Summary

The proposed Cloud and AI Development Act (CADA) is designed to sit alongside, not replace, the EU's existing digital rulebook. While the AI Act regulates AI safety, the Data Act enables switching, NIS2 ensures technical cybersecurity, and DORA secures financial resilience, none of these instruments address technological sovereignty or strategic autonomy. As proposed in COM(2026) 502 final, CADA fills this specific gap by establishing a harmonised framework for public procurement and data-centre deployment. It ensures that EU public bodies can procure cloud and AI services that safeguard public order and operational autonomy against third-country interference, creating a "sovereignty layer" that complements the technical and market-focused rules of its predecessors.

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA), published in June 2026, is explicitly framed as a complementary instrument within the EU's digital ecosystem. The explanatory memorandum provides a detailed mapping of CADA's consistency with key existing and proposed legislation, including the AI Act, the Data Act, the Data Governance Act (DGA), the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the Cybersecurity Act. The central thesis of the proposal is that while the current acquis addresses data protection, market fairness, and technical security, it leaves a critical void regarding sovereignty: the ability of the Union to retain control over its infrastructure, data, and supply chains.

CADA and the AI Act: Safety versus Sovereignty

The relationship between CADA and the AI Act (Regulation (EU) 2024/1689) is one of distinct but complementary layers. The AI Act is a product-safety and fundamental-rights regulation that "harmonises rules for AI systems and general-purpose AI models to be placed on the EU market." It focuses on ensuring a high level of protection for health, safety, and fundamental rights through a risk-based approach.

However, the explanatory memorandum states plainly that the AI Act "does not cover aspects of sovereignty." It does not regulate where the compute infrastructure is located, who controls the provider, or whether a foreign government could compel access to the underlying hardware. CADA addresses this gap. While the AI Act ensures that an AI system is safe and trustworthy, CADA ensures that the cloud environment hosting that system is resilient and free from third-country interference. For public-sector bodies, this means a dual compliance track: the AI Act governs the algorithm, while CADA governs the platform.

CADA and the Data Act: Enabling Switching

The Data Act (Regulation (EU) 2023/2854) is described in the CADA proposal as an "enabler." It introduces rules on switching between data processing services to reduce vendor lock-in and ensure fair access to data. The explanatory memorandum notes that CADA is "consistent with the rules on switching between data processing services introduced by the Data Act."

However, the Data Act does not actively shape a more competitive offer of European cloud services or encourage the entry of a diverse set of EU providers. It removes barriers to switching but does not provide the strategic direction for where to switch. CADA provides that direction. By establishing Union assurance levels and procurement criteria, CADA creates the demand-side incentives to steer the switching enabled by the Data Act toward sovereign, EU-based providers. The Data Act gives users the right to switch; CADA gives them the criteria to choose a sovereign provider.

CADA and NIS2: Technical Cybersecurity versus Jurisdictional Sovereignty

The NIS2 Directive (Directive (EU) 2022/2555) mandates high common levels of cybersecurity risk management for essential entities, including cloud providers and data centres. The explanatory memorandum clarifies that NIS2 "is fully focused on technical cybersecurity as opposed to broader sovereignty considerations."

CADA addresses the "non-technical" risks that NIS2 does not cover, such as the risk of a third-country government compelling a provider to access data or degrade service quality due to geopolitical tensions. The proposal notes that while certification under the Cybersecurity Act (which builds on NIS2) can address technical criteria, it is "not suited for addressing sovereignty concerns that go beyond these technical elements." Therefore, CADA and NIS2 are complementary: NIS2 secures the technology (firewalls, incident response), while CADA secures the jurisdictional control (ownership, data location, personnel citizenship) over that technology.

CADA and DORA: Sectoral versus Horizontal Resilience

The Digital Operational Resilience Act (DORA) applies specifically to the financial sector, imposing ICT risk management and operational resilience requirements on financial entities and their critical third-party providers. The explanatory memorandum explains that DORA has a "sectoral scope and is specific to the financial sector."

CADA, by contrast, applies horizontally across all public sectors and critical infrastructure. It supports DORA's objectives by ensuring that the cloud providers used by financial institutions meet high EU-wide sovereignty standards. While DORA focuses on the financial entity's ability to withstand ICT disruptions, CADA focuses on reducing the structural dependency on non-EU providers that could cause such disruptions in the first place. For a public-sector body in the financial sector, compliance with both is likely: DORA for operational resilience processes, and CADA for the sovereignty assurance level of the cloud service procured.

CADA and the Cybersecurity Act / EUCS

The Cybersecurity Act (and its proposed revision) establishes the European Cybersecurity Certification Scheme for Cloud Services (EUCS). The explanatory memorandum highlights that CADA "complements the Cybersecurity Act's focus on cloud cybersecurity with sovereignty considerations."

CADA leverages the EUCS by requiring, for higher Union assurance levels (Levels 2–4), that cloud services obtain relevant cybersecurity certifications (specifically at least "substantial" assurance for Levels 2 and 3, and "high" for Level 4). However, CADA goes further by adding legal and operational sovereignty criteria, such as data localisation, personnel citizenship, and protection against third-country legal orders, which the EUCS does not cover. The proposal explicitly states that the two instruments "fill long-standing gaps in sovereignty and non-technical risks" when read together.

The Unique Value of CADA: A Sovereignty Framework

The central theme of CADA is sovereignty. The explanatory memorandum repeatedly emphasises that existing laws address data protection (GDPR), cybersecurity (NIS2), and market fairness (Data Act), but none provide a harmonised framework for technological sovereignty. The EU's dependence on non-EU hyperscalers poses risks related to operational discontinuity and data access under third-country laws.

CADA addresses this by establishing four "Union assurance levels" (Article 16) that define criteria for trusted cloud services. This allows public authorities to conduct risk assessments (Article 29) and procure services that match the sensitivity of their data and the criticality of their operations. It creates a uniform Union legal framework for increasing the Union's resilience and strategic autonomy, ensuring that the single market functions without fragmentation caused by divergent national sovereignty standards.

What this means for you

For public-sector officers, procurement authorities, and compliance teams, CADA transforms the landscape of digital procurement. You can no longer rely solely on technical cybersecurity certificates or data protection clauses. You must now evaluate the "sovereignty profile" of your providers.

  1. Conduct Risk Assessments: Under Article 29, you must carry out risk assessments to determine which public sector activities contribute to the preservation of public order. This assessment will dictate the minimum "Union assurance level" (1, 2, 3, or 4) you must require from your cloud providers.
  2. Update Procurement Criteria: Article 32 requires you to include "Union added value" criteria in your tenders. This means evaluating how much of the service's supply chain, software, and hardware is designed or manufactured in the Union.
  3. Leverage the EuroCloud Federation: Article 34 establishes the EuroCloud Federation, allowing you to share idle cloud capacity with other public bodies. This can reduce costs and increase bargaining power, but requires compliance with specific technical and organisational measures.
  4. Plan for Migration: If your current providers do not meet the required assurance levels, you must plan for migration. Article 29(6) provides a transition period of up to 12 months for migration, but you must start assessing your dependencies now.

Common misconceptions

Misconception 1: CADA replaces the AI Act or NIS2. No. CADA is complementary. The AI Act regulates the AI systems themselves; CADA regulates the cloud infrastructure they run on. NIS2 regulates technical cybersecurity; CADA regulates sovereignty and jurisdictional risks. You must comply with all applicable laws.

Misconception 2: CADA bans non-EU cloud providers. No. CADA does not ban non-EU providers. However, for high-risk public sector activities (Union assurance levels 2–4), the criteria are so strict (e.g., data must remain exclusively in the Union, personnel must be Union citizens) that many non-EU providers may struggle to qualify without significant restructuring. For lower-risk activities (Level 1), non-EU providers can qualify if they meet the basic criteria, including being established in the Union or meeting specific transparency and security standards.

Misconception 3: Sovereignty is just about data localisation. No. While data localisation is a key component (especially for Levels 2–4), sovereignty under CADA also includes operational autonomy, personnel screening, software supply chain transparency, and protection against third-country legal orders that could disrupt service. It is a holistic framework, not just a data residency rule.

This is general information about a draft EU regulation, not legal advice.