The US CLOUD Act and the EU-US Data Privacy Framework (DPF) both address cross-border data — access and transfer legality respectively — but neither establishes a framework for operational autonomy or technological sovereignty. The proposed Cloud and AI Development Act (CADA) is designed to fill that gap with a harmonised "Union cloud computing sovereignty framework" that would set assurance levels for public sector procurement. The CADA explanatory memorandum says the proposal "complements the EU-US Data Privacy Framework as the notion of sovereignty goes beyond data transfers and relates to operational autonomy too." CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

The three instruments are often conflated, which obscures what "sovereignty" means in EU law. Counsel should distinguish the extraterritorial reach of US law, the transfer mechanism of the DPF, and the operational-autonomy requirements CADA would introduce.

The US CLOUD Act: extraterritorial data access

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) amended the Stored Communications Act to require US providers to disclose data in their "possession, custody, or control, regardless of whether" it is stored inside or outside the United States (18 U.S.C. § 2713). This creates a sovereignty conflict for EU entities: a US-based provider can be compelled by US legal process to produce data held in an EU data centre.

The Act also authorises executive agreements with "qualifying foreign governments" (§ 2523) and gives providers a limited comity mechanism to move to quash or modify legal process that conflicts with a qualifying government's laws. But that pathway does not prevent the initial compulsion, and it depends on an executive agreement being in place. Relying on US law reform alone does not guarantee that data on US-controlled infrastructure is immune from US access.

The EU-US Data Privacy Framework: transfer legality, not sovereignty

The DPF is an adequacy decision that permits the lawful transfer of personal data from the EU to participating US recipients, by ensuring protection essentially equivalent to that guaranteed in the EU. It addresses the legality of the transfer under the GDPR.

As the CADA explanatory memorandum notes, "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers." The DPF does not stop a provider from degrading service, disrupting continuity, or being subject to foreign access to non-personal data such as telemetry or metadata. It secures data-transfer privacy standards, not the operational autonomy of the infrastructure.

CADA: operational autonomy and Union assurance levels

CADA would address these residual risks through a "Union cloud computing sovereignty framework" (Article 16). The focus is not whether a transfer is lawful under privacy law, but whether the provider is subject to third-country control that could undermine Union public order.

CADA would establish four Union assurance levels, with the cumulative criteria set out in Annex II:

  • Level 1: the provider must be established in the Union with infrastructure and assets located in the Union; customer data (including metadata and telemetry) must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II §1.1).
  • Levels 2–4: progressively stricter — independent third-party audit (Article 20), location of personnel in the Union, Union-citizen personnel at levels 3 and 4, and a prohibition on third-country control (with a limited level-3 derogation for "associated third countries" under Article 18).

Article 16(1) would require providers to meet these criteria in order to provide services to Union entities and public sector bodies — a market mechanism for sovereignty that operates independently of any transfer-adequacy decision.

Why CADA goes beyond the DPF

The complementarity is explicit in the memorandum: sovereignty "goes beyond data transfers and relates to operational autonomy too."

This matters in practice. A provider can be DPF-compliant for personal-data transfers yet fail a higher Union assurance level because it is subject to third-country control that could disrupt continuity or expose non-personal data. CADA would require Member States and Union entities to run risk assessments (Article 29) to set the level appropriate to each activity; for activities identified as contributing to the preservation of public order — in NIS2 Annex I/II sectors and in national security, internal security, external border management, defence, justice or law enforcement — contracting authorities could only procure services recognised at level 2, 3 or 4 (Article 30(3)).

What this means for you

For in-house counsel, the interplay calls for a two-layered strategy:

  1. Data-transfer compliance (GDPR/DPF): continue to rely on the DPF — or SCCs and other safeguards where adequacy does not apply — for lawful transfers of personal data to US recipients. This satisfies privacy obligations.
  2. Sovereignty and procurement compliance (CADA): evaluate providers against the Union assurance levels. Public sector bodies and Union entities would run risk assessments under Article 29.
    • Timing: as proposed, Member States and Union entities must carry out the risk assessments by [date of entry into force plus one year], and thereafter every two years (Article 29(1)).
    • Procurement restrictions: activities identified as contributing to the preservation of public order could only use services recognised at level 2, 3 or 4 (Article 30(3)); other public sector activities must use at least level 1 (Article 30(2)). Limited exceptional derogations would apply (Article 30(4)).
    • Private sector: the mandatory rules target the public sector, but private entities listed in Annex I of the NIS2 Directive may carry out similar impact assessments (Article 31), and procurement spillover may push hyperscalers toward separate, EU-controlled entities to retain public contracts.

Note: CADA is a proposal; the precise enforcement and penalty regime will depend on the final adopted text and national implementation.

Common misconceptions

  • "If we use the DPF, our data is sovereign." No. The DPF secures privacy standards during transfer; it does not prevent a provider being compelled to degrade service or expose non-personal data under foreign law. CADA targets that operational risk.
  • "CADA replaces the GDPR." No. CADA would complement it. You still need a lawful basis for processing and a valid transfer mechanism; CADA would add structural and operational requirements for the infrastructure.
  • "Only US providers are affected by CADA." No. CADA would apply to all providers serving the EU public sector. EU providers must also meet the assurance levels and prove independence from third-country control.
  • "Sovereignty means data must never leave the EU." Not exactly. At level 1, data must remain exclusively in the Union unless the public sector body explicitly requires otherwise (Annex II §1.1(c)). The core focus is control and autonomy: a provider established in the EU but controlled by a third-country entity could still fail the higher levels.

This is general information about a draft EU regulation, not legal advice.