Summary
No. GDPR compliance would not satisfy the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final). The GDPR protects personal data; CADA, as proposed, would establish a separate framework focused on operational autonomy, data sovereignty and reducing strategic dependence on third-country providers. Meeting GDPR standards would be necessary but not sufficient: a provider serving the public sector would also need recognition at the relevant Union assurance level, demonstrated by self-assessment (level 1) or independent audit (levels 2–4). The two regimes sit side by side.
Detail
CADA was proposed by the Commission on 3 June 2026 to strengthen Europe's cloud and AI ecosystem by addressing risks that data-protection law alone does not cover. The GDPR (Regulation (EU) 2016/679) governs the lawful processing of personal data and the rights of data subjects. CADA, as proposed, would target broader sovereignty concerns: operational continuity, infrastructure location and protection against the extraterritorial reach of third-country law.
GDPR is necessary but not sufficient
The proposal states it is consistent with existing rules on the processing of personal data, including the GDPR. But its explanatory memorandum is explicit that the GDPR and frameworks such as the EU-US Data Privacy Framework, while addressing transatlantic data transfers, "do not remove sovereignty concerns about dependence on third-country providers," because "the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."
A fully GDPR-compliant organisation may therefore still rely on providers that do not meet CADA's sovereignty standards. The GDPR ensures data is processed lawfully and securely; it does not require that the hosting infrastructure sit exclusively within the Union, nor does it prevent a third-country government from compelling a provider to disrupt service or access data. CADA, as proposed, would address those gaps through the "Union cloud computing sovereignty framework" of four assurance levels in Article 16, with criteria set out in Annex II.
Operational autonomy vs. lawful processing
The GDPR asks whether personal data is protected and data-subject rights respected. CADA would ask a different question: whether the service itself could be disrupted, degraded or controlled by third-country actors. Under Annex II, the higher levels turn on criteria the GDPR does not address, including:
- the provider (and subcontractors involved in the service) being established in the Union;
- infrastructure, assets and customer data (including metadata and telemetry) remaining within the Union (subject to limited exceptions where the public sector body explicitly requires otherwise);
- safeguards ensuring that any third-country control is not exercised to restrict the service, expose customer data, or disrupt continuity, and that the provider is not obliged to give effect to illegitimate foreign restrictive measures;
- supply-chain measures such as a software bill of materials and controls over third-country software components.
Levels 2, 3 and 4 are verified by independent third-party audit (Article 20); level 1 by conformity self-assessment and an EU statement of conformity (Article 19).
The role of risk assessments (Article 29)
CADA would require public bodies to assess the sovereignty level their activities need:
- Article 29(1): Member States and Union entities carry out risk assessments (by entry into force plus one year, then every two years or whenever necessary) to identify public-sector activities contributing to the preservation of public order and to determine which assurance level (2, 3 or 4) is appropriate.
- Article 29(2): the assessment considers data sensitivity, criticality and magnitude (personal and non-personal), the risk of unlawful third-country access, and the risk of service disruption.
- Article 29(3): the Commission specifies the methodology and templates by implementing act, including how the highest level is used for the most critical activities such as defence.
- Article 29(6): where migration is required, it must occur within a reasonable transition period not exceeding 12 months.
For private entities in the NIS2 Annex I sectors that are not public sector bodies, Article 31 provides that they "may carry out similar assessments": voluntary in principle, though the Commission may, by delegated act and in duly justified circumstances, require impact assessments for entities operating in sectors of high criticality.
Where the regimes touch: the mandatory-agreement bridge
CADA does not ignore the GDPR's machinery; it reuses part of it. Recital 63 records that where cloud services process personal data, the GDPR already requires controller–processor agreements on organisational and technical measures, that "the same agreements apply to the subcontractors," and that any specific technical and organisational measures needed under CADA "could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met." So a well-drafted GDPR processor agreement is not wasted effort under CADA; it can be extended to carry sovereignty commitments and serve as evidence toward an assurance level. The corollary is that a thin, boilerplate processor agreement leaves a gap precisely where CADA recognition needs proof.
Distinct compliance mechanisms
GDPR compliance rests on internal governance, data-processing agreements and adherence to principles. CADA would add: assurance-level recognition (Articles 17, 19, 20); a Commission-maintained central repository of recognised services that public buyers draw from (Article 22); and national competent authorities overseeing recognition and enforcement (Articles 25–26), distinct from the data-protection authorities that enforce the GDPR. Crucially, the question each regime answers differs: the GDPR asks whether personal data is processed lawfully and protected; CADA would ask whether the service itself can be controlled, disrupted or accessed by a third country. A provider can answer the first question well and the second poorly.
What this means for you
GDPR compliance cannot be used as a shield against CADA's sovereignty requirements. Treat CADA as a separate layer alongside, and sometimes above, your data-protection framework.
1. Run a gap analysis. Review current providers. Even if GDPR-compliant, check whether they would hold recognition at the level your activities require.
2. Update vendor contracts. Existing data-processing agreements may not cover CADA's expectations. Add infrastructure-location guarantees, protections against third-country legal demands, sovereignty-audit rights and migration plans tied to changes in assurance status.
3. Prepare for risk assessments. If you are a public body, plan to run the Article 29 assessment in the first year after entry into force, weighing operational-continuity and third-country-influence risks, and budget for migration within the 12-month window (Article 29(6)).
4. Monitor private-sector obligations. Strict procurement mandates fall on public bodies, but Article 31 lets NIS2 Annex I entities run similar assessments, and the Commission may require them for sectors of high criticality. Mapping your cloud dependencies early would help.
Common misconceptions
"If our provider has an adequacy decision, we're CADA-compliant." No. An adequacy decision concerns data-protection equivalence. CADA's level 3 may permit a third-country-controlled provider only where the Commission has recognised that country as an "associated third country" under Article 18, and an adequacy decision under Article 45 GDPR is only one of several cumulative conditions there, not the whole test.
"GDPR's extraterritorial scope covers CADA's concerns." No. The GDPR reaches processors of EU residents' data wherever located; CADA would focus on the location of infrastructure and operational control. A US-established provider can be GDPR-compliant yet fail CADA where its infrastructure is outside the Union or it is exposed to foreign law allowing access or disruption.
"CADA replaces the GDPR." No. CADA would complement it; both apply. The GDPR protects individual rights; CADA would protect the Union's operational autonomy and strategic interests.
"Only the public sector is affected." Largely, the mandatory procurement rules target public bodies, but Article 31 extends optional (and potentially mandatory) assessments to critical private entities, and public-sector demand would shape the wider market.
Official sources
Related
- If I already comply with the Data Act, do I comply with CADA?
- If I already comply with NIS2, do I comply with CADA?
- Why is the GDPR not enough to achieve cloud sovereignty under CADA?
- What GDPR roles do cloud providers keep under CADA?
- CADA vs GDPR: How Processor Due Diligence Changes Under the New Sovereignty Framework
This is general information about a draft EU regulation, not legal advice.