Summary

If you operate as a Data Governance Act (DGA) data intermediary, the proposed Cloud and AI Development Act (CADA) does not replace your DGA obligations; the two regimes stack. Your DGA registration, neutrality requirements, and reporting duties remain fully in force. However, if you provide cloud computing services to public sector bodies whose activities are identified as contributing to the preservation of public order, you must also comply with CADA's sovereignty framework. This means undergoing risk assessments under Article 29 and securing the appropriate Union assurance level (1, 2, 3, or 4) for those specific contracts. You cannot rely on DGA neutrality to bypass CADA's data localisation or personnel requirements for public-order data.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, and the Data Governance Act (DGA) address distinct but potentially overlapping layers of the EU's digital ecosystem. The DGA establishes a framework for data sharing and the neutrality of data intermediaries. CADA, conversely, targets the infrastructure and market structure beneath the data layer, focusing on cloud sovereignty, data-centre capacity, and strategic autonomy.

For a DGA data intermediary that also provides cloud computing services, these regimes do not substitute for one another. Instead, they operate in parallel. CADA's scope is triggered not by your status as a DGA intermediary, but by your activity as a cloud computing service provider as defined in Article 2(1) of CADA (which mirrors the definition in Directive (EU) 2022/2555). If you fall within this definition, the obligations of Title IV (Autonomy) apply to your cloud services, regardless of your DGA registration.

1. The DGA Notification Regime Remains Unaffected

CADA contains no provisions that alter the notification, registration, or operational rules for DGA data intermediaries. The DGA's core pillars remain untouched by this proposal:

  • Neutrality: You must continue to refrain from processing, for your own purposes, the data whose sharing you facilitate, except for security and integrity checks.
  • Transparency: Your obligation to maintain public registers and report on data sharing activities persists.
  • Liability: Your liability status under the DGA framework is unchanged.

CADA does not impose new DGA-specific reporting duties, nor does it offer an exemption from DGA rules for providers who achieve a high Union assurance level. If you are a DGA intermediary, you must maintain your registration and compliance with the DGA. Simultaneously, if you offer cloud services, you must assess whether those services fall under CADA's sovereignty framework.

2. When CADA Obligations Trigger: The Public Order Link

For a DGA data intermediary, CADA obligations primarily arise when you provide cloud computing services to Union entities or Member State public sector bodies. The critical determinant is whether the public sector body's activities contribute to the preservation of public order.

Article 29 Risk Assessments

Article 29 of CADA obliges Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must identify activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas such as:

  • National security and defence.
  • Internal security and law enforcement.
  • External border management.
  • Justice and criminal investigation.

If the public sector body you serve has identified its activities as contributing to public order under Article 29(1), it is legally bound under Article 30(3) to procure only cloud computing services that have been recognised as offering Union assurance levels 2, 3, or 4.

Implications for DGA Intermediaries Hosting Public Data

If your DGA intermediary services involve hosting or processing data on behalf of a public sector body that falls under Article 29's public order definition, you must ensure your cloud service offering meets the required Union assurance level. This is a condition of contract eligibility for those public bodies.

The required assurance level depends on the risk assessment outcome:

  • Union Assurance Level 1: The baseline for all public sector cloud services. It requires establishment in the Union, data localisation in the Union, and compliance with state-of-the-art cybersecurity standards.
  • Union Assurance Levels 2–4: Required for public order activities. These levels impose stricter cumulative criteria, including:
    • Personnel: For Levels 3 and 4, personnel (including subcontractors) must be Union citizens. For Level 2, Union citizenship is conditional (only if the public sector body explicitly requires it).
    • Infrastructure: Exclusive location of infrastructure, assets, and personnel within the Union.
    • Third-Country Control: Strict prohibitions on control by third countries or legal entities established in third countries, with limited derogations for Level 3 under Article 18.
    • Cybersecurity: Certification under the European Cybersecurity Certification Scheme for Cloud Services (EUCS) at least at the 'substantial' level for Levels 2 and 3, and 'high' for Level 4.

3. Obligations Stack Rather Than Substitute

A common misconception is that compliance with one regime negates the other. In practice, they stack:

  1. DGA Layer: You maintain your DGA registration, ensure data neutrality, and comply with DGA transparency rules.
  2. CADA Layer: For public sector contracts involving public order data, you must undergo the CADA recognition process under Article 17 to obtain a Union assurance level. This involves independent third-party audits (for Levels 2–4) and submission to national competent authorities.

You cannot use DGA neutrality arguments to bypass CADA's sovereignty requirements. For example, even if you are a neutral intermediary under the DGA, if you host data for a law enforcement agency (a public order entity under Article 29), your cloud infrastructure must meet the strict data localisation and personnel controls of the required Union assurance level. The DGA ensures you do not use the data; CADA ensures the infrastructure hosting the data is sovereign.

What this means for you

As a DGA data intermediary providing cloud services, you must take the following steps to ensure compliance with both regimes:

  1. Map Your Public Sector Clients: Identify which of your clients are Union entities or Member State public bodies. Determine if they are procuring cloud services for activities that may be deemed "public order" relevant.
  2. Assess Public Order Relevance: Determine if these clients have conducted Article 29 risk assessments. If they have, request the outcome. If their activities are deemed relevant to public order, they will require you to hold a Union assurance level 2, 3, or 4.
  3. Prepare for Audits: If you need Level 2, 3, or 4, you must engage an auditing organisation (as defined in Article 2(17)) to conduct independent third-party audits. Ensure your infrastructure, personnel, and subcontractors meet the strict Union-only criteria for these levels. Note that for Level 3, a derogation exists for third-country control if the Commission has adopted an implementing act under Article 18.
  4. Maintain DGA Compliance: Continue to fulfill all DGA registration and neutrality obligations. Do not cease DGA reporting activities in anticipation of CADA relief; there is none.
  5. Monitor National Implementations: Member States must designate national competent authorities no later than one year after CADA's entry into force (Article 25). You will submit your recognition applications to these authorities.

Common misconceptions

"CADA replaces DGA for data sharing." Incorrect. CADA focuses on cloud sovereignty and procurement. DGA focuses on data sharing facilitation and neutrality. They are complementary. You must comply with both if you operate as a registered intermediary providing cloud services.

"I am a neutral intermediary, so I don't need to worry about data localisation." Incorrect. Neutrality under DGA means you don't use the data for your own purposes. It does not exempt you from CADA's requirement that, for public order services, customer data must remain exclusively within the Union (Annex II, Union Assurance Level 2–4 criteria).

"Article 29 only applies to governments, not my business." Incorrect. While Article 29 obliges Member States to perform the risk assessment, the result of that assessment dictates the procurement requirements you must meet to sell to them. If the government identifies its data as public-order sensitive, you must meet the corresponding Union assurance level to remain a compliant vendor.

"CADA only affects data centres." Incorrect. While CADA includes measures for data-centre acceleration zones, its sovereignty framework (Title IV) applies to any cloud computing service provider seeking to serve the public sector.

This is general information about a draft EU regulation, not legal advice.