Summary

As proposed, the Cloud and AI Development Act (CADA) and the AI Act regulate distinct layers of the connected vehicle stack. The AI Act (Regulation (EU) 2024/1689) governs the AI systems embedded in vehicles, classifying autonomous driving and safety features as high-risk. CADA (COM(2026) 502 final) governs the infrastructure layer: the cloud computing services, data centres, and computational capacity used to train, test, and operate these systems. For automotive legal teams, this creates a dual compliance obligation: ensuring the vehicle AI meets safety and fundamental rights standards under the AI Act, while ensuring the underlying cloud infrastructure meets EU sovereignty assurance levels under CADA. The two instruments are complementary, not overlapping; the AI Act does not cover aspects of sovereignty, which is the specific gap CADA aims to fill.

Detail

The regulatory landscape for connected and autonomous vehicles is becoming increasingly layered. To navigate this, legal counsel must distinguish between the application layer (the software and algorithms inside the vehicle) and the infrastructure layer (the cloud and compute resources supporting development and operation).

The AI Act: The Regulator of Vehicle AI Systems

The AI Act is the primary instrument governing the AI systems themselves. Under the AI Act, AI systems intended to be used as safety components of products covered by Union harmonisation legislation, such as vehicle type-approval regulations, are classified as high-risk AI systems. This classification captures critical automotive use cases, including autonomous driving, driver monitoring, and vehicle control systems.

Compliance with the AI Act for these high-risk systems is rigorous. Providers must implement robust risk management systems, ensure high-quality data governance, maintain technical documentation, and guarantee human oversight. The penalties for non-compliance are severe: under Article 99 of the AI Act, infringements regarding prohibited practices can result in fines of up to €35 million or 7% of total worldwide annual turnover, while other high-risk infringements can attract fines of up to €15 million or 3%.

Crucially, the AI Act focuses on the output and safety of the AI. It does not regulate where the compute is located, who owns the cloud provider, or whether a third-country government could compel access to the underlying infrastructure. As the CADA Explanatory Memorandum explicitly states, the AI Act "does not cover aspects of sovereignty."

CADA: The Regulator of the Cloud and Compute Layer

CADA targets the "plumbing" of the AI ecosystem. It defines a "cloud computing service" as a digital service enabling on-demand access to scalable computing resources. Recital 10 clarifies the boundary: "Only the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition."

This distinction is vital for the automotive sector. If a cloud provider offers infrastructure where an automotive company trains its autonomous driving models, CADA applies to that provider's sovereignty and sustainability standards. If the automotive company deploys an AI system in a car, the AI Act applies to that system. CADA addresses the strategic dependency on third-country cloud providers, ensuring that the infrastructure supporting critical automotive R&D and operations remains resilient and under EU control.

Complementarity, Not Overlap

The CADA proposal is designed to reinforce, not replace, the AI Act. Recital 47 notes that while the AI Act ensures a high level of protection of health, safety, and fundamental rights, it leaves a gap regarding sovereignty. CADA fills this gap by establishing a Union cloud computing sovereignty framework (Article 16) comprising four assurance levels.

For connected vehicles, this means a bifurcated regulatory reality:

  1. The AI Act ensures the autonomous driving algorithm is safe, unbiased, and transparent.
  2. CADA ensures the cloud platform hosting the fleet data or training the model is not subject to extraterritorial laws that could compromise data confidentiality or operational continuity.

This is particularly relevant for "software-defined vehicles," where over-the-air updates and continuous learning rely heavily on cloud connectivity. The sovereignty of the cloud becomes a prerequisite for the security of the vehicle.

Specific Automotive Provisions in CADA

CADA explicitly identifies the automotive sector as a strategic priority. Recital 18 states that the Cloud and AI Leadership Initiatives should "accelerate the development and uptake of industrial AI across the Union's strategic industrial sectors," specifically listing "transport, including aerospace, automotive." It further mandates that these initiatives should "support the development, testing and deployment of innovative software platforms contributing to the Union industrial leadership in software defined vehicles and autonomous driving."

This focus is operationalized through several key articles:

  • Article 8 (Frontier AI Priority Projects): The Commission may recognize projects as "frontier AI priority projects" if they are pioneering, involve at least three Member States, and pool computing resources. Advanced automotive AI projects could qualify, unlocking access to EU high-performance computing resources.
  • Article 9 (Computing Support): The Union and Member States must ensure sufficient AI computing resources are allocated to support these frontier projects, matching Member State contributions with Union high-performance computing (EuroHPC) capacity.
  • Article 7 (National Strategies): Member States must adopt national cloud and AI strategies within one year of entry into force, which will likely include specific measures for strategic sectors like automotive.

Sovereignty, Risk Assessments, and Procurement

For public sector bodies or entities procuring cloud services for automotive R&D, CADA introduces strict procurement rules. Under Article 16, a sovereignty framework with four assurance levels is established. Article 29 requires Member States and Union entities to conduct risk assessments to determine which level is appropriate for specific public sector activities.

If a public entity procures cloud services to support critical automotive infrastructure or public transport AI, Article 30 mandates that they procure only services recognized at Union assurance levels 2, 3, or 4. This ensures that the cloud infrastructure supporting critical vehicle systems is not subject to third-country control.

Furthermore, Article 31 allows private sector entities in critical sectors (listed in Annex I of the NIS2 Directive) to conduct similar impact assessments. This enables private automotive manufacturers to voluntarily align their cloud procurement with CADA's sovereignty standards, mitigating supply chain risks.

The Assurance Levels and Personnel Requirements

The sovereignty framework relies on independent audits for levels 2, 3, and 4 (Article 20). The criteria for these levels, detailed in Annex II, impose strict requirements on personnel and control:

  • Level 2: Personnel requirements are conditional. If the public sector body determines that imposing Union citizenship requirements is necessary, the provider must ensure such personnel are available.
  • Levels 3 & 4: Personnel requirements are mandatory. The personnel involved in the provision of the service must be Union citizens, and where appropriate, hold national security clearances.
  • Cybersecurity Certification: Levels 2 and 3 require a European cybersecurity certificate of at least "substantial" assurance, while Level 4 requires "high" assurance.

These requirements ensure that the human and technical elements of the cloud supply chain are under EU control, preventing unauthorized access or service disruption by third-country actors.

What this means for you

For in-house counsel and compliance officers in the automotive sector, the interplay between CADA and the AI Act requires a strategic, bifurcated approach:

  1. Segment Your Compliance Teams: Ensure your AI Act compliance team focuses on the AI models and systems embedded in vehicles (data quality, bias mitigation, safety logs, conformity assessment). Simultaneously, your IT, procurement, and infrastructure teams must assess CADA compliance for the cloud providers supporting these models.
  2. Audit Your Cloud Stack: If you use third-country cloud providers for training autonomous driving models or hosting vehicle telemetry data, assess their status under CADA's sovereignty framework. If you are a public entity or procuring on behalf of one, you may be legally required to migrate to EU-assured cloud services (Union assurance levels 2-4) for critical use cases.
  3. Leverage CADA for Compute Access: Explore whether your advanced AI projects for autonomous driving qualify as "frontier AI priority projects" under Article 8. If so, you may gain prioritized access to EU high-performance computing resources, which are increasingly scarce and critical for training large-scale models.
  4. Monitor National Cloud Strategies: CADA requires Member States to adopt national cloud and AI strategies (Article 7). These strategies will likely include specific measures for strategic sectors like automotive. Stay informed on your national strategy to anticipate local procurement preferences, incentives, and potential data localisation requirements.
  5. Prepare for Sovereignty Audits: If you provide cloud services to the automotive sector, prepare for independent audits (for assurance levels 2-4) under CADA. This includes demonstrating that customer data remains in the Union, that personnel are Union citizens (for higher levels), and that there is no third-country control that could disrupt service or access data.
  6. Review Software Supply Chains: CADA requires transparency on software supply chains, including source code audits for third-country components. Ensure your software bill of materials (SBOM) is complete and that you have migration plans for critical third-party components.

Common misconceptions

"CADA replaces the AI Act for vehicles." Incorrect. The AI Act remains the primary regulator for the AI systems in vehicles. CADA regulates the cloud infrastructure. You must comply with both if you develop AI in the cloud. The AI Act governs the safety of the car; CADA governs the sovereignty of the cloud.

"Only public sector automotive entities are affected by CADA." Incorrect. While CADA's procurement rules target public authorities, its data centre acceleration zones and cloud sovereignty framework affect all cloud providers and automotive companies using those services. Private sector entities in critical sectors may also conduct impact assessments under Article 31.

"CADA's sovereignty rules apply to the AI model's code." Incorrect. CADA's assurance levels focus on the service provider's establishment, data location, personnel, and supply chain. The AI model itself is governed by the AI Act's technical requirements. However, CADA does require transparency on software supply chains, including source code audits for third-country components.

"Frontier AI designation is automatic for all advanced automotive AI." Incorrect. Article 8 sets strict criteria: the project must be pioneering, involve at least three Member States, and pool computing resources. It is a competitive designation, not a blanket classification.

"Personnel must be Union citizens for all cloud levels." Incorrect. Under Annex II, Union citizenship for personnel is conditional at Level 2 (only if the public body requires it) but mandatory at Levels 3 and 4.

This is general information about a draft EU regulation, not legal advice.