Summary
No. Complying with the Data Act does not mean you comply with the proposed Cloud and AI Development Act (CADA). While the Data Act provides essential tools for data portability and switching to reduce vendor lock-in, it lacks the sovereignty framework, assurance levels, and public procurement award criteria mandated by CADA. As proposed, CADA establishes a distinct "Union cloud computing sovereignty framework" with four tiers of recognition. Providers must satisfy a two-stack compliance model: fulfilling the Data Act's switching duties plus obtaining CADA recognition at the appropriate Union assurance level to serve the public sector.
Detail
The relationship between the Data Act (Regulation (EU) 2023/2854) and the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) is one of complementarity, not substitution. The CADA explanatory memorandum explicitly frames the Data Act as an "enabler" that facilitates market contestability, but it clarifies that the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers."
The Data Act: Enabling Switching, Not Sovereignty
The Data Act focuses on removing barriers to data mobility. It grants users the right to switch providers, ensures interoperability, and prevents unfair contractual terms. Its primary goal is to ensure that cloud users can freely choose the provider that best meets their needs and combine offers in a multi-cloud approach.
However, the Data Act does not address the core sovereignty concerns that CADA targets. It does not regulate:
- The location of infrastructure or assets relative to the Union.
- The citizenship or residency of personnel managing the service.
- The risk of extraterritorial access by third-country governments.
- The operational autonomy of the provider against third-country control.
Consequently, a provider that fully complies with the Data Act's switching and interoperability obligations (e.g., facilitating data export, providing switching assistance) may still be ineligible for public sector contracts under CADA if they cannot demonstrate the required level of Union assurance.
CADA: The Sovereignty Framework and Assurance Levels
CADA introduces a harmonised "Union cloud computing sovereignty framework" consisting of four Union assurance levels (Article 16). These levels are cumulative and define specific criteria for cloud computing services to be recognised as providing a specific degree of Union assurance.
The framework operates on a tiered recognition system:
- Union Assurance Level 1: Requires the provider to be established in the Union and for infrastructure/assets to be located in the Union (unless the public sector body explicitly requires otherwise). Compliance is demonstrated via a conformity self-assessment and an EU statement of conformity (Article 19).
- Union Assurance Levels 2, 3, and 4: Impose stricter requirements, including mandatory independent third-party audits (Article 20), specific cybersecurity certification levels, and restrictions on third-country control.
  - Level 2 & 3: Require a European cybersecurity certificate of at least assurance level 'substantial' (Annex II 2.1(e), 3.1(e)).
  - Level 4: Requires a certificate of at least assurance level 'high' (Annex II 4.1(e)).
  - Personnel: For Levels 3 and 4, personnel involved in the service must be Union citizens (Annex II 3.1(d), 4.1(d)). At Level 2, this is conditional: personnel must be Union citizens only if the public sector body explicitly requires it (Annex II 2.1(d)).
  - Third-Country Control: Level 3 allows for a derogation where a provider subject to third-country control may be recognised if the Commission has adopted an implementing act under Article 18 (titled "Associated third countries"). This mechanism identifies third countries with sufficient safeguards (e.g., adequacy decisions) to allow such recognition.
Once recognised, services are listed in a central repository maintained by the Commission (Article 22). This repository is the definitive source for public authorities to identify eligible providers. The Data Act contains no equivalent mechanism for recognising sovereignty or listing certified providers.
Procurement and Award Criteria
The divergence is most critical in public procurement. Article 30 of CADA mandates that contracting authorities procure cloud computing services based on the results of a risk assessment (Article 29).
- If an activity does not contribute to the preservation of public order, authorities must procure services recognised at Union assurance level 1 (Article 30(2)).
- If an activity does contribute to public order (e.g., law enforcement, defence), authorities must procure services recognised at Union assurance level 2, 3, or 4 (Article 30(3)).
Furthermore, Article 32 introduces "Union added value" as a non-price award criterion. Contracting authorities must evaluate tenders based on contributions to the European digital supply chain, such as the use of hardware designed or manufactured in the Union. The Data Act contains no such procurement award criteria or sovereignty tiers. A provider compliant with the Data Act but lacking CADA recognition would be legally barred from bidding on public contracts requiring Level 2 or higher.
The Two-Stack Compliance Model
For cloud service providers, compliance is not a single checkbox. It is a stacked obligation:
- Data Act Layer: Fulfil obligations related to data portability, switching assistance, and interoperability to enable user mobility and reduce lock-in.
- CADA Layer: Obtain recognition for one or more Union assurance levels, meet the specific technical and organisational criteria for those levels (including audits and cybersecurity certification), and comply with transparency obligations (Article 23).
Failure to meet the CADA sovereignty criteria will prevent public sector adoption, regardless of Data Act compliance. Conversely, failing to meet Data Act switching requirements may limit private sector competitiveness, even if CADA recognition is achieved.
What this means for you
If you are a cloud service provider or data centre operator, you must treat CADA and Data Act compliance as parallel, non-interchangeable tracks.
For Cloud Service Providers
- Audit Your Sovereignty Position: Do not assume Data Act compliance covers your sovereignty needs. Conduct a gap analysis against the criteria in Annex II. Determine if you meet the criteria for Level 1 (self-assessment) or Levels 2–4 (independent audit).
- Prepare for Recognition: Begin gathering evidence for the recognition process under Article 17. This includes documentation of establishment, infrastructure location, data residency, and subcontractor oversight. Note that for Levels 2–4, you must engage an independent auditing organisation that meets the competence requirements of Article 20.
- Monitor Third-Country Risks: If you are a provider subject to third-country control, assess whether the Commission has adopted an implementing act under Article 18 for your specific country. Without this, you cannot be recognised at Level 3.
- Update Procurement Strategy: Public sector clients will only procure services from the central repository of recognised providers. Ensure your recognised status is up-to-date and that you report any material changes under Article 23.
For Data Centre Operators
- Focus on Deployment and Sustainability: Title III of CADA focuses on data centre acceleration zones, sustainability requirements (referencing Delegated Regulation (EU) 2024/1364 for KPIs), and strategic project designation. While less directly about "switching," these rules impact your operational landscape.
- Align with Sovereignty Criteria: If you host infrastructure for cloud providers seeking Union assurance levels, ensure your data centre meets the location and security criteria specified in Annex II (e.g., infrastructure located in the Union).
Actionable Steps
- Gap Analysis: Compare your current Data Act compliance documentation against CADA's assurance level criteria in Annex II.
- Documentation: Prepare the EU statement of conformity (for Level 1) or engage auditors (for Levels 2–4) to gather the evidence listed in Annex III.
- Procurement Strategy: Develop a strategy to meet the "Union added value" criteria in Article 32, such as highlighting the use of EU-designed hardware or software.
Common misconceptions
Misconception 1: "Data Act switching compliance covers CADA sovereignty obligations." This is incorrect. The Data Act addresses data portability and switching costs. CADA addresses sovereignty, operational autonomy, and public order. They are distinct legal instruments with different objectives. Data Act compliance does not confer any Union assurance level.
Misconception 2: "CADA replaces the Data Act." CADA does not repeal or replace the Data Act. The proposal states that the Data Act is consistent with and complements CADA. Providers must comply with both. The Data Act remains the primary tool for ensuring user mobility and reducing vendor lock-in, while CADA builds the sovereign infrastructure and trust framework.
Misconception 3: "Only public sector providers need to worry about CADA." While CADA's procurement rules directly target public authorities, the sovereignty framework influences the entire market. Private sector entities in critical sectors (e.g., those under the NIS2 Directive) may conduct similar impact assessments under Article 31. Furthermore, achieving Union assurance levels can be a competitive advantage in the private market, as it signals higher levels of security and sovereignty.
Misconception 4: "Complying with the AI Act means I comply with CADA." The AI Act and CADA have different scopes. The AI Act regulates the safety and fundamental rights risks of AI systems. CADA regulates the cloud infrastructure and sovereignty of the services that host and deliver AI. A provider may comply with the AI Act for its AI models but still need CADA recognition for its cloud infrastructure.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.