Summary

As proposed, the Cloud and AI Development Act (CADA) is designed to be fully compatible with the EU's June 2025 Communication on an International Digital Strategy. The explanatory memorandum says CADA creates a "transparent, non-discriminatory blueprint for digital autonomy" that lets the EU build resilient, sovereign tech infrastructure at home while offering a legally sound model for international partnerships abroad. Crucially, the memorandum states the proposal "will secure access to the internal market to entities from partner countries that meet required levels of Union assurance", rather than imposing blanket bans on non-EU providers. CADA is a proposal and not yet in force.

Detail

The relationship between CADA and the EU's broader international engagement is defined by a balance between technological sovereignty and global cooperation. As proposed, the regulation does not seek to isolate the European cloud and AI ecosystem but to integrate it into a secure, rules-based framework.

Alignment with the June 2025 International Digital Strategy

The explanatory memorandum states that the proposal "is fully compatible with the EU's June 2025 Communication on an International Digital Strategy." This alignment is central to the proposal's framing. The strategy aims to position the EU as a hub for trusted, sovereign, scalable digital infrastructure, and CADA would operationalise this by creating a harmonised regulatory environment that reduces strategic dependencies on third-country providers while remaining open to international cooperation.

A transparent, non-discriminatory blueprint

The memorandum says the proposal "creates a transparent, non-discriminatory blueprint for digital autonomy that allows the EU to build resilient, sovereign tech infrastructures at home while providing a trusted, legally sound model for international partnerships and multilateral governance abroad." In practice this means the criteria for whether a cloud computing service is trusted and sovereign would be clearly defined, auditable and applied uniformly across the Union. For in-house counsel and compliance officers, that transparency removes much of the ambiguity associated with ad hoc national sovereignty tests: by establishing a single EU-wide sovereignty framework (the Union assurance levels in Article 16, with criteria in Annex II), CADA would tie market access to objective compliance rather than arbitrary national preferences.

Securing market access for partner-country entities

Contrary to the misconception that CADA is protectionist, the memorandum states the proposal "will secure access to the internal market to entities from partner countries that meet required levels of Union assurance." This is achieved through the mechanism of "associated third countries" under Article 18.

As proposed, Article 18 allows the Commission to adopt implementing acts identifying third countries for which cloud computing service providers — even if subject to the control of that third country or a legal entity established there — may be audited against the criteria for Union assurance level 3 under Annex II. To qualify, a third country must fulfil cumulative criteria, including that it:

  • is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR);
  • has no measures enabling control over the provider in a way that would conflict with the lawful-access requirements for non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854);
  • has no measures compelling the provider to degrade or disrupt service continuity, or to give effect to restrictive measures such as sanctions or embargoes, unless those are legitimate under Member State or Union law;
  • has no measures impeding the provision of state-of-the-art technologies and services by the provider;
  • maintains an open market to Union cloud computing services; and
  • grants equivalent levels of access to public procurement procedures for cloud services subject to the control of a Union Member State or entity, or of a legal entity established in the Union.

If these conditions are met, the Commission could allow such providers to be audited at Union assurance level 3. Where available information shows a country no longer fulfils the requirements, the Commission must repeal, amend or suspend the decision, and it must publish a list of qualifying (and no-longer-qualifying) countries. This keeps the EU engaged with international partners while safeguarding against unauthorised access to Union data or disruption of services. (Note that the highest tier, level 4, allows no derogation for third-country control, so the associated-third-country route applies to level 3.)

Legal basis and objectives

Article 1 establishes a framework for strengthening the Union's cloud and AI ecosystem, including "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order" and "reducing dependencies on critical technologies." As proposed, the regulation rests on the cumulative legal basis of Articles 114 and 173(3) TFEU, aiming both to improve the functioning of the single market and to enhance EU industrial competitiveness. This dual basis means the sovereignty measures are framed not just as defensive but as drivers of innovation and investment in European capabilities.

What this means for you

For in-house counsel and compliance officers managing cross-border cloud operations, CADA as proposed introduces a structured pathway for non-EU providers to operate in the EU.

  1. Assess your third-country status: If your cloud provider is established outside the EU, monitor whether its home country could be designated as an "associated third country" under Article 18. That designation would be relevant for eligibility to be audited at Union assurance level 3, which is among the levels required for public-sector activities contributing to public order.
  2. Monitor Commission decisions: The Commission would adopt implementing acts identifying qualifying third countries and publish a list. Track these to understand whether your provider's jurisdiction meets the cumulative criteria, such as an adequacy decision and the absence of conflicting extraterritorial access measures.
  3. Prepare for audits: Providers seeking recognition at Union assurance levels 2, 3 or 4 must undergo independent third-party audits (Article 20). A provider relying on the associated-third-country route would need to demonstrate the legal, technical and organisational measures that prevent third-country control from interfering with service delivery or data confidentiality.
  4. Procurement implications: Public sector bodies would procure cloud services based on these assurance levels. If your organisation is a public sector body — or a private entity in a critical sector — align your procurement strategy with the risk assessments that determine the required assurance level (Article 29).

Common misconceptions

  • "CADA bans non-EU cloud providers." Incorrect. As proposed, CADA creates a tiered sovereignty framework. Non-EU providers can still operate in the EU — at Union assurance level 1, and potentially at level 3 if their home country is designated an associated third country under Article 18. The goal is risk mitigation, not exclusion by nationality.
  • "Sovereignty means data localisation only." While data location is one criterion, sovereignty under CADA is broader. It includes operational autonomy, protection against service disruption, and prevention of unauthorised access by third-country authorities — addressing the risks of extraterritorial laws.
  • "The rules are fragmented across Member States." CADA aims to harmonise sovereignty criteria EU-wide. The memorandum notes some Member States have developed national approaches to sovereign services; CADA would replace that fragmentation with a single, auditable set of criteria and a central repository of recognised services (Article 22).

This is general information about a draft EU regulation, not legal advice.