Summary

The proposed Cloud and AI Development Act (CADA) does not amend or repeal the Data Governance Act (DGA, Regulation (EU) 2022/868), but it imposes a mandatory "sovereignty layer" on the cloud infrastructure underpinning DGA-enabled data sharing. While the DGA establishes the legal framework for how data moves, via data intermediaries and data altruism organisations, it does not prescribe the geographic or jurisdictional controls of the hosting environment. CADA fills this gap by requiring that public sector bodies and critical private entities host and process this data using cloud services that meet specific "Union assurance levels" (Levels 1–4). Consequently, an entity can be fully compliant with the DGA's neutrality and transparency rules yet remain non-compliant with CADA if the underlying cloud provider fails to meet the required assurance tier for public-order-relevant activities.

Detail

The relationship between the Data Governance Act (DGA) and the proposed Cloud and AI Development Act (CADA) is one of functional complementarity and layered compliance. The DGA creates the legal framework for data intermediation and data altruism, ensuring that third parties can facilitate data sharing without using the shared data for their own purposes. CADA, by contrast, regulates the environment in which that data resides and is processed, focusing on technological sovereignty, operational autonomy, and the protection of public order.

1. Distinct Regulatory Scopes: Flow vs. Foundation

The DGA and CADA address different points in the data value chain. The DGA governs the intermediation of data, ensuring neutrality, security, and transparency when third parties access data held by others. It also establishes a framework for data altruism, allowing individuals and entities to donate data for public interest purposes. Crucially, the DGA does not prescribe specific cloud sovereignty standards or mandate that data remain within specific geographic or jurisdictional boundaries beyond general EU data protection rules (such as the GDPR).

CADA, as proposed in COM(2026) 502 final, fills this gap by establishing a "Union cloud computing sovereignty framework" under Article 16. This framework defines four "Union assurance levels" (Level 1 to Level 4) based on cumulative criteria including the location of infrastructure, the citizenship of personnel, and the absence of third-country control. While the DGA enables the flow of data, CADA dictates the trustworthiness of the cloud infrastructure hosting that data, particularly for public sector and critical private sector activities.

As stated in the CADA explanatory memorandum, the proposal complements the DGA by ensuring that the infrastructure supporting data sharing is sovereign and resilient. The DGA opens the door for data sharing; CADA ensures the room in which that sharing happens is secure from third-country interference.

2. CADA's Impact on Data Sharing Infrastructure

For entities operating under the DGA, CADA introduces significant operational constraints if their data processing activities fall within CADA's scope. This is particularly relevant for:

  • Public Sector Bodies: Under Article 29, Member States and Union entities must conduct risk assessments to determine the appropriate Union assurance level for their public sector activities. If a public body uses a DGA-compliant data intermediary to share data, the cloud service hosting that intermediary's operations or the public body's own data processing must meet the assurance level determined by the risk assessment. For activities contributing to public order (e.g., healthcare, justice, defence), Article 30(3) mandates the use of services recognised at Union assurance levels 2, 3, or 4.
  • Data Altruism Organisations: If a data altruism organisation registered under the DGA processes data for public interest purposes, it may be subject to CADA's sovereignty requirements if it is considered a public sector body or if the data processed is deemed critical to public order. The DGA does not exempt these organisations from CADA's infrastructure rules.
  • Common Data Spaces: The DGA supports the creation of common data spaces, which are often built on cloud infrastructure. CADA explicitly addresses this by requiring that the cloud services supporting these spaces meet the appropriate sovereignty criteria. A common data space cannot simply rely on any cloud provider; it must use providers that have undergone the conformity self-assessment (for Level 1) or independent third-party audits (for Levels 2–4) as detailed in Articles 19 and 20.

3. Risk Assessments and Assurance Levels: The Critical Link

The operational bridge between the DGA and CADA is the risk assessment mandated by Article 29. Member States and Union entities must carry out these assessments to identify public sector activities that use cloud computing services. These assessments must determine:

  • The sensitivity, criticality, and magnitude of the data processed (including data shared via DGA mechanisms).
  • The risk of unlawful access by third countries.
  • The risk of service disruption.

Based on this assessment, the entity must procure cloud services that meet the corresponding Union assurance level. For example, if a hospital (a public sector body) uses a cloud service to host patient data shared via a DGA-compliant intermediary, and the risk assessment identifies this activity as contributing to public order, the hospital must use a cloud service recognised at Union assurance level 2, 3, or 4 (Article 30(3)). A service that is DGA-compliant (in terms of data intermediation rules) but only meets Union assurance level 1 would be non-compliant with CADA for this specific use case.

4. The Sovereignty Criteria: What Changes for Data Spaces?

The criteria for the higher assurance levels (2, 3, and 4) impose strict requirements on the infrastructure hosting DGA data spaces:

  • Location and Personnel: For Levels 2, 3, and 4, the infrastructure, assets, and personnel must be located in the Union (Annex II, 2.1(b), 3.1(b), 4.1(b)). For Levels 3 and 4, personnel must be Union citizens, and where appropriate, hold national security clearance (Annex II, 3.1(d), 4.1(d)).
  • Third-Country Control: For Level 3 and 4, the provider and its subcontractors must not be subject to the control of a third country, unless a specific derogation under Article 18 applies (Annex II, 3.1(g), 4.1(g)). This is a critical differentiator from the DGA, which does not restrict the ownership of the underlying cloud provider.
  • Cybersecurity Certification: For Levels 2 and 3, the service must hold a European cybersecurity certificate at assurance level "substantial" or higher (Annex II, 2.1(e), 3.1(e)). Only Level 4 requires assurance level "high" (Annex II, 4.1(e)); a "substantial" certificate is sufficient for both Level 2 and Level 3.

5. Interaction with the Data Act

While this FAQ focuses on the DGA, it is worth noting that CADA also interacts with the Data Act (Regulation (EU) 2023/2854). The Data Act facilitates switching between cloud providers and interoperability. CADA complements this by ensuring that when entities switch or select providers for public-order-relevant data, they select providers that meet the sovereignty criteria. The Data Act enables the choice; CADA defines the qualifications of the chosen provider for sensitive use cases.

What this means for you

For in-house counsel, compliance officers, and data stewards, the interaction between CADA and the DGA requires a dual-layer compliance strategy:

  1. Map Data Flows to Cloud Infrastructure: Identify all data sharing activities conducted under the DGA (e.g., via data intermediaries or data altruism organisations). Map these flows to the underlying cloud services used. Determine whether the data processor or the data holder is a public sector body or a private entity in a critical sector (as defined in Annex I to the NIS2 Directive).
  2. Conduct CADA Risk Assessments: If you are a public sector body, you must conduct the risk assessments mandated by Article 29. This assessment will determine the minimum Union assurance level required for your cloud services. Do not assume that DGA compliance with a data intermediary automatically satisfies CADA's sovereignty requirements for the infrastructure hosting the data.
  3. Review Cloud Contracts: Ensure that your cloud service providers can demonstrate compliance with the relevant Union assurance levels. For Level 1, this requires an EU statement of conformity (Article 19). For Levels 2–4, it requires a positive audit opinion from an independent auditing organisation (Article 20). Include clauses in your contracts requiring providers to notify you of any material changes that could affect their assurance level status (Article 23).
  4. Monitor Third-Country Control: CADA's higher assurance levels (2–4) have strict criteria regarding third-country control. Ensure that your cloud provider, and its subcontractors, are not subject to the control of a third country in a way that compromises operational autonomy or data confidentiality. This is particularly relevant for data intermediaries that may have global operations.
  5. Prepare for Penalties: Non-compliance with CADA's sovereignty framework can result in penalties. Article 24 requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." Recipients of cloud services may also seek compensation for damages resulting from a provider's infringement of CADA obligations.

Common misconceptions

"DGA compliance equals CADA compliance." This is incorrect. The DGA ensures that data intermediaries are neutral and secure, but it does not mandate the specific sovereignty levels required by CADA. A cloud service can be DGA-compliant (in terms of data intermediation rules) but fail to meet CADA's Union assurance level 2 or 3 criteria for public sector use.

"CADA only applies to hyperscalers." This is incorrect. CADA's sovereignty framework applies to any cloud computing service provider whose services are used by Union entities, public sector bodies, or the critical private entities within its scope, regardless of the provider's size. Smaller providers can also achieve recognition by meeting the assurance level criteria, through an EU statement of conformity (Level 1) or an independent audit (Levels 2–4).

"Data altruism is exempt from sovereignty rules." Data altruism organisations are not automatically exempt. If they are public sector bodies or if the data they process is deemed critical to public order, they must comply with CADA's assurance level requirements. The DGA's public-interest mandate does not override CADA's public-order safeguards.

"The DGA overrides CADA's hosting requirements." No. CADA explicitly states that it complements the DGA and the Data Act. The DGA enables sharing; CADA secures the infrastructure. Both sets of rules apply cumulatively. The DGA contains no provisions aimed at shaping a more sovereign cloud offer, and that is precisely the gap CADA addresses.

"Common data spaces are automatically sovereign." No. A common data space is a logical construct. The physical and logical infrastructure hosting it must still meet CADA's assurance levels if the data processed is sensitive or contributes to public order. The space itself does not confer sovereignty; the underlying cloud provider does.

This is general information about a draft EU regulation, not legal advice.