CADA vs AI Act

Summary The proposed Cloud and AI Development Act (CADA) introduces a specific definition for "AI agent" in Article 2(5), a term absent from the EU AI Act. As proposed, CADA treats AI agents as strategic assets for European technological sovereignty, funding their orchestration, testing, and large-scale deployment through the Cloud and AI Leadership Initiatives. However, this strategic definition does not create a regulatory exemption: the underlying AI systems powering these agents remain fully subject to the EU AI Act's risk-based obligations. If an AI agent is classified as high-risk, the provider must comply with the AI Act's strict requirements on data governance, human oversight, and transparency, regardless of CADA's support measures.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a distinct legislative layer from the existing EU AI Act (Regulation (EU) 2024/1689). While the AI Act functions as a product-safety and fundamental-rights regulation for AI systems, CADA is an industrial policy instrument designed to strengthen the EU's cloud and AI ecosystem, reduce dependencies on third-country providers, and ensure strategic autonomy. A critical point of interaction—and potential confusion—lies in how each instrument conceptualizes "AI agents."

CADA's Explicit Definition and Strategic Focus

Unlike the AI Act, which regulates "AI systems" broadly without specific terminology for autonomous agents, CADA introduces a precise, operational definition. Article 2(5) of the CADA proposal defines an 'AI agent' as:

"an AI system or a coordinated set of AI systems, that can perceive and act upon their environment, with a degree of autonomy, using tools as needed to achieve specific goals and adapt to changing inputs and contexts."

This definition is significant because it moves beyond the static "system" concept of the AI Act to capture dynamic, autonomous behaviors involving tool use and environmental adaptation. By codifying this term, CADA signals that agents are not merely applications but strategic assets requiring specific industrial policy support to ensure European leadership.

This strategic focus is operationalized through the Cloud and AI Leadership Initiatives established under Title II of CADA. Article 3(2)(f) explicitly identifies an operational objective to "support the development of advanced platforms for the large-scale deployment of AI agents." Furthermore, Article 4(6) details the specific actions the initiative shall take:

• Support the development of advanced resilient and secure platforms for the development, deployment, and orchestration of advanced AI agents at scale.
• Facilitate the development of targeted testing and experimentation methodologies of advanced AI agents and their orchestration throughout their lifecycle.

Additionally, Annex I of the CADA proposal lists "Grand Challenge 7: AI Agents Platform." This challenge aims to develop a European AI agent orchestration framework. The text notes that the focus will be on:

"(i) exploring innovative technological paradigms that enable multiple AI agents to collaborate effectively, surpassing the capabilities of standalone systems while maintaining rigorous security standards; and (ii) on the creation of resilient, cloud-based open platforms dedicated to the large-scale management of AI agents."

The proposal explicitly states that these platforms should be supported by frameworks ensuring "transparency and accountability in multi-agent interactions" and minimizing "unintended autonomous behaviour." This indicates that CADA views the coordination and infrastructure of agents as a key area for EU investment and standardization.

The AI Act: Underlying Obligations Remain

While CADA provides the funding, testing infrastructure, and strategic roadmap for AI agents, the EU AI Act provides the mandatory compliance framework. The AI Act does not use the term "AI agent"; instead, it regulates "AI systems" as defined in Article 3(1) of the AI Act:

"a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments."

Because CADA defines an AI agent as "an AI system or a coordinated set of AI systems," any AI agent falling within the scope of the AI Act is subject to its rules. The AI Act's obligations attach to the underlying technology regardless of whether it is labeled an "agent" under CADA. The CADA proposal explicitly states in its explanatory memorandum that it "reinforces key objectives of the AI Act" and is "consistent with" it, confirming that CADA does not override the AI Act's safety regime.

Key implications for AI agents under the AI Act include:

1. Risk Classification: If an AI agent is used in a high-risk context listed in Annex III of the AI Act (e.g., employment, education, critical infrastructure, law enforcement), it is a high-risk AI system. Providers must comply with strict requirements on risk management, data governance, technical documentation, logging, transparency, human oversight, and accuracy.
2. General-Purpose AI (GPAI): If the AI agent is built upon a general-purpose AI model with systemic risk, the provider of that model must comply with Article 99 (penalties) and the specific obligations in Articles 51–56 of the AI Act, including adversarial testing and systemic risk mitigation.
3. Transparency: If the AI agent interacts directly with natural persons, Article 50 of the AI Act requires that users are informed they are interacting with an AI system, unless obvious from the context.
4. Prohibited Practices: AI agents cannot engage in prohibited practices under Article 5 of the AI Act, such as social scoring or real-time remote biometric identification in public spaces (with narrow exceptions).

CADA's Sovereignty Framework and Agents

CADA also introduces a Union Cloud Computing Sovereignty Framework (Title IV) with four assurance levels. While this framework primarily targets cloud computing service providers, it indirectly impacts AI agents deployed on cloud infrastructure. If an AI agent is hosted via a cloud service, the provider of that service must meet specific Union Assurance Levels (defined in Annex II of CADA) to serve public sector bodies.

For example, Union Assurance Level 2 requires that infrastructure, assets, and personnel are located in the Union, and that data generated by the service is not used to train AI systems operated by third countries. This creates a compliance layer for AI agents hosted on sovereign clouds, ensuring that the autonomy of the agent does not compromise EU data sovereignty or expose it to third-country control.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of these regulations, the distinction between CADA's strategic support and the AI Act's compliance burdens is crucial.

1. Leverage CADA for Innovation and Testing

If you are developing AI agents, CADA presents significant opportunities for funding and support. The Cloud and AI Leadership Initiatives explicitly support "targeted testing and experimentation methodologies of advanced AI agents." You should monitor calls for proposals under Grand Challenge 7 and Article 4(6) for opportunities to participate in European testing facilities and orchestration platforms. This can reduce the cost of validating complex, autonomous agent behaviors and accessing high-performance compute resources.

2. Map AI Agents to AI Act Obligations

Do not assume that "AI agent" is a regulatory category exempt from the AI Act. You must map your agent's functionality to the AI Act's definitions:

• Is it a high-risk system? If your agent makes decisions affecting employment, credit, or critical infrastructure, you must implement the AI Act's high-risk requirements (risk management, data quality, human oversight).
• Is it a GPAI-based system? If your agent uses a foundational model with systemic risk, ensure the model provider is compliant with Article 55 of the AI Act, and understand your obligations as a downstream provider.
• Is it transparent? Ensure your agent discloses its AI nature when interacting with users, per Article 50 of the AI Act.

3. Consider Sovereignty for Public Sector Clients

If you aim to sell AI agents to EU public sector bodies, the cloud infrastructure hosting them must comply with CADA's sovereignty framework. Under Article 30, public sector bodies must procure cloud services with at least Union Assurance Level 1. For critical public order activities, they must use Levels 2–4. This means your AI agent's deployment architecture must ensure data localization, personnel location, and absence of third-country control, as detailed in Annex II of CADA.

4. Prepare for Multi-Agent Compliance

CADA's focus on "orchestration" and "multi-agent interactions" suggests future regulatory scrutiny on how agents collaborate. While the AI Act currently focuses on individual systems, the AI Act's Article 15 (accuracy, robustness, cybersecurity) and Article 14 (human oversight) will likely be interpreted to cover the collective behavior of coordinated agent sets. Architects should design observability and control mechanisms into multi-agent systems early to ensure they can be audited and overseen effectively.

Common misconceptions

Misconception 1: "AI Agents are exempt from the AI Act because CADA defines them separately."

• Reality: CADA's definition in Article 2(5) is for strategic and funding purposes. The AI Act regulates "AI systems." Since an AI agent is defined as "an AI system or a coordinated set of AI systems," it is fully subject to the AI Act's risk-based rules. CADA does not create a regulatory safe harbor.

Misconception 2: "CADA replaces the AI Act for autonomous systems."

• Reality: CADA and the AI Act are complementary. CADA builds capacity and ensures sovereignty; the AI Act ensures safety, fundamental rights, and market transparency. CADA explicitly states it is consistent with the AI Act (Recital 4 of CADA). You must comply with both.

Misconception 3: "Only large providers need to worry about AI agent regulations."

• Reality: SMEs developing AI agents are targeted by CADA's support measures (e.g., access to testing facilities, Article 5 Centres for AI). However, SMEs are also subject to the AI Act. If an SME deploys a high-risk AI agent, it must meet the same compliance standards as large incumbents, though simplified documentation may be available under certain conditions.

Misconception 4: "AI Agents don't need human oversight because they are autonomous."

• Reality: The AI Act's Article 14 requires human oversight for high-risk AI systems. CADA's definition of AI agents includes "a degree of autonomy," but this does not negate the need for human oversight where required by the AI Act. CADA's Article 4(6)(b) even supports developing methodologies to minimize "unintended autonomous behaviour," implying that oversight and control are critical design features.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Cybersecurity Act (Regulation (EU) 2019/881)
• Data Act (Regulation (EU) 2023/2854)

Related

• Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?
• Why does CADA call the Data Act an 'enabler'?
• Why does CADA borrow the AI Act's definition of 'AI system'?
• Why a Cybersecurity Act certificate cannot prove cloud sovereignty under CADA
• Which CADA obligations stack on top of AI Act obligations?

This is general information about a draft EU regulation, not legal advice.