Summary
The proposed Cloud and AI Development Act (CADA) and the revision of the Cybersecurity Act (CSA2) are designed to operate in tandem, addressing distinct but complementary risks in the EU's digital infrastructure. While CSA2 focuses on technical cybersecurity and ICT supply-chain trustworthiness, CADA introduces a harmonised sovereignty framework to mitigate non-technical risks, such as extraterritorial data access and operational dependency. As stated in the explanatory memorandum, "together, the proposal and the CSA2 fill long-standing gaps in sovereignty and non-technical risks." Crucially, the proposal notes that "work will resume on the European Cybersecurity Certification Scheme for Cloud Services (EUCS)" within this legislative context, making EUCS a technical prerequisite for CADA's higher assurance levels.
Detail
The European Commission's proposal for the Cloud and AI Development Act (CADA), COM(2026) 502 final, explicitly positions itself within the broader EU cybersecurity and digital resilience policy framework. A central pillar of this positioning is its relationship with the revision of the Cybersecurity Act (CSA2). The explanatory memorandum states that CADA "complements the Cybersecurity Act (CSA2) revision, which addresses supply chain risks." By distinguishing between technical security and broader sovereignty concerns, the proposal aims to create a holistic regulatory environment for cloud and AI services.
Complementary Roles: Technical Security vs. Sovereignty
The CADA proposal draws a clear line between the scope of CSA2 and its own objectives. The explanatory memorandum notes that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." CSA2, through its establishment of cybersecurity certification schemes, ensures that ICT products and services meet robust technical standards for security and resilience. It focuses on the "trustworthiness of the hardware and software ICT supply chain."
In contrast, CADA addresses "non-technical risks" and "sovereignty considerations." The proposal identifies that the EU's dependence on third-country cloud providers exposes users to risks such as the extraterritorial application of foreign laws, potential service disruptions, and loss of operational autonomy. CADA's sovereignty framework, detailed in Article 16, establishes four "Union assurance levels" based on criteria such as data localisation, personnel citizenship, and freedom from third-country control. These criteria extend beyond what traditional cybersecurity certifications can verify, focusing instead on legal and operational independence.
The explanatory memorandum clarifies that while the Directive on Security of Network and Information Systems (NIS2) "improves the cybersecurity risk management of cloud computing service providers and data centres," it "does not contain measures to boost the uptake and use of such services and is fully focused on technical cybersecurity as opposed to broader sovereignty considerations." CADA is therefore not a replacement for NIS2 or CSA2 but a layer that sits above them to ensure that the services meeting those technical standards are also free from third-country coercion.
Filling Long-Standing Gaps
The proposal argues that previous regulatory efforts have left critical vulnerabilities unaddressed. The explanatory memorandum states that "together, the proposal and the CSA2 fill long-standing gaps in sovereignty and non-technical risks." This synergy is crucial for the public sector and critical infrastructure. While CSA2 ensures that the hardware and software are secure from technical breaches, CADA ensures that the provider of those services cannot be compelled by a third country to grant access to data or disrupt services.
This distinction is vital for public procurement. Under CADA, Member States and Union entities must conduct risk assessments (Article 29) to determine the appropriate Union assurance level for their cloud services. A service might be technically secure under CSA2 standards but still fail to meet Union assurance level 2, 3, or 4 under CADA if it is subject to third-country control. Thus, CADA adds a layer of assurance that CSA2 does not provide.
The proposal explicitly notes that "the Data Act opens the path towards a possible reduction of dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector." It is in this specific gap, where technical security exists but sovereignty is lacking, that CADA operates, supported by the technical backbone of CSA2.
The Role of EUCS and Certification Levels
A key technical component of this interplay is the European Cybersecurity Certification Scheme for Cloud Services (EUCS). The CADA proposal states that "work will resume on the European Cybersecurity Certification Scheme for Cloud Services (EUCS)" in this legislative context. EUCS, developed by ENISA, is a certification scheme under the CSA2 framework.
CADA leverages EUCS as a mechanism to demonstrate compliance with cybersecurity standards within its sovereignty framework. Annex II of the CADA proposal, which sets out the criteria for Union assurance levels, explicitly requires providers aiming for levels 2, 3, and 4 to obtain a European cybersecurity certificate.
- Union Assurance Level 2: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Union Assurance Level 3: Also requires a certificate of at least assurance level 'substantial'.
- Union Assurance Level 4: Requires a certificate of at least assurance level 'high'.
The text clarifies that "Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law."
This integration means that EUCS certification becomes a prerequisite for higher tiers of CADA sovereignty recognition, linking technical security directly to sovereignty status. It is important to note that the cybersecurity certification addresses the technical criteria (e.g., encryption, access control, incident response), while the CADA assurance level addresses the sovereignty criteria (e.g., location of personnel, absence of third-country control).
Legislative Context and Implementation
The CADA proposal is consistent with the EU's broader digital strategy, including the Digital Decade targets and the AI Act. It relies on the CSA2 revision to provide the technical backbone for trust, while CADA provides the legal and operational safeguards for autonomy. The proposal emphasises that "cloud computing services in Europe must meet high cybersecurity standards, which calls for a robust cybersecurity framework that provides a comprehensive response to today's geopolitical security challenges."
By aligning CADA with CSA2 and EUCS, the EU aims to avoid fragmentation and ensure that sovereignty measures are built on a foundation of verified technical security. The proposal also notes that it "supplements the Cybersecurity Act's focus on cloud cybersecurity with sovereignty considerations," underscoring that the two instruments are mutually reinforcing rather than overlapping.
What this means for you
For in-house counsel, compliance officers, and cloud service providers, understanding the interplay between CADA and CSA2 is critical for future-proofing cloud strategies and procurement processes.
1. Dual Compliance Requirements. Organisations, particularly those providing services to the public sector or critical infrastructure, will likely need to comply with both regimes. You must ensure that your cloud services meet the technical cybersecurity requirements of CSA2 (via EUCS or national schemes) while also satisfying the sovereignty criteria of CADA. This means conducting audits not just for technical vulnerabilities, but for legal exposure to third-country laws and operational dependencies. A provider cannot claim CADA compliance without first securing the requisite CSA2/EUCS certification level.
2. Procurement and Risk Assessments. Under CADA, public sector bodies must perform risk assessments (Article 29) to determine the required Union assurance level. As a provider, you must be prepared to demonstrate compliance with both technical certifications (CSA2/EUCS) and sovereignty criteria (CADA). For private sector entities in critical sectors (e.g., NIS2 entities), impact assessments similar to those in Article 31 may become mandatory or strongly encouraged. Ensure your vendor risk management processes account for both technical security and sovereignty risks. A service that is technically secure but lacks the necessary EUCS 'substantial' or 'high' rating will fail CADA compliance for public-order-relevant activities.
3. Audit and Certification Readiness. CADA requires independent third-party audits for Union assurance levels 2, 3, and 4 (Article 20). These audits will likely incorporate assessments of your CSA2/EUCS certification status. Prepare for audits that scrutinise your supply chain, data localisation practices, and freedom from third-country control. Ensure your documentation clearly separates technical security measures from sovereignty safeguards, as auditors will need to verify compliance with distinct criteria sets. Note that for Level 4, the requirement for a 'high' assurance level under EUCS is a strict gatekeeper.
4. Monitoring Legislative Developments. Since CADA is a proposal and CSA2 is under revision, the final text may evolve. Monitor the progress of EUCS, as its finalisation will directly impact the timeline for CADA's higher assurance levels. The proposal states that "work will resume on the European Cybersecurity Certification Scheme for Cloud Services (EUCS)" in this legislative context. Engage with industry groups and regulatory bodies to stay informed about how CSA2 and CADA will be implemented in practice, particularly regarding the transition from national schemes to the Union-wide EUCS.
Common misconceptions
Misconception 1: CSA2 and CADA are redundant. Some believe that cybersecurity certification under CSA2 is sufficient to ensure cloud sovereignty. This is incorrect. CSA2 addresses technical security, while CADA addresses legal and operational sovereignty. A service can be technically secure but still subject to third-country data access laws, which CADA aims to mitigate. The explanatory memorandum explicitly states that CSA2 "is not suited for addressing sovereignty concerns that go beyond these technical elements."
Misconception 2: EUCS replaces CADA's sovereignty framework. EUCS is a certification scheme under CSA2, focusing on technical security. It does not replace CADA's sovereignty framework. Instead, EUCS certification is a component of CADA's requirements for higher assurance levels. They are complementary, not substitutive. Without the EUCS certificate, a provider cannot achieve Union assurance levels 2, 3, or 4 under CADA.
Misconception 3: Only the public sector is affected. While CADA's procurement rules directly target public sector bodies, the proposal aims to influence the broader market. Private sector entities in critical sectors may face similar expectations, and providers seeking to serve the public sector must comply with CADA's sovereignty criteria. The market shift towards sovereign services will affect all cloud providers operating in the EU, as the "spillover effects" of public procurement requirements often drive private sector adoption.
Misconception 4: CADA is purely about data localisation. CADA is not just about where data is stored. While data localisation is a criterion, the framework also addresses personnel citizenship, third-country control, software supply chain transparency, and operational autonomy. The proposal explicitly states that the notion of sovereignty "goes beyond data transfers and relates to operational autonomy too."
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
- Digital Decade Policy Programme (Decision (EU) 2022/2481)
This is general information about a draft EU regulation, not legal advice.