Summary As proposed, the Cloud and AI Development Act (CADA) would affect EU citizens mainly indirectly, by making the public services they rely on - healthcare, justice, social security, administration - more secure and resilient. Through a harmonised sovereignty framework, CADA aims to reduce the EU's dependence on a small number of non-European cloud providers, lowering the risk that foreign governments could access sensitive public-sector data or disrupt essential services. For most people, that would translate into stronger protection of public data and a more autonomous European digital infrastructure - not new obligations on individuals.
Detail
CADA is a proposed EU regulation to strengthen Europe's cloud and AI ecosystem. While much of it concerns industrial capacity and technical standards, a core motivation is protecting public order and the public interest. As proposed, CADA addresses the risks of relying heavily on a few third-country cloud providers whose operations may be subject to laws allowing foreign authorities to access data stored in Europe.
Protecting public order and public-sector data
One of CADA's stated measures is enabling the availability of a sovereign cloud and AI offer to safeguard the Union's public order (Article 1(1)(c)). This means the infrastructure behind essential services - hospitals, police, courts, social security - would be expected to meet higher sovereignty standards.
Under the proposed framework, Member States and Union entities would conduct risk assessments to identify which public-sector activities contribute to the preservation of public order (Article 29). For those activities, public authorities would procure cloud services recognised at higher Union assurance levels. These levels are designed to keep data under effective EU supervision and limit exposure to the extraterritorial reach of third-country laws, such as the US CLOUD Act, which can compel US-based companies to disclose data regardless of where it is stored.
A tiered sovereignty framework
CADA would introduce a four-tier "Union cloud computing sovereignty framework" (Article 16), with the criteria set out in Annex II:
- Union assurance level 1: the baseline for non-public-order public-sector activities. Among other criteria, the provider must be established in the Union, and infrastructure, assets, and customer data must remain within the Union unless the public sector body explicitly requires otherwise.
- Union assurance levels 2, 3, and 4: higher levels for more sensitive activities, with stricter cumulative criteria - independent third-party audits; for the highest levels, requirements that personnel be Union citizens; and, at levels 3 and 4, a prohibition on third-country control (with a narrow derogation at level 3 for recognised "associated third countries").
By requiring authorities to procure services aligned with these levels, CADA aims to provide harmonised, auditable criteria that protect sensitive public-sector data while avoiding fragmentation of the single market.
Resilience and operational continuity
Beyond data protection, CADA focuses on operational continuity. The explanatory memorandum highlights the risk that unilateral decisions by third-country actors could disrupt service provision. By fostering a competitive market of European providers and ensuring critical public services can run on sovereign infrastructure, CADA seeks to keep essential services available even during geopolitical tensions.
What this means for you
For the average EU citizen, CADA would mostly work behind the scenes, in the infrastructure of the public services you use.
Stronger protection of sensitive public data When you interact with public services handling sensitive information - medical records, tax filings, legal proceedings - CADA would aim to ensure the underlying cloud infrastructure is subject to strict EU oversight, reducing the likelihood that this data could be accessed under foreign jurisdictions. The explanatory memorandum stresses that sovereignty goes beyond data transfers and relates to operational autonomy too.
More reliable public services By reducing dependence on a few foreign providers, CADA aims to make public services more resilient. If a foreign provider suspended services due to political or commercial pressure, critical services could be disrupted; CADA's push for a robust European cloud ecosystem aims to ensure credible, locally controlled alternatives.
Support for European innovation While not a direct consumer benefit, CADA's goal of increasing cloud and AI capacity developed and deployed in the EU is intended to support innovation and jobs, potentially leading to more competitive digital services over time.
Transparency and trust CADA would require transparency from providers about subcontractors and infrastructure location (Annex II), helping public authorities make informed choices and supporting greater trust in the digital tools used by public administrations.
Common misconceptions
Misconception: CADA bans foreign cloud providers. Reality: It would not. Foreign providers could still operate in the EU market, particularly for less sensitive uses. For public-order-relevant activities, authorities would procure services recognised at higher Union assurance levels. Providers subject to third-country control could still reach some levels, and could be audited for level 3 where the Commission recognises that country as an "associated third country" (Article 18); level 4 would prohibit third-country control with no derogation.
Misconception: CADA is only about technology. Reality: While CADA addresses data centres and AI, a core purpose is also legal and strategic: safeguarding public order. The proposal cites risks such as unauthorised access to Union data, technology leakage, sabotage, and espionage by third-country actors (Recital 64).
Misconception: CADA will make public services more expensive and less efficient. Reality: The proposal argues that reducing dependencies and fostering competition among European providers would support a more resilient and potentially more cost-effective market over time, partly by reducing vendor lock-in. The voluntary EuroCloud Federation would also let public authorities share capacity. Short-term adjustment costs are possible.
Related
- What does 'reducing dependencies on critical technologies' mean in CADA?
- What does CADA mean for SMEs and startups in the EU cloud market?
- What does CADA mean for public-sector cloud buyers?
- What does CADA mean for hyperscalers operating in Europe?
- What does CADA mean for data centre operators?
This is general information about a draft EU regulation, not legal advice.