Summary

No. Compliance with the Data Governance Act (DGA) does not automatically satisfy obligations under the proposed Cloud and AI Development Act (CADA). The DGA focuses on enabling trusted data sharing through intermediaries and data altruism, whereas CADA establishes a distinct "Union cloud computing sovereignty framework" with four assurance levels, mandatory risk assessments for public procurement, and strict data localisation requirements. As proposed, CADA operates as a complementary framework that adds layers of security and sovereignty obligations, particularly for public sector bodies and entities in high-criticality sectors, which are entirely outside the DGA's scope.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is designed to strengthen the EU's cloud and AI ecosystem by addressing strategic dependencies and enhancing technological sovereignty. While the Data Governance Act (DGA) and CADA share the broader EU objective of fostering a competitive digital single market, they address fundamentally different regulatory problems. The DGA primarily facilitates data sharing through data intermediaries and data altruism, ensuring trusted environments for data exchange. CADA, conversely, establishes a rigid sovereignty framework for cloud computing services, specifically targeting the risks associated with third-country control, operational discontinuity, and the lack of a sovereign cloud offer.

Distinct Regulatory Scopes: Data Flow vs. Infrastructure Sovereignty

The DGA does not contain elements to shape a more competitive offer of European cloud computing services or encourage the entry of diverse providers in the same manner as CADA. As explicitly noted in the CADA explanatory memorandum, the DGA is an "enabler" for the proposal by removing vendor lock-in and enabling switching, but it "does not build the road towards a more sovereign and trusted EU cloud computing sector."

CADA introduces a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16). These levels dictate specific, cumulative criteria for cloud computing services to be recognised as providing Union assurance. For example, higher assurance levels (2, 3, and 4) require independent third-party audits (Article 20), strict data localisation within the Union (Annex II), and prohibitions on third-country control over infrastructure and personnel. The DGA contains no equivalent sovereignty assurance levels, audit mechanisms, or infrastructure location mandates. Therefore, a cloud provider compliant with DGA data-sharing protocols may still fail to meet CADA's stringent sovereignty criteria if their infrastructure is located outside the EU or if they are subject to third-country laws that could compel data access.

Mandatory Risk Assessments and Public Procurement

A critical divergence lies in procurement obligations. CADA imposes mandatory risk assessments on Member States and Union entities (Article 29). These assessments determine which Union assurance level (1, 2, 3, or 4) is appropriate for specific public sector activities, particularly those contributing to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defence, and justice.

Under Article 30 of CADA, contracting authorities whose activities are identified as contributing to the preservation of public order must only procure cloud computing services recognised as having a Union assurance level 2, 3, or 4. Even for activities not identified as such, a minimum requirement of Union assurance level 1 applies. The DGA does not impose such procurement mandates or sovereignty-based award criteria. Consequently, an organisation may fully comply with DGA data-sharing rules but remain ineligible for public contracts under CADA if its cloud services lack the requisite Union assurance recognition.

Complementarity, Not Substitution

The CADA proposal explicitly states that it is consistent with the rules on switching between data processing services introduced by the Data Act (often conflated with the DGA in broader discussions, though the DGA specifically addresses intermediaries). The DGA's focus on interoperability and switching enables users to embrace European cloud services more strongly, but it does not mitigate the risks of third-country dependency. CADA addresses these risks by requiring Member States to undertake sovereignty risk assessments (Article 29) to determine which sub-sectors and use cases should be served by services aligned with respective sovereignty levels.

Furthermore, CADA introduces "Union added value" criteria for public procurement (Article 32), allowing contracting authorities to evaluate tenders based on their contribution to strengthening the digital technology supply chain in the Union. This includes the use of software or hardware designed or manufactured in the Union. The DGA has no provisions regarding hardware origin or supply chain sovereignty. Thus, DGA compliance is a necessary but insufficient condition for CADA compliance in the context of public sector cloud procurement.

What this means for you

For in-house counsel and compliance officers, particularly those managing public sector IT or operating in high-criticality sectors (as defined in Annex I of the NIS2 Directive), the separation of DGA and CADA compliance requires a dual-track strategy.

  1. Conduct Sovereignty Risk Assessments: If your organisation is a contracting authority or operates in a sector identified as critical, you must carry out risk assessments as mandated by Article 29 of CADA. These assessments must determine the sensitivity of data and the impact of potential third-country access or service disruption. You must then map these risks to the appropriate Union assurance level (1–4).
  2. Verify Cloud Provider Assurance Levels: Ensure that your cloud computing service providers have been recognised under Article 17 of CADA as offering the specific Union assurance level required by your risk assessment. DGA compliance certificates or data-sharing agreements are not substitutes for CADA recognition. For Union assurance levels 2, 3, and 4, this requires a "positive" audit opinion from an independent auditing organisation (Article 20).
  3. Review Procurement Strategies: Update your procurement procedures to include the non-price award criteria set out in Article 32 of CADA. This involves evaluating the "Union added value" of tenders, including the origin of hardware and software components. Failure to do so may result in non-compliance with CADA's procurement obligations, even if your data sharing practices are DGA-compliant.
  4. Prepare for Audit Readiness: If you are a cloud provider aiming for Union assurance levels 2, 3, or 4, prepare for independent third-party audits. These audits will scrutinise your software supply chain, data localisation, and personnel citizenship (Annex II). DGA compliance documentation will not satisfy these audit criteria.

Common misconceptions

Misconception 1: "DGA data-sharing agreements cover CADA sovereignty requirements." This is incorrect. The DGA facilitates the flow of data through trusted intermediaries, focusing on data governance and altruism. CADA focuses on the sovereignty of the cloud infrastructure hosting that data. A service can be DGA-compliant for data sharing but fail CADA's Union assurance level 3 criteria if it allows third-country personnel access to infrastructure or if customer data can be transferred outside the Union without explicit public sector approval.

Misconception 2: "Compliance with the Data Act (switching rules) is enough for CADA." While CADA is consistent with the Data Act's switching provisions, the Data Act does not address sovereignty. CADA introduces mandatory procurement rules and sovereignty risk assessments that have no parallel in the Data Act. Relying solely on Data Act compliance leaves public sector bodies exposed to CADA penalties for failing to procure recognised sovereign cloud services.

Misconception 3: "CADA only applies to large hyperscalers." CADA applies to all cloud computing service providers seeking to offer services to Union entities and public sector bodies under the sovereignty framework. SMEs are not exempt from Union assurance level 1 requirements (Article 17), and those seeking higher levels must undergo audits. The scale of the provider does not negate the need for sovereignty recognition if they wish to participate in relevant public procurement.

This is general information about a draft EU regulation, not legal advice.