Summary As proposed, the Cloud and AI Development Act (CADA) and the EU AI Act are complementary instruments addressing different layers. The AI Act (Regulation (EU) 2024/1689) governs the safety, fundamental-rights impact and market placement of AI systems. CADA focuses on cloud infrastructure, compute capacity, and a sovereignty framework for public procurement. The AI Act, in the Commission's words, "does not cover aspects of sovereignty" — the gap CADA addresses. CADA reuses the AI Act's definition of an "AI system" for consistency. The two impose separate, parallel obligations.

Detail

The AI Act (Regulation (EU) 2024/1689) is a product-safety and fundamental-rights regulation. It sets a risk-based framework: prohibited practices (Article 5), high-risk classification (Article 6 with Annexes I and III) and obligations (Articles 8–27), transparency duties (Article 50), and general-purpose AI model rules (Articles 51–56). Its aim is that AI placed on the EU market is safe and trustworthy.

CADA (COM(2026) 502 final) is an industrial and strategic instrument. Its subject matter, in Article 1, includes establishing the Cloud and AI Leadership Initiatives, accelerating data centre deployment, enabling a sovereign cloud and AI offer to safeguard public order, reducing dependencies on critical technologies, and fostering public-sector cloud adoption. It addresses the EU's reliance on third-country providers.

Complementary, not overlapping

CADA's explanatory memorandum states that the proposal "reinforces key objectives of the AI Act." It explains that the AI Act harmonises rules for AI systems and general-purpose AI models, ensures a high level of protection of health, safety and fundamental rights, and — verbatim — "does not cover aspects of sovereignty." CADA fills that gap with a single EU-wide sovereignty framework to mitigate risks from reliance on third-country cloud providers.

The two work in tandem: the AI Act ensures AI systems are safe and rights-compliant, while CADA aims to ensure the underlying cloud infrastructure is resilient and free from controls that could compromise the Union's operational autonomy.

Harmonised definition of "AI system"

Article 2(3) of CADA defines an "AI system" as "an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689." This cross-reference keeps CADA consistent with the AI Act when it refers to AI systems in procurement, open-source promotion or public-sector adoption, reducing complexity for those navigating both frameworks.

Sovereignty versus safety

The instruments address different risks. The AI Act addresses risks to health, safety and fundamental rights (e.g. discrimination, bias, physical harm). CADA addresses risks to public order, operational autonomy and security of supply (e.g. third-country access to data, service disruption, dependency).

CADA's "Union cloud computing sovereignty framework" comprises four assurance levels with criteria in Annex II (Article 16). Providers seeking the higher levels undergo independent audits (Article 20) against criteria such as data remaining in the Union, personnel citizenship, freedom from third-country control, and cybersecurity certification. These are distinct from the AI Act's safety and conformity requirements.

Public procurement and adoption

The AI Act applies to deployers of AI systems, including public authorities. CADA goes further for public bodies by requiring them to procure cloud services at the assurance level set by their risk assessment (Article 30). A public authority using AI would thus need the AI system to be AI-Act-compliant and the hosting cloud to meet CADA's sovereignty requirements where applicable — a layered, end-to-end stack.

What this means for you

For in-house counsel and compliance officers, this means two parallel but interconnected tracks.

  1. Dual compliance. Any AI system you place on the market or use must meet the AI Act's classification and obligations. Separately, if you are a public body — or, where delegated acts apply, a NIS2 critical entity — the cloud hosting those systems may need to meet CADA's assurance levels.
  2. Procurement strategy. Public bodies cannot simply pick the cheapest or most advanced provider; under Article 30 they must verify a recognised Union assurance level appropriate to the activity, potentially narrowing the vendor pool to providers that have completed CADA recognition (Article 17).
  3. Definition alignment. To decide whether a tool is an "AI system" under CADA, use the AI Act's Article 3, point (1) definition, as Article 2(3) requires.
  4. Separate assessments. CADA's risk assessments (Article 29) on data sovereignty and third-country control are distinct from any fundamental-rights or conformity assessments under the AI Act; keep separate documentation.
  5. Different timelines. The AI Act is in force, with phased application (prohibitions from 2 February 2025; most high-risk obligations from 2 August 2026). CADA is a proposal; if adopted it would apply one year after entry into force, and the text may still change.

Common misconceptions

  • "CADA replaces the AI Act for cloud providers." False. The AI Act continues to regulate AI systems wherever hosted; CADA regulates the cloud services and strategic deployment. A provider must meet CADA's sovereignty rules to serve the public sector and, separately, the AI Act if it provides AI systems.
  • "Sovereignty is just cybersecurity." False. CADA distinguishes sovereignty from technical cybersecurity; it addresses legal and operational risks such as third-country access or compelled disruption.
  • "All cloud services must be sovereign under CADA." False. As proposed, CADA's sovereignty framework binds public-sector procurement (and, via delegated acts, certain critical entities). Private firms are not automatically required to use sovereign cloud, though they may choose to.
  • "CADA and the AI Act have overlapping penalties." False. The AI Act has its own regime (under Article 99, up to €35 million or 7% of worldwide turnover for prohibited-practice breaches). CADA's penalties under Article 24 apply to cloud providers' infringements of its sovereignty framework and are separate.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.