CADA vs AI Act

Summary The proposed Cloud and AI Development Act (CADA) does not replace the EU AI Act but creates a parallel infrastructure layer that AI providers must navigate. While the AI Act regulates the safety and fundamental rights of AI systems, CADA addresses the sovereignty of the underlying cloud and the access to compute capacity. For AI providers, CADA introduces two critical new dimensions: (1) a mechanism to access subsidized, pooled high-performance computing for frontier AI projects via Articles 8 and 9, and (2) strict "Union assurance" requirements for cloud hosting when serving public-sector clients, particularly for activities contributing to public order (Articles 16, 29, 30). Compliance with the AI Act is necessary but insufficient for public-sector contracts under CADA.

Detail

The EU AI Act (Regulation (EU) 2024/1689) and the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) operate on different layers of the AI value chain. The AI Act is a product-safety and fundamental-rights regulation that imposes obligations on providers regarding risk management, data governance, and transparency. However, as explicitly stated in the CADA explanatory memorandum, the AI Act "does not cover aspects of sovereignty." It does not regulate where infrastructure is located, who controls the provider, or how compute capacity is allocated.

CADA fills this gap by establishing a framework to strengthen the EU's cloud and AI ecosystem. For AI providers, this means navigating a new set of incentives for compute access and new constraints on where and how their models can be hosted for public-sector use.

Compute Access and Frontier AI Support (Articles 8–9)

A primary innovation of CADA for AI providers is the creation of a structured pathway to access high-performance computing (HPC) resources, addressing the "compute gap" that the AI Act ignores.

Article 8 establishes the criteria for the Commission to recognize projects as "frontier AI priority projects." These are defined as pioneering projects focused on the support and scaling-up of frontier AI technologies—models that "approach, reach or exceed the current state of the art." To qualify, a project must:

• Be selected through open calls for expression of interest.
• Be undertaken by a European digital infrastructure consortium (EDIC) or another eligible legal entity.
• Involve the participation of at least three Member States.
• Pool computing time and other relevant resources to support implementation.

Article 9 then mandates the allocation of resources to these designated projects. It requires the Union and Member States to ensure sufficient AI computing resources are allocated to support frontier AI priority projects within the limits of available capacity. Crucially, Article 9(2) states that the Union shall "at least match the AI computing resources contributed by Member States to frontier AI priority projects" to the extent that sufficient capacity is available within the Union's share of European high-performance computing (EuroHPC) access time.

This mechanism offers AI providers a direct operational benefit: the ability to access subsidized, pooled compute resources through consortium collaboration, rather than relying solely on the open market. Furthermore, Article 9(3) extends this support to "AI industrial innovation, physical AI and public sector AI projects," broadening the scope of accessible resources beyond just frontier models.

Sovereign Cloud Hosting Requirements for Public-Sector AI

While the AI Act governs the model, CADA governs the hosting environment. This distinction is vital for AI providers targeting the public sector.

CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16). The level required depends on a risk assessment conducted by Member States and Union entities (Article 29) to determine if an activity contributes to the preservation of public order.

If an AI system is used in a context contributing to public order (e.g., national security, justice, defense, law enforcement, or critical infrastructure), Article 30(3) mandates that contracting authorities must procure cloud services recognized at Union assurance level 2, 3, or 4.

For AI providers, this creates a "sovereign hosting" requirement. Even if an AI model is fully compliant with the AI Act, it cannot be sold to public authorities for critical use cases unless it is hosted on infrastructure meeting CADA's assurance criteria. Annex II sets out these cumulative criteria, which include:

• Data Localization: Customer data, including metadata and telemetry, must remain exclusively within the Union (Annex II, 1.1(c), 2.1(c), 3.1(c), 4.1(c)).
• Personnel and Control: For levels 3 and 4, personnel involved in service provision must be Union citizens, and the provider must not be subject to the control of a third country (Annex II, 3.1(d), 4.1(d)).
• No Third-Country AI Training: Data generated by using the audited service must not be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country (Annex II, 2.1(f), 3.1(f), 4.1(f)).

Additionally, Article 18 allows for a derogation where a third country may be recognized as providing sufficient assurances for Level 3, but this requires a specific Commission implementing act and strict safeguards.

The AI Act Provides No Sovereignty or Compute-Access Measures

It is a common misconception that the AI Act's data governance rules (Article 10) or transparency obligations (Article 13) address sovereignty. They do not. The AI Act requires high-quality, representative data and transparency about training data, but it does not mandate that data stay within the EU, nor does it prevent providers from using EU data to improve models hosted outside the EU. Similarly, the AI Act is silent on the scarcity of compute resources.

CADA complements the AI Act by adding these missing layers. Where the AI Act says "your model must be safe and fair," CADA says "your model's hosting infrastructure must be sovereign, and you can access pooled compute if you collaborate on frontier projects."

What this means for you

For AI providers, CADA introduces a dual reality: new revenue streams through compute pooling and new compliance hurdles for public-sector contracts.

1. Form or Join Consortia: If you are an AI provider or a compute-intensive startup, consider forming or joining a European digital infrastructure consortium to apply for "frontier AI priority project" status under Article 8. This could grant access to matched EuroHPC compute time under Article 9, significantly reducing training costs for large models.
2. Audit Your Hosting Stack: If you sell AI systems to public authorities, especially in critical sectors, you must ensure your cloud hosting partner holds CADA recognition at the appropriate Union assurance level. Review your data flows to ensure no customer data is used to fine-tune third-country AI models, as strictly prohibited by Annex II.
3. Differentiate Your Offering: Market your AI solutions not just as AI Act-compliant, but as "CADA-ready." Highlighting that your service can be hosted on Union assurance level 3 or 4 infrastructure will be a key competitive advantage in public procurement tenders.
4. Monitor Risk Assessments: Keep track of how Member States conduct their risk assessments under Article 29. As more public-sector activities are classified as contributing to public order, the demand for high-assurance cloud services will grow, driving demand for sovereign hosting solutions.

Common misconceptions

"CADA replaces the AI Act for AI providers." False. CADA does not replace the AI Act. AI providers must still comply with all AI Act obligations regarding safety, data governance, and transparency. CADA adds additional requirements related to cloud sovereignty and compute access.

"The AI Act ensures my AI data stays in the EU." False. The AI Act requires data quality and governance but does not mandate data localization. CADA's sovereignty framework (Annex II) is what mandates that customer data remain exclusively within the Union for recognized sovereign services.

"Only cloud providers need to worry about CADA." False. While CADA directly regulates cloud computing services, AI providers are deeply affected because their ability to sell to the public sector depends on the sovereignty of the cloud infrastructure hosting their models. Additionally, AI providers can benefit directly from the compute access mechanisms in Articles 8–9.

"CADA's compute support is automatic." False. Access to matched compute resources under Article 9 is contingent on being recognized as a frontier AI priority project under Article 8, which requires meeting strict criteria including multi-Member State participation and consortium structure.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Data Act (Regulation (EU) 2023/2854)

Related

• CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
• CADA for Cloud Providers: How it stacks with NIS2, DORA & the Data Act
• Does CADA affect AI Act GPAI model providers using EU cloud?
• Does CADA add to AI Act transparency duties for AI in cloud?
• Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?

This is general information about a draft EU regulation, not legal advice.