Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, and the EU AI Act (Regulation (EU) 2024/1689) are complementary instruments, not substitutes. The AI Act harmonises rules for AI systems and general-purpose AI models — their safety, transparency and fundamental-rights impact. The CADA explanatory memorandum states plainly that the AI Act "does not cover aspects of sovereignty." CADA, as proposed, fills that gap: it builds a sovereignty framework for the cloud infrastructure on which AI runs, and it shapes how the public sector procures that infrastructure. The two regimes share definitions — CADA Article 2(3) borrows the AI Act's definition of an "AI system" — but they impose different obligations on different actors, and the memorandum says CADA "reinforces key objectives of the AI Act" rather than replacing them.
Detail
The cleanest way to understand the relationship is by what each instrument regulates. The AI Act regulates the technology — the AI system or model itself. CADA, as proposed, regulates the infrastructure and its procurement — the cloud environment that hosts the technology and the public-sector buying decisions around it.
1. Distinct but complementary scopes
The AI Act lays down harmonised rules for the development, placing on the market and use of AI systems, with the aim of ensuring a high level of protection of health, safety and fundamental rights. The CADA explanatory memorandum is explicit that this leaves sovereignty untouched: the AI Act "ensures a high level of protection of health, safety and fundamental rights. It does not cover aspects of sovereignty." It does not address dependence on third-country providers, the extraterritorial reach of foreign law, or the operational continuity of critical infrastructure.
CADA, as proposed, would address exactly those gaps. Article 16 would establish a "Union cloud computing sovereignty framework comprising four Union assurance levels," with the criteria set out in Annex II, that cloud computing service providers would have to meet in order to serve Union entities and public sector bodies. Where the AI Act asks whether an AI system is safe and rights-respecting, CADA would ask whether the cloud service hosting it is sufficiently sovereign for a given public-sector use.
2. Definitional alignment: Article 2(3)
To avoid fragmentation, CADA reuses the AI Act's terminology rather than coining its own. Article 2(3) defines "AI system" as "an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689." So when CADA refers to AI systems — for instance in its research and innovation measures or its procurement rules — it points to the same legal category the AI Act regulates.
The boundary between the two is drawn at the cloud layer. Recital 10 of the proposal explains that CADA's "cloud computing service" definition (Article 2(1), which cross-refers to the NIS2 Directive) "encompasses on-demand access to AI systems … hosted and operated remotely," but that "[o]nly the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." In other words, CADA reaches the cloud delivery of AI; the AI system and model themselves stay within the AI Act's remit.
3. Where the regimes meet: public procurement and risk assessment
The interaction becomes concrete on the demand side. The AI Act places obligations on providers and deployers of AI systems. CADA, as proposed, would place obligations on the public bodies that buy the cloud capacity to run them.
- Under Article 29, Member States and Union entities would carry out risk assessments to identify public-sector activities that contribute to the preservation of public order — in the sectors of NIS2 Annexes I and II and in areas such as national security, defence, justice and law enforcement — and to determine which Union assurance level (2, 3 or 4) is appropriate.
- Under Article 30, contracting authorities whose activities are not identified as contributing to public order would use services recognised at Union assurance level 1; those whose activities are so identified would procure only services recognised at level 2, 3 or 4.
A public authority running a high-risk AI system would therefore have to ensure the system complies with the AI Act (risk management, data governance, human oversight) and that the cloud service hosting it carries the assurance level its CADA risk assessment requires.
4. Reinforcing, not duplicating
The memorandum frames CADA as reinforcing the AI Act: by fostering a competitive, trusted EU cloud market it aims to supply the infrastructure on which trustworthy AI can be deployed at scale. CADA's Cloud and AI Leadership Initiatives (Article 3) support research and innovation in areas including frontier AI and physical and industrial AI — supporting, rather than re-regulating, the AI Act's objectives. CADA also adds its own AI-specific terms that the AI Act does not define: "frontier AI" (Article 2(4)) and "AI agent" (Article 2(5)) are original CADA definitions, used for its compute-support measures (Articles 8–9) rather than to re-regulate AI safety.
5. Different governance and enforcement architecture
The two regimes are administered by different institutions. The AI Act is overseen by the AI Office within the Commission, the European Artificial Intelligence Board and national market-surveillance authorities. CADA, as proposed, would rely on national competent authorities designated by each Member State (Article 25), exercising the investigative and enforcement powers in Article 26, with the Commission playing a coordinating and, in recognition disputes, a deciding role. So even where the same organisation is subject to both regimes, it would answer to different supervisors performing different functions — market surveillance for AI safety on one side, sovereignty recognition and enforcement on the other. Mapping which authority does what is part of the compliance exercise.
What this means for you
For in-house counsel and compliance officers — especially in the public sector or critical-infrastructure sectors — the two regimes create parallel, not merged, compliance tracks.
1. Map twice. Classify your AI systems against the AI Act's risk tiers (prohibited, high-risk, transparency-only, minimal) and map the cloud services hosting them against CADA's four Union assurance levels. AI Act work focuses on the system's design, data and oversight; CADA work focuses on the cloud provider's establishment, data localisation, third-country exposure and — where a public sector body requires it — personnel screening.
2. Procurement due diligence. If you are a contracting authority, expect to run an Article 29 risk assessment and to verify that a candidate provider holds recognition at the required level. Levels 2–4 rest on an independent third-party audit (Article 20); level 1 on a conformity self-assessment and EU statement of conformity (Article 19).
3. Two penalty regimes. Under the AI Act's Article 99, fines reach up to €35 million or 7% of total worldwide annual turnover for breaching the Article 5 prohibitions, and up to €15 million or 3% for most other breaches. CADA, by contrast, would not set EU-wide fine ceilings: Article 24 leaves penalties to Member States, requiring only that they be "effective, proportionate and dissuasive," while Article 26 would give national competent authorities investigative and enforcement powers, including ordering the cessation of an infringement and imposing fines.
4. Different clocks. The AI Act entered into force on 1 August 2024; its Article 5 prohibitions apply from 2 February 2025 and most high-risk and governance rules from 2 August 2026. CADA is only a proposal: Article 48 would set entry into force 20 days after publication and application one year later, with national strategies due within one year of entry into force (Article 7).
Common misconceptions
"CADA replaces the AI Act." No. They are separate instruments with different legal bases — CADA on Articles 114 and 173(3) TFEU, the AI Act on Articles 114 and 16 TFEU — and different aims. An organisation deploying AI on cloud infrastructure in the EU would need to comply with both.
"AI Act compliance proves sovereignty." No. The AI Act makes a system safe and rights-respecting; it says nothing about whether the hosting infrastructure is free from foreign-law access or operational disruption. Those are precisely the risks CADA would address.
"CADA only binds cloud providers." No. CADA would impose recognition and audit duties on providers, but it would also bind users — public sector bodies and Union entities — through the Article 29 risk-assessment and Article 30 procurement obligations.
"CADA invents its own definition of an AI system." No. Article 2(3) imports the AI Act's definition verbatim, keeping the two regimes terminologically aligned.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
Related
- CADA Multi-Cloud Guidance vs. Data Act: How They Interact
- CADA vs the Data Governance Act: How do they interact?
- How does CADA interact with the Data Act?
- CADA and the Chips Act 2.0: How the EU's Digital Stack Laws Interact
- How does CADA interact with the AI Act for AI deployed by public administrations?
This is general information about a draft EU regulation, not legal advice.