Summary
For Small and Medium-sized Enterprises (SMEs) and small mid-caps (SMCs), the proposed Cloud and AI Development Act (CADA) does not create a standalone compliance silo but layers sovereignty requirements onto existing obligations. The baseline remains the General Data Protection Regulation (GDPR) for data protection, with the NIS2 Directive or the Digital Operational Resilience Act (DORA) applying if the SME operates in a critical sector. CADA offers a streamlined path for SMEs: under Article 17(3), an SME's self-assessment for Union assurance level 1 is automatically recognised across the EU without prior national authority approval. For higher levels, SMEs may voluntarily conduct impact assessments under Article 31 to align with public standards. Crucially, Recital 68 and Article 33 set a target for Member States to award at least 25% of innovation procurement for cloud and AI to SMEs, creating a strategic market opportunity for those who align their compliance with "European added value" criteria.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem. For SMEs, the challenge is not merely adopting new rules but integrating them into a complex web of existing digital legislation. The proposal explicitly states that it complements, rather than replaces, the GDPR, the Data Act, the NIS2 Directive, and DORA. A successful compliance strategy for an SME must therefore be sequenced, starting with the foundational legal baselines before addressing CADA-specific sovereignty and procurement mechanisms.
1. Establishing the Regulatory Baseline: GDPR, NIS2, and DORA
Before an SME can engage with CADA's sovereignty framework, it must ensure its baseline compliance with the EU's core digital regulations. CADA is designed to sit on top of these regimes, addressing gaps in sovereignty and operational autonomy that they do not cover.
The GDPR Baseline
The General Data Protection Regulation (GDPR) remains the non-negotiable foundation for any cloud provider processing personal data. CADA's sovereignty framework is explicitly consistent with the GDPR. Recital 63 of the proposal notes that where cloud services process personal data, the GDPR requires organisational and technical measures to ensure compliance. CADA does not alter these data protection obligations; instead, it adds a layer of requirements regarding data localisation, third-country control, and operational autonomy. An SME must ensure that the technical measures implemented to meet CADA's assurance levels (such as data remaining exclusively within the Union) also satisfy the GDPR's requirements for data protection by design and by default.
The NIS2 and DORA Baseline
For SMEs operating in critical sectors, the NIS2 Directive and DORA impose specific cybersecurity and operational resilience obligations. Recital 5 of the CADA proposal highlights that the EU's dependence on third-country providers exposes users to risks of operational discontinuity, a concern that NIS2 and DORA also address.
- NIS2: The NIS2 Directive improves the cybersecurity risk management of cloud computing service providers. Recital 5 clarifies that while NIS2 focuses on technical cybersecurity, CADA addresses broader sovereignty considerations. An SME in scope for NIS2 should map its existing risk management and incident reporting procedures to CADA's requirements to avoid duplication.
- DORA: The Digital Operational Resilience Act (DORA) shapes compliance for cloud providers serving financial entities. Recital 5 notes that DORA is sectoral and specific to the financial sector, whereas CADA has a broader scope. SMEs serving financial clients must ensure their CADA compliance does not conflict with DORA's specific ICT risk management and incident testing requirements.
2. Leveraging CADA's SME-Specific Provisions: The Level 1 Shortcut
The most significant advantage CADA offers to SMEs is the streamlined recognition process for Union assurance level 1. This level serves as the baseline for public procurement and is designed to be accessible to smaller providers.
Automatic Recognition for SMEs
Under Article 17(3), the proposal introduces a specific derogation for SMEs. While standard providers must submit their EU statement of conformity to a national competent authority for evaluation, an SME's statement of conformity for Union assurance level 1 is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This provision drastically reduces the administrative burden and time-to-market for SMEs. To use this derogation, an SME must:
- Conduct a conformity self-assessment against the criteria for Union assurance level 1 set out in Annex II.
- Issue an EU statement of conformity, assuming responsibility for compliance (Article 19(2)).
- Make this statement publicly available (Article 19(3)).
Once these steps are completed, the SME's service is recognised across the Union. This allows SMEs to immediately bid for public contracts that require only level 1 assurance, which covers many non-critical public sector activities.
The Path to Higher Levels: Voluntary Assessments
For SMEs aiming to serve public bodies with activities identified as contributing to the preservation of public order (requiring levels 2, 3, or 4), the path is more rigorous. These levels require independent third-party audits (Article 20). However, SMEs are not excluded from this market. Article 31 provides a critical mechanism for private sector entities, including SMEs, to conduct voluntary impact assessments. While mandatory risk assessments under Article 29 apply to Member States and Union entities, Article 31(1) allows entities in sectors listed in Annex I of the NIS2 Directive (which includes many SMEs in critical infrastructure) to carry out "similar assessments." By voluntarily conducting these assessments, an SME can:
- Demonstrate robustness and alignment with public sector standards before a tender is issued.
- Identify gaps in their sovereignty posture early.
- Position themselves as "ready" for higher assurance levels, even if the audit is not yet mandatory for their specific client base.
The Commission may issue guidance on these assessments (Article 31(2)), and for entities in high-criticality sectors, the Commission may eventually mandate impact assessments via delegated acts (Article 31(3)).
3. Strategic Procurement: The 25% Innovation Target
CADA is not just a compliance burden; it is a market-shaping tool designed to boost European providers. For SMEs, the most tangible benefit lies in the public procurement provisions.
The 25% Target
Recital 68 explicitly states that "Member States should aspire to award at least 25% of relevant cloud and AI procurement innovation procedures to SMEs." This is reinforced by Article 33(4), which sets the objective that "at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs." This target creates a protected market segment. SMEs should monitor national strategies (required under Article 7), in which Member States must include plans to achieve this objective.
European Added Value Criteria
To win these contracts, SMEs must align with the "European added value" criteria outlined in Article 32. Contracting authorities are required to include non-price award criteria evaluating:
- Contributions to strengthening the digital technology supply chain in the Union.
- Integration of technologies developed in the Union.
- Delivery of services using hardware or software designed or manufactured in the Union.
- Use of open-source solutions.
By ensuring their compliance documentation highlights these elements (such as using EU-designed chips or open-source middleware), SMEs can differentiate themselves from larger, non-EU incumbents. Article 32(2) clarifies that these criteria must be "ancillary and not decisive," but in a market where the 25% target is a political priority, they become a decisive factor for SMEs.
4. Data Centre Deployment and Sustainability
For SMEs that are data centre operators or planning to build infrastructure, CADA offers a framework to accelerate deployment. Article 10 requires Member States to designate "data centre acceleration zones" where permitting is streamlined. Article 13 mandates that the permit-granting procedure for projects in these zones shall not exceed 12 months.
However, access to these zones is conditional on sustainability. Article 11 requires that sustainability requirements for data centres in acceleration zones use the key performance indicators (KPIs) defined in Delegated Regulation (EU) 2024/1364. These KPIs are not enumerated in CADA itself but are referenced from the existing Energy Efficiency Directive framework. SMEs must ensure their projects meet these KPIs (e.g., PUE, WUE) to qualify for the accelerated permitting process. Failure to meet these standards could block access to the acceleration zones, hindering the ability to scale infrastructure.
What this means for you
As an SME provider or data centre operator, your compliance and market strategy should follow a phased approach that leverages CADA's specific provisions for smaller players:
- Secure the Baseline First: Before engaging with CADA, ensure your GDPR compliance is robust. If you operate in a critical sector, verify your NIS2 or DORA status. Map your existing cybersecurity measures to CADA's sovereignty criteria to identify where you already meet the "technical cybersecurity" requirements of Annex II.
- Prioritise Level 1 for Speed: If you are an SME, immediately conduct a self-assessment for Union assurance level 1. Issue your EU statement of conformity and publish it. This triggers the automatic recognition mechanism under Article 17(3), allowing you to bid on public contracts without waiting for national authority approval. This is your fastest route to market.
- Voluntarily Align for Higher Levels: If you target critical public sector activities (e.g., law enforcement, defence), do not wait for a tender. Conduct a voluntary impact assessment under Article 31 to identify gaps in your personnel screening, data localisation, and third-country control measures. This prepares you for the independent audits required for levels 2, 3, or 4.
- Target the 25% Innovation Quota: Review your product roadmap to ensure it aligns with Article 32 "European added value" criteria. Document your use of EU-manufactured hardware, open-source software, and R&D results from Union-funded programmes. Use this documentation to position your bids specifically for the innovation procurement procedures where the 25% SME target applies.
- Engage with Acceleration Zones: If you are a data centre operator, identify the acceleration zones designated by your Member State under Article 10. Engage early with the single information points (Article 12) to ensure your project meets the Delegated Regulation (EU) 2024/1364 sustainability KPIs, securing the 12-month permitting timeline.
Common misconceptions
- "CADA replaces GDPR or NIS2." No. CADA is a complementary framework. Recital 5 and Recital 63 confirm that CADA addresses sovereignty and operational autonomy, while GDPR handles data protection and NIS2/DORA handle technical cybersecurity and operational resilience. You must comply with all applicable regimes simultaneously.
- "SMEs are exempt from audits for all levels." Incorrect. The automatic recognition exemption under Article 17(3) applies only to Union assurance level 1. If an SME seeks recognition for levels 2, 3, or 4, it must undergo the same independent third-party audits as larger providers (Article 20).
- "The 25% SME target is a voluntary suggestion." While Recital 68 uses the word "aspire," Article 33(4) sets a binding objective for Member States: "Member States shall pursue as objective that at least 25% of their procurement... be awarded to innovative SMEs." Member States must include plans to achieve this in their national strategies (Article 33(4)).
- "Sustainability is just a nice-to-have." For data centre operators, sustainability is a gatekeeper. Article 11 mandates the use of KPIs from Delegated Regulation (EU) 2024/1364 for projects in acceleration zones. Without meeting these metrics, an SME cannot access the streamlined permitting process.
This is general information about a draft EU regulation, not legal advice.