and operational requirements you need to meet for compliance and recognition. The Commission is empowered to amend Annex II to update criteria based on technological developments (Article 16(2)).

Common misconceptions

Misconception 1: CADA bans the use of non-EU cloud providers. This is incorrect. CADA does not ban non-EU providers. Instead, it establishes a risk-based framework where public sector bodies must use services that meet specific "Union assurance levels" based on the sensitivity of their activities. For non-critical public sector activities, Union assurance level 1 is required, which can potentially be met by providers subject to third-country control if they implement sufficient legal, technical, and organizational measures to ensure operational autonomy and data confidentiality (Annex II, Section 1.1(g)). However, for critical public order activities, higher assurance levels (2, 3, or 4) impose stricter requirements, such as prohibiting third-country control (Annex II, Sections 3.1(g) and 4.1(g)), effectively limiting the market for non-EU providers in these sensitive areas.

Misconception 2: The 25% SME procurement target is a mandatory quota. The proposal uses the language "pursue as objective" (Article 33(4)), indicating an aspirational target rather than a strict legal quota. However, Member States are required to include plans in their national strategies on how they intend to achieve this objective and to report annually on SME participation trends. This creates a strong political and administrative pressure to meet the target, and failure to do so could impact future funding or regulatory standing.

Misconception 3: All AI startups will automatically get access to HPC resources. Access to computing resources under Articles 8 and 9 is not automatic or universal. It is specifically tied to "frontier AI priority projects" that meet strict criteria, including pioneering nature, involvement of at least three Member States, and support for specific grand challenges. Startups working on less critical or non-frontier AI applications may not qualify for this specific support mechanism, though they may benefit from broader initiatives under the Cloud and AI Leadership Initiatives or the Centres for AI network.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.