How does CADA relate to the Data Act?

Summary As proposed, the Cloud and AI Development Act (CADA) and the Data Act play complementary but distinct roles in EU digital policy. The Data Act (Regulation (EU) 2023/2854), already in force, acts as an enabler by mandating cloud switching and interoperability, removing vendor lock-in. CADA builds on this by actively shaping a competitive, sovereign European cloud offer — introducing Union assurance levels and public-procurement obligations the Data Act does not contain.

Detail

The relationship turns on a distinction between enabling market mobility (the Data Act) and building strategic autonomy (CADA). Both address cloud computing, but at different points in the value chain.

The Data Act as an enabler

The Data Act (Regulation (EU) 2023/2854) focuses on fair access to and use of data. For cloud services, its main contribution is removing technical and contractual barriers to switching providers. As the CADA explanatory memorandum notes, the proposal is "consistent with the rules on switching between data processing services" introduced by the Data Act. By enabling switching and removing key sources of lock-in, the Data Act lets cloud users freely choose providers and combine offers in a multi-cloud approach, so providers compete on quality, innovation and price.

But the CADA memorandum is explicit about the limits: the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector." It does not, on its own, shape a more competitive European offer or guarantee trustworthy alternatives to switch to. The memorandum therefore describes the Data Act as "an enabler for the proposal."

CADA: shaping a competitive and sovereign offer

CADA addresses the supply side. The memorandum notes that three non-EU hyperscalers control over 70% of the European cloud market, exposing European users to risks of operational discontinuity and to third-country jurisdictions with extraterritorial laws. CADA responds with measures absent from the Data Act:

1. Union assurance levels: Article 16 establishes a Union cloud computing sovereignty framework of four assurance levels, with criteria set out in Annex II, that providers must meet to serve Union entities and public sector bodies.
2. Public-procurement obligations: Article 30 requires that activities not identified as contributing to public order use at least Union assurance level 1 (Article 30(2)), while activities identified as contributing to public order procure only services recognised at levels 2, 3 or 4 (Article 30(3)).
3. Strategic capacity: CADA includes mechanisms to designate data centre strategic projects (Article 14) and to monitor the Union's compute capacity gap (Article 15), supporting the aim to triple EU capacity in five-to-seven years.

Distinct but complementary

In short: the Data Act ensures that, if a trusted European provider exists, users can technically and contractually switch to it; CADA creates the regulatory incentives for such providers to emerge and be trusted by the public sector. For in-house counsel, Data Act compliance (portability and switching) is a practical prerequisite for CADA's sovereignty framework to function, but CADA adds new, distinct obligations on service classification, risk assessments and procurement.

What this means for you

For in-house counsel and compliance officers, the interplay creates a two-layer compliance landscape.

1. Ensure Data Act readiness first

• Interoperability: Ensure contracts and architectures allow transfer of data and workloads to other providers.
• Contractual terms: Review contracts to remove terms that hinder switching, consistent with the Data Act's switching obligations.

2. Prepare for CADA's sovereignty assessments

• Risk assessments: Under Article 29, Member States and Union entities must carry out risk assessments to determine the appropriate Union assurance level. Article 29(9) requires them to consider whether a multi-vendor or multi-cloud strategy is appropriate.
• Private sector: Under Article 31, entities listed in Annex I to the NIS2 Directive (Directive (EU) 2022/2555) that are not public sector bodies may carry out similar assessments; the Commission may, in duly justified cases, require such assessments via delegated act.
• Procurement strategy: If your organisation is a contracting authority, prepare to procure services meeting the relevant Union assurance levels, which require providers to meet the cumulative criteria in Annex II (such as Union establishment, data residency and limits on third-country control).

3. Monitor legislative progress CADA is a proposal. Its obligations, deadlines and penalty rules (Article 24) may change. Track the delegated and implementing acts, particularly on the risk-assessment methodology (Article 29(3)) and the assurance-level criteria.

Common misconceptions

Misconception 1: The Data Act makes cloud services sovereign. The Data Act does not define or certify sovereignty; it facilitates movement between providers. A non-EU hyperscaler can comply with the Data Act's switching rules while remaining subject to third-country laws. CADA addresses that gap directly.

Misconception 2: CADA replaces the Data Act. CADA does not repeal or replace the Data Act. The two are designed to work together — the Data Act's switching provisions are cited as an enabler for CADA's goals.

Misconception 3: Only the public sector is affected by CADA's sovereignty rules. The procurement obligations in Article 30 apply to contracting authorities, but providers seeking to serve the public sector must obtain recognition under the Union assurance levels, and private entities in high-criticality sectors may carry out impact assessments (Article 31). Public-sector demand also shapes the wider market.

Misconception 4: The Data Act's focus on competition conflicts with CADA's focus on sovereignty. The memorandum treats them as consistent. By removing lock-in, the Data Act actually strengthens European providers — users can switch to them more easily — supporting CADA's aim of reducing dependence on non-EU incumbents.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Cybersecurity Act (Regulation (EU) 2019/881)
• Data Act (Regulation (EU) 2023/2854)

Related

• CADA and the Chips Act 2.0: how the two relate
• How does CADA relate to the Cybersecurity Act and EUCS?
• How does CADA relate to the AI Act?
• CADA vs GDPR and the EU-US Data Privacy Framework: How They Relate
• Why was the Cloud and AI Development Act (CADA) proposed?

This is general information about a draft EU regulation, not legal advice.