How CADA Relates to the Digital Markets Act (DMA)

Summary As proposed, the Cloud and AI Development Act (CADA) and the Digital Markets Act (DMA) operate as complementary but distinct regulatory pillars: the DMA regulates the conduct of designated gatekeepers to ensure market contestability, while CADA would establish a sovereignty framework to drive the public sector's uptake of trusted cloud services. As of the proposal, no cloud provider had been designated as a gatekeeper for its cloud services, but on 18 November 2025 the Commission opened three market investigations on cloud computing services under the DMA. The explanatory memorandum states the DMA does not actively promote sovereign cloud uptake; CADA would fill that gap through risk assessments and assurance levels for public procurement, creating a dual-layer compliance landscape for providers serving both regimes.

Detail

The relationship between the proposed CADA and the DMA is defined by divergent objectives despite overlapping subject matter. Both address the cloud computing sector, but they target different market failures and use different mechanisms. Understanding the distinction is useful for in-house counsel navigating the EU digital regulatory landscape.

Distinct Objectives: Contestability vs. Sovereignty The DMA aims to maintain and promote a fair and contestable market, regulating specific behaviours of designated gatekeepers to prevent abuse of their position. As the CADA explanatory memorandum puts it, the DMA "does not contain measures that would actively promote the uptake of sovereign cloud computing services" and "only aims at maintaining and promoting a fair and contestable cloud market in the Union." Its intervention is behavioural and structural.

In contrast, as proposed, CADA's objective is to strengthen the Union's technological sovereignty and resilience, focusing on "the uptake and use of the services provided," particularly by the public sector. CADA would establish a Union cloud computing sovereignty framework comprising four assurance levels (Article 16) to mitigate risks of dependence on third-country providers. The memorandum frames the two as intervening "at a different level."

Gatekeeper Designations and Market Investigations Cloud computing services are classified as a core platform service under the DMA, meaning a provider designated as a gatekeeper would have to comply with a set of obligations. As the memorandum notes, as of the proposal no cloud computing service provider had been designated as a gatekeeper for its cloud services. However, on 18 November 2025 the Commission opened three market investigations on cloud computing services under the DMA. Two will assess whether two providers should be designated as gatekeepers for their cloud services (i.e., whether they act as important gateways between business users and end users). The third will assess whether the DMA can effectively tackle practices that may limit competitiveness and fairness in the cloud sector in the EU.

If providers are designated as gatekeepers, they would face DMA obligations. Simultaneously, the same providers might seek recognition under CADA's sovereignty framework to access public-sector contracts — undergoing CADA audits against Annex II criteria on matters such as data residency and freedom from third-country control.

No Conflict, But Cumulative Obligations The memorandum indicates the proposal is consistent with the DMA and that certain providers could be regulated under both. Where a provider is subject to both, the obligations would be cumulative. The DMA's focus on contestability and switching (also supported by the Data Act) helps create market conditions in which CADA's sovereign alternatives can compete. CADA's Union added value award criteria (Article 32) in public procurement could favour providers that strengthen the EU digital supply chain.

However, the DMA does not provide a mechanism for public authorities to require the use of sovereign cloud services. As proposed, that mechanism would sit within CADA — specifically through Article 29 (risk assessments) and Article 30 (public procurement obligations). Public authorities would use CADA to determine the appropriate assurance level for their activities, regardless of whether the provider is a DMA gatekeeper.

What this means for you

For in-house counsel and compliance officers, the interplay between CADA and the DMA suggests a bifurcated strategy:

1. Monitor Gatekeeper Investigations: With the November 2025 market investigations underway, cloud providers should prepare for possible DMA gatekeeper designation. If designated, you would implement DMA-specific obligations in addition to any CADA sovereignty requirements.
2. Dual-Layer Audits: To serve the public sector under CADA, providers would seek recognition for Union assurance levels (Article 17), with independent third-party audits for levels 2-4 (Article 20). These audits focus on technical and operational sovereignty (e.g., data localisation, freedom from third-country control), distinct from DMA conduct compliance. Expect separate documentation streams.
3. Procurement Strategy: Public-sector clients would increasingly demand CADA-recognised services. Ensure your architectures can demonstrate the relevant assurance level under Annex II, particularly on third-country control and data residency. This is separate from DMA compliance but equally important for public-sector market access.
4. No DMA Exemption for Sovereignty: Do not assume DMA compliance satisfies CADA. As the memorandum notes, the DMA does not address sovereignty or public-order risks; you would independently pursue CADA recognition to access the relevant public procurement.

Common misconceptions

• "DMA compliance ensures CADA recognition." Incorrect. The DMA focuses on market conduct and contestability; as proposed, CADA focuses on technical and operational sovereignty. A provider can be DMA-compliant yet not meet CADA's data-localisation or control criteria for higher assurance levels.
• "CADA replaces the DMA for cloud providers." Incorrect. They are complementary. The DMA regulates gatekeeper behaviour; CADA would regulate public-sector procurement and sovereignty standards. Providers may be subject to both.
• "Only non-EU providers need to worry about CADA." Incorrect. As proposed, CADA's sovereignty framework would apply to all providers seeking to serve the public sector, including EU-based providers, who would also undergo audits to demonstrate they meet the assurance levels.
• "The DMA already ensures public-sector sovereignty." Incorrect. The memorandum states the DMA does not contain measures to promote sovereign cloud uptake. CADA is the instrument proposed to address public-order and sovereignty risks in public procurement.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• How CADA Interacts With GDPR, the AI Act, NIS2 and EU Digital Law
• Why was the Cloud and AI Development Act (CADA) proposed?
• Who does the Cloud and AI Development Act (CADA) apply to?
• Where can I read the official text of the Cloud and AI Development Act (CADA)?
• When was the Cloud and AI Development Act (CADA) proposed?

This is general information about a draft EU regulation, not legal advice.