Summary As proposed, the Cloud and AI Development Act (CADA) satisfies the principle of proportionality by adopting what its explanatory memorandum calls a "targeted and proportionate approach", confined to the core objectives of strengthening EU technological sovereignty, fostering a competitive cloud and AI market, and supporting sustainable computing resources. The proposal would avoid excessive regulation by leveraging existing EU instruments and introducing only the provisions necessary to address structural barriers — the compute capacity deficit and over-reliance on third-country providers — through harmonised sovereignty criteria and streamlined data-centre deployment. CADA is a proposal and not yet in force.

Detail

The European Commission's proposal for CADA (COM(2026) 502 final) is designed to comply with proportionality, a fundamental tenet of EU law requiring that measures not exceed what is necessary to achieve their objectives. The explanatory memorandum and recitals detail how CADA balances the urgent case for strategic autonomy against the need to avoid unnecessary regulatory burden.

Targeted measures for critical bottlenecks

The memorandum states that the proposal "adopts a targeted and proportionate approach to address the critical bottlenecks in the single market, specifically the compute capacity deficit and overreliance on third-country providers." By focusing on these structural barriers, CADA aims to tackle root causes rather than impose broad regulation on all digital services.

The memorandum describes the measures as confined to those essential for the core objectives:

  1. Strengthening EU technological sovereignty.
  2. Fostering a competitive EU cloud and AI market by removing barriers that prevent European providers from scaling.
  3. Supporting an enhanced availability of sustainable computing resources, addressing the energy and infrastructure challenges of data-centre deployment.

As the memorandum puts it, the chosen measures "represent the most suitable and least intrusive means of addressing the identified market and regulatory failures."

Avoiding excessive regulation through harmonisation

To support proportionality, CADA would avoid a fragmented regulatory landscape by introducing harmonised standards that replace divergent national rules — an approach grounded in Article 114 TFEU, which empowers the EU to harmonise national provisions to improve the functioning of the internal market.

Key proportional mechanisms as proposed include:

  • Harmonised sovereignty criteria: The proposal would establish a single EU-wide sovereignty framework with four Union assurance levels (Article 16, with criteria in Annex II). Harmonisation reduces regulatory complexity for investors and data-centre operators who would otherwise face divergent national regimes. As proposed, this framework is meant to provide a proportionate framework to preserve public order, recognising that not all public services require the highest levels of assurance.
  • Streamlined data-centre deployment: CADA would simplify and harmonise data-centre deployment EU-wide. By designating "data centre acceleration zones" and establishing single information points, the proposal aims to reduce administrative burdens and permitting times — a proportional response to current fragmentation in deployment, sustainability requirements and permitting procedures.

Leveraging existing instruments

The proposal is designed to complement rather than duplicate existing EU legislation, leveraging frameworks such as the Data Act, the Digital Markets Act and the AI Act. For instance, while the AI Act harmonises rules for AI systems to protect health, safety and fundamental rights, it does not address sovereignty; CADA would fill that gap without interfering with the AI Act's objectives. Similarly, the proposal supplements the Cybersecurity Act, addressing sovereignty considerations that go beyond technical cybersecurity elements (which a future European Cybersecurity Certification Scheme for Cloud Services could address once adopted).

By building on existing instruments, CADA would introduce only the new provisions necessary for cohesive and efficient implementation, minimising regulatory burden while still addressing the identified market and regulatory failures.

Proportionality in procurement and assurance levels

The sovereignty framework itself is designed with proportionality in mind. The four Union assurance levels allow a nuanced, risk-based approach. As proposed, most public services would not require the highest levels (3 or 4); instead, Member States and Union entities would conduct risk assessments (Article 29) to determine the appropriate level for different public-sector activities. The recitals state this ensures the principles of proportionality and subsidiarity are complied with by assessing the specific cases where protecting public order requires higher assurance.

The proposal also allows derogations from the procurement requirements for Union assurance levels on an exceptional, duly justified basis — for example where the subject matter cannot be supplied by any recognised service and no adequate or reasonable alternative exists, or where applying the requirements would force procurement at disproportionate cost (Article 30(4)). This flexibility is intended to ensure the regulation does not unduly hinder public procurement or innovation.

What this means for you

For in-house counsel and compliance officers, understanding CADA's proportionality framing helps anticipate the regulatory burden and prepare for implementation.

  • Risk-based compliance: Prepare for a risk-based approach to cloud procurement. Not all cloud services would require the highest sovereignty levels. Your organisation would need to conduct risk assessments to determine which activities contribute to public order and thus require Union assurance levels 2, 3 or 4 (Articles 29 and 30).
  • Streamlined processes: The proposal aims to reduce administrative burdens for data-centre operators through single information points and aggregated permitting in acceleration zones. If your organisation deploys data centres, monitor the designation of these zones in your Member State.
  • Harmonised standards: Harmonised sovereignty criteria would make compliance more predictable across the EU. You would still need your cloud providers to demonstrate compliance with the relevant Union assurance level — including criteria on data location, personnel and absence of coercive third-country control (Annex II).
  • Timing: As proposed, several obligations are tied to dates set one year after entry into force — for example the first risk assessments under Article 29. These obligations would only take effect once CADA is adopted; review your current cloud contracts and procurement strategies so you are ready to align with the proposed sovereignty framework.

Common misconceptions

  • Misconception: CADA imposes a one-size-fits-all sovereignty requirement for all cloud services.
    • Reality: As proposed, it uses a tiered system of four assurance levels. Most public services would require only level 1, with higher levels reserved for public-order activities determined by risk assessments.
  • Misconception: CADA duplicates the requirements of the AI Act or GDPR.
    • Reality: It is designed to complement existing laws, addressing sovereignty and operational autonomy that the AI Act and GDPR do not cover, and leveraging existing frameworks to avoid duplication.
  • Misconception: The regulation would significantly increase the cost of public procurement.
    • Reality: The memorandum argues that initial compliance costs would be counterbalanced by a reduced total cost of ownership for IT systems, reduced fragmentation and faster, more reliable procurement. Derogations are also available where costs would be disproportionate (Article 30(4)).

Official sources

Related

This is general information about a draft EU regulation, not legal advice.