Summary The Draghi report — The future of European competitiveness (September 2024) — is a strategic document that helped justify the proposed Cloud and AI Development Act (CADA). As proposed, CADA operationalises the report's call for the EU to regain control over data and cloud services, expand domestic compute capacity, and back "sovereign cloud" solutions. For public-sector buyers, CADA would translate those high-level goals into procurement criteria — chiefly the four Union assurance levels (Article 16) and mandatory risk assessments (Article 29). CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

CADA is designed to address strategic vulnerabilities highlighted in the report by Mario Draghi. The report, published in September 2024, argues that the EU must "maintain a foothold in areas where technological sovereignty is required, such as security and encryption ('sovereign cloud' solutions)" and reduce critical external dependencies by strengthening homegrown cloud and AI capabilities.

CADA cites the report directly. Recital 4 of the proposal states that reinforcing the Union's capacity to develop and deploy cloud and AI technologies "has become a strategic priority for the Union's competitiveness, security of supply and technological sovereignty, as highlighted in the report by Mario Draghi on the future of European competitiveness." Recital 5 then explains that these dependencies translate not only into limited market shares for European providers but also into "significant risks for the Union's operational autonomy, resilience and security," noting risks associated with the extraterritorial effects of third-country legislation.

The explanatory memorandum expands the link, recording that the Draghi report "calls on the European Commission to take targeted actions aimed at regaining and retaining control over data and cloud computing services, expanding domestic computational capacity and establishing a robust financial and talent flywheel to drive innovation." CADA is the legislative instrument intended to act on that call, moving beyond voluntary guidance to enforceable standards.

The core mechanism is the Union cloud computing sovereignty framework in Article 16, which sets out four "Union assurance levels" (Levels 1-4) whose criteria are in Annex II. These are designed to mitigate the risks the report flags — for example, the potential for third-country actors to disrupt service provision or access data via extraterritorial laws — through a single EU-wide definition of sovereignty rather than fragmented national rules.

The proposal links these sovereignty measures to procurement. Article 29 requires Member States and Union entities to run risk assessments identifying which public-sector activities contribute to the preservation of public order; Article 30 then ties what a buyer may procure to the result — Level 1 for ordinary activities, Levels 2, 3 or 4 for public-order activities. This addresses the report's concern about reliance on non-European providers exposing the EU to discontinuity and loss of control.

CADA also reflects the report's emphasis on industrial capacity. Article 1 sets the general objectives of competitiveness and innovation capacity and of improving the single market's functioning for resilience and strategic autonomy. To build domestic capacity, Article 10 requires Member States deploying data centre capacity to designate data centre acceleration zones, while the Cloud and AI Leadership Initiatives (Articles 3 onward) support cutting-edge cloud and AI development.

What this means for you

For public-sector procurement officers and legal teams, the report-to-CADA link is practical, not theoretical.

  1. Sovereignty becomes a procurement criterion. Under the proposed Article 30, specifications must require a recognised Union assurance level. For public-order activities (such as national security, justice or critical infrastructure), you would be required to procure services recognised at Levels 2, 3 or 4.
  2. Risk assessments are mandatory. You must participate in or conduct the Article 29 assessments, which determine the minimum level. The Commission is to specify the methodology, templates and elements by implementing act (Article 29(3)).
  3. Vendor qualification changes. Existing vendors, particularly non-EU hyperscalers, may not qualify at the higher levels. Verify recognition under Article 17 (and check the Article 22 central repository); without recognition at the required level you cannot procure for high-risk public-order activities, regardless of price or performance.
  4. Strategic alignment. When drafting institutional or national strategies, you can reference the Draghi report's objectives to justify sovereign-cloud investment; CADA provides the legal framework, including the Cloud and AI Leadership Initiatives.

Common misconceptions

  • CADA bans non-EU cloud providers entirely. Reality: it creates a tiered system, not a ban. Non-EU providers can still offer services but must meet the Union assurance level criteria to be eligible for public contracts at the higher levels. Article 18 allows the Commission to recognise an "associated third country" whose controlled providers may then be audited at Level 3, subject to strict cumulative criteria.
  • The Draghi report is legally binding. Reality: it is a strategic document and policy recommendation, not legislation. CADA is the proposal that would translate its recommendations into binding law.
  • Sovereignty just means data localisation. Reality: per the explanatory memorandum and Annex II, sovereignty also covers operational autonomy, absence of third-country control, the ability to prevent service disruption, and EU cybersecurity standards. A provider can store data in the EU yet still fail Level 3 or 4 if subject to third-country laws that could compel access or degrade service.
  • All public-sector contracts need the highest level. Reality: the framework is risk-based. Under Article 30(2), activities not identified as preserving public order use at least Level 1; only identified public-order activities require Levels 2, 3 or 4.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.