Summary

Under the proposed Cloud and AI Development Act (CADA), there is no single "winner" when cloud setup requirements conflict; instead, CADA is designed to layer with, not override, existing EU law. Public sector bodies must conduct risk assessments under Article 29 to determine the appropriate Union assurance level, ensuring that sector-specific obligations (such as those in the GDPR, NIS2, or DORA) feed directly into these assessments. Compliance requires satisfying the most stringent technical and organizational measures across all applicable instruments, with risk-based proportionality guiding the final architecture. CADA fills the sovereignty gap left by other regulations but does not displace their core mandates.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a comprehensive framework for strengthening Europe's cloud and AI ecosystem. A critical aspect of this proposal is its interaction with existing EU legislation, particularly where conflicting or overlapping requirements arise regarding cloud infrastructure, data sovereignty, and security. For in-house counsel and compliance officers, understanding how CADA resolves these tensions is essential for avoiding regulatory fragmentation and ensuring robust compliance.

CADA Layers With, Rather Than Overrides, Existing Law

A fundamental principle of CADA is that it does not operate in a vacuum. The proposal is explicitly designed to complement and layer upon existing EU legal instruments, rather than replacing them. As stated in the explanatory memorandum, CADA reinforces key objectives of the AI Act, the General Data Protection Regulation (GDPR), the Data Act, and the NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union).

For instance, while the GDPR governs the processing of personal data and provides mechanisms for cross-border transfers, it does not address broader sovereignty concerns related to operational autonomy or strategic dependence on third-country providers. CADA fills this gap by introducing a harmonized sovereignty framework. However, this does not absolve entities from GDPR obligations. Instead, entities must comply with both. If a public sector body's cloud deployment must meet both the GDPR's data protection standards and CADA's Union assurance levels, that body must implement measures that satisfy both regimes. In practice, this often means adopting the more stringent of the two requirements.

The proposal explicitly notes that it is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework." However, it clarifies that "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers." Thus, CADA acts as a sovereign overlay, addressing risks that data protection laws alone do not cover.

The Role of Article 29: Risk Assessments as the Tie-Breaker

The primary mechanism for resolving potential conflicts or overlaps is the risk assessment obligation set out in Article 29 of CADA. This article mandates that Member States and Union entities carry out risk assessments to identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order.

Article 29(1) requires these assessments to: (a) Identify public sector activities using cloud services that contribute to preserving public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in the areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. (b) Determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.

Crucially, Article 29(2) specifies that these risk assessments must consider: (a) The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context, and purpose of processing personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects. (b) The risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country. (c) The risk and consequent impact on public order of possible service disruption.

This structure ensures that sector-specific obligations, such as those imposed by the GDPR on personal data or NIS2 on critical infrastructure, directly inform the CADA risk assessment. The risk assessment acts as a bridge, translating sector-specific legal requirements into the CADA sovereignty framework. If a sector-specific law requires a high level of data localization or specific security controls, the risk assessment under Article 29 would likely necessitate a higher Union assurance level (e.g., Level 3 or 4) to mitigate the identified risks.

Sector-Specific Obligations Feed Risk Assessments

Recital 63 of CADA explicitly addresses this interplay, stating that in their risk assessments, Union entities and Member States shall assess the sensitivity, criticality, and magnitude of personal and non-personal data processed in cloud environments. It notes that this processing may include personal data within the meaning of Regulation (EU) 2016/679 (GDPR) and data subject to sector-specific obligations under Union law, including Directive (EU) 2022/2555 (NIS2) and Regulation (EU) 2022/2554 (DORA).

The recital further clarifies that where cloud computing services are used to process personal data, the GDPR provides for an obligation to agree on organizational and technical measures. If specific technical and organizational measures are implemented pursuant to CADA to ensure personal data is processed in line with CADA, these measures could be foreseen in the mandatory agreements pursuant to the GDPR and relied upon to demonstrate that the necessary Union assurance levels are met. This creates a synergistic compliance approach, where measures implemented for one regulation can support compliance with another, reducing duplication and administrative burden.

The proposal also notes that it "complements the Digital Operational Resilience Act (DORA)" by ensuring that cloud services underpinning emergency management and civil protection are provided at the appropriate Union assurance level, thereby contributing to the digital preparedness dimension of the Preparedness Union Strategy.

Sovereignty and Free-Flow Tension

CADA aims to balance the EU's commitment to the free flow of data within the Union with the need for technological sovereignty. Recital 64 emphasizes that the free flow of data within the Union is an essential condition for the proper functioning of the internal market. However, it also acknowledges the need to protect public order, which may require restricting access to certain cloud services based on sovereignty risks.

The tension arises when a cloud provider's architecture, designed for global scalability and free flow, conflicts with CADA's stricter data localization and control requirements for higher assurance levels. For example, Union Assurance Levels 3 and 4 require that customer data remain exclusively within the Union and that personnel involved in service provision are Union citizens with appropriate security clearances. If a provider's global setup involves data processing or personnel access from third countries, it cannot offer these higher assurance levels. In such cases, the "winner" is the public order requirement, and the contracting authority must procure a service that meets the stricter CADA criteria, even if this limits the flow of data to third countries.

Recital 64 explicitly states that "where necessary and in duly justified circumstances, the Union retains the right... to adopt or maintain measures necessary to protect public morals, order or safety, allowing for necessary and proportionate restrictions on access to public procurement procedures." This confirms that public order concerns, as assessed under Article 29, can legally override the general principle of free data flow within the internal market context of public procurement.

Risk-Based Proportionality Applies

CADA employs a risk-based, proportional approach to ensure that sovereignty requirements do not unduly burden the public sector. Not all public services require the highest levels of assurance. Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment shall use cloud computing services recognized as having Union Assurance Level 1.

Only where a risk assessment determines that activities have public order relevance (as per Article 30(3)) must contracting authorities procure services recognized as offering Union Assurance Levels 2, 3, or 4. This proportionality ensures that entities only incur the higher costs and operational constraints of sovereign cloud setups when justified by a specific, assessed risk to public order.

Recital 52 reinforces this, noting that "The Union assurance levels should provide for a proportionate framework to ensure that public order is preserved... Most public services would not require the highest levels of assurance." The risk assessment ensures that the principles of proportionality and subsidiarity are complied with by assessing the specific cases in which protection of public order requires the highest level of assurance.

What this means for you

For in-house counsel and compliance officers, the implication is a shift from siloed compliance to integrated risk management. You cannot treat CADA, GDPR, NIS2, or sector-specific laws like DORA as separate compliance checklists. Instead, you must adopt a holistic approach:

  1. Conduct Integrated Risk Assessments: Use the framework in Article 29 to evaluate your cloud usage. When assessing the sensitivity and criticality of data, explicitly consider obligations under the GDPR and sector-specific laws like NIS2 and DORA. Document how these sector-specific risks influence your choice of Union Assurance Level.
  2. Adopt the Highest Standard: Where requirements overlap, implement the most stringent technical and organizational measures. If the GDPR's security-of-processing obligations (Article 32) call for encryption of the personal data involved and CADA Level 3 requires that data to remain exclusively in the EU, your cloud architecture must satisfy both. Do not assume CADA overrides the GDPR; assume it adds a further layer of security and sovereignty requirements on top of it.
  3. Leverage Synergies: Use the contractual and technical measures implemented for CADA compliance to support your GDPR compliance, as suggested in Recital 63. This can streamline vendor management and reduce the need for duplicate contracts or audits.
  4. Monitor Assurance Levels: Ensure that your cloud providers are recognized for the appropriate Union Assurance Level based on your risk assessment. For critical public order activities, Level 1 is insufficient; you must procure Level 2, 3, or 4 services. Verify that your providers undergo the necessary independent audits (for Levels 2-4) and maintain the required data localization and personnel controls.
  5. Prepare for Enforcement: Member States must lay down penalties for infringements of the sovereignty framework under Article 24. These penalties must be effective, proportionate and dissuasive. Ensure your internal compliance programs are robust to avoid these penalties, which can be significant for organizations failing to meet their sovereignty obligations.

Common misconceptions

  • Misconception: CADA overrides the GDPR.
    • Reality: CADA does not override the GDPR. Both laws apply concurrently. CADA addresses sovereignty and operational autonomy, while GDPR addresses personal data protection. Compliance requires meeting the requirements of both, often by implementing the stricter of the two sets of measures.
  • Misconception: All public sector cloud usage requires the highest sovereignty level.
    • Reality: CADA applies a risk-based approach. Only activities identified as contributing to the preservation of public order through an Article 29 risk assessment require Union Assurance Levels 2, 3, or 4. Other public sector activities can use Level 1 services.
  • Misconception: Sector-specific laws are irrelevant to CADA compliance.
    • Reality: Sector-specific obligations, such as those in NIS2 or DORA, are integral to the CADA risk assessment process. Recital 63 explicitly states that these obligations feed into the assessment of data sensitivity and criticality, influencing the required Union Assurance Level.
  • Misconception: Free flow of data always takes precedence.
    • Reality: While the free flow of data is a key EU principle, CADA allows for restrictions to protect public order. If a risk assessment identifies significant sovereignty risks, public sector bodies must procure services that limit data flow to third countries, even if this restricts the free flow of data, as permitted under Recital 64.

This is general information about a draft EU regulation, not legal advice.