Does AI Act compliance mean you comply with CADA?

Summary No. Complying with the EU AI Act would not, on its own, satisfy the proposed Cloud and AI Development Act (CADA). The AI Act (Regulation (EU) 2024/1689) governs the safety, transparency and fundamental-rights impact of AI systems and general-purpose AI models. CADA, as proposed (COM(2026) 502 final), would add a separate sovereignty framework for cloud services, plus data-centre and procurement rules. The CADA explanatory memorandum says the AI Act "does not cover aspects of sovereignty." So a cloud or AI provider would still have to meet CADA's Union assurance levels and infrastructure rules independently of its AI Act status — the two run in parallel.

Detail

The two instruments do different jobs. The AI Act is a product-safety and fundamental-rights regulation: it classifies AI systems by risk (prohibited, high-risk, transparency-obligation, minimal) and imposes duties such as risk management, data governance, technical documentation, logging, human oversight and conformity assessment. The CADA proposal is a capacity-building and sovereignty instrument: it aims to strengthen Europe's cloud and AI ecosystem, reduce dependence on third-country providers, speed up data-centre deployment and build trust in cloud services through graded "Union assurance levels."

Where the scopes diverge

CADA reuses the AI Act's terminology — Article 2(3) defines "AI system" by reference to Article 3(1) of the AI Act — but the obligations diverge sharply. CADA's "cloud computing service" definition (Article 2(1)) cross-refers to the NIS2 Directive. Recital 10 of the proposal clarifies the boundary: a cloud service "encompasses on-demand access to AI systems … hosted and operated remotely," but "[o]nly the delivery and making available of an AI system forms part of the service. The AI system itself and its underlying model are excluded from the scope of this definition." So the AI Act keeps the model; CADA reaches the cloud delivery around it.

Because the regimes attach to different layers, obligations stack rather than substitute. A provider serving Union entities or public sector bodies would have to satisfy CADA's sovereignty framework even if the AI workloads it hosts are fully AI Act-compliant.

Sovereignty assurance vs. AI risk management

CADA's central mechanism is the Union cloud computing sovereignty framework in Article 16: four assurance levels, with the cumulative criteria set out in Annex II. Those criteria centre on matters the AI Act does not touch, including:

• establishment of the provider (and subcontractors involved in the service) in the Union;
• location of infrastructure and assets, and the requirement that customer data — including metadata and telemetry — remain exclusively within the Union (subject to limited exceptions where the public sector body explicitly requires otherwise);
• safeguards against third-country control being exercised in ways that would restrict the service, expose customer data or disrupt continuity;
• personnel screening and Union-citizenship requirements where a public sector body determines they are necessary (these are conditional under Annex II, not a blanket rule);
• cybersecurity certification under a European scheme (or, until one exists, national schemes or the highest applicable standards).

The AI Act has no equivalent sovereignty tiers. A high-risk AI system can be fully AI Act-compliant yet run on a cloud service that does not meet CADA's level 2, 3 or 4 criteria — for example because data is processed outside the Union or because third-country control is not adequately mitigated.

Procurement: a constraint the AI Act does not impose

Under Article 29, Member States and Union entities would conduct risk assessments to decide which assurance level fits a given public-sector activity. Under Article 30, those whose activities are not identified as contributing to public order must use level-1 services, while those identified as contributing to public order (in the NIS2 Annex I/II sectors or in national security, defence, justice and similar areas) must procure only level 2, 3 or 4 services. The AI Act offers no comparable infrastructure-level procurement filter — so AI Act compliance alone would not keep you in a public tender.

Frontier AI: layered, not merged

For frontier-AI developers the layering is sharpest. CADA Article 8 sets criteria for recognition as a "frontier AI priority project" — a pioneering project scaling up frontier AI, undertaken by a European Digital Infrastructure Consortium or another entity eligible for Union funding and involving at least three Member States that pool computing resources — which can unlock guaranteed compute under Article 9. Separately, the AI Act imposes its own duties on general-purpose AI models, including systemic-risk obligations. A frontier-AI provider could clear the AI Act's technical bar yet still need CADA recognition to access public-sector demand or pooled compute.

Why the documentation does not transfer

It is tempting to assume that a mature AI Act compliance file — risk-management system, technical documentation, data-governance records, post-market monitoring — gives a head start on CADA. It gives almost none for the sovereignty criteria. AI Act documentation answers questions about the system: is its training data appropriate, is human oversight designed in, is it accurate and robust, is it logged. CADA's Annex II asks orthogonal questions about the service and the organisation behind it: is the provider established in the Union, do infrastructure, assets and (at higher levels) personnel sit in the Union, does customer data including metadata and telemetry stay within the Union, is any third-country control mitigated so it cannot restrict the service or expose data, is there a complete software bill of materials, are third-country software components subject to source-code audits and migration plans. None of these is produced as a by-product of AI Act conformity work. A provider that treats CADA as a documentation add-on to its AI Act file will find the evidence base largely empty.

The boundary in one line

The cleanest mental model: the AI Act regulates the model and the system; CADA regulates the cloud delivery of that system and the sovereignty of the infrastructure underneath it. Recital 10 of CADA draws the line explicitly — on-demand access to a hosted AI system is within CADA's "cloud computing service," but the AI system and its underlying model are not. So the same deployment can be simultaneously an AI Act matter (the system) and a CADA matter (its hosting), with neither subsuming the other.

What this means for you

Treat the AI Act and CADA as two compliance tracks.

1. Map your services to CADA's assurance levels. Do not assume AI Act documentation (risk-management files, technical documentation) carries over. Assess your services against the Annex II criteria. To serve public-sector clients you would need at least level 1, and level 2, 3 or 4 depending on your customers' risk assessments.
2. Prepare for independent audits. Levels 2, 3 and 4 require an independent third-party audit at the provider's expense (Article 20), examining sovereignty criteria — establishment, data localisation, third-country control, supply-chain measures such as an SBOM — that AI Act conformity assessments do not cover. Level 1 rests on a conformity self-assessment and EU statement of conformity (Article 19).
3. Look down your supply chain. Annex II extends sovereignty criteria to subcontractors involved in the service. Review subcontractor establishment, data flows and third-country exposure now.
4. Watch the public market. Your eligibility for public tenders would track your CADA assurance level, not your AI Act status.

Common misconceptions

"The AI Act covers all AI-related EU rules." No. It addresses safety and fundamental rights for AI systems and GPAI models. It does not cover cloud sovereignty, data-centre deployment or public procurement of cloud — CADA would.

"A high-risk AI system automatically meets CADA's top tier." No. The AI Act's high-risk category turns on potential harm from the system; CADA's levels turn on the infrastructure's sovereignty. The two classifications are independent.

"CADA replaces the AI Act for cloud providers." No. The memorandum frames CADA as reinforcing the AI Act. Providers of AI-enabled cloud services would comply with both.

"My CE marking proves CADA compliance." No. A CE marking attests AI Act conformity. It says nothing about Union establishment, data localisation or third-country control under CADA.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Data Act (Regulation (EU) 2023/2854)
• Data Governance Act (Regulation (EU) 2022/868)

Related

• CADA and the AI Act: Dual Compliance for Public-Sector AI Buyers
• If I comply with the Chips Act, do I comply with CADA?
• DGA vs CADA: Does Data Governance Act compliance satisfy CADA?
• If I already comply with the Data Act, do I comply with CADA?
• Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?

This is general information about a draft EU regulation, not legal advice.