Summary
The proposed Cloud and AI Development Act (CADA) does not replace sector-specific data initiatives like the European Health Data Space (EHDS) or the Financial Data Access (FIDA) framework. Instead, it provides the foundational sovereign infrastructure required to host them securely. While EHDS and FIDA define what data is shared and how it is governed, CADA defines the sovereignty assurance of the cloud environments hosting that data. Together, they form complementary layers: data spaces manage the information flow and legal rights, while CADA ensures the digital estate remains under EU control, protecting public order and operational continuity against third-country interference.
Detail
The European Union's digital strategy relies on a "nexus" of interconnected regulations. The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen the EU's cloud and AI ecosystem by reducing dependencies on non-European providers and ensuring operational autonomy. However, CADA does not operate in a vacuum. It intersects critically with sector-specific data initiatives, particularly the European Health Data Space (EHDS) and the proposed Financial Data Access (FIDA) framework, as well as the broader Data Governance Act (DGA).
To understand this relationship, it is essential to distinguish between data governance and infrastructure sovereignty. Initiatives like EHDS and FIDA are primarily concerned with data governance: they define which data can be accessed, by whom, for what purposes, and under what legal safeguards. For example, the EHDS framework aims to facilitate the secondary use of health data for research and policy-making while protecting individual privacy. Similarly, FIDA seeks to empower consumers and businesses to access their financial data securely. These frameworks answer the question: "What is being shared and how?"
CADA, by contrast, addresses the foundational layer. It answers the question: "Where is this data stored, processed, and who controls the infrastructure?"
Complementary Layers: Data Spaces vs. Sovereign Cloud
The CADA proposal explicitly recognizes that data sovereignty extends beyond the legal transfer of data. As stated in the explanatory memorandum, "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too." This is crucial for data spaces. A health data space can have robust privacy rules under the EHDS, but if the cloud platform hosting that data is controlled by a third-country provider subject to extraterritorial laws (such as the US CLOUD Act), the EU's strategic autonomy is compromised.
CADA introduces a Union cloud computing sovereignty framework with four assurance levels (Article 16). This framework allows public authorities to assess the risk of their cloud providers based on criteria such as:
- The location of infrastructure and personnel.
- The citizenship of personnel handling data (conditional at L2, mandatory at L3/L4).
- The absence of third-country control or influence.
- The security of the software supply chain.
For data spaces like EHDS and FIDA, this means that while the data space rules permit the sharing of sensitive health or financial information, CADA ensures that the platform facilitating this sharing meets strict EU-defined sovereignty standards. This prevents a scenario where data is legally protected by EU law but technically accessible by foreign authorities due to the jurisdiction of the cloud provider.
The Critical Link: Risk Assessments (Article 29)
A key mechanism linking CADA to data-space initiatives is the obligation for Member States and Union entities to conduct risk assessments. Article 29 of CADA mandates that by [date of entry into force plus 1 year], and thereafter every two years, Member States and Union entities shall carry out risk assessments to:
- Identify public sector activities using cloud computing services that contribute to the preservation of public order (including sectors falling under Annex I or II of the NIS2 Directive, and areas like national security, defense, justice, and law enforcement).
- Determine which Union assurance level (2, 3, or 4) is appropriate for these activities.
This provision is vital for high-stakes data spaces. For instance, the EHDS will likely handle sensitive personal health data that may be deemed critical for public order or national health security. Under CADA, a Member State must assess whether the cloud services supporting the EHDS infrastructure require a higher assurance level (e.g., Union assurance level 3 or 4) to mitigate risks of unauthorized access or service disruption.
Similarly, in the financial sector, FIDA relies on the secure exchange of financial data. Financial entities are often considered critical under the NIS2 Directive. CADA's risk assessment framework allows public authorities and potentially private entities in high-criticality sectors (as referenced in Article 31) to evaluate their dependencies. If a financial data space relies on cloud infrastructure, the risk assessment determines the necessary level of sovereignty assurance, ensuring that the financial sector's operational resilience is not undermined by external geopolitical pressures.
Synergy with the Data Governance Act (DGA)
The CADA proposal also complements the Data Governance Act (DGA), which facilitates data sharing through data intermediaries and altruistic data sharing. While the DGA creates the legal pathways for data to move, CADA ensures that the computational resources processing this data are resilient and sovereign. The explanatory memorandum notes that CADA "places a specific focus on open source as a lever to boost technological sovereignty," which aligns with the DGA's goal of reducing vendor lock-in and fostering a competitive market for data services.
Sector-Specific Application: Health and Finance
- Health (EHDS): The EHDS aims to create a secure environment for health data reuse. CADA supports this by mandating that public sector bodies procuring cloud services for health data must consider sovereignty risks. If health data is classified as contributing to public order (e.g., during a pandemic or for national health security), CADA's Article 30 may require the use of cloud services with higher assurance levels (2, 3, or 4), ensuring that European health data remains under European control.
- Finance (FIDA): The financial sector is highly sensitive to operational continuity. CADA's focus on "operational autonomy" and "prevention of harm that could undermine public order" (Explanatory Memorandum) directly supports the stability required for FIDA. By encouraging the use of sovereign cloud services for critical financial infrastructure, CADA helps mitigate the risk of service degradation or disruption by third-country actors, thereby supporting the resilience of the EU's financial data ecosystem.
What this means for you
For public-sector and procurement officers, the interaction between CADA and data-space initiatives means you must adopt a two-pronged approach to digital infrastructure:
- Align Procurement with Sovereignty Levels: When procuring cloud services for initiatives like EHDS or financial data platforms, you cannot rely solely on data protection compliance (GDPR) or sector-specific data rules. You must also determine the required Union assurance level based on the risk assessment mandated by Article 29. If your activity involves critical health or financial data, you may be required to procure services recognized at Union assurance level 2, 3, or 4.
- Conduct Mandatory Risk Assessments: You are obligated to carry out risk assessments to identify which public sector activities contribute to public order. This assessment will dictate the minimum assurance level for your cloud providers. Ensure your procurement documents reflect these requirements, as Article 30 stipulates that contracting authorities must procure only cloud computing services that meet the determined assurance level.
- Leverage the Central Repository: Use the central repository of recognized services (established under Article 22) to identify providers that meet the necessary sovereignty criteria. This simplifies compliance and ensures that the infrastructure supporting your data spaces is vetted for EU autonomy.
- Plan for Migration: If your current cloud provider for a data-space initiative does not meet the required assurance level, Article 29(6) allows for a transition period of up to 12 months to migrate to a compliant service. Start planning these migrations early to avoid service disruption.
Common misconceptions
"CADA replaces the EHDS or FIDA data rules."
- Correction: No. CADA does not define what data can be shared or the rights of data subjects. EHDS and FIDA govern the data itself. CADA governs the infrastructure (cloud and AI) that hosts and processes that data. They are complementary, not substitutive.
"GDPR compliance is enough for sovereignty."
- Correction: GDPR ensures data protection and lawful transfer, but it does not guarantee operational autonomy or protection against third-country extraterritorial laws (like the CLOUD Act). CADA addresses these broader sovereignty risks, including service disruption and strategic dependency, which GDPR does not cover.
"Only national security agencies need to worry about CADA's assurance levels."
- Correction: While defense and law enforcement are explicitly mentioned, Article 29 requires risk assessments for any public sector activity that contributes to public order, which can include critical health data (EHDS) and financial stability (FIDA). Procurement officers in health and finance sectors must assess their specific risks.
"CADA only applies to the public sector."
- Correction: While the procurement obligations fall on contracting authorities, the sovereignty framework reaches any provider wanting to serve them. Furthermore, Article 31 allows private sector entities in high-criticality sectors (like finance) to conduct similar impact assessments, and the market pressure from public procurement often drives private sector adoption of sovereign standards.
This is general information about a draft EU regulation, not legal advice.