Summary

Under the proposed Cloud and AI Development Act (CADA), medical-device and health-AI vendors face a dual regulatory reality: the existing AI Act governs product safety and risk classification, while CADA targets the underlying cloud infrastructure and procurement conditions. CADA would require public-sector health bodies to conduct risk assessments that often mandate higher "Union assurance levels" for cloud services, effectively pushing health-AI vendors toward sovereign, EU-based hosting for workloads tied to the preservation of public order. Vendors must navigate a framework where infrastructure location, personnel citizenship, and supply-chain transparency become prerequisites for public contracts.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, does not replace the EU AI Act; rather, it creates the infrastructural and procurement framework that health-AI vendors must navigate to sell into the European public sector and critical industries. For CTOs and architects, the impact is felt primarily through three mechanisms: the sovereignty framework for cloud hosting, the public procurement rules for health data, and the strategic push for European AI capabilities.

1. Sovereign Cloud Requirements for Health-AI Deployment

The most immediate operational impact of CADA on health-AI vendors is the new "Union cloud computing sovereignty framework." CADA introduces four "Union assurance levels" (UAL 1–4) that classify cloud services based on their resilience against third-country interference and data sovereignty risks (Article 16).

Healthcare is explicitly identified as a sector where AI adoption is critical. Recital 19 states that advancements in healthcare "should improve the accuracy of clinical decisions and transform the pharmaceutical sector." Furthermore, Recital 18 highlights that the Cloud and AI Leadership Initiatives aim to accelerate the uptake of AI across strategic sectors, including healthcare, while Recital 22 emphasizes the need to increase the development and adoption of AI models in critical public sector domains like healthcare.

Because health data is highly sensitive and often classified as critical, public-sector health bodies (hospitals, research institutes, and national health services) must perform risk assessments under Article 29. These assessments determine which Union assurance level is required for specific activities. The risk assessment must consider the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by a third country (Article 29(2)).

If a health-AI system processes sensitive patient data or supports critical public health functions, the risk assessment will likely require Union assurance level 2, 3, or 4. This has profound implications for vendors:

  • Infrastructure Location: To meet higher assurance levels, the infrastructure, assets, and personnel involved in providing the service must be located in the Union (Annex II, Section 2.1(b) and 3.1(b)).
  • Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Section 2.1(c)).
  • Personnel Citizenship: For higher assurance levels (UAL 3 and 4), personnel involved in service provision must be Union citizens and, where appropriate, hold national security clearances when handling classified information (Annex II, Section 3.1(d) and 4.1(d)). Note that for Level 2, Union citizenship is a conditional requirement, applicable only if the public sector body explicitly requires it (Annex II, Section 2.1(d)).
  • Third-Country Control: For Level 3 and 4, the provider and its subcontractors must not be subject to the control of a third country, unless the Commission has adopted an implementing act under Article 18 recognizing that third country as providing sufficient safeguards (Annex II, Section 3.1(g)).

For vendors relying on global hyperscalers with third-country control, this creates a significant barrier. CADA aims to reduce dependence on non-European providers (Recital 46), meaning health-AI vendors may need to architect their solutions to run on EU-sovereign cloud stacks or partner with providers who can demonstrate compliance with these stringent sovereignty criteria.

2. Public Procurement and "Union Added Value"

CADA directly influences how health-AI systems are bought by public authorities. Article 32 introduces "Union added value" as a non-price award criterion in public procurement. Contracting authorities must evaluate how a tenderer contributes to strengthening the digital technology supply chain in the Union.

For health-AI vendors, this means that technical superiority alone may not win a contract. Procurement officials will assess:

  • The extent to which the vendor integrates technologies developed in the Union.
  • Whether the service is delivered using hardware components (chips, servers) designed or manufactured in the Union.
  • The vendor's contribution to the development of a European cloud and AI ecosystem.

While this criterion is "ancillary and not decisive" (Article 32(2)(d)), it provides a competitive edge to vendors who localize their supply chain and development efforts within the EU. Furthermore, Article 30 mandates that contracting authorities whose activities contribute to the preservation of public order (which includes critical healthcare infrastructure) may procure only cloud services recognized as offering Union assurance levels 2, 3, or 4 (Article 30(3)). This effectively bars non-compliant global cloud providers from hosting critical health-AI workloads for public entities.

3. Overlap with the AI Act: High-Risk Medical AI

It is crucial to distinguish CADA's scope from the AI Act. The AI Act (Regulation (EU) 2024/1689) classifies AI systems used in medical devices and healthcare as "high-risk" (Annex III, Section 5). This imposes strict obligations on vendors regarding data governance, transparency, and human oversight.

CADA complements this by addressing the infrastructure that runs these high-risk systems. While the AI Act ensures the algorithm is safe and unbiased, CADA ensures the cloud environment hosting the algorithm is sovereign and resilient. Vendors must comply with both:

  • AI Act: Ensure the medical AI system meets technical safety standards, uses high-quality training data, and allows for human oversight.
  • CADA: Ensure the cloud service hosting the AI system meets the Union assurance level required by the public-sector buyer's risk assessment.

The two regimes are consistent. Recital 45 of CADA notes that the regulation applies to Union entities and public sector bodies when procuring cloud computing services and AI systems. The AI Act governs the product (the AI system), while CADA governs the service environment (the cloud) and the procurement process. The Commission explicitly states in the explanatory memorandum that the AI Act "does not cover aspects of sovereignty," which is the gap CADA is designed to fill.

4. Strategic Support for Health-AI Innovation

Beyond compliance, CADA offers opportunities for health-AI vendors. The "Cloud and AI Leadership Initiatives" (Article 3) aim to support the development and deployment of cutting-edge cloud and AI technologies. Specifically, operational objective 7 focuses on increasing the development and adoption of AI models across the Union's public sectors, including critical domains like healthcare (Article 4(7)).

Vendors may benefit from:

  • Access to Compute: Article 9 ensures sufficient AI computing resources are allocated to frontier AI and public sector AI projects. Health-AI vendors working on innovative diagnostic tools may gain access to EuroHPC resources.
  • Innovation Procurement: Article 33 encourages Member States to award at least 25% of cloud and AI innovation procurement to SMEs. This creates a dedicated pathway for smaller health-AI startups to secure public contracts and scale their solutions.
  • Open Source: Article 41 encourages the use of open-source solutions, which can reduce vendor lock-in and foster transparency in health-AI development.

What this means for you

For CTOs and architects at medical-device and health-AI companies, CADA requires a strategic review of your cloud architecture and go-to-market strategy.

  1. Audit Your Cloud Stack: Determine if your current cloud provider can offer Union assurance levels 2, 3, or 4. If you rely on a third-country-controlled hyperscaler, you may need to offer a "sovereign" variant of your service, hosted on EU-based infrastructure with EU-based personnel, to remain eligible for public-sector health contracts.
  2. Prepare for Risk Assessments: Engage early with public-sector health buyers. Understand their risk assessment outcomes under Article 29. If they classify your AI system as critical to public order, you must prove your cloud service meets the corresponding Union assurance level.
  3. Leverage EU Added Value: Highlight your EU-based development, hardware sourcing, and data residency in procurement bids. Document your contribution to the European digital supply chain to maximize scores under Article 32.
  4. Comply with Dual Regulations: Ensure your legal and technical teams coordinate AI Act compliance (product safety) with CADA compliance (infrastructure sovereignty). They are distinct but interconnected requirements for market access.
  5. Explore Funding and Compute: Monitor calls for expressions of interest under the Cloud and AI Leadership Initiatives. If your health-AI solution addresses a "grand challenge" (e.g., improving clinical decision accuracy), you may qualify for compute support or funding.

Common misconceptions

  • Misconception: CADA replaces the AI Act for medical devices.
    • Reality: No. The AI Act remains the primary regulator for the safety and fundamental rights impact of the AI system itself. CADA regulates the cloud infrastructure and procurement conditions. You must comply with both.
  • Misconception: All health-AI vendors must host data in the EU.
    • Reality: CADA mandates data residency for public-sector contracts where the risk assessment requires Union assurance levels 2–4. Private-sector contracts are not directly bound by CADA's procurement rules, though private entities in critical sectors (like NIS2 entities) may conduct similar impact assessments (Article 31). However, market pressure from public-sector standards may spill over into the private sector.
  • Misconception: CADA bans non-EU cloud providers.
    • Reality: CADA does not ban non-EU providers outright. However, it creates a tiered sovereignty framework where higher assurance levels (required for critical health data) have strict criteria regarding third-country control, personnel citizenship, and infrastructure location. Non-EU providers may still qualify for Union assurance level 3 if their home country is recognized as providing sufficient safeguards under Article 18, but this is a high bar.
  • Misconception: Only large enterprises are affected.
    • Reality: SMEs are specifically targeted for support. Article 33 encourages Member States to award 25% of innovation procurement to SMEs, and CADA's sovereignty framework aims to create opportunities for smaller EU-based providers to compete against global hyperscalers.

This is general information about a draft EU regulation, not legal advice.