Summary
The proposed Cloud and AI Development Act (CADA) completes the EU's digital sovereignty architecture by addressing the supply-side gap left by the Data Act and the Data Governance Act (DGA). While the Data Act removes vendor lock-in and the DGA enables trusted data sharing, neither instrument creates a sovereign European cloud supply base or mandates the use of EU-based providers. As proposed in COM(2026) 502 final, CADA introduces a four-tier "Union assurance" framework (Article 16) and mandatory demand-side measures (Article 30) that require public authorities to procure only cloud services meeting specific sovereignty criteria. This transforms the EU from a passive consumer of third-country infrastructure into a structured market for sovereign digital infrastructure, ensuring that the "right to switch" under the Data Act is matched by the "ability to choose" a sovereign provider.
Detail
To understand how CADA creates a distinct "European cloud offer," one must first recognize the specific, complementary limitations of the existing data legislative framework. The Data Act and the Data Governance Act (DGA) are foundational enablers of the single market, but they are not sufficient to guarantee technological sovereignty or a robust European cloud supply chain.
The Enabling Role of the Data Act and DGA
The Data Act (Regulation (EU) 2023/2854) focuses on interoperability, data portability, and switching. By mandating that cloud computing service providers allow users to switch services and removing key sources of vendor lock-in, the Data Act ensures that cloud users can freely choose providers and combine offers in a multi-cloud approach. It creates a competitive market where providers compete on quality, innovation, and price. However, as explicitly stated in the CADA explanatory memorandum, the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers." It opens the path towards a possible reduction of dependencies on non-EU providers but "does not build the road towards a more sovereign and trusted EU cloud computing sector."
Similarly, the Data Governance Act (DGA) facilitates trusted data sharing and reuse, creating data intermediation services and data altruism organizations. While this improves data availability for AI training and cloud services, the DGA, like the Data Act, does not address the underlying infrastructure dependencies, the market share of non-European hyperscalers, or the legal jurisdiction over the infrastructure itself.
CADA: Building the Sovereign Supply and Demand
CADA addresses these gaps by establishing a comprehensive framework that targets both supply and demand, with a specific focus on sovereignty and public order. It does not replace the Data Act or DGA but rather provides the necessary "sovereign layer" that allows the benefits of those acts to be realized within a European context.
1. The Sovereignty Framework (Supply Side)
CADA introduces a "Union cloud computing sovereignty framework" consisting of four assurance levels (Union assurance levels 1–4), as detailed in Article 16 and Annex II. This framework provides harmonized, auditable criteria for cloud services to be recognized as providing varying degrees of Union assurance.
- Level 1: Requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union (unless explicitly required otherwise by the public sector body). It also requires state-of-the-art cybersecurity standards and transparency on subcontractors.
- Levels 2–4: Require increasingly stringent criteria, including independent third-party audits, European cybersecurity certification (at least "substantial" for L2/L3, "high" for L4), and strict controls on third-country influence, personnel citizenship, and software supply chains. Crucially, these levels ensure that data is not used to train third-country AI models and that third-country laws cannot compel service disruption or data access.
This framework creates a clear, legally defined "European cloud offer" that providers can certify against, distinguishing sovereign services from standard commercial offerings. It transforms the abstract concept of "sovereignty" into a verifiable, auditable status.
2. Demand-Side Measures (Article 30)
Creating a supply is insufficient without demand. CADA mandates that public sector bodies actively procure these sovereign services. Article 30 sets out strict procurement obligations for contracting authorities and Union entities:
- Baseline Requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union assurance level 1 (Article 30(2)).
- Public Order Requirement: Contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in sectors falling under NIS2, national security, defense, justice, law enforcement) must only procure services recognized as having Union assurance levels 2, 3, or 4 (Article 30(3)).
This creates a guaranteed market for European providers who meet these sovereignty criteria, directly counteracting the dominance of third-country hyperscalers. It ensures that the "switching" enabled by the Data Act leads to a viable European alternative.
3. Risk Assessments (Article 29)
To implement Article 30, Member States and Union entities must conduct risk assessments (Article 29) to determine which public sector activities require higher assurance levels. These assessments evaluate the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries or service disruption. This ensures that the level of sovereignty demanded is proportionate to the public order risk, preventing unnecessary burdens on low-risk activities while securing critical infrastructure.
4. Additional Procurement Levers
CADA further strengthens the European cloud offer through:
- Union Added Value Criteria (Article 32): Contracting authorities must include non-price award criteria evaluating a tenderer's contribution to the European cloud and AI ecosystem, such as the use of Union-designed hardware or software, or the integration of Union technologies.
- Common Procurement (Chapter IV): The Commission may act as a central purchasing body for Member States, leveraging collective buying power to negotiate better terms and support European providers.
- Open Source Promotion (Chapter V): CADA encourages the use of open-source solutions to reduce vendor lock-in and strengthen technological autonomy, complementing the Data Act's portability goals.
What this means for you
For in-house counsel, compliance officers, and public procurement specialists, CADA introduces concrete obligations that transform how cloud services are sourced and evaluated.
1. Public Sector Procurement Obligations
- Risk Assessment: You must participate in or review the national risk assessment (Article 29) to determine the required Union assurance level for your organization's cloud services. This must be done within one year of the Regulation's entry into force.
- Procurement Compliance: Update procurement procedures to mandate Union assurance levels. If your organization handles public order-relevant data (e.g., law enforcement, critical infrastructure), you cannot procure non-certified or Level 1 services. You must only engage providers recognized under the central repository (Article 22).
- Migration: If a risk assessment requires migration to a higher assurance level, you must migrate within a reasonable transition period, not exceeding 12 months (Article 29(6)). This requires immediate planning for potential provider changes.
2. Private Sector Implications
- NIS2 Entities: Entities listed in Annex I of the NIS2 Directive may conduct similar impact assessments (Article 31) and could be required to adopt risk mitigation measures. While not currently mandatory for all private entities, the trend toward mandatory impact assessments for high-criticality sectors is explicit in the proposal.
- Supplier Due Diligence: If you are a public sector body, you must verify that your cloud providers are listed in the central repository of recognized services. You must also monitor for material changes in the provider's status (Article 23), which could trigger a loss of recognition.
3. Deadlines and Strategic Planning
- National Strategies: Member States must adopt national cloud and AI strategies within one year of entry into force (Article 7).
- Risk Assessments: Initial risk assessments must be completed within one year of entry into force (Article 29(1)).
- Penalties: Member States must lay down rules on penalties for infringements of the sovereignty framework (Article 24). Penalties must be effective, proportionate, and dissuasive, though the specific amounts are left to national law.
Common misconceptions
1. "The Data Act already ensures we can switch to European providers." While the Data Act makes switching technically and contractually easier, it does not create a viable, sovereign European supply base. CADA creates that supply base by defining what "sovereign" means (assurance levels) and mandating its use in public procurement. Without CADA, switching would likely still lead to non-EU hyperscalers due to market dominance and the lack of certified alternatives.
2. "CADA is only about cybersecurity." CADA's sovereignty framework goes beyond technical cybersecurity (covered by the Cybersecurity Act and EUCS). It addresses operational autonomy and legal jurisdiction. For example, Union assurance levels 2–4 require that data not be used to train third-country AI models and that third-country laws cannot compel service disruption or data access. This is a legal and operational sovereignty measure, not just a technical one.
3. "Private companies are not affected by the sovereignty framework." While Article 30 primarily targets public sector procurement, the framework has significant spillover effects. Private entities in critical sectors (NIS2) may be required to conduct impact assessments (Article 31). Furthermore, the "Union added value" criteria (Article 32) and the common procurement framework will shape the broader market, making sovereign-certified services more attractive and potentially necessary for business-to-business contracts involving public data or critical infrastructure.
4. "CADA replaces the Data Act." No. CADA is complementary. The Data Act ensures you can switch; CADA ensures there is a sovereign option to switch to and mandates its use for public order-relevant activities. They operate on different layers of the stack: the Data Act on data portability and market fairness, CADA on infrastructure sovereignty and supply-chain resilience.
Official sources
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
This is general information about a draft EU regulation, not legal advice.