Summary

As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would establish a mechanism to allocate specific AI computing resources to strategic initiatives, directly benefiting high-stakes sectors like healthcare and finance. Article 9 mandates that the Union and Member States "endeavour to provide sufficient computing resource" for "public sector AI projects" and "AI industrial innovation," creating a pathway for AI use cases reliant on sensitive data under the European Health Data Space (EHDS) and the Financial Information and Data Access (FIDA) framework. To qualify for this support, projects must align with the strategic criteria in Article 8 and, crucially, be hosted on infrastructure meeting the strict "Union assurance levels" defined in Annex II. This ensures that while compute access is accelerated, the sovereignty and data protection requirements of EHDS and FIDA are maintained through the cloud layer.

Detail

The proposed CADA addresses a critical bottleneck in the EU's digital ecosystem: the shortage of high-performance computing (HPC) capacity required to train and deploy advanced AI models. For CTOs and architects in regulated sectors, the intersection of compute availability, data sovereignty, and sector-specific compliance is paramount. CADA would bridge the gap between raw computational power and the legal imperatives for handling sensitive personal health data (EHDS) and financial data (FIDA).

Compute Allocation for Strategic AI Projects

Article 9 of the proposal establishes the core obligation for the Union and Member States to ensure the allocation of AI computing resources. While Article 9(1) focuses on "frontier AI priority projects" that meet the criteria in Article 8, the scope of support is broader. Article 9(3) explicitly states that the Union and Member States shall "endeavour to provide sufficient computing resource for AI industrial innovation, physical AI and public sector AI projects."

This provision is pivotal for healthcare and finance. AI models in these sectors often require massive datasets for training and inference but are historically constrained by the lack of sovereign, high-capacity infrastructure within the EU. By guaranteeing compute access for "public sector AI projects," CADA would provide the necessary infrastructure to scale AI applications that serve public interest goals—such as improving diagnostic accuracy in healthcare or enhancing fraud detection in finance—without forcing entities to rely on non-EU hyperscalers that may not meet EU sovereignty standards.

The text of Article 9(2) further reinforces this by stating that the Union shall "at least match the AI computing resources contributed by Member States to frontier AI priority projects," ensuring a baseline of support for projects that demonstrate Union-wide strategic value.

Criteria for Priority Projects and Strategic Alignment

Article 8 sets out the specific criteria for recognizing projects as "frontier AI priority projects." To qualify, a project must be a "pioneering project, focused on the support and scaling-up of frontier AI technologies" and involve broad participation from entities across the Union, typically through a European digital infrastructure consortium (EDIC) or similar legal structure.

However, the compute support mechanism is not limited solely to frontier AI. The broader operational objectives of the Cloud and AI Leadership Initiatives, detailed in Article 4, explicitly include accelerating the uptake of industrial AI and public sector AI. Article 4(7) lists "accelerating the technological development and uptake of AI models and systems in critical public sector domains" as a key operational objective, specifically citing healthcare. Similarly, Article 4(5) addresses the acceleration of industrial AI across strategic sectors.

For an AI use case leveraging EHDS data or FIDA financial data to benefit from the compute support mechanisms, it would need to demonstrate alignment with these strategic goals. The proposal emphasizes that these projects should contribute to the Union's technological sovereignty and involve broad participation. This means that isolated commercial pilots might not qualify for the highest tiers of compute support unless they are part of a coordinated, Union-level effort or fall under the "public sector AI" or "AI industrial innovation" categories defined in Article 9(3).

Sovereignty and Data Assurance Levels: The Critical Link

A defining feature of CADA is the integration of compute access with its sovereignty framework. The proposal introduces four "Union assurance levels" for cloud computing services, detailed in Annex II. For AI use cases involving sensitive health data (under EHDS) or financial data (under FIDA), the hosting infrastructure must meet specific assurance levels to ensure data confidentiality and operational autonomy.

Article 29 requires Member States and Union entities to conduct risk assessments to determine the appropriate Union assurance level for their activities. For high-risk activities, such as those involving sensitive health records or critical financial infrastructure, the risk assessment would likely dictate the need for Union assurance levels 2, 3, or 4. These levels impose strict requirements:

  • Data Localization: Customer data must remain exclusively within the Union (Annex II, 2.1(c), 3.1(c), 4.1(c)).
  • Personnel: Personnel involved in the provision of the service must be Union citizens, with security clearances where necessary (Annex II, 3.1(d), 4.1(d)).
  • No Third-Country Control: The provider must not be subject to the control of a third country, unless a specific derogation under Article 18 applies (Annex II, 3.1(g), 4.1(g)).
  • Cybersecurity: Providers must obtain a European cybersecurity certificate of at least assurance level "substantial" (for levels 2 and 3) or "high" (for level 4) (Annex II, 2.1(e), 3.1(e), 4.1(e)).

Therefore, the compute resources allocated under Article 9 would ideally be sourced from data centers and cloud providers recognized as offering the requisite assurance levels. This ensures that AI models trained on EHDS or FIDA data are not only computationally supported but also legally compliant with EU data sovereignty standards. The proposal aims to decouple the EU's AI development from third-country dependencies, ensuring that sensitive data remains under EU jurisdiction and control.

Integration with Sectoral Regulations

CADA is designed to complement, not replace, sector-specific regulations like EHDS and FIDA. EHDS aims to facilitate secure cross-border data flows for health purposes, while FIDA seeks to improve access to financial data for innovation. CADA supports these goals by providing the underlying compute infrastructure and ensuring that the cloud services hosting these AI workloads meet high sovereignty standards.

For instance, an AI project using EHDS data to train a diagnostic model would need to process data in a secure environment. Under CADA, this environment would need to be audited and recognized under the appropriate Union assurance level. The compute access provided by Article 9 would enable such projects to scale, provided they adhere to the sovereignty criteria. Similarly, financial institutions using FIDA data for AI-driven risk assessment would benefit from compute resources that ensure their data is not accessible to third-country authorities, thereby maintaining compliance with both CADA and financial regulatory requirements.

What this means for you

For CTOs, data architects, and compliance officers in the healthcare and finance sectors, CADA presents a new strategic landscape:

  • Access to Sovereign Compute: You may gain access to prioritized AI computing resources for projects that align with Union strategic goals. This can reduce the cost and complexity of scaling AI models that require sensitive data, provided the project is designated as a "public sector AI project" or "AI industrial innovation" under Article 9(3).
  • Infrastructure Selection is Non-Negotiable: You must ensure that your cloud providers are recognized under the appropriate Union assurance levels. For health and finance AI, this likely means Levels 2, 3, or 4. Verify that your provider has the necessary audit reports and recognition under Article 17.
  • Project Design for Eligibility: Structure your AI projects to align with the "public sector AI" or "industrial AI" categories defined in Article 4. Demonstrating broad participation across Member States (as per Article 8) increases the likelihood of receiving compute support.
  • Data Sovereignty by Design: Design your data pipelines to keep sensitive data within the Union. Use cloud services that guarantee data localization and prevent third-country access, as required by the assurance levels in Annex II.
  • Collaboration is Key: Engage with Member States and Union entities to participate in joint AI initiatives. Broad participation and collaboration are key criteria for priority projects under Article 8.

Common misconceptions

"CADA replaces EHDS or FIDA." No. CADA complements these regulations by providing the compute infrastructure and sovereignty framework. EHDS and FIDA govern data access and sharing rights, while CADA governs the infrastructure and compute support. They operate in parallel.

"Any AI project can access compute under Article 9." No. Compute support is prioritized for projects that meet specific criteria, such as frontier AI priority projects (Article 8) or public sector AI projects. General commercial AI projects may not qualify unless they align with strategic Union objectives and are part of a coordinated effort.

"Sovereignty assurance levels are optional." For public sector procurement and high-risk activities, specific Union assurance levels are mandatory. Private sector entities in critical sectors are encouraged to conduct similar risk assessments (Article 31), and market trends will likely push for higher assurance levels to ensure resilience.

"Compute access is guaranteed for all EU-based providers." No. Compute resources are allocated based on strategic priorities and available capacity. Providers must demonstrate that their projects contribute to the Union's technological sovereignty and industrial competitiveness.

This is general information about a draft EU regulation, not legal advice.