Summary

The proposed Cloud and AI Development Act (CADA) would fundamentally reshape the operational landscape for automotive suppliers and Tier 1 vendors. As proposed, the regulation would embed these suppliers in EU-wide initiatives for industrial AI, mandate participation in secure data-pooling ecosystems for autonomous driving, and impose strict "Union assurance" requirements on the cloud infrastructure underpinning their software. While CADA does not directly regulate the automotive sector's products, its sovereignty framework would cascade through the supply chain, requiring vendors to ensure their cloud providers meet specific assurance levels to serve public-sector or critical-infrastructure clients.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem, reduce dependence on third-country providers, and enhance strategic autonomy. For automotive suppliers and Tier 1 vendors, the proposal is not merely a back-office compliance exercise; it is a strategic framework that directly influences how software-defined vehicles (SDVs), autonomous driving systems, and industrial AI are developed, tested, and deployed.

Industrial AI and Strategic Sectors: The Automotive Mandate

CADA explicitly identifies the automotive sector as a strategic priority for industrial AI development. Under the Cloud and AI Leadership Initiatives, the proposal aims to accelerate the uptake of AI across key industrial sectors, with transport and automotive receiving specific attention.

Recital 19 of the explanatory memorandum provides the clearest signal of the expected cooperation model. It states that advancements in the automotive sector should support the development, testing, and deployment of innovative software platforms contributing to Union industrial leadership in software-defined vehicles and autonomous driving. Crucially, the recital notes that Member States should facilitate the development, testing and deployment of AI systems for autonomous driving, including through cooperation with the Centres for AI, the automotive industry, suppliers, cities and regions.

This establishes a formal expectation for Tier 1 vendors to be active participants in a coordinated European effort. Suppliers would likely need to engage with the new network of Experience and Acceleration Centres for AI (established under Article 5) to access testing facilities, skills, and innovation support. These centres are tasked with helping organisations accelerate their digital transformation and connecting them with European providers of cloud and AI technologies, effectively creating a bridge between automotive R&D and the sovereign cloud infrastructure.

Data Pooling and Collaborative AI: Breaking Silos

A major bottleneck for automotive AI is access to high-quality, diverse training data. CADA addresses this by promoting secure data pooling mechanisms. Article 4(5)(c) outlines an operational objective to "enable secure large-scale data pooling for collaborative AI training through technologies enhancing privacy and preserving confidentiality."

For automotive suppliers, this implies a structural shift towards collaborative data ecosystems. The proposal encourages the use of trusted third parties to pool data across industrial sectors while strictly preserving intellectual property rights. Tier 1 vendors would be expected to participate in these data spaces, potentially using federated learning or other privacy-enhancing technologies to train specialised AI models without exposing raw, sensitive vehicle or driver data.

Furthermore, Article 9 provides for the allocation of AI computing resources to support industrial AI projects. This suggests that suppliers working on frontier or industrial AI applications could gain access to European high-performance computing (EuroHPC) capacity, provided they align with the Union's strategic goals. This access is critical for training large-scale models required for autonomous navigation and real-time decision-making.

Sovereign Cloud Requirements and the Supply Chain Cascade

The most direct operational impact on Tier 1 vendors stems from CADA's Union cloud computing sovereignty framework (established in Article 16). This framework introduces four "Union assurance levels" (1 to 4) that cloud computing services must meet to be recognised as sovereign.

While these rules primarily target cloud service providers, the obligations cascade down the supply chain through public procurement and risk assessment mechanisms:

  1. Risk Assessment Trigger: Under Article 29, Member States and Union entities must carry out risk assessments to determine which public sector activities contribute to the preservation of public order. This includes sectors falling under the NIS2 Directive (Annex I or II) and areas like national security, internal security, and law enforcement.
  2. Procurement Mandate: If a public sector activity or a critical industrial use case is deemed to affect public order, the contracting authority must procure cloud services that meet at least Union assurance level 2, 3, or 4 (Article 30(3)).
  3. Private Sector Impact: While Article 31 allows private sector entities in high-criticality sectors to conduct similar impact assessments, the market pressure is significant. If an automotive OEM or a Tier 1 vendor supplies software to public bodies (e.g., for smart city traffic management, emergency response vehicles, or public transport), they must ensure the underlying cloud infrastructure meets these assurance levels.

For Tier 1 vendors, this creates a "sovereign cloud pressure" effect:

  • Vendor Vetting: Suppliers must ensure their cloud providers and sub-processors are recognised under the CADA framework. If a cloud provider is not recognised, the automotive client may be unable to use the supplier's software in sovereign or critical contexts.
  • Data Localisation: Higher assurance levels (particularly levels 2–4) require that customer data, including metadata and telemetry, remain exclusively within the Union unless explicitly authorised otherwise (Annex II, Section 2.1(c)). Automotive telemetry data, which often includes precise location and driver behaviour, will be subject to these strict localisation rules.
  • Third-Country Control: Providers must demonstrate they are not subject to the control of a third country in a way that could allow unauthorised access to data or disruption of service (Annex II, Section 2.1(g)). This is particularly relevant for Tier 1 vendors who may currently rely on global hyperscalers with extraterritorial legal exposures.

Accelerated Deployment and Testing Infrastructure

CADA also facilitates the physical and digital infrastructure needed for automotive innovation. Article 10 requires Member States to designate data centre acceleration zones where permitting is streamlined. This is critical for the low-latency computing required by autonomous driving and V2X (vehicle-to-everything) communication.

Additionally, the proposal supports the testing of AI systems in real-world conditions. While the AI Act provides the general framework for testing, CADA's Cloud and AI Leadership Initiatives (Article 4) specifically support the "development, testing and validation in real-world environments of physical AI models and systems" (Article 4(4)(c)). This creates a supportive regulatory environment for Tier 1 vendors to test autonomous driving features in designated zones with reduced administrative barriers, complementing the cooperation with cities and regions mentioned in Recital 19.

What this means for you

If you are an automotive supplier or Tier 1 vendor, CADA would require a proactive review of your cloud and AI strategy:

  • Audit Your Cloud Stack: Identify which cloud services you use for development, training, and deployment. Verify if they are eligible for Union assurance levels. If your current provider is a non-EU hyperscaler without recognised sovereignty status, you may face barriers to selling to EU-based OEMs or public sector partners.
  • Engage with Data Spaces: Prepare to participate in European data spaces. Invest in privacy-enhancing technologies (PETs) that allow you to contribute to data pooling for AI training without violating data protection or intellectual property rules.
  • Leverage Support Mechanisms: Register your innovation projects with the Centres for AI in your Member State. These centres can provide access to testing facilities, skills training, and connections to European cloud providers, helping you meet the "AI first" principle promoted by the regulation.
  • Monitor Public Procurement Rules: If you supply software to public sector bodies (e.g., for smart mobility solutions), ensure your solution can be hosted on a cloud service that meets the required Union assurance level. Failure to do so could disqualify you from tenders.

Common misconceptions

  • "CADA only applies to cloud providers." While the sovereignty framework directly regulates cloud providers, its requirements cascade through the supply chain. Automotive vendors cannot ignore the sovereignty status of their underlying infrastructure if their clients are subject to CADA's procurement rules.
  • "Data localisation means all data must stay in one Member State." CADA promotes the free flow of data within the Union. Data must remain within the EU, but it can be processed across different Member States unless a specific public sector body explicitly requires otherwise.
  • "Autonomous driving testing is fully covered by the AI Act." While the AI Act regulates the safety and fundamental rights aspects of AI systems, CADA provides the specific industrial policy framework, data pooling mechanisms, and compute resource allocation to enable the development and testing of these systems at scale.

This is general information about a draft EU regulation, not legal advice.