Summary
The proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) is designed to be consistent with the GDPR, but it pursues a different objective. The GDPR protects the fundamental right to the protection of personal data; CADA, as proposed, would address technological sovereignty, operational autonomy and public order. CADA would not replace GDPR obligations — its explanatory memorandum says the notion of sovereignty "goes beyond data transfers and relates to operational autonomy too." Instead it would layer sovereignty criteria (the four Union assurance levels) and public-sector risk assessments on top of existing data-protection rules. GDPR compliance would be necessary but not sufficient.
Detail
CADA would build a framework to strengthen Europe's cloud and AI ecosystem and reduce dependence on third-country providers. A recurring question is how this sovereignty-focused proposal sits with the General Data Protection Regulation (Regulation (EU) 2016/679).
The explanatory memorandum states that the proposal "is consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework." It adds that "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers," and that the proposal "complements the EU-US Data Privacy Framework as the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."
Distinct but complementary objectives
The GDPR ensures a high level of protection for natural persons regarding the processing of personal data, through principles such as lawfulness, fairness, transparency and data minimisation. Its centre of gravity is the individual's rights.
CADA, as proposed, is driven by economic security, technological sovereignty and public order. Its concern is dependence on non-European cloud providers — including the risk of foreign-authority access to data and the risk of service disruption for geopolitical reasons — risks that sit largely outside the GDPR's frame.
Recital 63 of the proposal sits at the intersection. It provides that in their risk assessments "Union entities and Member State shall assess the sensitivity, criticality and magnitude of personal and non-personal data processed in cloud environment," and that such processing "may include … personal data within the meaning of Regulation (EU) 2016/679." It also notes that "[w]here cloud computing services are used to process personal data, Regulation (EU) 2016/679 provides for an obligation to agree on organisational and technical measures to comply with that Regulation," and that those mandatory agreements could be relied on to help demonstrate that the necessary Union assurance levels are met. CADA therefore does not create a parallel data-protection regime; it folds GDPR-compliant measures into a broader sovereignty assessment.
The role of risk assessments (Article 29)
Article 29 would require Member States and Union entities to carry out risk assessments to (a) identify public-sector activities using cloud services that contribute to the preservation of public order — in the sectors of Annexes I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement — and (b) determine which Union assurance level (2, 3 or 4) is appropriate.
Article 29(2) lists the aspects the assessment must consider — three, not a longer enumeration:
- the sensitivity, criticality and magnitude of the non-personal data processed, "including the potential impact on public order and the nature, scope, context and purpose of processing of personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects";
- the risk and consequent impact on public order of unlawful access, under Union law, to such data by a third country or a legal entity established in a third country;
- the risk and consequent impact on public order of possible service disruption.
The first limb deliberately echoes GDPR concepts: the "rights and freedoms of data subjects" are the same interests a GDPR Data Protection Impact Assessment protects. A robust DPIA can therefore feed the CADA assessment — but the CADA assessment goes further, weighing sovereignty risks such as the provider's legal jurisdiction and exposure to extraterritorial access.
Sovereignty vs. data protection
GDPR compliance would not equate to CADA compliance. A provider can be fully GDPR-compliant — strong contractual safeguards, sound technical measures — yet not meet CADA's higher assurance levels. Levels 2, 3 and 4 turn on Annex II criteria including Union establishment, data and infrastructure located in the Union, and mitigation of third-country control. Where a provider is subject to third-country control, CADA would generally require independent third-party audit against those criteria; for level 3 specifically, a third-country-controlled provider may be audited only if the Commission has recognised that country as an "associated third country" under Article 18.
Recital 64 reinforces the wider lens, describing the need to address "critical dependencies, unauthorised access to Union data, technology leakage, sabotage and espionage by third-country actors" and calling for "a prudent but firm political, legal and operational response." That reaches beyond the GDPR's focus on individual rights to systemic risks to the Union's digital infrastructure.
Subcontractors and the mandatory-agreement bridge
Recital 63 also links the two regimes through the contractual chain. Where a cloud service processes personal data, the GDPR requires mandatory organisational and technical-measures agreements between controller and processor — and, the recital notes, "[w]here the cloud computing service provider relies on subcontractors in the provision of the services, the same agreements apply to the subcontractors." It adds that where specific technical and organisational measures are needed under CADA to keep personal data processed in line with the Regulation, "such specific measures could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met." In other words, the GDPR processor agreements are not duplicated by CADA; they can be drafted to carry sovereignty commitments too, providing evidence toward an assurance level. This is a deliberate efficiency — but it also means a thin or generic GDPR processor agreement would leave a gap when CADA recognition is sought.
Procurement
For public bodies the interplay is sharpest in procurement. Under Article 30, Union entities and public sector bodies whose activities are not identified as contributing to public order must use level-1 services; those whose activities are so identified must procure only level 2, 3 or 4 services. So a GDPR-compliant service might still be ineligible for a sensitive public-sector use unless it also carries the required assurance level — pushing public buyers toward providers that can meet both regimes.
A worked contrast
Picture a Member State health authority moving patient-administration workloads to the cloud. The GDPR analysis is familiar: identify the lawful basis, run a DPIA given the special-category data, put a controller-processor agreement in place, ensure security of processing, and address any international transfers through adequacy or appropriate safeguards. A provider could clear all of that. The CADA analysis then asks a separate set of questions under Article 29: does this activity contribute to the preservation of public order in a NIS2 health-sector context; what is the sensitivity, criticality and magnitude of the data, personal and non-personal; what is the risk of unlawful third-country access; what is the risk of service disruption. The answer might require a level-2, 3 or 4 service — and if the incumbent provider is subject to third-country control without adequate mitigation, GDPR adequacy alone would not save the procurement. The two assessments share inputs (the DPIA feeds the data-sensitivity limb) but reach independent conclusions.
What this means for you
- Integrate the assessments. When running a DPIA for a cloud service, evaluate sovereignty risks in parallel: not only risks to data subjects but the risks of third-country access and service disruption that Article 29(2) requires.
- Revisit vendor contracts. Ensure agreements address both GDPR duties (data-processing agreements) and CADA sovereignty expectations (data localisation, third-country-access safeguards). For public-sector buyers, confirm the provider holds the needed assurance-level recognition.
- Track recognised services. CADA would have the Commission maintain a central repository of recognised services (Article 22); public buyers would draw from it.
- Plan for migration. If a risk assessment requires moving to a higher level, Article 29(6) sets a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity and data portability.
Common misconceptions
"GDPR compliance is enough for CADA." No. GDPR addresses individual rights; CADA would address sovereignty and public order. A GDPR-compliant provider can still fail CADA's higher levels, particularly on third-country control and data localisation.
"CADA replaces the GDPR." No. The memorandum states CADA is consistent with the GDPR. It would add a sovereignty layer; both apply.
"Only personal data matters for CADA." No. Recital 63 and Article 29(2) require assessing both personal and non-personal data — the sensitivity of operationally critical or commercially sensitive non-personal data matters just as much in setting the required assurance level.
This is general information about a draft EU regulation, not legal advice.