Summary

The proposed Cloud and AI Development Act (CADA) does not explicitly mention Gaia-X, as Gaia-X is an industry-led, voluntary initiative rather than binding EU legislation. However, CADA establishes a mandatory, harmonised sovereignty framework through four "Union assurance levels" that effectively codifies the trust and data sovereignty principles Gaia-X has long advocated. While Gaia-X conformity may inform compliance efforts and serve as evidence during audits, it does not substitute for the formal recognition process under CADA's national competent authorities. A provider cannot rely on a Gaia-X label to satisfy public procurement obligations under the proposed regulation.

Detail

To understand the interaction between the proposed Cloud and AI Development Act (CADA) and Gaia-X, it is essential to distinguish between voluntary industry standards and binding regulatory requirements. Gaia-X is a federated ecosystem initiative driven by European industry stakeholders, aiming to create a secure, interoperable, and trustworthy cloud infrastructure. It relies on voluntary adherence to a set of principles and technical specifications. In contrast, CADA is a legislative proposal (COM(2026) 502 final) that creates a legally enforceable framework for cloud computing sovereignty within the European Union, specifically targeting the "availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order" as stated in Article 1(1)(c).

The Regulatory Gap CADA Fills

CADA introduces a "Union cloud computing sovereignty framework" consisting of four assurance levels (Union assurance levels 1, 2, 3, and 4), as detailed in Article 16 and Annex II of the proposal. These levels define cumulative criteria that cloud computing service providers must meet to offer services to Union entities and public sector bodies. The criteria cover establishment in the Union, location of infrastructure and assets, data residency, personnel citizenship, cybersecurity certification, and the absence of third-country control.

The explanatory memorandum explicitly positions CADA as the regulatory backbone that the industry has been anticipating. It notes that the proposal aims to "mitigate the risks stemming from the EU's reliance on third countries for cloud computing services via a single EU-wide sovereignty framework." It provides a "harmonised and auditable set of criteria at different levels of sovereignty," addressing the fragmentation that voluntary initiatives like Gaia-X have struggled to overcome across Member States. The memorandum further clarifies that while existing Union law addresses cybersecurity and data protection, "there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks."

Gaia-X Conformity vs. CADA Recognition

Gaia-X's conformity assessment scheme evaluates providers against its own trust framework, which shares significant thematic overlap with CADA's sovereignty criteria. For instance, both frameworks emphasise data residency within the EU, transparency regarding subcontractors, and protection against extraterritorial access by third-country authorities. However, CADA's framework is prescriptive and legally binding for public procurement, whereas Gaia-X remains a market-driven signal of trust.

Crucially, CADA does not automatically recognise Gaia-X compliance as equivalent to meeting a Union assurance level. Article 17 establishes a specific mechanism for recognition. Cloud computing service providers must submit an application for recognition to the national competent authority of their establishment. The process is tiered:

  • Union assurance level 1: Providers carry out a conformity self-assessment and issue an EU statement of conformity (Article 19).
  • Union assurance levels 2, 3, and 4: Providers must undergo independent third-party audits by accredited auditing organisations (Article 20).

The audit criteria are strictly defined in Annex II, and the evidence required is listed in Annex III. While Gaia-X conformity may serve as valuable evidence during the audit process for CADA recognition, demonstrating that a provider already adheres to high standards of data governance and security, it does not bypass the legal requirement for formal recognition by a national competent authority. The auditing organisation must assess compliance against the specific CADA criteria, not the Gaia-X specifications. Article 20(1) states that audited providers must undergo independent audits to obtain an audit report and opinion from an auditing organisation. This opinion is then submitted to the national competent authority for the final recognition decision.

Specific Divergences in Criteria

While the philosophies align, the technical and legal criteria diverge in ways that prevent automatic equivalence:

  1. Personnel Citizenship: For Union assurance levels 3 and 4, Annex II mandates that personnel, including those of subcontractors, must be Union citizens (Annex II, 3.1(d) and 4.1(d)). Gaia-X focuses on data sovereignty and control but does not impose a mandatory citizenship requirement for all operational personnel. A provider could be Gaia-X conformant but fail the CADA citizenship test for higher tiers.
  2. Cybersecurity Certification Levels: CADA requires specific assurance levels for cybersecurity certificates. For levels 2 and 3, a certificate of at least "substantial" assurance is required (Annex II, 2.1(e) and 3.1(e)). For level 4, a "high" assurance level is mandatory (Annex II, 4.1(e)). Gaia-X has its own certification scheme, but unless it is explicitly mapped to the "substantial" or "high" levels defined under the European cybersecurity certification scheme (EUCS) or national schemes, it does not automatically satisfy CADA.
  3. Third-Country Control: CADA's criteria for levels 3 and 4 strictly prohibit control by a third country or legal entity established in a third country, unless a specific derogation under Article 18 is granted by the Commission (Annex II, 3.1(g) and 4.1(g)). Gaia-X allows for participation by non-EU entities under certain conditions, which may not align with the strict "no third-country control" rule of CADA's higher tiers.

Scope Beyond Cloud Infrastructure

CADA's scope extends beyond technical cloud infrastructure to include AI systems and broader ecosystem resilience. Article 1 outlines the subject matter, which includes strengthening the cloud and AI ecosystem, accelerating data centre deployment, and enabling sovereign cloud offers. Gaia-X, while focused on cloud and data interoperability, does not cover the full breadth of CADA's obligations, such as the mandatory risk assessments for public sector activities (Article 29) or the procurement rules for Union added value (Article 32).

The proposal also addresses the role of open source, which is a core tenet of Gaia-X. Article 41 encourages Union entities and public sector bodies to use open standards and components released under an open source licence. Article 43 establishes an EU Open Source Solutions Catalogue, which may integrate with or complement existing industry catalogues. This alignment suggests that CADA supports the technical philosophy of Gaia-X while imposing stricter legal guardrails on their deployment in the public sector.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the relationship between CADA and Gaia-X requires a strategic adjustment in how you manage cloud procurement and vendor compliance.

  1. Do not rely solely on Gaia-X labels for public contracts. If your organisation is a contracting authority or Union entity, you cannot accept a Gaia-X conformity label as sufficient proof of compliance with CADA's sovereignty requirements. You must verify that the provider has been formally recognised under Article 17 for the specific Union assurance level required by your risk assessment (Article 29). A Gaia-X label is a market signal, not a legal certificate of conformity under CADA.
  2. Leverage Gaia-X for audit readiness. If your cloud providers are already Gaia-X conformant, use this status to streamline the CADA audit process. The documentation generated for Gaia-X conformity (e.g., data flow diagrams, subcontractor lists, security policies) will likely satisfy many of the evidence requirements in Annex III of CADA. However, ensure that the documentation explicitly maps to CADA's cumulative criteria in Annex II. The auditor must be able to trace every Gaia-X claim to a specific CADA requirement.
  3. Monitor national competent authority guidance. Since recognition is handled by national competent authorities (Article 25), interpretative guidance may vary initially. Stay engaged with your Member State's designated authority to understand how they weigh industry certifications like Gaia-X during the audit evaluation. While the criteria are harmonised, the administrative process is national.
  4. Prepare for multi-tier procurement strategies. CADA requires different assurance levels for different use cases. Non-critical public services may only require Union assurance level 1 (Article 30(2)), while activities contributing to public order may require levels 2, 3, or 4 (Article 30(3)). Ensure your vendors can demonstrate compliance at the specific tier required, not just a generic "sovereign" claim. A provider might be Gaia-X conformant (potentially meeting level 1 or 2 criteria) but fail the strict personnel or control requirements for level 4.
  5. Review subcontractor chains. CADA's criteria for levels 2–4 are strict regarding subcontractors. Annex II requires that subcontractors involved in service provision also meet establishment and location criteria. Gaia-X's federated approach often involves complex subcontracting; ensure these chains are fully transparent and compliant with CADA's stricter residency and control rules. The "subcontractor" definition in CADA is broad and includes any third party contributing to the provision of the service.

Common misconceptions

"Gaia-X conformity equals CADA compliance." This is incorrect. Gaia-X is a voluntary industry standard. CADA is a binding regulation. A provider can be Gaia-X conformant but fail to meet specific CADA criteria, such as the strict personnel citizenship requirements for Union assurance level 3 (Annex II, Section 3.1(d)) or the "high" cybersecurity assurance level for level 4 (Annex II, 4.1(e)). Conversely, a provider might meet CADA's legal criteria without participating in the Gaia-X ecosystem.

"CADA replaces Gaia-X." CADA does not abolish Gaia-X. Instead, it provides a legal floor for sovereignty. Gaia-X may continue to offer additional value through industry collaboration, innovation, and interoperability standards that go beyond the minimum legal requirements of CADA. The two frameworks are complementary, not mutually exclusive. Gaia-X can serve as a pre-compliance step, but it is not the final step for public procurement.

"Only EU-based providers can comply." While CADA's criteria strongly favour EU-based providers (e.g., establishment in the Union, data residency), Article 18 allows for the recognition of third countries for Union assurance level 3 if they meet specific cumulative criteria, including adequacy decisions and safeguards against third-country control. However, this is a high bar, and most Gaia-X participants are EU-based. The derogation mechanism in Article 18 is the only path for a third-country-controlled provider to reach level 3, and it requires a specific Commission implementing act.

"Self-assessment is enough for all tiers." Only Union assurance level 1 allows for conformity self-assessment by the provider (Article 19). Levels 2, 3, and 4 require independent third-party audits by accredited organisations (Article 20). Assuming Gaia-X's self-certification mechanisms apply to higher CADA tiers is a significant compliance risk. The CADA audit must be performed by an independent auditing organisation that meets the strict independence criteria in Article 20(4).

"CADA only applies to the public sector." While the procurement obligations fall on contracting authorities and public bodies, the sovereignty framework reaches any provider wanting to serve them. Furthermore, Article 31 allows private sector entities in high-criticality sectors (Annex I of NIS2) to conduct similar impact assessments, and the market signal of CADA recognition is likely to influence private procurement decisions as well.

This is general information about a draft EU regulation, not legal advice.