Summary
As proposed, the Cloud and AI Development Act (CADA) would put digital sovereignty and strategic autonomy at the centre of EU cloud and AI policy. Article 1 makes resilience and strategic autonomy an explicit general objective and lists "reducing dependencies on critical technologies" as a core measure. The proposal would operationalise this through a Union cloud computing sovereignty framework of four assurance levels, accelerated data-centre deployment, and procurement rules that steer the public sector toward trusted, sovereign services. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.
Detail
The proposed CADA responds to the EU's reliance on a small number of non-EU cloud providers — the explanatory memorandum notes that three non-EU hyperscalers control over 70% of the European cloud market. As proposed, the Act would help shift the EU from consumer to producer of trusted, sovereign digital infrastructure. Its sovereignty aims are anchored in the objectives set out in Article 1.
Strategic autonomy as an explicit objective
Article 1(3), as proposed, sets out the second general objective: to "improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy in cloud and AI technologies." This is stated as separate from and complementary to the first general objective (competitiveness and innovation, Article 1(2)). A uniform framework is intended to prevent fragmented national approaches that could undermine collective sovereignty.
Reducing critical dependencies
Article 1(1)(d) lists, among the framework's measures, "reducing dependencies on critical technologies." The explanatory memorandum frames the current landscape as exposing European users to operational-discontinuity risk, where decisions by third-country actors could disrupt service. CADA would respond by fostering a competitive EU market, supporting domestic capability, and ensuring that public-sector activities underpinning public order are served by appropriately assured cloud services.
The Union cloud computing sovereignty framework
Article 16, as proposed, would establish a Union cloud computing sovereignty framework comprising four "Union assurance levels" (Levels 1–4), with the criteria set out in Annex II. Those criteria are cumulative and tighten with each level. They cover, for example:
- Establishment and location: the provider must be established in the Union, with infrastructure in the Union and customer data (including metadata and telemetry) remaining exclusively within the Union — at Level 1, "unless the public sector body explicitly requires otherwise."
- Personnel and control: the upper levels are stricter; Levels 3 and 4 require personnel involved in the service to be Union citizens and prohibit third-country control, whereas Level 1 may permit a provider under third-country control subject to conditions.
- Cybersecurity and supply chain: state-of-the-art cybersecurity, software-supply-chain transparency (including a software bill of materials at the audited levels), and measures against third-country remote access and tampering.
Public procurement and risk assessments
The proposal links sovereignty to demand. Under Article 29, Member States and Union entities would conduct risk assessments identifying which activities contribute to the preservation of public order (for example national security, defence, justice, law enforcement, and NIS2 critical sectors) and which assurance level is appropriate. Under Article 30, buyers must then procure accordingly: Level 1 for ordinary activities (Article 30(2)) and Levels 2, 3 or 4 for public-order-relevant ones (Article 30(3)). This would create guaranteed demand for sovereign services and incentivise providers to meet the criteria.
An open, rules-based posture
The proposal presents this as compatible with the EU's open international stance. According to the explanatory memorandum, CADA is compatible with the EU's June 2025 Communication on an International Digital Strategy and offers a transparent, non-discriminatory blueprint for digital autonomy. A recital notes that the EU retains the right, in line with the WTO Government Procurement Agreement (Article III:2(a)), to adopt necessary and proportionate measures to protect public morals, order or safety — allowing proportionate restrictions on access to public procurement. The framing is structured autonomy rather than isolationism.
Accelerating infrastructure
Sovereignty also needs physical capacity. Title III would accelerate data-centre deployment, including through "data centre acceleration zones" with aggregated baseline permits and a permit-granting time limit not exceeding 12 months (Article 13). The explanatory memorandum states the aim of at least tripling EU data-centre capacity over the next five to seven years.
What this means for you
For public-sector procurement officers, CADA as proposed would fold sovereignty into procurement alongside cost and quality.
- Engage with risk assessments. Align with the national/Union risk assessments under Article 29 to determine whether your activities contribute to public order — this sets the minimum assurance level you may procure.
- Procure assured services. Use Level 1 for ordinary activities and Levels 2, 3 or 4 for public-order-relevant ones, checking the Article 22 central repository for recognised services.
- Evaluate Union added value. Include the Article 32 non-price criteria (EU-designed/manufactured hardware and software, Union-developed technologies), keeping them ancillary and not decisive.
- Consider multi-cloud. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate, reducing single-provider dependency.
Common misconceptions
- "CADA bans non-EU cloud providers." No. It creates a tiered framework in which providers can compete if they meet the Annex II criteria. The upper levels are stricter (Union-citizen personnel and no third-country control at Levels 3 and 4). Under Article 18, the Commission may also identify "associated third countries" whose controlled providers may be audited against the Level 3 criteria, subject to cumulative conditions.
- "Sovereignty means only using open-source software." No. The proposal encourages open-source use (for example, Article 41 would require Union entities and public sector bodies to encourage and facilitate open-source solutions over proprietary ones), but it does not mandate exclusive open-source use. The assurance framework focuses on establishment, data location, control and operational autonomy.
- "The sovereignty framework binds all private companies." The mandatory procurement rules and risk assessments target public sector bodies and Union entities. Under Article 31, NIS2 critical-sector entities that are not public bodies may carry out similar assessments, and the Commission may, by delegated act in duly justified circumstances, require impact assessments and mitigation measures for such entities in sectors of high criticality.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Digital Decade Policy Programme (Decision (EU) 2022/2481)
This is general information about a draft EU regulation, not legal advice.