Summary As proposed, the Cloud and AI Development Act (CADA) creates a strategic framework for the pharmaceutical sector, balancing infrastructure support with sovereignty safeguards. The proposal explicitly identifies the pharmaceutical sector as a priority for AI transformation, noting that advancements should "transform the pharmaceutical sector" by improving clinical decision accuracy (Recital 19). For eligible projects, Article 8 establishes a mechanism for "frontier AI priority projects" to receive matched EU computing resources, while Article 4(7) promotes secure, privacy-enhancing health-data reuse for AI models. Crucially, pharmaceutical entities falling under the NIS2 Directive (Annex I) are not subject to mandatory public procurement rules but have the option to conduct voluntary impact assessments under Article 31 to determine their cloud sovereignty needs, with the Commission retaining the power to mandate such assessments for sectors of high criticality.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by reducing dependencies on non-European providers and accelerating the deployment of sovereign infrastructure. For the pharmaceutical and clinical research sectors, the regulation is not merely an infrastructure bill; it is a targeted instrument to foster AI-driven innovation while ensuring operational autonomy. The proposal recognizes that the rapid proliferation of AI has resulted in an unprecedented demand for computational capabilities, making computing infrastructures "strategic resources critical to the Union's economic security, sovereignty, resilience, and competitiveness."

Transforming the Pharmaceutical Sector (Recital 19)

The legislative intent behind CADA is deeply rooted in the specific needs of strategic industries. Recital 19 of the proposal explicitly addresses the healthcare and pharmaceutical domains, stating that in healthcare, "those advancements should improve the accuracy of clinical decisions and transform the pharmaceutical sector." This recital frames the entire initiative as a catalyst for industrial transformation, moving beyond generic digitalization to specific, high-impact applications such as drug discovery, personalized medicine, and clinical trial optimization.

The proposal acknowledges that the deployment of AI in industrial contexts requires rigorous validation in real-world environments. Consequently, it mandates that the Union provide industrial actors with "cloud-based AI tools and testing environments." For pharmaceutical companies, this signals a regulatory environment where access to high-performance computing and validated testing grounds is a policy priority, provided the projects align with the Union's strategic autonomy goals.

Frontier AI Priority Projects and Compute Matching (Article 8)

A primary mechanism for supporting the pharmaceutical sector is the "frontier AI priority project" designation. Article 8 sets out the criteria for the Commission to recognize projects as frontier AI priority projects. To qualify, a project must:

  1. Be a pioneering project focused on the support and scaling-up of frontier AI technologies.
  2. Be undertaken by a European Digital Infrastructure Consortium (EDIC) or another eligible legal entity.
  3. Involve the participation of at least three Member States.
  4. Ensure that participating Member States pool computing time and other relevant resources.

For pharmaceutical companies, the significance of Article 8 lies in its link to Article 9. Under Article 9(1), the Union and Member States must ensure that "sufficient AI computing resources from their compute capacities are allocated to support the development of frontier AI priority projects." Furthermore, Article 9(2) establishes a matching mechanism: "The Union shall at least match the AI computing resources contributed by Member States to frontier AI priority projects to the extent that sufficient AI computing capacity is available within the Union's share of European high performance computing access time."

This creates a tangible pathway for pharma companies to access high-performance computing (HPC) resources. By structuring drug discovery or advanced modeling projects as cross-border consortia involving at least three Member States, pharmaceutical entities could unlock matched EU compute capacity. This is particularly relevant for "frontier AI" applications in pharma, such as generative models for molecule discovery or complex simulations for clinical trial design, which require massive computational power that may be scarce or costly on the open market.

Secure Health-Data Reuse for AI Models (Article 4)

Beyond compute, CADA addresses the data bottleneck that often hinders AI development in healthcare. Recital 22 and Article 4(7) specifically target the public sector's role in data availability. Article 4(7)(d) mandates that the Cloud and AI Leadership Initiatives shall "facilitate secure, privacy-enhancing health data reuse for AI models and tools in healthcare."

The proposal aims to "enhance the quality of public sector data and promote the sharing and reuse of training data and AI models across the Union's public sector." While CADA does not create new rights for private entities to access raw patient data, it establishes a framework where public sector bodies (hospitals, research institutes, health agencies) are encouraged to develop AI models using high-quality data and make them available for reuse.

For pharmaceutical companies, this implies a shift toward a more interoperable ecosystem. The proposal supports the use of "privacy-preserving frameworks, (such as federated learning and high-fidelity synthetic data generation)" to train models without compromising confidentiality. This aligns with the sector's need to validate AI tools for clinical trials or post-market surveillance using diverse, high-quality datasets while maintaining strict compliance with data protection laws. The emphasis on "secure, privacy-enhancing" reuse suggests that future collaborations between pharma and public health bodies will increasingly rely on these technical safeguards rather than traditional data transfers.

Sovereignty and Impact Assessments for Private Sector (Article 31)

The core of CADA's sovereignty frameworkβ€”the Union Assurance Levels (1–4)β€”primarily governs public procurement. Article 30 mandates that contracting authorities whose activities contribute to public order must procure services at Assurance Levels 2, 3, or 4. However, pharmaceutical companies are generally private entities and are not subject to these mandatory procurement rules unless they act as contracting authorities.

Instead, the proposal introduces a tailored mechanism for private sector entities operating in critical sectors under Article 31. Article 31(1) states that "Entities referred to in Annex I of Directive (EU) 2022/2555 [the NIS2 Directive] who are not public sector bodies may carry out similar assessments as those set out in Article 29."

Pharmaceutical companies often fall within the scope of the NIS2 Directive as "essential" or "important" entities. Under Article 31, these entities have the option to conduct impact assessments to determine their cloud sovereignty needs and identify risks related to third-country control or service disruption. This is distinct from the mandatory risk assessments required of public bodies under Article 29.

However, this optionality is not absolute. Article 31(3) grants the Commission the power to intervene: "Where, because of specific circumstances, and where duly justified and in consultation with the Member States, the Commission concludes that entities who are not public sector bodies operating in sectors of high criticality require an impact assessment, the Commission may adopt delegated acts to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities... shall take."

Given that the pharmaceutical sector is explicitly highlighted in Recital 19 as a domain for transformation and is critical to public health, it is a prime candidate for such future delegated acts. The Commission may also issue guidance on the methodology for these assessments under Article 31(2). Therefore, while not currently mandatory for all pharma companies, the regulatory trajectory suggests that entities in this sector should be prepared to conduct formal impact assessments if the Commission deems the sector's criticality to warrant it.

Public Procurement and EU Added Value (Article 32)

Although pharmaceutical companies are private, their interaction with the public sector is extensive, particularly in clinical research and public health procurement. Article 32 introduces "Union added value" criteria for public procurement of cloud computing services and AI systems. Under Article 32(1), contracting authorities must include non-price award criteria to evaluate a tenderer's contribution to the European cloud and AI ecosystem.

Article 32(3) specifies that these criteria should evaluate the extent to which the tenderer contributes to strengthening the digital supply chain in the Union, including the use of hardware or software designed or manufactured in the EU. While this applies to public buyers, it creates a significant market signal. Pharmaceutical companies sourcing cloud services or AI tools for clinical research may find that public research partners or healthcare systems increasingly prefer solutions that align with these sovereignty criteria. This indirect pressure could influence vendor choices and drive the adoption of EU-based cloud and AI providers within the pharma supply chain.

What this means for you

For in-house counsel, compliance officers, and strategic planners in the pharmaceutical and clinical research sectors, CADA introduces several actionable considerations:

  1. Pursue Frontier AI Designation: Evaluate whether your AI-driven drug discovery, personalized medicine, or clinical trial optimization projects qualify as "frontier AI priority projects" under Article 8. If your project is pioneering, involves cross-border collaboration with at least three Member States, and is structured through an EDIC or similar entity, you could access matched EU computing resources under Article 9. Engage with national authorities and EDICs early to position your projects for recognition.
  2. Prepare for Voluntary (or Future Mandatory) Impact Assessments: Monitor the development of guidance under Article 31. As an entity likely covered by the NIS2 Directive, you have the option to conduct impact assessments to determine your cloud sovereignty needs. Start mapping your critical data flows, cloud service providers, and third-country dependencies now. Be aware that the Commission may adopt delegated acts under Article 31(3) to make such assessments mandatory for the pharmaceutical sector if it is deemed a sector of "high criticality."
  3. Leverage Secure Data Reuse: Explore partnerships with public healthcare institutions and research bodies that are developing AI models under the CADA framework. The proposal's emphasis on "secure, privacy-enhancing health data reuse" (Article 4(7)(d)) suggests new avenues for accessing high-quality, anonymized datasets or pre-trained models for validating your own AI tools. Ensure your technical architecture supports privacy-preserving techniques like federated learning to align with these regulatory expectations.
  4. Align Vendor Strategy with EU Added Value: As public sector buyers increasingly apply "Union added value" criteria under Article 32, ensure your cloud and AI vendors can demonstrate alignment with EU sovereignty goals. This may become a competitive advantage when bidding for public-sector research contracts or collaborating with public health bodies.

Common misconceptions

"CADA mandates pharmaceutical companies to use only EU cloud providers." False. CADA's mandatory procurement rules for sovereign cloud services (Union Assurance Levels 2–4) apply to public sector bodies and contracting authorities whose activities contribute to public order (Article 30). Private pharmaceutical companies are not subject to these mandatory procurement rules. However, they may be encouraged or eventually required to conduct impact assessments under Article 31 if the Commission deems the sector critical.

"CADA gives pharma companies free access to patient data." False. CADA does not override the GDPR or national health data laws. It encourages the reuse of AI models and training data developed by the public sector, but any processing of personal health data must still comply with existing data protection regulations. The focus is on enabling secure, privacy-enhancing techniques (like federated learning) rather than creating new data access rights.

"All AI projects in pharma are eligible for EU compute matching." False. Only projects recognized as "frontier AI priority projects" under Article 8 are eligible for matched computing resources. These projects must be pioneering, involve broad cross-border participation (at least three Member States), and address strategic challenges. Standard operational AI tools or smaller-scale research projects do not qualify.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.