Summary
As proposed, the Cloud and AI Development Act (CADA) and the Data Act function as complementary pillars of the EU's digital sovereignty strategy. The Data Act (Regulation (EU) 2023/2854) removes technical and contractual barriers to cloud switching, ensuring users can move between providers without vendor lock-in. CADA, conversely, uses public procurement to stimulate the supply of sovereign, European cloud services. Specifically, Article 32 mandates "Union added value" criteria in procurement, while Article 33 sets a target for awarding at least 25% of innovation procurement to SMEs. Together, they create a market where users can freely switch (Data Act) to a diverse ecosystem of compliant European providers (CADA). For technical leaders, this means designing architectures that are both portable under the Data Act and aligned with CADA's sovereignty and innovation criteria.
Detail
The relationship between CADA and the Data Act is foundational to the EU's strategy for a resilient, competitive cloud ecosystem. While the Data Act focuses on the ability to switch providers by mandating interoperability, data portability, and limiting unfair contractual terms, CADA focuses on the incentive and capacity to switch by fostering a competitive European market and defining sovereignty standards.
The explanatory memorandum of CADA explicitly frames the Data Act as an "enabler" for the proposal. It states that the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers" by enabling switching and removing key sources of vendor lock-in. However, the memorandum notes that the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers." CADA fills this gap by stimulating the entry and growth of diverse European cloud providers through demand-side measures.
CADA's Procurement Framework: Driving Demand for Sovereignty and Innovation
CADA introduces specific procurement mechanisms to ensure that public spending strengthens the EU's technological sovereignty and industrial base. These mechanisms are designed to work in tandem with the switching capabilities granted by the Data Act.
Article 32: Union Added Value Criteria
Article 32 mandates that in public procurement procedures for innovative cloud computing services and AI systems, contracting authorities shall include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. These criteria must be linked to the subject matter of the contract, expressly set out in procurement documents, and remain "ancillary and not decisive in the award of the contract."
Specifically, Article 32(3) allows authorities to evaluate the extent to which:
- The tenderer contributes to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
- The tenderer has integrated technologies developed in the Union, including research and development results stemming from Union-funded research and development programmes.
- The service is delivered, to the greatest extent feasible, through critical computing, storage, and networking hardware components designed and/or manufactured in the Union.
This provision ensures that when public authorities procure cloud services, they actively favor providers that contribute to EU technological autonomy. For a CTO, this means that European providers who align with these criteria become more attractive procurement targets, increasing the viable pool of providers to which an organization might switch under the Data Act's portability rules.
Article 33: Monitoring and SME Participation
Article 33 focuses on monitoring the procurement of innovation in cloud and AI, with a specific emphasis on supporting Small and Medium-sized Enterprises (SMEs). Member States must monitor and report on their use of innovation procurement and take measures to identify barriers to SME participation. The article sets a clear objective: Member States shall pursue the objective that "at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs."
This provision directly impacts the market landscape by encouraging the growth of smaller, agile European providers. By mandating SME-friendly strategies, such as dividing contracts into lots, CADA ensures that the market is not dominated solely by large incumbents. A diversified market of EU providers, ranging from large sovereign hyperscalers to niche SMEs, is essential for the Data Act's switching mechanisms to be effective; users need viable alternatives to switch to.
Synergy with the Data Act's Switching Provisions
The Data Act enables switching by requiring cloud providers to ensure interoperability and to provide assistance in switching services to another provider. It also restricts contractual terms that unfairly hinder switching. CADA complements this by ensuring that the providers to whom users switch are robust, sovereign, and innovative.
- Reducing Lock-in Through Competition: The Data Act reduces technical and contractual lock-in. CADA reduces market lock-in by fostering a competitive supply of European alternatives. Without CADA's demand-side measures, the Data Act's switching rights might only allow users to switch between a few dominant non-EU providers. CADA ensures that European providers are competitively positioned and capable of absorbing this switched demand.
- Sovereignty and Portability: CADA's Union Assurance Levels (UAs) provide a standardized framework for assessing sovereignty. When a public sector body switches providers under the Data Act, it can use CADA's risk assessments (Article 29) to determine the appropriate UA level (1–4) for the new provider. This ensures that switching does not compromise security or sovereignty standards.
- Contractual Alignment: Contracts for cloud services must now reflect both the Data Act's switching obligations and CADA's procurement criteria. For example, a contract awarded under CADA's Article 32 criteria might include clauses that guarantee compliance with Data Act portability standards, ensuring that the "European added value" is not undermined by future lock-in risks. The Data Act's provisions on switching and interoperability make it possible for users to embrace European cloud computing services more strongly, while CADA ensures those services are available and meet sovereignty requirements.
What this means for you
For CTOs, architects, and SMEs, the interaction between CADA and the Data Act requires a strategic shift in how cloud services are evaluated, procured, and managed.
For CTOs and Architects:
- Design for Sovereignty and Portability: When designing cloud architectures, ensure that systems are not only technically portable (as required by the Data Act) but also capable of meeting CADA's Union Assurance Levels. This may involve selecting providers that offer transparent supply chains and EU-based data residency.
- Leverage Multi-Cloud Strategies: CADA encourages multi-vendor strategies (Article 29(9)) to limit dependency. Use the Data Act's switching rights to negotiate better terms and ensure that your architecture can seamlessly distribute workloads across multiple EU-compliant providers.
- Evaluate Procurement Criteria: When bidding for public contracts, explicitly address Article 32's "Union added value" criteria. Highlight how your solution uses EU-designed hardware or software, integrates EU research results, and contributes to the European supply chain. This is no longer optional for public sector bids; it is a mandated evaluation criterion.
For SMEs:
- Target Innovation Procurement: Article 33 creates a specific pathway for SMEs. Focus on innovative cloud and AI solutions that can be procured through the mechanisms highlighted in Article 33. Ensure your offerings are modular and can be offered in lots, as this is a key strategy Member States must employ to meet the 25% SME award target.
- Demonstrate European Value: Clearly document your use of EU-based technologies, open-source components, and local talent. This evidence will be crucial for meeting the Article 32 criteria and competing against larger incumbents.
- Prepare for Switching: As the market becomes more dynamic, ensure your services are interoperable and compliant with Data Act switching requirements. This will make you a more attractive option for public bodies looking to diversify their supplier base.
Common misconceptions
Misconception 1: CADA replaces the Data Act's switching rules.
- Reality: CADA does not replace the Data Act. The Data Act remains the primary legal basis for technical switching and data portability. CADA complements it by shaping the market supply and procurement demand. They are distinct but synergistic instruments. The Data Act is an "enabler" for CADA, not a competitor.
Misconception 2: Article 32's "Union added value" is a decisive factor in procurement.
- Reality: Article 32(2) explicitly states that non-price award criteria, including Union added value, must be "ancillary and not decisive in the award of the contract." Technical and financial criteria directly connected to performance requirements remain primary. The EU added value is a quality differentiator, not a quota or a veto power.
Misconception 3: SMEs are exempt from CADA's sovereignty requirements.
- Reality: While Article 33 encourages SME participation, SMEs must still comply with the Union Assurance Levels if they wish to serve public sector bodies. However, CADA provides support mechanisms, such as simplified technical documentation and access to innovation procurement, to help SMEs meet these standards.
Misconception 4: The Data Act guarantees that switching will be easy even if the provider is non-compliant.
- Reality: The Data Act mandates provider assistance in switching, but the ease of switching also depends on the technical architecture and the availability of viable alternatives. CADA's role is to ensure that these alternatives (European providers) exist and are robust enough to handle the switched workload securely.
This is general information about a draft EU regulation, not legal advice.