Summary As proposed, the Cloud and AI Development Act (CADA) explicitly positions its support for defence-related AI and computing infrastructure as "in full complementarity with, and without prejudice to" the European Defence Fund (EDF) and the European Defence Industry Programme (EDIP). CADA would provide the foundational compute capacity and sovereign cloud environments necessary for defence innovation, while EDF and EDIP would fund the specific development of defence capabilities. There is no regulatory overlap or conflict; rather, the instruments are designed to operate in tandem, with CADA ensuring the technological sovereignty and security of the underlying infrastructure that defence programmes rely upon.
Detail
The relationship between the proposed Cloud and AI Development Act (CADA) and existing EU defence funding instrumentsβspecifically the European Defence Fund (EDF) and the European Defence Industry Programme (EDIP)βis one of strategic synergy and operational complementarity. CADA does not seek to replace, duplicate, or interfere with the funding mechanisms of EDF or EDIP. Instead, it establishes the critical digital infrastructure and computational sovereignty required for the European defence sector to operate independently and securely.
Complementary Roles: Infrastructure vs. Capability
The core distinction lies in the subject matter and legal function of each instrument. EDF and EDIP are financial instruments designed to fund research, development, and procurement of specific defence capabilities, technologies, and industrial capacities. They address the "what" and "who" of defence innovationβfunding the creation of drones, cyber-defence tools, advanced weaponry, and the industrial base required to produce them.
In contrast, CADA addresses the "where" and "how" of the digital environment in which these capabilities are developed, tested, and deployed. It focuses on the underlying cloud infrastructure, data sovereignty, and computing capacity. As proposed, CADA aims to reduce the EU's dependence on third-country cloud providers and ensure that sensitive data, including that related to defence and national security, remains under EU control.
Recital 19 of the CADA proposal explicitly clarifies this relationship. It states that the Cloud and AI Leadership Initiatives "could support the development of advanced capabilities in full complementarity with, and without prejudice to, dedicated Union instruments in support of the defence industry, including the European defence fund ('EDF') and the European defence industry programme ('EDIP')." This legal phrasing is critical: it ensures that CADA's measures do not undermine the specific mandates, funding streams, or operational autonomy of EDF and EDIP. Instead, CADA enhances their effectiveness by providing a secure, sovereign digital foundation upon which defence capabilities can be built without reliance on foreign infrastructure.
CADA's Role in Defence AI and Compute
CADA introduces several mechanisms that directly benefit the defence sector, even though defence-specific activities are largely excluded from the scope of the AI Act (Regulation (EU) 2024/1689) for military and national security purposes.
1. Sovereign Cloud Assurance Levels CADA proposes a Union cloud computing sovereignty framework with four assurance levels. For defence and national security activities, which are often identified as contributing to the preservation of public order, Member States and Union entities would be required to conduct risk assessments under Article 29. If these assessments determine that activities have public order relevance, contracting authorities must procure cloud services recognized as offering Union assurance levels 2, 3, or 4 under Article 30(3). This ensures that defence data is hosted on infrastructure that meets strict criteria regarding data localization, personnel citizenship, and the absence of third-country control.
2. Compute Capacity for Frontier and Industrial AI Article 9 of CADA mandates that the Union and Member States ensure sufficient AI computing resources are allocated to support frontier AI priority projects. While Article 8 defines criteria for "frontier AI priority projects," the broader initiative supports industrial AI, which includes defence applications. By tripling EU data centre capacity and ensuring balanced geographic deployment, CADA mitigates the risk of defence R&D being bottlenecked by a lack of sovereign compute. This is particularly relevant for high-performance computing needs in simulation, modelling, and AI training for autonomous systems.
3. Secured Computing Infrastructures Recital 20 emphasizes that the Union should foster the availability of "highly secured computing infrastructures for the training, testing and deployment of defence-related AI models and systems." This aligns directly with the needs of EDF-funded projects, which increasingly rely on advanced AI for autonomous systems, cyber defence, and intelligence analysis. CADA provides the regulatory framework to ensure these infrastructures are available within the Union and free from extraterritorial interference.
No Overlap in Legal Instruments
It is crucial for legal and compliance teams to understand that CADA, EDF, and EDIP are distinct legal instruments with different legal bases and objectives.
- CADA is a Regulation proposal based on Articles 114 and 173(3) TFEU, focusing on the internal market for cloud services, data centre deployment, and technological sovereignty. It imposes obligations on cloud service providers, data centre operators, and public sector buyers regarding the infrastructure used.
- EDF is a Regulation (EU) 2021/694 establishing a financial framework for defence research and capability development. It operates through calls for proposals and grants to fund specific projects.
- EDIP is a separate legislative proposal aimed at boosting the competitiveness and resilience of the European defence industrial and technological base through direct funding and procurement.
There is no "overlap" in the sense of conflicting obligations. A defence contractor participating in an EDF-funded project does not need to comply with CADA's procurement rules for the grant agreement itself. However, if that contractor or the public authority using the resulting technology needs to host the associated data or run the AI models on cloud infrastructure, CADA's sovereignty requirements would apply to the procurement of that cloud service. The instruments operate on different layers of the value chain: EDF/EDIP fund the capability; CADA regulates the cloud environment.
Implications for Defence Procurement
For public authorities involved in defence procurement, CADA introduces a new layer of due diligence. Under Article 29, Member States must conduct risk assessments to determine which public sector activities contribute to the preservation of public order. Defence activities, by their nature, are likely to be classified as such. Consequently, Article 30(3) would require that cloud computing services procured for these activities must be recognized as offering Union assurance levels 2, 3, or 4.
This means that even if a defence system is funded by EDF, the cloud environment used to develop, test, or operate that system must meet CADA's sovereignty criteria. This creates a direct link between defence funding programmes and CADA's compliance framework. The "without prejudice" clause in Recital 19 ensures that this requirement does not invalidate EDF funding but rather sets the conditions for the infrastructure supporting the funded work.
What this means for you
For in-house counsel and compliance officers in the defence and aerospace sectors, the interplay between CADA and EDF/EDIP requires a nuanced compliance strategy.
1. Distinct Compliance Tracks Maintain separate compliance tracks for funding instruments and infrastructure procurement. Your team must continue to adhere to EDF and EDIP grant agreements, which have their own intellectual property, reporting, and eligibility rules. Simultaneously, your IT and procurement teams must assess whether your cloud and AI service providers meet CADA's Union assurance levels. These are parallel obligations that must be managed independently but coherently.
2. Risk Assessments for Defence Activities If you are a public authority or a contractor acting on behalf of one, you must engage in the risk assessment process outlined in Article 29 of CADA. Given the sensitive nature of defence data, it is highly probable that your activities will be deemed to contribute to the preservation of public order. This triggers the obligation under Article 30 to procure only cloud services with Union assurance levels 2, 3, or 4. You should begin identifying cloud providers that are already recognized or are in the process of achieving such recognition to avoid procurement delays.
3. Sovereign Cloud as a Prerequisite for Defence AI As EDF and EDIP increasingly fund AI-driven defence capabilities, the availability of sovereign compute becomes a critical bottleneck. CADA aims to alleviate this by supporting the deployment of secure, EU-based data centres. Ensure that your supply chain contracts include clauses requiring suppliers to use sovereign-compliant cloud infrastructure for any data processing related to defence projects. This mitigates the risk of third-country access to sensitive defence data, a key concern addressed by CADA's sovereignty framework.
4. No Prejudice to Existing Funding Be reassured that CADA does not alter the eligibility criteria or funding mechanisms of EDF and EDIP. You do not need to restructure your EDF grant applications to account for CADA. However, you should factor in the potential cost and timeline implications of migrating to sovereign cloud services as part of your overall project planning. The "without prejudice" language in Recital 19 is your safeguard: CADA supports the ecosystem but does not interfere with the specific funding rules of defence instruments.
Common misconceptions
Misconception 1: CADA replaces EDF or EDIP for defence spending. Reality: CADA does not provide direct funding for defence R&D or procurement. It provides a regulatory and infrastructural framework. EDF and EDIP remain the primary financial instruments for defence capability development. CADA ensures the digital environment for these capabilities is sovereign and secure.
Misconception 2: Defence activities are fully excluded from CADA. Reality: While the AI Act excludes AI systems used exclusively for military, defence, or national security purposes from its scope (Recital 24), CADA's provisions on cloud sovereignty and data centre deployment apply broadly. Public sector bodies, including those in defence, must comply with CADA's procurement rules for cloud services (Articles 29 and 30). The exclusion in the AI Act does not extend to the cloud infrastructure used to support those activities.
Misconception 3: EDF-funded projects automatically comply with CADA's sovereignty requirements. Reality: There is no automatic compliance. A project funded by EDF may still use non-sovereign cloud services unless the contracting authority explicitly requires Union assurance levels under CADA. Compliance with CADA is a separate obligation that must be actively managed through procurement decisions.
Misconception 4: CADA imposes new reporting burdens on EDF grant recipients. Reality: CADA does not introduce reporting requirements for EDF or EDIP grant agreements. Its reporting obligations are directed at cloud service providers (e.g., transparency reports under Article 23) and Member States (e.g., risk assessment results under Article 29). Defence contractors are not directly required to report to CADA authorities unless they are also cloud service providers.
Official sources
Related
- Which CADA assurance level should defence workloads use?
- When do CADA defence-related provisions take effect?
- CADA Defence Cloud: Sovereignty Pressure, Assurance Levels & Foreign Law Immunity
- What secure-compute infrastructure does CADA provide for defence AI?
- CADA and Civil Protection: How the Act Secures Crisis Response Cloud
This is general information about a draft EU regulation, not legal advice.