How does CADA support health-data reuse for AI models?

Summary As proposed, the Cloud and AI Development Act (CADA) explicitly mandates the secure reuse of health data for AI models by requiring the Cloud and AI Leadership Initiatives to "facilitate secure, privacy-enhancing health data reuse for AI models and tools in healthcare." This obligation is found in Article 4(7)(d). The proposal does not create new legal rights to access personal data; rather, it establishes a funding and technical ecosystem to enable privacy-enhancing technologies (PETs) like federated learning and synthetic data generation. This framework directly supports frontier AI development under Article 4(3) and operationalizes these goals through the network of Experience and Acceleration Centres for AI under Article 5. CADA acts as the technological enabler for the legal access rights established by the European Health Data Space (EHDS), ensuring that when data is made available, the infrastructure exists to process it securely without compromising patient privacy.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, addresses a critical bottleneck in the EU's digital health strategy: the gap between the legal availability of health data and the technical capacity to use it securely for AI. While the European Health Data Space (EHDS) focuses on the legal framework for secondary use, CADA focuses on the "how"—providing the technical means, funding, and infrastructure to make secure data reuse a reality.

The Legal Mandate: Article 4(7)(d)

The core of CADA's support for health data reuse is located in Title II, which establishes the "Cloud and AI Leadership Initiatives." These initiatives are designed to bridge the gap between advanced research and sustainable market deployment.

Specifically, Article 4 sets out the operational objectives of these initiatives. Article 4(7) targets the "development and adoption of AI models and systems across the Union's public sectors." Within this paragraph, Article 4(7)(d) contains a precise, mandatory instruction for the initiatives:

"(d) facilitate secure, privacy-enhancing health data reuse for AI models and tools in healthcare;"

This provision is not merely a suggestion; it is a binding operational objective for the Commission and Member States implementing the Leadership Initiatives. It signals a policy shift towards funding and deploying technologies that allow AI models to be trained on sensitive health data without the data itself needing to be centralized or exposed. This includes support for:

• Federated learning: Where models are trained locally on data and only model updates are shared.
• Synthetic data generation: Creating artificial datasets that mimic real patient data without containing actual personal information.
• Secure multi-party computation: Allowing computation on data held by multiple parties without revealing the underlying data.

By mandating this, CADA aims to remove the technical friction that currently prevents healthcare providers from sharing data, even when legal permissions (like those under the EHDS) exist.

Link to Frontier AI and Strategic Projects

The support for health data reuse is intrinsically linked to the EU's broader ambition to lead in frontier AI. Article 4(3) establishes an operational objective to "advance Union's capabilities in frontier AI," explicitly noting that these projects should support "pioneering projects in frontier AI that develop frontier AI models and systems as strategic assets, including in key sectors such as cybersecurity."

While Article 4(3) does not explicitly name healthcare, the explanatory memorandum and the structure of the "Grand Challenges" in Annex I clarify the connection. Grand Challenge 8: Public Sector AI specifically targets "critical domains (such as healthcare...)" and emphasizes the need for "privacy-preserving frameworks, (such as federated learning and high-fidelity synthetic data generation), that make it possible to train of models without compromising the confidentiality of underlying datasets."

Furthermore, Article 8 sets the criteria for recognizing "frontier AI priority projects." While Article 8 itself focuses on the criteria for designation (e.g., involvement of at least three Member States), the projects selected under this article are expected to address the "grand challenges" listed in Annex I. Therefore, a project aiming to develop a frontier AI model for clinical decision support using federated learning would be a prime candidate for designation as a frontier AI priority project, unlocking specific computing resources and support under Article 9.

This creates a direct pipeline:

1. Article 4(7)(d) mandates the development of privacy-enhancing health data reuse tools.
2. Annex I (Grand Challenge 8) identifies healthcare as a priority domain for these tools.
3. Article 8 allows projects in this domain to be designated as "frontier AI priority projects."
4. Article 9 ensures these projects receive matched computing resources from the Union and Member States.

The Role of Experience and Acceleration Centres for AI

The practical implementation of these objectives relies on the network of Experience and Acceleration Centres for AI (Centres for AI), established under Article 5. These centres are built upon the existing European Digital Innovation Hubs (EDIHs) and are tasked with accelerating the adoption of AI at regional and local levels.

Article 5(2) outlines the objectives of these Centres, which include:

• "(a) support the integration and scaling-up of AI use cases in strategic industrial and public sectors..."
• "(b) accelerate the broad adoption of cloud and AI technologies at regional and local levels, notably for SMEs, SMCs and public sector bodies..."
• "(c) leverage relevant infrastructure to accelerate the development and fine-tuning of AI models and systems."

For health data reuse, the Centres for AI serve as the critical interface between healthcare providers (hospitals, research institutes) and AI developers. They provide:

• Technical Expertise: Guidance on implementing PETs like federated learning.
• Secure Infrastructure: Access to the computing environments necessary to test and validate AI models without moving raw data.
• Skills Development: Training for healthcare staff on how to use these new tools, as mandated by Article 4(8)(b) which calls for a "common cloud and AI curriculum."

By decentralizing support through these Centres, CADA ensures that smaller hospitals and regional health authorities are not left behind in the AI revolution, providing them with the same access to secure data-reuse technologies as large academic medical centres.

Interaction with the European Health Data Space (EHDS)

It is vital to distinguish the roles of CADA and the proposed European Health Data Space (EHDS). The EHDS is a horizontal regulation focused on creating a single market for health data, establishing legal rights for secondary use, and setting up governance bodies (Health Data Access Bodies).

CADA, conversely, is an ecosystem and infrastructure regulation. As noted in the explanatory memorandum, the proposal is "consistent with existing and forthcoming data laws." The relationship is complementary:

• EHDS answers the question: "Who has the legal right to access this health data, and under what conditions?"
• CADA answers the question: "What technical infrastructure and tools are available to process this data securely and efficiently once access is granted?"

Without CADA's focus on "privacy-enhancing health data reuse," the legal rights granted by the EHDS might remain theoretical for many providers who lack the technical capacity to implement secure data-sharing protocols. CADA ensures that the "sovereign cloud" and "secure infrastructure" required to exercise EHDS rights are actually built and available.

Support for Public Sector and SMEs

The proposal explicitly recognizes that public sector bodies often lack the resources to implement sophisticated privacy-enhancing technologies. Article 4(7)(c) promotes the "sharing and reusing of training data and AI models across the Union's public services." When combined with the mandate in Article 4(7)(d), this creates a mechanism for public health data to be securely pooled and used to train better AI models, which can then be reused across the public sector.

For SMEs, this is a significant opportunity. Instead of needing to negotiate complex data-sharing agreements for raw data (which carries high legal and technical risk), SMEs can leverage the secure environments and tools supported by the Leadership Initiatives and Centres for AI. They can develop and validate their AI models using synthetic or federated approaches, reducing the barrier to entry for innovation in the health-tech sector.

What this means for you

For CTOs, data architects, and health-tech SMEs, the provisions in CADA signal a strategic shift towards infrastructure-led innovation in healthcare AI.

1. Prioritize Privacy-Enhancing Technologies (PETs): If your solution involves health data, ensure it is built on or compatible with PETs such as federated learning, homomorphic encryption, or synthetic data generation. CADA explicitly favors these approaches in Article 4(7)(d). Positioning your technology as a "privacy-enhancing" solution aligns directly with the operational objectives of the Cloud and AI Leadership Initiatives, making you a prime candidate for funding and support.
2. Engage with Centres for AI: As the network of Experience and Acceleration Centres for AI expands, these hubs will become key partners for testing and validating AI models in healthcare. They can provide access to secure computing environments and expertise in navigating the intersection of AI, cloud, and health data regulations. Reach out to your national Centre for AI to understand how they can support your specific use case.
3. Monitor Frontier AI Opportunities: The proposal highlights frontier AI as a strategic asset. If your company is developing advanced AI models for healthcare, look for opportunities to participate in the "grand challenges" or priority projects mentioned in Article 8 and Annex I. These projects often involve significant funding and support for scaling up technologies that address major societal challenges, including healthcare.
4. Leverage Public-Private Partnerships: The proposal encourages collaboration between public sector bodies and private providers. For SMEs, this means seeking partnerships with hospitals, research institutions, or public health agencies that are looking to adopt AI but need secure, compliant technical solutions. CADA's framework makes such collaborations more feasible by providing the necessary technological and regulatory clarity.

Common misconceptions

Misconception 1: CADA grants new rights to access health data. CADA does not create new legal rights to access personal health data. Data access remains governed by the GDPR, national laws, and the forthcoming EHDS regulation. CADA focuses on the technical and market mechanisms to enable secure reuse, not the legal permission to access data.

Misconception 2: CADA replaces the EHDS. CADA and the EHDS are complementary, not substitutive. The EHDS establishes the legal framework for data access and secondary use. CADA provides the technological ecosystem, funding, and infrastructure support to make that data usable in a secure, sovereign, and efficient manner.

Misconception 3: Only large corporations can benefit from CADA's health data provisions. While large-scale infrastructure is involved, the proposal explicitly aims to support SMEs and start-ups. The Centres for AI and the Leadership Initiatives are designed to lower barriers to entry for smaller players by providing access to resources, expertise, and secure environments that they might not otherwise afford.

Misconception 4: CADA mandates data centralization. On the contrary, CADA's focus on "privacy-enhancing" reuse (Article 4(7)(d)) and the support for federated learning in Annex I suggests a preference for distributed approaches where data remains local. The goal is to enable AI training without moving raw data to a central repository.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• CADA for Pharma: Frontier AI, Health Data Reuse & NIS2 Impact Assessments
• How does CADA enable data pooling for automotive AI models?
• Does CADA conflict with GDPR for health data in the cloud?
• When do CADA research-support measures take effect?
• When can AI startups start benefiting from CADA support?

This is general information about a draft EU regulation, not legal advice.