Summary

As proposed, the Cloud and AI Development Act (CADA) would add a new layer of obligations for in-house legal and compliance teams, centred on cloud sovereignty, data centre deployment and public procurement. Public sector bodies and certain NIS2 private entities would have to run risk or impact assessments and procure cloud at specific "Union assurance levels." Penalties under the proposal apply to cloud computing service providers' infringements of the sovereignty framework, not directly to private buyers. Legal teams would need to map obligations by entity type and integrate CADA alongside the AI Act, GDPR, NIS2 and DORA. Nothing here is in force yet.

Detail

CADA (COM(2026) 502 final) aims to reduce dependence on non-European providers and grow EU compute capacity. For legal and compliance professionals, it shifts the focus from purely technical cybersecurity to "technological sovereignty" and operational autonomy.

Mapping obligations by entity type

1. Cloud computing service providers (CCSPs)

  • Recognition: Providers wishing to serve the public sector must seek recognition for Union assurance levels. Level 1 is based on an EU statement of conformity / self-assessment (Article 19); levels 2–4 require an independent third-party audit (Article 20). Recognition is obtained through the national competent authority of establishment (Article 17).
  • Reporting changes: Where a change may affect the audit report, the positive opinion under Article 20 or the recognition under Article 17, the provider must notify it (Article 23).
  • Audit cooperation: Providers grant auditing organisations the access needed to perform audits (Article 20).

2. Public sector bodies and Union entities

  • Risk assessments: Member States and Union entities must run risk assessments identifying public-sector activities that contribute to the preservation of public order and determining which Union assurance level (2, 3 or 4) is appropriate (Article 29).
  • Procurement mandates: Under Article 30, bodies whose activities are not identified as public-order-relevant use services recognised at Union assurance level 1 (Article 30(2)); those that are must procure only services recognised at level 2, 3 or 4 (Article 30(3)), subject to limited exceptions in Article 30(4).
  • Open source: Public bodies are encouraged toward open source and, where they make owned software available for reuse, must use a catalogue connected to the EU OSS Catalogue (Articles 41–43).

3. Private sector entities (NIS2 scope)

  • Impact assessments: Entities listed in Annex I of NIS2 (Directive (EU) 2022/2555) that are not public bodies may carry out assessments similar to those in Article 29 (Article 31(1)). The Commission may issue methodology guidance (Article 31(2)) and, for sectors of high criticality, may adopt delegated acts making such assessments and risk-mitigation measures mandatory (Article 31(3)).
  • Spillover: Even absent a mandate, private critical-sector entities may face contractual pressure from public-sector clients.

4. Data centre operators

  • Acceleration zones: Operators in designated zones benefit from faster permitting but must meet sustainability requirements and fair, non-discriminatory resource allocation (Articles 10–11).
  • Single information points: Operators may, on request, be assisted by a single information point throughout the project lifecycle (Article 12).

Key deadlines and timeline

Under Article 48, the Regulation would enter into force on the twentieth day after publication in the Official Journal and apply from one year after entry into force.

  • Data centre acceleration zones: at least one to be designated within six months of entry into force (Article 10).
  • National strategies: to be established within one year of entry into force (Article 7).
  • National competent authorities: to be designated within one year of entry into force (Article 25).
  • Risk assessments: initial assessment within one year of entry into force, then every two years (Article 29).

These dates run from final adoption and publication, which remain subject to the ordinary legislative procedure.

Penalties and enforcement

Article 24 requires Member States to lay down rules on penalties for infringements of the sovereignty Chapter (Title IV, Chapter I) by cloud computing service providers. Penalties must be effective, proportionate and dissuasive. In imposing them, Member States take into account non-exhaustive criteria including the nature, gravity, scale and duration of the infringement; mitigation; previous infringements; financial benefits gained or losses avoided; any other aggravating or mitigating factor; and the infringing party's annual turnover in the preceding financial year in the Union (Article 24(2)).

Recipients of cloud services have the right to seek compensation from providers for damage or loss due to an infringement of obligations under that Chapter (Article 24(3)).

Enforcement sits with national competent authorities (Article 25), which have investigative powers under Article 26. Mutual assistance and cross-border cooperation mechanisms are established (Articles 27–28).

Interaction with existing EU law

  • AI Act: The AI Act regulates the safety and fundamental-rights impact of AI systems; CADA focuses on cloud infrastructure and sovereignty. The Commission's memorandum states the AI Act "does not cover aspects of sovereignty."
  • GDPR: Per the memorandum, CADA is consistent with existing personal-data rules including the GDPR; sovereignty (operational autonomy) goes beyond data transfers, so CADA complements rather than replaces data-protection law.
  • NIS2: CADA references NIS2 throughout; NIS2-scope entities may conduct impact assessments (Article 31), and the public-sector risk assessments are keyed to the NIS2 Annex I/II sectors (Article 29).
  • DORA: The memorandum notes CADA supports the objectives of the Digital Operational Resilience Act, which shapes compliance for cloud providers serving the financial sector.

What this means for you

For in-house counsel and compliance officers, CADA would shift the role from passive compliance toward active strategic procurement and governance.

  1. Audit preparedness. If you provide cloud to the public sector, prepare for third-party audits (Article 20): document internal controls, supply-chain transparency and data-residency policies.
  2. Procurement policy. Update public procurement policies to reflect assurance levels (Article 30) and Union-added-value criteria (Article 32); add clauses on subcontractor transparency and third-country control.
  3. Risk-assessment integration. Align internal frameworks with the Article 29 methodology; identify which activities may have "public order relevance."
  4. Cross-border coordination. Establish channels with national competent authorities if you operate across Member States (Articles 25–28).
  5. Open-source governance. Develop a strategy for open-source use and potential sharing via the EU OSS Catalogue (Articles 41–43).

Common misconceptions

  • "CADA replaces the AI Act." Incorrect. They have distinct scopes: the AI Act covers AI systems' safety and rights; CADA covers cloud infrastructure sovereignty, resilience and capacity.
  • "Only public sector bodies are affected." Incorrect. Providers seeking public-sector contracts must meet assurance levels, and NIS2-scope private entities may run impact assessments (and could face mandatory ones via delegated acts).
  • "CADA imposes direct fines on private buyers." As proposed, the penalties in Article 24 apply to cloud providers' infringements of the sovereignty Chapter. Private buyers are not directly fined, though they may face contractual consequences or delegated-act obligations under Article 31(3).

This is general information about a draft EU regulation, not legal advice.