Summary No. Complying with the Chips Act (including the proposed Chips Act 2.0) does not mean you comply with the Cloud and AI Development Act (CADA). The Chips Act focuses on semiconductor manufacturing, supply chain resilience, and hardware design. CADA imposes separate, distinct obligations on cloud computing service providers regarding sovereignty, data localization, personnel citizenship, and public procurement. While both are complementary parts of the EU's broader "tech-sovereignty package," they regulate different layers of the digital stack. A provider must navigate two independent compliance tracks: one for the physical hardware (Chips Act) and one for the service and infrastructure layer (CADA).

Detail

The European Commission's proposal for the Cloud and AI Development Act (CADA) and the Chips Act are distinct legislative instruments with different legal bases, objectives, and scopes. A common misconception among cloud service providers, data centre operators, and hardware manufacturers is that adherence to one automatically satisfies the requirements of the other. This is incorrect.

Distinct Regulatory Scopes

The Chips Act is primarily concerned with the physical hardware layer of the technology stack. Its objectives, as noted in the CADA explanatory memorandum, include promoting investments in advanced semiconductors, increasing supply chain resilience, and creating demand through cooperation between the semiconductor supply chain and end markets. It aims to secure the production and availability of microprocessors, accelerators, and other critical components designed and manufactured in the Union.

In contrast, CADA regulates the service and infrastructure layer. As explicitly stated in Article 1(1) of the CADA proposal, its subject matter is establishing a framework to strengthen the cloud and AI ecosystem through five specific measures:

  • Establishing the Cloud and AI Leadership Initiatives.
  • Setting the framework for the accelerated deployment of data centres.
  • Enabling the availability of a "sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order."
  • Reducing dependencies on critical technologies.
  • Fostering the adoption of cloud computing services across the public sector.

The CADA proposal explicitly positions itself as complementary to the Chips Act, not substitutive. Recital 27 of CADA notes that the Cloud and AI Leadership Initiatives should build on those established in the Chips Act 2.0 to enable semiconductor technologies underpinning AI, cloud computing, and data centres. However, this synergy does not merge their compliance regimes.

Complementary but Separate Obligations

A cloud provider compliant with the Chips Act may have secured reliable access to EU-designed processors or participated in a "grand challenge" for semiconductor innovation. However, this does not address CADA's core requirements for "Union assurance levels."

Under Article 16 and Annex II of CADA, providers must meet cumulative criteria for sovereignty that are entirely unrelated to chip manufacturing. These include:

  • Establishment: The provider must be established in the Union.
  • Location: Infrastructure, assets, and personnel must be located in the Union.
  • Data Residency: Customer data must remain exclusively within the Union.
  • Control: The provider must not be subject to the control of a third country or a legal entity established in a third country (unless a specific derogation under Article 18 applies).
  • Cybersecurity: For Levels 2 and 3, a European cybersecurity certificate of at least "substantial" assurance is required; for Level 4, a "high" assurance certificate is mandatory.

The Chips Act does not impose these data residency, personnel citizenship, or sovereignty audit requirements. A provider using EU-made chips but storing data in a third country, or employing non-EU personnel for critical operations, would fail CADA's higher assurance levels despite full Chips Act compliance.

Furthermore, CADA introduces specific procurement rules for public sector bodies. Article 30 mandates that contracting authorities must procure cloud computing services recognized at specific Union assurance levels (Level 1 for general use; Levels 2, 3, or 4 for activities contributing to public order). A provider cannot leverage Chips Act compliance to bypass these sovereignty audits and recognitions.

The Tech-Sovereignty Package

Both regulations are part of the EU's "tech-sovereignty package," aiming to reduce dependence on third-country providers, but they address different risks. The Chips Act addresses the risk of hardware shortages and geopolitical leverage over component supply. CADA addresses the risk of data access by third-country authorities, operational continuity, and extraterritorial legal interference.

As the CADA explanatory memorandum states, the proposal complements the Chips Act by focusing on the "uptake and use of the services provided," while the Chips Act focuses on the industrial base. Therefore, a provider must navigate both frameworks independently to be fully compliant with the EU's strategic autonomy goals.

What this means for you

If you are a cloud service provider, data centre operator, or hardware manufacturer, you must treat CADA and the Chips Act as two separate compliance tracks.

  1. Map Your Obligations Separately: Do not assume that your hardware sourcing compliance under the Chips Act covers your service-level obligations under CADA. You need to conduct a separate gap analysis for CADA's sovereignty framework, specifically checking your establishment, data flows, and personnel location.
  2. Prepare for Sovereignty Audits: Regardless of your semiconductor supply chain, you must prepare for independent third-party audits if you aim to offer services at Union Assurance Levels 2, 3, or 4. Article 20 requires these audits to verify criteria such as the location of personnel, the absence of third-country control, and software supply chain transparency.
  3. Update Public Sector Proposals: When bidding for public sector contracts, ensure your tender demonstrates compliance with CADA's Article 32 (Union added value) and the specific assurance levels required by the contracting authority's risk assessment under Article 29. Chips Act compliance may be a positive factor in demonstrating supply chain resilience, but it is not a substitute for the mandatory sovereignty recognition.
  4. Monitor Cross-Referencing: While the regulations are separate, the Commission may issue guidance linking them. For instance, CADA's Article 4 encourages the development of AI-optimised servers based on processors designed and manufactured in the Union, aligning with Chips Act goals. Staying aligned with both will strengthen your market position, but compliance remains distinct.

Common misconceptions

  • "If my hardware is EU-compliant, my cloud service is sovereign." Incorrect. Sovereignty under CADA involves data localization, personnel citizenship, legal jurisdiction, and operational autonomy, not just the origin of the physical chips. A provider using EU-made chips but storing data in a third country would fail CADA's higher assurance levels.
  • "The Chips Act 2.0 replaces CADA's hardware requirements." Incorrect. The Chips Act focuses on manufacturing and design incentives. CADA focuses on the operational and legal framework for cloud services. They are parallel tracks.
  • "Compliance with one exempts me from the other." Incorrect. The CADA proposal explicitly states it complements the Chips Act. There is no exemption clause in CADA that waives sovereignty requirements based on semiconductor compliance.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.