Summary

No, there is no existing EU law that exempts you from the obligations set out in the proposed Cloud and AI Development Act (CADA). Compliance with other major EU digital regulations, such as the AI Act, GDPR, NIS2, or DORA, does not waive your duties under CADA. The CADA sovereignty framework is a standalone legal requirement that operates in parallel to these other instruments. The Commission's explanatory memorandum explicitly states that existing laws address technical cybersecurity and data protection but do not cover "aspects of sovereignty," which is the specific gap CADA is designed to fill.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a distinct regulatory framework designed to strengthen the EU's cloud and AI ecosystem by addressing strategic dependencies and ensuring operational autonomy. A critical question for cloud service providers is whether adherence to established EU laws satisfies the new, specific requirements of CADA. The definitive answer is no. CADA introduces standalone obligations, particularly regarding the four Union assurance levels, that are not covered by, nor exempted through, compliance with other EU legislation.

CADA is not a subset of other laws

CADA creates a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16). This framework sets harmonised criteria for cloud computing services to be recognised as offering specific levels of Union assurance. These criteria address risks related to data sovereignty, operational autonomy, and public order that are distinct from general cybersecurity or data privacy.

The explanatory memorandum explicitly clarifies this distinction in Recital 47: "Existing Union law addresses cybersecurity, data protection, interoperability and data portability requirements which cloud computing services are subject to. However, there is no cross-cutting Union regulatory framework establishing a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks." The text further notes that while the NIS2 Directive improves cybersecurity risk management, it is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." Consequently, meeting the technical standards of NIS2 or the data protection rules of the GDPR does not automatically grant a provider a CADA Union assurance level.

The AI Act and CADA are complementary, not interchangeable

The AI Act (Regulation (EU) 2024/1689) harmonises rules for AI systems and general-purpose AI models to ensure they are safe, transparent, and respect fundamental rights. However, the explanatory memorandum states plainly that the AI Act "does not cover aspects of sovereignty." CADA complements the AI Act by focusing on the infrastructure and supply-chain resilience that underpins AI deployment.

Compliance with the AI Act's risk management, data governance, and transparency obligations does not exempt a provider from CADA's requirements regarding infrastructure location, personnel citizenship, or freedom from third-country control. The AI Act governs the software (the AI system), while CADA governs the platform (the cloud infrastructure). A provider could be fully compliant with the AI Act for a high-risk AI system yet fail CADA's sovereignty criteria if their data centre assets are located outside the Union or if they are subject to third-country control.

GDPR, NIS2, DORA, and the Data Act do not provide exemptions

The proposal explicitly addresses the relationship with other key instruments, confirming that none serve as a substitute for CADA:

  • GDPR: The General Data Protection Regulation protects personal data. While CADA is consistent with GDPR rules, the GDPR does not address operational autonomy or the risk of service disruption by third-country actors. CADA's sovereignty criteria include requirements the GDPR does not, such as ensuring that customer data remains exclusively within the Union and that technical support is performed exclusively within the Union by Union residents (Annex II, Union assurance levels 2–4).
  • NIS2: The Directive on Security of Network and Information Systems (NIS2) improves cybersecurity risk management. However, as noted in the explanatory memorandum, it is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." NIS2 compliance does not satisfy CADA's requirements for Union establishment, localisation of assets, or independence from third-country control.
  • DORA: The Digital Operational Resilience Act applies to the financial sector. While it covers cloud providers serving financial entities, it has a sectoral scope and "does not contain measures to boost the uptake and use of such services" in the broader public sector. It is specific to financial operational resilience and does not establish the broad, horizontal sovereignty framework that CADA proposes for public order and critical infrastructure across all sectors.
  • Data Act: The Data Act enables switching and reduces vendor lock-in. The explanatory memorandum describes it as an "enabler" for the proposal, noting that it "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers." It does not mandate the specific assurance levels defined in CADA.

CADA's sovereignty obligations are standalone

Under CADA, cloud computing service providers seeking to offer services to Union entities and public sector bodies must undergo a specific recognition process. For Union assurance level 1, providers must issue an EU statement of conformity (Article 19). For levels 2, 3, and 4, providers must undergo independent third-party audits (Article 20).

These processes are specific to CADA. There is no provision in the proposal that allows a provider to substitute a NIS2 certification, a GDPR compliance report, or an AI Act conformity assessment for the CADA audit or statement of conformity. The criteria in Annex II are cumulative and specific; for instance, Union assurance levels 3 and 4 require personnel to be Union citizens (Annex II, 3.1(d) and 4.1(d)), a requirement that exists in no other EU digital regulation.

What this means for you

If you are a cloud service provider or data centre operator targeting the EU public sector or critical infrastructure, you must plan for stacked compliance. You cannot rely on your existing compliance portfolio as a shield against CADA.

  1. Audit your sovereignty posture: Review your infrastructure, personnel, and subcontractors against the criteria in Annex II of CADA. Even if your data encryption meets GDPR standards, you must also ensure that your infrastructure and assets are located in the Union and that you are not subject to the control of a third country (Annex II, Union assurance level 1, criteria a, b, g).
  2. Prepare for separate assessments: Expect to undergo distinct conformity assessments or audits for CADA. For higher assurance levels, this involves independent auditing organisations verifying your compliance with specific sovereignty criteria, such as the location of technical support and the absence of third-country control over your software supply chain.
  3. Update your contracts: Ensure your contracts with subcontractors reflect CADA's strict requirements on data localisation and personnel location, which may be more stringent than your current GDPR or NIS2 contractual obligations.
  4. Monitor legislative progress: As CADA is a proposal, the final text may change. However, the core principle that sovereignty compliance is separate from cybersecurity and data protection compliance is firmly established in the current draft.

Common misconceptions

  • "If I am GDPR compliant, I am CADA compliant." False. GDPR protects personal data privacy; CADA protects operational autonomy and data sovereignty. A provider can be GDPR compliant but fail CADA criteria if, for example, their technical support staff are located outside the Union or if they are subject to third-country laws that could compel data access.
  • "NIS2 certification covers CADA sovereignty levels." False. NIS2 focuses on cybersecurity resilience. CADA includes cybersecurity but also mandates structural independence from third-country control, specific personnel citizenship requirements (for levels 3 and 4), and strict data localisation.
  • "The AI Act replaces the need for CADA." False. The AI Act regulates the AI systems themselves. CADA regulates the cloud infrastructure and services that host and run those systems. They address different layers of the technology stack.
  • "Compliance with one EU law exempts me from others." False. EU digital law is cumulative. Providers must comply with the AI Act, GDPR, NIS2, DORA (if applicable), and CADA simultaneously. There is no "one-size-fits-all" exemption.

This is general information about a draft EU regulation, not legal advice.