How does CADA reduce research dependence on non-EU cloud providers?

Summary As proposed, the Cloud and AI Development Act (CADA) reduces research dependence on non-EU cloud providers by establishing a four-tier Union sovereignty framework and mandating Member States to conduct risk assessments that identify high-dependency use cases. Specifically, Article 29 obliges public authorities to determine which activities require higher assurance levels (2, 3, or 4), effectively barring non-compliant third-country providers from critical research infrastructure. Additionally, the proposal establishes a binding obligation to develop a common cloud and AI curriculum and a network of Experience and Acceleration Centres to build domestic expertise, reducing reliance on external technical support.

Detail

The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, addresses the EU's strategic vulnerability regarding its heavy reliance on non-European cloud computing service providers. While the proposal covers a broad spectrum of ecosystem strengthening, its mechanisms for reducing research dependence are rooted in three pillars: a harmonised sovereignty framework, mandatory public sector risk assessments, and targeted capacity-building measures.

The Sovereignty Framework and Assurance Levels

At the core of CADA's approach is the introduction of a Union cloud computing sovereignty framework comprising four assurance levels (Article 16). This framework moves beyond traditional cybersecurity certifications to address "sovereignty" risks, such as the extraterritorial application of third-country laws that could grant foreign authorities access to EU data or allow them to disrupt service continuity.

Recital 24 explicitly states that the Cloud and AI Leadership Initiatives should "ensure the uptake of cloud computing services provided by European cloud computing service providers across the public and private sectors to ensure that cloud adoption is consistent with the objective of strengthening the Union's technological autonomy." It further notes that this is particularly crucial in sectors such as healthcare and education, which involve the processing of critical data. By creating a formal recognition mechanism for services that meet these sovereignty criteria, CADA aims to create a viable market for European providers, thereby reducing the structural dominance of non-EU hyperscalers.

The criteria for these levels are detailed in Annex II. For the highest levels (3 and 4), providers must demonstrate that they are not subject to the control of a third country, that their personnel are Union citizens, and that their infrastructure and data remain exclusively within the Union. These strict requirements are designed to ensure that critical research data cannot be accessed or disrupted by foreign jurisdictions.

Mandatory Risk Assessments under Article 29

The most direct mechanism for reducing dependence in the public and research sectors is found in Article 29. This article imposes a binding obligation on Member States and Union entities to carry out risk assessments. These assessments are not merely advisory; they are the trigger for procurement restrictions.

Under Article 29(1), Member States and Union entities must, within one year of the Regulation's entry into force (and thereafter every two years), identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice, and law enforcement.

Crucially for the research sector, Recital 49 clarifies that "public order concerns" include "economic security risks." Consequently, research activities involving critical data, frontier AI, or strategic industrial applications may be identified as contributing to public order. The risk assessment must determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities. Article 29(2) specifies that these assessments must consider:

• The sensitivity, criticality, and magnitude of the non-personal and personal data processed.
• The risk of unlawful access by a third country or a legal entity established in a third country.
• The risk of service disruption.

Once a risk assessment determines that a research activity or public sector function has public order relevance, Article 30 mandates that contracting authorities may only procure cloud computing services that have been recognised as offering Union assurance levels 2, 3, or 4. Since non-EU providers are generally unable to meet the strict criteria for these higher assurance levels (particularly regarding data localisation and absence of third-country control, as detailed in Annex II), this effectively restricts their access to critical EU research infrastructure.

Building Domestic Capacity: Curriculum and Centres

Recognising that regulatory restrictions alone are insufficient to shift market dynamics, CADA includes supply-side measures to build domestic capability. Article 5 establishes a network of Experience and Acceleration Centres for AI (Centres for AI) across Member States. These centres, built upon the existing European Digital Innovation Hubs, are tasked with supporting the integration and scaling-up of AI use cases in strategic industrial and public sectors, including research.

Furthermore, Article 4(8)(b) mandates the development of a "common cloud and AI curriculum." This educational initiative aims to equip workers in both the public and private sectors with advanced competencies. Recital 23 supports this by stating that a dedicated curriculum "should be developed to equip workers... with advanced competencies to reduce dependence on non-EU providers and develop next-generation capabilities." While Recitals provide context, the binding obligation to develop this curriculum is articulated in Article 4(8)(b) (an operational objective of the Cloud and AI Leadership Initiatives) and reinforced by Article 7(2), which requires Member States to include measures to support the Centres for AI in their national cloud and AI strategies. By reducing the skills gap and ensuring that EU researchers and IT professionals are trained on European cloud stacks and sovereign architectures, the proposal aims to break the cycle of dependence on non-EU providers for technical expertise and support.

Procurement of Innovation and European Added Value

To further incentivise the shift away from non-EU providers, Article 32 introduces "Union added value" criteria for public procurement of innovative cloud computing services and AI systems. Contracting authorities must include non-price award criteria that evaluate a tenderer's contribution to strengthening the digital technology supply chain in the Union. This includes the use of software or hardware designed or manufactured in the Union and the integration of technologies developed in the Union. While this criterion is not decisive, it provides a structured way for public sector buyers to prioritise European solutions, thereby fostering a competitive market for domestic cloud providers in the research and public sectors.

What this means for you

For public-sector and procurement officers managing research infrastructure, CADA introduces a significant shift in how cloud services are evaluated and procured.

1. Conduct Mandatory Risk Assessments: You must prepare to conduct risk assessments under Article 29 for all public sector activities, including those in research and higher education. Identify which datasets and computational tasks are critical to public order or economic security. These assessments will dictate whether you are restricted to Union assurance levels 2, 3, or 4.
2. Verify Sovereign Recognition: When procuring cloud services for critical research workloads, you must verify that the provider has been formally recognised under Article 17 as meeting the required Union assurance level. Relying solely on GDPR compliance or standard cybersecurity certifications will no longer be sufficient for high-dependency use cases.
3. Leverage European Added Value: Utilise the non-price award criteria outlined in Article 32 to favour providers who demonstrate a strong contribution to the European digital supply chain. This can help support emerging European cloud providers and reduce long-term strategic dependencies.
4. Engage with Centres for AI: Collaborate with your Member State's Experience and Acceleration Centres for AI (Article 5) to access support in migrating to sovereign cloud environments and to upskill your teams through the common cloud and AI curriculum mandated by Article 4(8)(b).

Common misconceptions

• "CADA bans all non-EU cloud providers." This is incorrect. CADA does not impose a blanket ban. Non-EU providers can still operate in the EU market, particularly for lower-risk use cases that only require Union assurance level 1 (which allows for self-assessment and has less stringent third-country control requirements). However, for critical public sector and research activities identified as high-dependency, the higher assurance levels effectively exclude providers subject to third-country control.
• "Sovereignty is just about data location." While data localisation is a component (Annex II), CADA's sovereignty framework is much broader. It includes criteria on the absence of third-country control over the provider, the prevention of service disruption by foreign authorities, and the use of European hardware and software stacks. A provider can keep data in the EU but still fail to meet assurance levels 3 or 4 if it is subject to extraterritorial laws of a third country.
• "Research institutions are exempt." Research institutions, particularly those receiving public funding or operating as public sector bodies, are not exempt. Article 29 explicitly includes Union entities and Member States in the risk assessment obligation. Given the strategic importance of research data, many research activities will likely be classified as requiring higher assurance levels.
• "The curriculum is just a suggestion." While Recital 23 uses the phrase "should be developed," the binding obligation to develop the common cloud and AI curriculum is found in Article 4(8)(b), which lists it as an operational objective of the Cloud and AI Leadership Initiatives that "shall" be pursued.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• Does CADA favour EU startups over non-EU AI providers?
• When do CADA research-support measures take effect?
• What sovereign-cloud pressure does CADA create for research?
• CADA and cross-border research: Sovereignty rules for EU collaborations
• How does CADA reduce cloud costs and lock-in for startups?

This is general information about a draft EU regulation, not legal advice.