Summary
The proposed Cloud and AI Development Act (CADA) reduces dependence on third-country providers through a three-pronged strategy: boosting domestic supply via the Cloud and AI Leadership Initiatives, mandating sovereign cloud procurement for critical public-sector activities, and establishing a harmonised Union assurance framework to replace fragmented national approaches. As proposed, CADA would require public authorities to conduct risk assessments and procure cloud services that meet specific Union assurance levels, thereby shielding critical infrastructure and data from extraterritorial third-country laws and operational disruptions. The Commission's explanatory memorandum explicitly frames the proposal as a response to the Union's "critical strategic dependencies" and the risk that "three non-EU hyperscalers control over 70% of the European cloud market."
Detail
The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen Europe's cloud and AI ecosystem by addressing the EU's critical reliance on a limited number of non-European cloud computing service providers. The proposal recognises that the current market landscape creates significant vulnerabilities. As noted in the explanatory memorandum, the Union faces a "pronounced dependence on a limited pool of third-country providers," with the market share of EU providers decreasing from 29% in 2017 to 15% in 2022. This concentration exposes the EU to "critical strategic dependencies and concentration risks," including vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting service continuity, and reduced control over data and infrastructure.
CADA tackles this dependence through three interconnected levers: supply-side capacity building, demand-side procurement mandates, and a harmonised sovereignty framework.
1. Supply-Side Levers: Building Domestic Capacity
CADA aims to increase the availability of European cloud and AI capabilities through the Cloud and AI Leadership Initiatives (Title II). These initiatives support research, innovation, and the large-scale deployment of cutting-edge cloud and AI technologies. By fostering the development of open cloud computing stacks, energy-efficient data centres, and frontier AI, CADA seeks to create credible European alternatives to non-European incumbents.
The proposal specifically targets the "capacity gap" and the lack of geographically balanced deployment. It supports projects that develop cloud computing stack alternatives for strategic sectors and facilitates the co-design of hardware and software within the Union. The goal is to ensure that European businesses and public administrations have access to high-quality, sovereign cloud services, thereby reducing the structural need to rely on third-country providers for critical workloads. This includes measures to accelerate the deployment of data centres, such as designating "data centre acceleration zones" and streamlining permitting processes to triple EU capacity within five to seven years.
2. Demand-Side Levers: Mandating Sovereign Procurement
A core mechanism for reducing dependence is the regulation of public procurement. CADA introduces strict requirements for Union entities and Member States when procuring cloud computing services, effectively using public spending to drive market transformation.
Risk Assessments (Article 29): Member States and Union entities are required to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must consider the sensitivity of data, the risk of unlawful access by third countries, and the risk of service disruption. The risk assessment determines which Union assurance level (1, 2, 3, or 4) is appropriate for the specific activity. The assessment must be updated every two years or whenever necessary.
Procurement Obligations (Article 30): Based on these risk assessments, contracting authorities face mandatory procurement rules:
- Union Assurance Level 1: For public sector activities not identified as contributing to the preservation of public order, authorities must use cloud computing services recognised as offering Union assurance level 1. This establishes a baseline of trust for all public cloud usage.
- Union Assurance Levels 2, 3, or 4: For activities identified as contributing to the preservation of public order (such as national security, defence, justice, or critical infrastructure), authorities must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4. These higher levels impose stricter criteria regarding data localisation, personnel citizenship, and absence of third-country control.
This mechanism directly channels public spending towards services that meet EU-defined sovereignty standards, creating a guaranteed market for European providers and reducing the procurement of non-compliant third-country services in critical sectors.
3. The Sovereignty Framework: Harmonising Assurance
The cornerstone of CADA's approach to dependence is the Union cloud computing sovereignty framework (Article 16). Currently, Member States have developed divergent national approaches to identifying sovereign services, which fragments the internal market and complicates compliance for providers. CADA establishes a single, harmonised framework with four assurance levels, each with specific, auditable criteria set out in Annex II of the proposal.
Recital 46 of the explanatory memorandum highlights the urgency of this framework, stating that the Union's critical dependence on a limited number of cloud providers subject to third-country control exposes the Union to "critical strategic dependencies and concentration risks." These risks include vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions to service continuity, and reduced control over personal and non-personal data.
The framework ensures that cloud services are assessed against transparent, EU-wide criteria rather than opaque national standards. For higher assurance levels (2–4), providers must undergo independent third-party audits to demonstrate compliance with criteria such as:
- Data Localisation: Customer data must remain exclusively within the Union.
- Personnel Requirements: Personnel involved in service provision must be Union citizens at levels 3 and 4; at level 2, this requirement applies only where the public body requires it.
- Absence of Third-Country Control: Providers and subcontractors must not be subject to the control of a third country or a legal entity established in a third country, unless specific derogations apply (e.g., for associated third countries under Article 18).
- Software Supply Chain Transparency: Providers must maintain a Software Bill of Materials (SBOM) and demonstrate controls over remote features that could disrupt service.
By creating a central repository of recognised services (Article 22), CADA enables public procurers to easily identify compliant providers, streamlining the shift away from non-sovereign options.
4. Supporting Mechanisms: EuroCloud and Open Source
CADA further reduces dependence by fostering collaboration and openness. The EuroCloud Federation (Article 34) facilitates the sharing of public sector data centre and cloud computing services between Union entities and Member States. This allows public bodies to leverage idle capacity and share resources, reducing the need to purchase additional capacity from external, potentially third-country, providers.
Additionally, CADA promotes the use of open-source solutions (Article 41) to reduce vendor lock-in and enhance technological autonomy. By encouraging the reuse of open-source software and maintaining an EU Open Source Solutions Catalogue (Article 43), the proposal aims to ensure that the EU's digital infrastructure is built on transparent, auditable, and non-proprietary foundations, further mitigating the risks associated with dependence on single, third-country vendors.
What this means for you
For public-sector procurement officers, CADA introduces a fundamental shift in how cloud services are evaluated and purchased. The era of selecting cloud providers based solely on price or feature sets is ending; sovereignty and resilience will become primary award criteria.
1. Conduct Rigorous Risk Assessments: You will need to systematically review your organisation's cloud-dependent activities. Under Article 29, you must determine which activities contribute to the preservation of public order. This is not a one-time exercise; assessments must be updated every two years or whenever necessary. You must evaluate the sensitivity of your data and the potential impact of third-country access or service disruption on public order.
2. Align Procurement with Assurance Levels: Your procurement specifications will need to explicitly require Union assurance levels.
- For general administrative tasks, ensure you procure services recognised at Union assurance level 1.
- For critical functions (e.g., justice, defence, critical infrastructure), you are legally required to procure services at Union assurance levels 2, 3, or 4. Procuring non-compliant services for these activities would constitute a breach of CADA.
3. Leverage the Central Repository: When drafting tenders, use the central repository of recognised cloud computing services (Article 22) to identify eligible providers. This repository will list services that have been audited and recognised by national competent authorities, simplifying your due diligence process.
4. Prepare for Transition: If your current cloud provider does not meet the required assurance levels, you must plan for migration. Article 29(6) notes that if a risk assessment requires migration, it must occur within a reasonable transition period not exceeding 12 months. Start planning your exit strategies from non-compliant vendors now.
5. Engage with the EuroCloud Federation: Consider joining the EuroCloud Federation to access shared public sector cloud capacity. This can provide a cost-effective, sovereign alternative to commercial hyperscalers, particularly for handling peak loads or specific sovereign workloads.
Common misconceptions
Misconception 1: CADA bans all third-country cloud providers. CADA does not impose a blanket ban on all third-country providers. Instead, it creates a tiered system. Third-country providers can still compete for Union assurance level 1 if they meet the criteria, such as being established in the Union and keeping data within the Union. For higher assurance levels (2–4), third-country control is generally prohibited, but the Commission may adopt implementing acts to allow audits for providers from associated third countries that meet strict safeguards (Article 18). The focus is on risk-based procurement, not exclusion for its own sake.
Misconception 2: Sovereignty is the same as cybersecurity. While related, sovereignty and cybersecurity are distinct. Cybersecurity focuses on technical protection against attacks, while sovereignty addresses operational autonomy, data confidentiality, and protection from extraterritorial legal claims by third countries. CADA complements existing cybersecurity frameworks (like the Cybersecurity Act) by adding these sovereignty dimensions. A service can be cyber-secure but still not sovereign if it is subject to third-country laws that allow data access.
Misconception 3: Only large public bodies are affected. CADA applies to all Union entities and public sector bodies. While the specific assurance levels may vary based on risk assessments, the obligation to procure recognised services (at least level 1) is universal for public cloud procurement. Smaller authorities should not assume they are exempt; they must still ensure their cloud services meet the baseline Union assurance level 1.
Misconception 4: The EU assurance levels are static. The assurance levels and their criteria are dynamic. The Commission is empowered to adopt delegated acts to amend Annex II and Annex III to reflect new legal or technical developments (Article 16(2)). Procurement officers must stay updated on any changes to the criteria, as compliance requirements may evolve.
This is general information about a draft EU regulation, not legal advice.