Summary

As proposed, the Cloud and AI Development Act (CADA) facilitates privacy-enhancing health data reuse for AI through Operational Objective 7 of the Cloud and AI Leadership Initiatives, which explicitly mandates the facilitation of "secure, privacy-enhancing health data reuse for AI models and tools in healthcare." This legislative intent aligns with the European Health Data Space (EHDS) secondary-use rules by ensuring that such data processing occurs within sovereign cloud environments that meet specific Union assurance levels (Levels 2–4). While EHDS governs who can access health data and for what purposes, CADA governs where and how the infrastructure is structured to guarantee data confidentiality, operational autonomy, and protection against third-country interference.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A critical component of this framework is the Cloud and AI Leadership Initiatives, designed to support research, innovation, and large-scale capacity building. Within these initiatives, Article 4 sets out specific operational objectives. Operational objective 7 explicitly targets "increasing the development and adoption of AI models and systems across the Union's public sectors."

Under Article 4(7), the proposal mandates measures to:

  • Accelerate the technological development and uptake of AI models and systems in critical public sector domains.
  • Develop AI models that improve public service delivery, decision-making, and administrative procedures.
  • Promote the sharing and reusing of training data and AI models across the Union's public services.
  • Facilitate secure, privacy-enhancing health data reuse for AI models and tools in healthcare.

This provision directly addresses the challenge of data fragmentation and siloed health records. By explicitly mentioning "privacy-enhancing health data reuse," CADA signals a legislative intent to support technologies that allow data to be utilized for AI training and inference without exposing raw, identifiable patient data. This aligns with the broader EU strategy for the European Health Data Space (EHDS), which aims to create a secure, interoperable environment for the secondary use of health data for research, public health, and policy-making.

Alignment with EHDS Secondary-Use Rules

The EHDS regulation establishes rules for the secondary use of health data, ensuring that data is processed securely and that patients retain control over their information. CADA complements this by providing the infrastructure and sovereignty framework necessary to host and process this data. While EHDS defines who can access data and for what purposes, CADA defines where and how the computing resources must be structured to ensure trust.

CADA introduces a Union cloud computing sovereignty framework with four assurance levels (Article 16). For health data, which is highly sensitive, public sector bodies are required to conduct risk assessments (Article 29) to determine the appropriate assurance level. Given the critical nature of health data and its impact on public order and fundamental rights, health-related AI systems would likely require Union assurance levels 2, 3, or 4.

  • Union Assurance Level 2: Requires that infrastructure, assets, and personnel are located in the Union, and that customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body. Crucially, it mandates a European cybersecurity certificate of at least 'substantial' assurance under a scheme established under Regulation (EU) 2019/881 (Annex II 2.1(e)).
  • Union Assurance Level 3: Adds stricter requirements, including that personnel must be Union citizens (where the public sector body requires it) and prohibits third-country control over the provider and subcontractors, unless specific derogations apply under Article 18 (Annex II 3.1(d) and 3.1(g)).
  • Union Assurance Level 4: The highest level, requiring 'high' assurance cybersecurity certification (Annex II 4.1(e)) and strict separation from third-country influence, ensuring the highest degree of operational autonomy.

By requiring health data processing to occur in services recognized at these assurance levels, CADA ensures that the data remains under Union jurisdiction, protected from extraterritorial access by third-country authorities (such as those exercising powers under laws like the US CLOUD Act). This creates a trusted environment where EHDS-compliant data sharing can occur without compromising sovereignty.

Technical and Operational Implications

For CTOs and architects, this means that AI models trained on health data must be hosted in cloud environments that have been formally recognized under the CADA framework. The proposal emphasizes the use of privacy-enhancing technologies (PETs) and secure data spaces. The explanatory memorandum notes that AI models should be used to support better decision-making in healthcare, facilitating data reuse while ensuring security and data protection.

The EuroCloud Federation (Article 34) is also relevant here. It facilitates the sharing of public sector data centre services and cloud computing services between Union entities and public sector bodies. This federation could serve as the backbone for cross-border health data collaborations, allowing Member States to share idle capacity and secure resources for AI training, provided they meet the stringent sovereignty and security criteria.

Furthermore, Article 32 introduces Union added-value criteria in public procurement. Contracting authorities must evaluate tenders based on the extent to which they contribute to strengthening the digital technology supply chain in the Union, including the use of hardware and software designed or manufactured in the Union. This incentivizes the development of European health AI solutions that are natively sovereign.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA on health AI projects, the following actions are critical:

  1. Audit Your Cloud Providers: If you are developing AI models for healthcare using public sector data or providing services to public health bodies, you must verify that your cloud provider is recognized under the CADA sovereignty framework. Look for services that have obtained a Union assurance level 2, 3, or 4. Services at Level 1 may not suffice for sensitive health data depending on the risk assessment conducted by the public sector body (Article 29).
  2. Implement Privacy-Enhancing Technologies (PETs): CADA explicitly supports "privacy-enhancing health data reuse." Invest in technologies such as federated learning, homomorphic encryption, or secure multi-party computation. These technologies allow AI models to be trained on decentralized data without moving raw data to a central server, aligning with both CADA's sovereignty goals and EHDS privacy requirements.
  3. Prepare for Sovereign Hosting Requirements: Ensure that your infrastructure, personnel, and data flows remain within the EU. For higher assurance levels (3 and 4), you may need to demonstrate that your staff are Union citizens and that your provider is not subject to third-country control. This may require restructuring supply chains and subcontracting agreements.
  4. Leverage the EuroCloud Federation: Consider participating in the EuroCloud Federation to access shared, sovereign computing resources. This can reduce costs for SMEs and startups by providing access to high-performance computing capacity that meets CADA's strict sovereignty and security standards.
  5. Align with EHDS Compliance: Ensure that your data governance frameworks are compatible with EHDS secondary-use rules. CADA provides the technical and sovereign layer, but you must still comply with EHDS requirements for data access, consent management, and patient rights.

Common misconceptions

  • Misconception 1: CADA replaces EHDS.
    • Reality: CADA and EHDS are complementary. EHDS regulates the data: who can access it, for what purposes, and under what conditions. CADA regulates the infrastructure: where the data is hosted, who controls the cloud provider, and how the computing environment is secured. You need both to ensure legal and sovereign compliance.
  • Misconception 2: All cloud providers will automatically qualify.
    • Reality: Only cloud providers that undergo independent audits and are recognized by national competent authorities as meeting the specific Union assurance levels (1–4) can be used for public sector health AI projects. Many global hyperscalers may not qualify for Levels 3 and 4 due to third-country control issues.
  • Misconception 3: Data can be processed outside the EU if encrypted.
    • Reality: For Union assurance levels 2, 3, and 4, customer data (including metadata and telemetry) must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Encryption alone does not satisfy the data localization requirement for these higher assurance levels.
  • Misconception 4: SMEs are excluded from health AI opportunities.
    • Reality: CADA includes specific measures to support SMEs, such as simplified conformity assessments for Level 1 and targeted procurement criteria (Article 32) that favor European added value. The EuroCloud Federation also aims to provide SMEs with access to sovereign computing resources.

This is general information about a draft EU regulation, not legal advice.