Summary As proposed, the Cloud and AI Development Act (CADA, COM(2026) 502 final) is designed to be consistent with the Data Act (Regulation (EU) 2023/2854), which its explanatory memorandum calls "an enabler for the proposal." The Data Act tackles vendor lock-in and makes switching between data-processing services possible; CADA would build the supply of trusted, sovereign European cloud and the demand for it through assurance levels and procurement rules. The two are meant to work together: the Data Act provides the right and the means to switch providers; CADA would dictate which providers may be used for sensitive public-order activities. In-house counsel should run them as complementary, not interchangeable, regimes.
Detail
The relationship is foundational to the EU's digital strategy: CADA does not seek to replace the Data Act but to rely on it. The Data Act's switching and portability machinery is what makes CADA-driven migration to sovereign providers feasible.
The Data Act as an "enabler"
The explanatory memorandum states the proposal "is consistent with the rules on switching between data processing services introduced by the Data Act," which "seeks to enable cloud users to freely choose the provider that best meets their needs and combine offers of different providers in a multi-cloud approach." But it also identifies the Data Act's limit: it "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers." In the memorandum's words, the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector," and its switching and interoperability provisions "make it possible for users to embrace European cloud computing services more strongly. The Data Act is thus an enabler for the proposal."
So the Data Act addresses the mechanics of switching (interoperability, portability, switching charges); CADA would address the availability of sovereign alternatives and the obligation to use them in defined cases.
Distinct but complementary objectives
- Data Act (Regulation (EU) 2023/2854): an internal-market and competition instrument that removes sources of vendor lock-in so providers compete on quality, innovation and price, and gives users the right to switch.
- CADA (proposal COM(2026) 502 final): a sovereignty, security-of-supply and public-order instrument. Article 16 would establish the four-level Union assurance framework; Article 29 would require public-sector risk assessments; Article 30 would tie procurement to assurance levels.
CADA also cross-refers to the Data Act in its sovereignty criteria: Article 18(1)(b), part of the "associated third country" test for level 3, asks whether a third country's measures would conflict with the lawful-access-to-non-personal-data requirements in Article 32(2)–(3) of the Data Act.
Practical interaction: switching to sovereign clouds
The interplay is clearest in migration. CADA would push public bodies toward services at the assurance level their Article 29 risk assessment requires; the Data Act provides the legal and technical route to get there. If a Member State concludes that an activity needs level 3 and its current provider does not qualify, the Data Act's portability and switching obligations help ensure the incumbent cannot unjustifiably obstruct the move. The memorandum's framing — the Data Act makes it "possible for users to embrace European cloud computing services more strongly" — is precisely this enabling role.
Consistency with the wider digital acquis
The memorandum situates CADA alongside the Digital Markets Act (DMA) and the AI Act. The DMA regulates designated gatekeepers for fairness and contestability; the memorandum notes that while some cloud providers could be regulated under both CADA and the DMA, the DMA "does not contain measures that would actively promote the uptake of sovereign cloud computing services" and "intervenes at a different level." The AI Act regulates AI systems for safety and fundamental rights. CADA intervenes on the uptake and use of cloud services and their sovereignty — a different layer from all three.
Open strategic autonomy, not closure
It is worth noting how the memorandum positions this combination internationally. The proposal is described as "fully compatible with the EU's June 2025 Communication on an International Digital Strategy," creating "a transparent, non-discriminatory blueprint for digital autonomy" that is "fully consistent with the Union's international commitments and partnerships" and that "will secure access to the internal market to entities from partner countries that meet required levels of Union assurance." The Data Act's pro-competition, anti-lock-in logic and CADA's assurance framework are meant to pull in the same direction: a more open, contestable market that nonetheless lets the Union demand sovereignty where public order requires it. For counsel, the practical upshot is that CADA's sovereignty requirements are not a blanket "buy European" rule — qualifying third-country-connected providers can still be used where they meet the relevant assurance level, and the Data Act keeps switching open in either direction.
Multi-cloud: a shared instinct
The Data Act's multi-cloud logic resurfaces inside CADA. Article 29(9) requires Member States and Union entities, in their risk assessments, to consider whether a multi-vendor or multi-cloud strategy is appropriate, and Recital 65 explains that this should rest on a context-specific assessment of operational, regulatory and resilience factors aimed at limiting dependency on a single provider. The Data Act makes multi-cloud technically and contractually feasible by curbing lock-in; CADA makes it a governance consideration for the public sector. The two reinforce each other: a public body that has structured its estate for portability under the Data Act is better placed to satisfy a CADA assessment that points toward multi-cloud resilience.
Contractual implications
For in-house counsel, this shapes cloud service agreements. Existing agreements should be checked against the Data Act's switching and interoperability duties. New agreements — especially for public bodies or critical private entities — should also align with CADA's sovereignty criteria (Annex II: Union establishment, infrastructure and data location, third-country-control safeguards). The Data Act's switching rights are the practical backstop if a provider later fails to meet evolving sovereignty standards.
What this means for you
Run a two-track strategy; do not treat one regime as a substitute for the other.
1. Audit contracts for Data Act compliance. Confirm data portability via standardised interfaces, contractual switching assistance, and the removal of lock-in clauses the Data Act targets.
2. Prepare for CADA risk assessments. Public bodies — and private entities in the NIS2 Annex I sectors, which "may carry out similar assessments" under Article 31 — should be ready to determine whether activities contribute to public order, which assurance level applies, and whether the current provider qualifies.
3. Plan for sovereign migration. The Data Act gives the right to switch; CADA would give the mandate to do so for public-order reasons. Member States must run risk assessments within one year of entry into force, and any required migration must complete within a reasonable transition period not exceeding 12 months (Article 29(6)). Note that CADA would also introduce fees in some areas (for example, the EuroCloud Federation), which can affect total cost of ownership.
4. Diligence third-country control. For levels 2–4, providers must address third-country control through the Annex II safeguards, verified by independent audit (Article 20). Confirm your providers can evidence this.
5. Use the Data Act in negotiations. Lock in favourable switching terms now to reduce the cost and risk of future CADA-driven migrations.
Common misconceptions
"Data Act compliance means CADA compliance." No. The Data Act lets you switch; it does not make a provider sovereign. A provider can fully meet the Data Act's switching rules yet be disqualified from levels 2–4 by third-country exposure under CADA.
"CADA replaces the Data Act." No. The two coexist and complement each other. The Data Act remains the instrument for portability and switching; CADA would add sovereignty and procurement rules and explicitly treats the Data Act as an enabler.
"Only the public sector is affected." Mostly the mandatory procurement rules target public bodies, but Article 31 lets NIS2 Annex I private entities run similar assessments, and they may face comparable pressure to migrate, leveraging Data Act switching rights.
"Data Act switching windows automatically cover CADA's timelines." No. CADA's 12-month maximum transition period under Article 29(6) is a specific deadline that may be tighter than general Data Act switching arrangements, so plan migrations proactively.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
Related
- CADA Multi-Cloud Guidance vs. Data Act: How They Interact
- CADA vs the Data Governance Act: How do they interact?
- Why does CADA call the Data Act an 'enabler'?
- CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
- CADA for Cloud Providers: How it stacks with NIS2, DORA & the Data Act
This is general information about a draft EU regulation, not legal advice.