The proposed Cloud and AI Development Act (CADA) is frequently misunderstood as an immediate ban on non-European cloud providers or a duplicate of existing AI regulations. In reality, CADA is currently a legislative proposal that would establish a four-tier sovereignty framework for public procurement, leaving market access open for providers who meet specific assurance criteria.
As proposed, the act would not mandate that cloud infrastructure be exclusively owned by EU entities, nor would it force private companies to adopt sovereign services. Instead, it would create a harmonised system for public authorities to assess risks and procure services that meet varying levels of data sovereignty and operational autonomy.
Detail
As proposed, the Cloud and AI Development Act (COM(2026) 502 final) aims to strengthen Europe's cloud and AI ecosystem by addressing dependencies on third-country providers and increasing domestic computing capacity. The proposal is not yet in force; it is subject to the ordinary legislative procedure. If adopted, it would apply one year after entry into force, with certain governance and penalty-related provisions applying on a different timeline.
The core of CADA's regulatory approach is the Union cloud computing sovereignty framework established in Article 16. This framework defines four Union assurance levels (Levels 1-4) for which cloud computing service providers can seek recognition. The levels are cumulative: a provider seeking Level 4 must also meet the criteria for Levels 1, 2, and 3. The criteria, detailed in Annex II, range from basic establishment and data-localisation requirements (Level 1) to stringent controls on personnel, cybersecurity certification, and freedom from third-country control (Level 4).
Crucially, the proposal distinguishes between the obligations of cloud providers and those of public-sector buyers. Cloud providers are not forced to achieve a specific assurance level. Instead, they may voluntarily apply for recognition by submitting evidence to the national competent authority of their establishment (Article 17). If recognised, they would be listed in a central repository (Article 22), making them eligible for public contracts that require that specific assurance level.
For public-sector bodies, the proposal would introduce procurement rules based on risk assessments. Under Article 29, Member States and Union entities must conduct risk assessments to determine which public-sector activities contribute to the preservation of public order. Article 30 then provides that:
- Union entities and public-sector bodies whose activities are not identified as contributing to public order must use cloud computing services recognised at Union assurance level 1.
- Contracting authorities whose activities are identified as contributing to public order (in sectors under Annex I or II of NIS2, or in national security, internal security, external border management, defence, justice or law enforcement) must only procure services recognised at Union assurance levels 2, 3, or 4.
This structure is designed to make sovereignty requirements proportionate. Not every public administration would need the highest level of sovereign cloud; only those handling critical functions. As proposed, Article 30(4) would also allow derogations in exceptional, duly justified cases — for example, where no recognised service is available or where applying the requirements would mean procuring at disproportionate cost.
What this means for you
For public-sector procurement officers, CADA would change how you specify and award cloud computing contracts. You would no longer rely solely on generic cybersecurity standards but would integrate the Union assurance levels into your tender documents.
1. Conduct Risk Assessments Early. Before launching a procurement process, determine whether your activity contributes to the preservation of public order under Article 29(1). This involves assessing the sensitivity, criticality, and magnitude of the data processed. If your activity involves, for example, national security, defence, or law enforcement, you would be required to procure from providers recognised at assurance levels 2, 3, or 4. For a standard administrative function, you would procure from at least a level 1 provider.
2. Check the Central Repository. When drafting technical specifications, refer to the central repository of recognised services (Article 22). You would require that providers be listed there at the appropriate assurance level, which helps ensure you reference an objective, EU-wide list rather than favouring specific national vendors.
3. Use Union Added Value Criteria. For innovative cloud and AI procurements, Article 32 would require non-price award criteria that evaluate a tenderer's contribution to the European cloud and AI ecosystem — for example, strengthening the EU digital supply chain or using hardware designed or manufactured in the Union. As proposed, these criteria must be ancillary and not decisive; they must be linked to the subject matter and set out in the procurement documents.
4. Plan for Migration. If your current cloud provider does not meet the required assurance level, Article 29(6) provides for a reasonable transition period not exceeding 12 months to migrate to a compliant service. Engage with potential providers early to ensure business continuity.
Common misconceptions
There are several persistent myths about CADA that can lead to incorrect procurement strategies or unnecessary alarm.
Myth 1: CADA bans non-European cloud providers. As proposed, this is false. CADA would not impose a blanket ban on providers controlled by third-country entities. Instead, it would create a tiered recognition system. A provider subject to third-country control could still seek recognition — particularly at Level 1 — provided it meets the criteria, including a guarantee under Annex II Level 1 criterion (g) that no laws or practices in that third country would compromise the criteria. For higher levels (2-4) the controls on third-country control become much stricter. Article 18 would also let the Commission identify third countries whose providers may be audited against Union assurance level 3, subject to cumulative criteria including a GDPR adequacy decision.
Myth 2: CADA is the same as the AI Act. CADA and the AI Act are distinct instruments. The AI Act (Regulation (EU) 2024/1689) focuses on the safety, fundamental rights, and transparency of AI systems, prohibiting certain practices and setting requirements for high-risk AI. As proposed, CADA focuses on the infrastructure and services that host and deliver those systems and on public-sector procurement. They are complementary: the AI Act addresses whether the AI system is trustworthy, while CADA would address whether the cloud environment is sovereign and resilient.
Myth 3: CADA is already in force. CADA is currently a Commission proposal. It has not been adopted by the European Parliament or the Council, so none of its provisions are legally binding today. Procurement officers should not attempt to enforce CADA requirements in current tenders. The proposal must go through the ordinary legislative procedure, which involves negotiations and potential amendments. Only after adoption and publication in the Official Journal would the entry-into-force and application dates become relevant.
Myth 4: Cloud providers must choose a sovereignty tier. The assurance levels would not be mandatory for providers to achieve. A cloud provider would be free to operate without seeking recognition. However, to sell to the public sector for the relevant activities, it would need to meet the minimum assurance level dictated by the buyer's risk assessment. A provider that does not seek recognition would simply be ineligible for public contracts requiring a specific assurance level. The application process would lie with the provider.
Myth 5: CADA replaces the Chips Act or the Data Act. As proposed, CADA would work alongside other EU legislation. The Chips Act focuses on semiconductor manufacturing and supply-chain resilience, while the Data Act focuses on data access and switching rights. CADA would address the broader ecosystem, including data centre deployment, sovereignty criteria, and public procurement. The memorandum frames the Data Act as an "enabler" whose switching rights help sovereign alternatives compete; CADA would not replace it.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.