Summary
As proposed, the Cloud and AI Development Act (CADA) would directly affect hyperscalers operating in Europe by establishing a four-tier sovereignty framework that could restrict access to critical public-sector contracts. The proposal responds to a market in which, per the explanatory memorandum, three non-EU hyperscalers control over 70% of the European cloud market. To serve sensitive public-sector workloads, hyperscalers would generally need independent third-party audits to achieve "Union assurance levels" 2-4. Where they are controlled by a third country, they could still qualify for Union assurance level 3 via the Article 18 "associated third countries" route, provided their home country meets strict cumulative criteria.
Detail
The proposed CADA marks a shift in how cloud-computing services would be regulated in the EU, moving beyond data protection and cybersecurity to address "technological sovereignty." For hyperscalers — the large-scale providers that currently dominate the market — CADA would introduce a structured set of obligations and opportunities intended to rebalance the EU's dependence on non-European providers.
Addressing market concentration and sovereignty
The explanatory memorandum identifies the current market as a strategic risk, stating that "currently, three non-EU hyperscalers control over 70% of the European cloud market," while the market share of EU providers fell from 29% in 2017 to 15% in 2022. The memorandum links this concentration to risks of operational discontinuity and potential extraterritorial access to data by third-country governments. CADA would seek to mitigate these risks through a harmonised EU-wide sovereignty framework.
That framework rests on four "Union assurance levels" (Levels 1-4), with criteria set out in Annex II of the proposal. The levels define the degree of control, data localisation, and personnel requirements a cloud service must meet.
- Level 1 would require establishment in the Union and that infrastructure and customer data remain within the Union (verified by self-assessment).
- Levels 2-4 would impose progressively stricter requirements, verified by independent third-party audit. These include a European cybersecurity certificate (where a European scheme exists), Union-citizenship requirements for personnel at Levels 3 and 4, and restrictions on third-country control.
Procurement levers and demand reshaping
CADA would not ban non-sovereign cloud services outright; it would reshape demand through public procurement. Under Article 29, Member States and Union entities would conduct risk assessments of their activities, and Article 30 would then set the procurement obligation that follows from that assessment:
- If an authority's activities are not identified as contributing to the preservation of public order, it must use services recognised at Union assurance level 1 (Article 30(2)).
- If activities are identified as contributing to public order (for example, national security, defence, justice), contracting authorities must only procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).
Article 30 applies to contracting authorities (and Union entities) that procure cloud-computing services for their exclusive use. The effect is a "sovereignty premium": hyperscalers that cannot achieve higher assurance levels could be excluded from the most sensitive public-sector contracts, while EU-based providers — or those willing to invest in genuinely sovereign infrastructure — could gain an advantage.
The third-country recognition path: Article 18
A pivotal provision for non-EU hyperscalers is Article 18, "Associated third countries." It provides a route for cloud-computing service providers subject to the control of a third country (or a third-country entity) to be audited against the criteria for Union assurance level 3.
Normally, the higher levels require providers not to be subject to third-country control. Article 18(1) allows the Commission, by implementing act, to identify third countries whose providers may nonetheless be audited for Level 3, provided the third country fulfils all of the following cumulative criteria:
- It is subject to a relevant adequacy decision under Article 45 of the GDPR.
- It has no measures enabling it to exercise control over the provider in a way that conflicts with the rules on lawful access to non-personal data in Article 32(2) and (3) of the Data Act (Regulation (EU) 2023/2854).
- It has no measures to compel the provider to degrade or disrupt service continuity, or to enforce restrictive measures such as sanctions or embargoes unless legitimate under Member State or Union law.
- It has no measures to impede the provision of state-of-the-art technologies and services.
- It maintains an open market to Union cloud-computing services.
- It grants equivalent access to its public-procurement procedures for services controlled by a Union Member State or entity.
If a third country meets these criteria, its providers could be audited for Level 3 — allowing them to compete for high-level public contracts that would otherwise be restricted. The Commission would publish a list of qualifying third countries and must repeal, amend, or suspend a decision if a country ceases to qualify (Article 18(2)-(3)).
What this means for you
For hyperscalers operating in Europe, CADA would add a compliance layer focused on sovereignty rather than security alone. Your strategic response should consider:
- Audit readiness for higher assurance levels. To remain competitive in the sensitive public sector, prepare for independent third-party audits under Article 20. This means demonstrating compliance with Annex II criteria — including software supply-chain transparency (such as providing a software bill of materials) and meeting Union-citizenship requirements for personnel at Levels 3 and 4.
- Evaluate Article 18 eligibility. If you are controlled by a non-EU entity, assess whether your home country meets the Article 18 criteria. If it does not, Level 3 would remain out of reach unless you can show that the service is not subject to third-country control (for example through sufficiently autonomous EU operations), and Level 4 prohibits third-country control outright in any case.
- Adapt procurement strategies. Monitor "Union added value" criteria under Article 32. Contracting authorities would evaluate innovative cloud and AI tenders on non-price criteria, including the use of hardware designed or manufactured in the Union. Investing in local supply chains and EU-developed technologies may improve your scoring.
- Prepare for client risk assessments. Public-sector clients would conduct risk assessments under Article 29. Engage early: if their activities are deemed to contribute to public order, they would be barred from procuring your services for those activities unless you hold Level 2, 3, or 4 recognition.
Common misconceptions
Misconception 1: CADA bans non-EU cloud providers. As proposed, CADA would not prohibit non-EU providers from operating in the EU. It creates a tiered system. Non-EU providers could still serve the market but may be excluded from specific high-criticality public-sector contracts unless they achieve recognition at Level 2, 3, or 4 (including via the Article 18 route) or establish sufficiently autonomous EU operations.
Misconception 2: GDPR adequacy is enough for sovereignty. GDPR adequacy is a prerequisite for the Article 18 route, but not sufficient on its own. CADA also addresses operational autonomy and service continuity, which go beyond data privacy.
Misconception 3: Only EU-based companies can achieve the higher levels. While the higher levels generally require providers not to be subject to third-country control, Article 18 provides an exception for providers from "associated third countries," who may be audited for Level 3 if their country qualifies and they implement strict safeguards. Level 4, however, strictly prohibits third-country control.
Misconception 4: CADA replaces the AI Act or Cybersecurity Act. CADA would complement existing laws. The AI Act regulates the safety and fundamental-rights impacts of AI systems; the Cybersecurity Act (and any future EU cloud certification scheme) addresses technical cybersecurity; CADA focuses on sovereignty, data localisation, and supply-chain resilience. A provider must comply with all applicable frameworks.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
Related
- What does 'reducing dependencies on critical technologies' mean in CADA?
- What does CADA mean for the average EU citizen?
- What does CADA mean for SMEs and startups in the EU cloud market?
- What does CADA mean for public-sector cloud buyers?
- What does CADA mean for data centre operators?
This is general information about a draft EU regulation, not legal advice.