Summary

As proposed in Article 1(1) of the Cloud and AI Development Act (CADA), the Regulation would establish a framework to strengthen the EU's cloud and AI ecosystem through five measures: (a) the Cloud and AI Leadership Initiatives; (b) a framework for accelerated data centre deployment; (c) a sovereign cloud and AI offer to safeguard public order; (d) reducing dependencies on critical technologies; and (e) fostering adoption of cloud services across the public sector. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.

Detail

CADA is a legislative proposal addressing the EU's strategic dependencies in cloud and AI. While the detailed obligations are spread across its titles, Article 1(1) gives the concise, high-level enumeration of the core measures.

According to the proposal text, the framework rests on five pillars:

1. Establishing the Cloud and AI Leadership Initiatives

  • Provision: Article 1(1)(a) — "establishing the Cloud Leadership Initiative and the AI Leadership Initiative ('the Cloud and AI Leadership Initiatives')".
  • Summary: These initiatives support research, innovation and large-scale capacity across the cloud and AI ecosystem, including next-generation data centre technologies, open cloud computing stacks, frontier AI, and physical and industrial AI (detailed from Article 3 onward). They are the supply-side engine.

2. Setting the framework for accelerated data centre deployment

  • Provision: Article 1(1)(b) — "setting the framework for the accelerated deployment of data centres across the Union".
  • Summary: A harmonised framework to simplify and speed up data centre deployment, including data centre acceleration zones (Article 10), streamlined permitting (Article 13) and strategic projects (Article 14), aimed at balanced geographic distribution and more compute capacity.

3. Enabling a sovereign cloud and AI offer to safeguard public order

  • Provision: Article 1(1)(c) — "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order".
  • Summary: This introduces the Union cloud computing sovereignty framework (Article 16), defining four Union assurance levels against which services can be audited and recognised, creating a verified market of trusted providers for sensitive public-sector use.

4. Reducing dependencies on critical technologies

  • Provision: Article 1(1)(d) — "reducing dependencies on critical technologies".
  • Summary: Measures to mitigate reliance on non-European providers and third-country jurisdictions, addressing risks such as extraterritorial data-access laws and operational discontinuity, including through European alternatives and resilient supply chains.

5. Fostering the adoption of cloud computing services across the public sector

  • Provision: Article 1(1)(e) — "fostering the adoption of cloud computing services across the public sector".
  • Summary: The demand-side lever: risk assessments (Article 29), sovereignty-linked procurement obligations (Article 30) and Union added value criteria (Article 32). The proposal also establishes the European public sector cloud federation, the "EuroCloud Federation" (Article 34), to help public authorities cooperate.

These five measures are designed to work together: the Leadership Initiatives (1) and data centre deployment (2) build the infrastructure base; the sovereignty framework (3) and dependency reduction (4) keep it secure and resilient; and public-sector adoption (5) creates stable, regulated demand.

The proposal also states two general objectives. Article 1(2) sets the first general objective — ensuring the conditions for competitiveness and innovation capacity of the Union's cloud and AI ecosystem. Article 1(3) sets the second, separate and complementary objective — improving the functioning of the single market by laying down a uniform Union legal framework to increase resilience and strategic autonomy.

What this means for you

For public-sector and procurement officers, the most immediate impact comes from measures 3, 4 and 5, which change how public entities procure and manage cloud.

Procurement strategy shifts. Under the proposed sovereignty framework you would no longer treat all providers as equal on risk. You would conduct Article 29 risk assessments to set the appropriate Union assurance level; for public-order activities (such as national security, justice or critical infrastructure) you may be restricted to providers recognised at Levels 2, 3 or 4.

Cooperation mechanisms. Measure 5 is supported by the EuroCloud Federation (Article 34). Prepare for opportunities to cooperate with other Member States and the Commission, which can reduce administrative burden but requires alignment with EU-wide standards.

Open source and interoperability. The proposal places notable emphasis on open source and avoiding lock-in (reflected in the open-source-licence definition in Article 2 and the procurement provisions). Review contracts and tenders for data portability and switching.

Strategic planning. Measures 1 and 2 shape the market — more data centres and European cloud stacks will gradually increase sovereign options. Plan long-term IT strategy to anticipate migration toward these providers as they become available and recognised.

Common misconceptions

"CADA bans non-EU cloud providers." No. It creates a tiered assurance system, not a ban. Non-EU providers can still operate, but to serve sensitive public-order functions they must meet strict criteria and pass independent audits for a higher assurance level. The aim is risk management.

"The Leadership Initiatives are just funding programmes." They are broader strategic frameworks coordinating research, innovation and large-scale deployment across the Union, not simple grant schemes.

"All public bodies must use the highest sovereign-cloud level." No. The approach is proportionate: most standard activities would use Level 1, with higher levels reserved for activities identified through risk assessment as preserving public order or involving highly sensitive data.

"CADA replaces the GDPR or the AI Act." No. CADA would complement them. It does not replace the GDPR's data-protection rules or the AI Act (Regulation (EU) 2024/1689); it adds a layer focused on sovereignty, operational continuity and strategic autonomy.

This is general information about a draft EU regulation, not legal advice.