Summary As proposed, the Cloud and AI Development Act (CADA) identifies space and aerospace as a strategic sector for industrial AI, explicitly mandating support for geospatial AI development by leveraging Earth observation data from the Copernicus programme. Recital 19 highlights that digital advances must transform how space assets and data flows are operated. For sensitive space data, the proposal would require public-sector bodies to conduct risk assessments under Article 29, potentially mandating procurement of cloud services at Union assurance levels 2, 3, or 4 to ensure sovereignty. While Article 8 opens pathways for frontier AI projects in space to access matched high-performance computing resources, the act does not ban non-EU providers outright but restricts their use for public-order-relevant activities to those meeting strict sovereignty criteria.

Detail

The proposed Cloud and AI Development Act (CADA) treats the space and aerospace sector not merely as a user of cloud services, but as a strategic pillar for the Union's technological autonomy. The legislation weaves together supply-side innovation support with demand-side sovereignty requirements, specifically targeting the unique data flows and operational risks inherent to space assets.

Strategic Support: Geospatial AI and Copernicus Data

The proposal explicitly anchors its support for the space sector in the development of advanced AI models capable of processing vast amounts of satellite and Earth observation data. Recital 19 of the explanatory memorandum provides the clearest articulation of this intent. It states that in the space sector, "digital advances should transform the way space assets, services and data flows are operated and used." Crucially, it notes that "in the field of climate and environment, geospatial AI should be developed, in particular by leveraging Earth observation data from the Copernicus programme and the capabilities of the Union Space and connectivity programmes."

This is not a passive encouragement but a directive embedded in the operational objectives of the Cloud and AI Leadership Initiatives. Article 4(5) mandates that these initiatives "accelerate the development and uptake of industrial AI across the Union's strategic sectors." The recitals confirm that space is one of these prioritized sectors, alongside healthcare, transport, and defence. The objective is to foster the development of "highly capable sector-specific AI models designed to meet the operational requirements of the industries prioritised under the Apply AI Strategy."

For the space sector, this means the proposal would support:

  • Geospatial AI: Algorithms capable of analyzing Copernicus data for climate monitoring, disaster response, and environmental protection.
  • Autonomous Operations: AI systems for satellite maneuvering, constellation management, and autonomous decision-making in orbit.
  • Data Integration: Tools that combine space-based data with terrestrial data streams for comprehensive situational awareness.

Furthermore, Article 8 establishes criteria for recognizing "frontier AI priority projects." While the text does not list space explicitly in the article itself, Annex I defines "Grand Challenge 3" as Frontier AI, focusing on "pioneering projects" that develop frontier AI models as strategic assets. Given the capital-intensive nature of space technologies and the strategic importance of Earth observation, projects developing advanced AI for space applications could qualify for this designation. Such projects would need to involve broad participation from entities across the Union, such as European Digital Infrastructure Consortia (EDICs), to unlock matched computing resources under Article 9.

Sovereign Cloud Assurance for Sensitive Space Data

The most significant regulatory shift for the space sector under CADA concerns the sovereignty of the cloud infrastructure underpinning space operations. As space agencies and aerospace companies increasingly rely on cloud computing for processing telemetry, imagery, and classified defense data, the proposal introduces a rigorous framework to mitigate third-country dependencies.

Article 29 imposes a mandatory obligation on Member States and Union entities to conduct risk assessments. These assessments must identify public-sector activities that "contribute to the preservation of public order." The text explicitly lists sectors falling under Annex I or II of the NIS2 Directive and areas including "national security, internal security, external border management, defence, justice or law enforcement." Space assets, particularly those used for defense, border surveillance, or critical infrastructure monitoring, would almost certainly fall within this scope.

The risk assessment under Article 29(1)(b) requires authorities to determine which Union assurance level (2, 3, or 4) is appropriate for these activities. The assessment must consider the "sensitivity, criticality, and magnitude" of the data, the risk of unlawful access by third countries, and the risk of service disruption. For space data that is classified or highly sensitive, the assessment would likely conclude that a high assurance level is necessary.

Once a risk assessment identifies an activity as contributing to public order, Article 30(3) triggers a procurement mandate. Contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." This effectively bars the use of non-assured or low-assurance (Level 1) cloud services for sensitive space operations.

The criteria for these higher levels are detailed in Annex II:

  • Union Assurance Level 2: Requires infrastructure and personnel to be located in the Union, data to remain exclusively within the Union, and a European cybersecurity certificate of at least "substantial" assurance. It also mandates that data is not used to train third-country AI systems.
  • Union Assurance Level 3: Adds the requirement that personnel must be Union citizens (conditional on public body requirements) and that the provider is not subject to third-country control, unless a derogation under Article 18 applies. It requires a "substantial" cybersecurity certificate.
  • Union Assurance Level 4: The highest tier, requiring a "high" cybersecurity certificate, Union citizen personnel, and strict controls to prevent third-country influence over software supply chains.

For the space sector, this means that any public procurement of cloud services for sensitive satellite data would be restricted to providers who can demonstrate full Union control over their infrastructure, data, and personnel, and who hold the requisite cybersecurity certification.

Open Source and Interoperability in Space Systems

CADA also addresses the long-term maintainability and security of space systems through open-source mandates. Article 41 encourages Union entities and public sector bodies to "use and facilitate the reuse of open standards and components released under an open source licence" when building their cloud and AI ecosystems. This is particularly relevant for space, where proprietary vendor lock-in can pose security risks and hinder innovation.

Article 42 reinforces this by requiring that software made available for reuse under an open-source licence be published in a catalogue connected to the EU Open Source Solutions Catalogue. This facilitates the sharing of space-related software tools, such as orbital mechanics calculators or image processing algorithms, across the Union. The proposal also establishes a network of Open Source Programme Offices (Article 44) to coordinate these efforts, ensuring that space agencies and aerospace companies can collaborate on secure, auditable software stacks.

What this means for you

For CTOs, space architects, and SMEs in the aerospace sector, CADA represents a dual track of opportunity and compliance.

1. Leverage Frontier AI Funding for Space Projects If your organization is developing frontier AI models for space applicationsβ€”such as autonomous satellite collision avoidance, real-time Earth observation analysis, or deep-space navigationβ€”you should actively monitor calls for "frontier AI priority projects" under Article 8. Qualifying for this status is not automatic; it requires broad participation (e.g., via EDICs) and alignment with "Grand Challenge 3." Success could unlock matched AI computing resources from the Union and Member States under Article 9, providing access to high-performance computing (HPC) capacity that is critical for training large-scale geospatial models.

2. Prepare for Sovereign Cloud Audits If you provide cloud services to public-sector bodies, space agencies, or defense contractors, you must prepare for the Union assurance level recognition process under Article 17. For services handling sensitive space data, you will likely need to undergo independent third-party audits to demonstrate compliance with Annex II criteria. This includes proving:

  • Data Localization: All customer data, including telemetry and imagery, remains exclusively within the Union.
  • Personnel Control: Ensuring personnel are Union citizens (for Level 3/4) and located in the Union.
  • Supply Chain Transparency: Providing a complete Software Bill of Materials (SBOM) and demonstrating no third-country control over critical software components.
  • Cybersecurity Certification: Obtaining a European cybersecurity certificate of at least "substantial" (Level 2/3) or "high" (Level 4) assurance.

Start auditing your technical architecture now to ensure data residency and subcontractor oversight meet these strict standards.

3. Adopt an Open-Source First Strategy Consider contributing your space-related AI tools and models to the EU Open Source Solutions Catalogue as encouraged by Article 42. This aligns with CADA's objectives and can enhance your visibility within the European public sector. Ensure your open-source licenses are compatible with EU requirements and that you have robust governance for your repositories to facilitate reuse by other space entities.

4. Engage in Risk Assessments Engage with national competent authorities and space agencies during the risk assessment processes mandated by Article 29. Provide technical input on the sensitivity of different types of space data (e.g., distinguishing between raw telemetry, processed imagery, and classified defense data) to help shape appropriate assurance level requirements. Proactive engagement can help ensure that the regulatory framework is technically feasible and does not impose undue burdens on innovation while maintaining necessary security.

Common misconceptions

Misconception 1: CADA bans the use of non-EU cloud providers for all space data. Correction: CADA does not impose a blanket ban. The requirement to use Union-assured cloud services (levels 2, 3, or 4) applies specifically to public-sector bodies whose activities have been identified through a risk assessment as contributing to the preservation of public order (Article 30). For non-sensitive data or private-sector entities not covered by the risk assessment, the requirements are less stringent, though private entities in high-criticality sectors may be encouraged to conduct similar impact assessments under Article 31.

Misconception 2: Only large space agencies can benefit from CADA's AI initiatives. Correction: While frontier AI projects under Article 8 require broad participation, the Cloud and AI Leadership Initiatives also support the uptake of industrial AI across strategic sectors, including SMEs. Article 4(5) explicitly mentions accelerating the uptake of sectoral AI models, and Article 5 establishes Experience and Acceleration Centres for AI that support SMEs and SMCs in their digital transformation. SMEs in the space sector can leverage these centers for testing, validation, and access to computing resources.

Misconception 3: CADA replaces existing space-specific regulations. Correction: CADA complements existing frameworks. It does not replace the regulatory regimes for space traffic management, satellite licensing, or the specific rules of the Copernicus programme. Instead, it provides a horizontal framework for cloud sovereignty and AI development that applies across sectors, including space. Compliance with CADA is additional to, not a substitute for, other applicable EU and national space laws.

Related

This is general information about a draft EU regulation, not legal advice.