What are the three core problems CADA tries to solve?

Summary As proposed, the Cloud and AI Development Act (CADA) targets three structural weaknesses in the EU's digital infrastructure: a deficit in domestic computing capacity, a heavy dependence on non-EU cloud providers that raises sovereignty concerns, and risks to operational continuity that can threaten public order. CADA would respond by accelerating data-centre deployment (aiming to triple EU capacity), establishing a harmonised sovereignty framework for cloud services, and requiring risk assessments to steer public-sector procurement. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.

Detail

The European Commission's proposal for the Cloud and AI Development Act (COM(2026) 502 final) identifies a set of interlocking problems that hinder Europe's economic security, technological autonomy, and digital resilience. Article 1 sets out the subject matter — a framework to strengthen the EU's cloud and AI ecosystem — targeting the compute-capacity gap, strategic dependence on third-country providers, and the need for sovereign, resilient public-sector infrastructure.

1. The compute-capacity deficit and deployment barriers

The first problem is the Union's shortage of computing capacity, especially the high-performance compute needed for AI. As the explanatory memorandum notes, limited data-centre capacity pushes European enterprises to route critical workloads through foreign hyperscaler infrastructure, making the EU a less attractive destination for tech investment.

As proposed, CADA would accelerate data-centre deployment across the Union. The explanatory memorandum sets the aim of tripling EU capacity within the next five to seven years and reaching the needed capacity by 2035. To get there, Title III would require Member States to designate "data centre acceleration zones" with streamlined permitting and harmonised sustainability requirements, and would empower the Commission to monitor the capacity gap and designate "data centre strategic projects" for accelerated support — tackling the regulatory fragmentation and slow permitting that hold back infrastructure growth.

2. Dependence on non-EU providers and data sovereignty

The second problem is the EU's dependence on a small pool of third-country cloud providers. As the explanatory memorandum reports, three non-EU hyperscalers control over 70% of the European cloud market, while the EU providers' share fell from 29% in 2017 to 15% in 2022 and has remained stagnant since. This concentration creates strategic dependencies: large incumbents are often subject to third-country jurisdictions whose laws have extraterritorial effect, including laws that may mandate data access in ways that conflict with EU fundamental rights and data-protection frameworks.

To mitigate this, CADA would introduce a Union cloud computing sovereignty framework in Title IV, with four Union assurance levels based on cumulative criteria in Annex II. As proposed, the criteria address factors such as the location of infrastructure and personnel, data localisation, and the absence of third-country control — with higher levels requiring that infrastructure, assets and personnel be in the Union and that providers not be under third-country control. This harmonised approach would replace fragmented national sovereignty criteria with a single EU-wide standard, letting providers scale across the internal market.

3. Operational continuity and public-order resilience

The third problem is the risk to public order from disruption of cloud services. As the explanatory memorandum argues, dependence on third-country actors exposes European users to risks such as unilateral decisions that disrupt service, degrade quality, or enable unauthorised access — particularly acute for the public sector, where cloud underpins functions in national security, defence, justice and other critical areas.

CADA would link cloud procurement directly to public-order resilience. Article 29 would require Member States and Union entities to carry out risk assessments identifying which public-sector activities contribute to the preservation of public order. Based on those assessments, Article 30 sets the procurement rule: activities not contributing to public order use Level 1 (Article 30(2)), while activities identified as contributing to public order in the relevant critical sectors must use Levels 2, 3, or 4 (Article 30(3)).

What this means for you

For public-sector procurement officers, CADA would integrate sovereignty and resilience into procurement as mandatory requirements rather than optional considerations.

First, you would engage in mandatory risk assessments. Under Article 29, your authority would identify which activities contribute to the preservation of public order — in sectors under the NIS2 Directive (Annex I or II of Directive (EU) 2022/2555) and in areas such as national security, defence and law enforcement. That assessment sets the minimum assurance level for your contracts; for public-order activities you could not simply pick the lowest-cost provider.

Second, you would verify provider recognition. Before awarding contracts, you would check the central repository of recognised cloud services maintained by the Commission (Article 22) to confirm the provider holds a valid recognition at the required level. Level 1 can be demonstrated through self-assessment; higher levels require independent third-party audits.

Third, you would consider multi-cloud strategies. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate. And Article 32 introduces "Union added value" criteria, letting you evaluate tenders on their contribution to the EU's digital ecosystem — for example, EU-designed or EU-manufactured hardware or software (kept ancillary, not decisive).

Common misconceptions

• "CADA bans non-EU cloud providers." No. It creates a tiered framework. Non-EU providers can still operate, particularly at Level 1, if they meet the criteria. At higher levels (3 and 4) the criteria tighten, effectively excluding providers under third-country control unless specific safeguards apply — including the possibility, under Article 18, for the Commission to identify "associated third countries" whose controlled providers may be audited against the Level 3 criteria.
• "CADA replaces the GDPR or AI Act." No. The GDPR governs data protection and the AI Act governs the risks of AI systems; CADA addresses the sovereignty, continuity and capacity of the cloud that hosts and runs them. A provider must comply with all applicable laws.
• "All public-sector cloud use requires the highest sovereignty level." No. The framework is risk-based and proportionate. Only activities identified as contributing to public order in the relevant critical sectors require Levels 2, 3 or 4; other activities use Level 1 (Article 30).

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)

Related

• Why can't existing EU laws already solve cloud sovereignty? (CADA)
• Why was the Cloud and AI Development Act (CADA) proposed?
• Why is the EU dependent on non-EU cloud providers?
• Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?
• Why does CADA focus so heavily on the public sector?

This is general information about a draft EU regulation, not legal advice.