Summary

If your organisation operates in the EU cloud and AI ecosystem, the proposed Cloud and AI Development Act (CADA) would likely affect you — but your obligations depend entirely on your role. As proposed, public-sector bodies and Union entities face risk-assessment and procurement duties; cloud computing service providers face a new sovereignty assurance framework; data centre operators face acceleration-zone rules; and some private firms in critical sectors may carry out impact assessments. CADA is broad, but it deliberately separates supply-side measures (infrastructure) from demand-side measures (procurement).

Detail

The Cloud and AI Development Act (CADA) is a proposed EU Regulation aimed at strengthening the Union's cloud and AI ecosystem — increasing computing capacity, enabling a sovereign cloud offer and boosting public-sector uptake of these technologies. Because it seeks to reshape the market, its reach is wide. But, as proposed, it does not impose identical duties on every actor; it creates distinct obligations for different categories of organisation.

To work out whether CADA would affect you, first identify your role in the cloud and AI value chain. The categories the proposal addresses include:

  1. Cloud computing service providers — legal entities that provide a cloud computing service (Article 2, point (2)).
  2. Data centre operators — entities building or operating data centres, especially within designated "acceleration zones."
  3. Contracting authorities and Union entities — public-sector bodies and EU institutions procuring cloud services or AI systems.
  4. Certain private-sector entities in critical sectors — notably entities listed in Annex I of the NIS2 Directive (such as energy, transport, banking and health).

If you fall into any of these, CADA would affect your operations, compliance processes or procurement. Here is how the proposal applies to each role.

1. Public buyers (contracting authorities and Union entities)

If you are a public authority or Union entity, you would be directly subject to CADA's demand-side measures, centred on risk management and procurement.

  • Risk assessments: Under Article 29, Member States and Union entities would carry out risk assessments identifying which public-sector activities contribute to the preservation of public order, and which Union assurance level (2, 3 or 4) is appropriate for them.
  • Procurement rules: Under Article 30, if your activities are not identified as contributing to public order, you would use services recognised at Union assurance level 1. If they are identified as contributing to public order — in sectors under Annex I or II of NIS2, or in national security, internal security, external border management, defence, justice or law enforcement — you would only procure services recognised at Union assurance level 2, 3 or 4.
  • Union added value: Under Article 32, when procuring innovative cloud services or AI systems, you would include non-price award criteria assessing the tenderer's contribution to the European cloud and AI ecosystem (for example, EU-designed hardware or software).
  • Open source: Article 41 would have the Union and Member States encourage public bodies to use, and facilitate reuse of, open standards and open-source components when building their cloud and AI stack.

2. Cloud computing service providers

If you provide cloud computing services, your obligations would focus on demonstrating sovereignty in order to serve the public sector.

  • Sovereignty framework: To provide services to Union entities and public-sector bodies, you would seek recognition under the Union cloud computing sovereignty framework in Article 16, which comprises four assurance levels.
  • Assurance levels:
    • Level 1: a conformity self-assessment leading to an EU statement of conformity (Article 19).
    • Levels 2–4: independent third-party audits (Article 20) against the cumulative criteria in Annex II, covering matters such as data localisation, Union citizenship of personnel, cybersecurity certification and control by third countries.
  • Transparency: You would notify the auditing organisation and your national competent authority of any material change that may affect your audit opinion or recognition (Article 23).
  • Penalties: Member States would lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty framework (Article 24).

3. Data centre operators

If you operate or plan to build data centres, CADA would affect where and how you deploy capacity.

  • Acceleration zones: Where data centre capacity is being deployed in a Member State, that Member State would designate at least one data centre acceleration zone (Article 10), with streamlined permitting (Article 13) but specific sustainability conditions.
  • Sustainability: Within acceleration zones, Member States would set sustainability requirements using the key performance indicators in Delegated Regulation (EU) 2024/1364 (Article 11).
  • Strategic projects: The Commission may designate qualifying projects as data centre strategic projects (Article 14) where they meet at least two listed criteria, unlocking certain benefits.
  • Single information points: You would have the right, on request, to be assisted by a single information point throughout the project lifecycle in an acceleration zone (Article 12).

4. Private-sector entities (NIS2 entities)

CADA primarily targets the public sector, but it reaches into critical-infrastructure firms.

  • Impact assessments: Under Article 31, entities listed in Annex I of Directive (EU) 2022/2555 (NIS2) that are not public-sector bodies may carry out assessments similar to the Article 29 risk assessments. This is voluntary by default.
  • Possible mandatory step: The Commission may issue guidance on the methodology and mitigation measures, and — in specific, duly justified circumstances and in consultation with Member States — may adopt delegated acts requiring entities in sectors of high criticality to perform impact assessments and take risk-mitigation measures (Article 31).

What this means for you

  • For public procurement officers: Prepare for the Article 29 risk assessments of your cloud usage. Review current contracts; if you use services that would not meet the required assurance level, plan migration. Build "Union added value" criteria into tenders for innovative cloud and AI procurements.
  • For cloud providers: If you want to serve the EU public sector, prepare for the sovereignty framework. Level 1 means a self-assessment that data and infrastructure remain in the Union; higher levels mean rigorous third-party audits of your supply chain, personnel and cybersecurity. Have your transparency processes ready to report material changes.
  • For data centre operators: Track which acceleration zones your target Member States designate, align your sustainability metrics with the EU data centre rating scheme, and consider applying for "strategic project" status for large projects.
  • For private-sector leaders: If you operate in a NIS2 critical sector, watch for Commission guidance on impact assessments. These are voluntary today but could become mandatory for high-criticality sectors via delegated acts — which would in turn shape your choice of cloud provider.

Common misconceptions

  • "CADA only applies to cloud providers." Incorrect. Providers face significant compliance, but public buyers face procurement mandates and data centre operators face deployment rules — and some private firms in critical sectors are within reach of impact assessments.
  • "All public cloud contracts must use level 4 assurance." Incorrect. CADA takes a risk-based approach. Public activities not contributing to public order would require at least level 1; higher levels (2, 3 or 4) apply only where a risk assessment identifies the activity as contributing to public order in sensitive sectors.
  • "CADA replaces the AI Act." Incorrect. The AI Act (Regulation (EU) 2024/1689) governs the safety and fundamental-rights compliance of AI systems. CADA focuses on the sovereignty, capacity and procurement of the underlying cloud and AI ecosystem. They are complementary; CADA does not regulate AI safety.
  • "Small providers are exempt." Not exactly. SMEs get a simplification — an EU statement of conformity for level 1 is directly and automatically recognised across Member States without prior national recognition (Article 17(3)) — but they are not exempt from the sovereignty framework if they wish to serve the public sector.

This is general information about a draft EU regulation, not legal advice.