Summary

As proposed, the Cloud and AI Development Act (CADA) complements the Data Act by closing the gap the Data Act leaves open: technological sovereignty. The Data Act sets rules for portability and switching to reduce vendor lock-in, but it does not mandate the use of sovereign or European providers. CADA would add a harmonised Union cloud computing sovereignty framework with four assurance levels and mandatory procurement rules for public authorities. For in-house counsel, Data Act compliance would be necessary but not sufficient for public-sector contracts or critical activities, which would additionally require CADA's risk assessments and assurance levels.

Detail

The relationship is one of functional complementarity. The Data Act (Regulation (EU) 2023/2854) focuses on competition and user freedom through interoperability and switching. CADA, as proposed, focuses on strategic autonomy and the reduction of critical dependencies on non-European providers through a structured sovereignty framework.

The Data Act: enabling switching, not sovereignty

The CADA Explanatory Memorandum describes the Data Act as an "enabler" for the proposal. By mandating portability and switching, the Data Act removes key sources of lock-in, letting users choose providers and combine offers in a multi-cloud approach. But the Memorandum states the Data Act "opens the path towards reducing dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector." In other words, switching provisions make it possible to embrace European services more strongly, but they do not require it.

CADA: introducing the sovereignty framework

CADA addresses this gap with a "Union cloud computing sovereignty framework" (Article 16) of four Union assurance levels (1 to 4), each with criteria in Annex II on data location, personnel, cybersecurity certification, and absence of third-country control.

Unlike the Data Act, CADA actively shapes demand. It would oblige Member States and Union entities to conduct risk assessments (Article 29) to determine the appropriate assurance level, and tie public-sector procurement to those levels:

  • Union assurance level 1: required for public sector bodies whose activities are not identified as contributing to the preservation of public order (Article 30(2)).
  • Union assurance levels 2, 3 or 4: required for contracting authorities whose activities have been identified as contributing to public order — in NIS2 sectors and the areas of national security, internal security, external border management, defence, justice or law enforcement (Article 30(3)).

Complementarity in practice

Together the two instruments create a two-step picture for public-sector and critical entities:

  1. Technical feasibility (Data Act): an entity can move its data and workloads between providers without prohibitive cost or technical barriers.
  2. Strategic eligibility (CADA): CADA would determine which providers are eligible for procurement based on sovereignty criteria. An entity might switch easily under the Data Act, yet be barred by CADA from using a non-sovereign provider for public-order activities.

CADA would also add "Union added value" criteria in public procurement (Article 32). For procurements of innovative cloud services and AI systems, contracting authorities would include non-price award criteria assessing a tenderer's contribution to a European cloud and AI ecosystem — including the use of software or hardware designed or manufactured in the Union — though those criteria must be "ancillary and not decisive in the award of the contract" (Article 32(2)(d)).

For private-sector entities in NIS2 high-criticality sectors, CADA allows voluntary impact assessments similar to the public-sector risk assessments (Article 31(1)), and the Commission may, by delegated act and in duly justified cases, require such assessments for non-public bodies in sectors of high criticality (Article 31(3)). This extends the sovereignty logic beyond the public sector.

What this means for you

For in-house counsel and compliance officers, the interaction would require a bifurcated strategy. Data Act compliance alone would not satisfy emerging sovereignty requirements for public-sector contracts or critical operations.

1. Audit current cloud contracts for portability vs sovereignty

  • Data Act compliance: verify your contracts include the mandatory portability and switching clauses, and that you have the technical and contractual right to move data to a new provider.
  • CADA readiness: assess whether your provider could meet Union assurance level 1 (the baseline for public-sector procurement) — established in the Union, infrastructure and assets in the Union, and customer data exclusively within the Union (Annex II, Section 1). A non-EU hyperscaler may face significant hurdles for public-sector contracts once CADA is adopted.

2. Prepare for sovereignty risk assessments

  • Public sector: if you are a contracting authority, establish a process to conduct risk assessments — by one year after entry into force and every two years thereafter under Article 29(1) — to classify activities and determine the required assurance level.
  • Private sector (critical infrastructure): if you operate in a NIS2 Annex I sector, monitor for delegated acts under Article 31; even where not mandatory, a voluntary impact assessment can demonstrate due diligence on dependency risk.

3. Procurement strategy adjustments

  • Union added value: for innovative cloud/AI procurements, prepare to evaluate bids on the non-price "Union added value" criteria (Article 32), set out expressly in the procurement documents, while keeping them ancillary to the award.
  • Multi-cloud strategies: the proposal directs Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate (Article 29(9)); use Data Act portability to support resilient, distributed architectures.

4. Penalties and enforcement

  • Data Act: non-compliance with Data Act obligations can attract penalties under its own regime.
  • CADA: under Article 24, Member States must lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty chapter, and recipients of cloud services would have a right to seek compensation from providers for damage caused by such infringements (Article 24(3)).

Common misconceptions

  • "The Data Act ensures sovereignty by letting us switch providers."
    • Correction: The Data Act ensures portability, not sovereignty. It lets you leave a provider but does not require you to move to a sovereign or European one. CADA is the instrument that would mandate sovereign services for specific uses.
  • "GDPR compliance is sufficient for cloud sovereignty."
    • Correction: As the proposal explains, mechanisms addressing data transfers do not remove sovereignty concerns about dependence on third-country providers; sovereignty also covers operational autonomy, control over infrastructure, and protection against extraterritorial legal reach.
  • "CADA only applies to the public sector."
    • Correction: Its mandatory procurement rules apply to public authorities, but the assurance levels and "Union added value" criteria influence the whole market, and private entities in critical sectors may conduct (or, in duly justified cases, be required to conduct) impact assessments under Article 31.

This is general information about a draft EU regulation, not legal advice.