Summary
The proposed Cloud and AI Development Act (CADA) does not replace the General Data Protection Regulation (GDPR); it layers a new sovereignty framework on top of existing data protection obligations. For in-house counsel, this means processor due diligence must now verify two distinct compliance tracks: GDPR Article 28 contractual safeguards for data privacy and CADA's tiered "Union assurance" status for operational autonomy. Buyers must check the CADA central repository (Article 22) to confirm a provider's recognized assurance level, ensuring that data protection and technological sovereignty are both secured. A provider can be GDPR-compliant yet fail CADA if subject to third-country control, and vice versa.
Detail
The interaction between the proposed Cloud and AI Development Act (CADA) and the GDPR creates a dual-compliance landscape for cloud computing service providers and their customers. While the GDPR focuses on the protection of personal data and the rights of data subjects, CADA addresses broader strategic concerns, including operational continuity, data sovereignty, and resilience against third-country interference. For compliance officers, understanding how these regimes interact is critical for robust vendor risk management.
The Persistence of GDPR Article 28 Obligations
Under the GDPR, controllers must ensure that processors provide sufficient guarantees to implement appropriate technical and organizational measures so that processing meets the requirements of the regulation and ensures the protection of data subjects' rights (Article 28). This obligation remains fully intact under CADA. The CADA explanatory memorandum explicitly states that the proposal is consistent with existing rules on the processing of personal data, including the GDPR.
Consequently, the standard due diligence steps for GDPR compliance, such as verifying a processor's security certifications, reviewing data processing agreements (DPAs), and assessing sub-processor chains, remain mandatory. CADA does not relieve organizations of their duty to ensure that personal data is processed lawfully, fairly, and transparently. Instead, it introduces additional criteria that must be satisfied to meet the EU's broader strategic autonomy goals.
The GDPR continues to govern the lawfulness of processing, while CADA governs the sovereignty of the infrastructure hosting that processing. A Data Processing Agreement (DPA) under GDPR Article 28 must still address data subject rights, breach notification, and sub-processor authorization. However, the DPA must now also reflect the specific Union assurance level required by the controller, as mandated by CADA.
CADA's Sovereignty Framework and Union Assurance Levels
CADA introduces a "Union cloud computing sovereignty framework" comprising four "Union assurance levels" (Article 16). These levels define the criteria cloud computing services must meet to be considered trustworthy from a sovereignty perspective. The criteria range from basic establishment in the Union (Level 1) to strict requirements on personnel citizenship, absence of third-country control, and enhanced cybersecurity certifications (Levels 2 to 4) (Annex II).
Crucially, CADA establishes a mechanism for recognizing these services. Providers must submit evidence of compliance to national competent authorities, which then register recognized services in a central repository maintained by the European Commission (Article 22). This repository serves as the single source of truth for a provider's sovereignty status.
The distinction between the levels is significant for due diligence:
- Level 1: Requires establishment in the Union and data localization, but allows for third-country control provided specific safeguards are met.
- Level 2: Requires infrastructure, assets, and personnel to be located in the Union, with "substantial" cybersecurity certification.
- Level 3: Requires personnel to be Union citizens (conditional on public body requirements) and "substantial" cybersecurity certification. It allows for third-country control only if the Commission has adopted a specific implementing act for that third country (Article 18).
- Level 4: Requires personnel to be Union citizens, "high" cybersecurity certification, and a complete absence of third-country control.
The Role of the Central Repository in Due Diligence
Article 22 of CADA mandates that the Commission establish and maintain a "central repository" of cloud computing services recognized as offering Union assurance levels 1 through 4. National competent authorities register services in this repository after verifying the provider's evidence, such as self-assessment statements for Level 1 or independent audit reports for Levels 2 to 4.
For due diligence purposes, this repository transforms sovereignty verification from a complex, bespoke contractual exercise into a standardized check. Instead of negotiating extensive sovereignty clauses from scratch, buyers can verify a provider's status by consulting the central repository. If a service is listed with a specific assurance level, it has undergone the necessary scrutiny to meet the cumulative criteria set out in Annex II of CADA.
The repository also serves as a transparency mechanism. Under Article 23, providers must notify authorities of any material changes that may affect their recognition. If a provider loses their status, the revocation is published in the repository, alerting customers immediately. This dynamic status check is a critical addition to the static nature of traditional DPA reviews.
Dual-Track Due Diligence: Privacy and Sovereignty
The practical implication for in-house counsel is the need for a dual-track due diligence process.
- Data Protection Track: Verify compliance with GDPR Article 28. This involves reviewing the DPA, ensuring adequate security measures, and confirming that sub-processors are bound by equivalent data protection obligations. This track ensures the rights of the data subject are protected.
- Sovereignty Track: Verify the provider's Union assurance level via the CADA central repository (Article 22). This ensures that the provider meets the structural, operational, and legal criteria for sovereignty, such as data localization within the Union and absence of extraterritorial third-country control. This track ensures the continuity and autonomy of the service.
These tracks are complementary but distinct. A provider may be fully GDPR-compliant (e.g., through Standard Contractual Clauses) but fail to meet CADA's higher sovereignty thresholds if it is subject to third-country laws that could compel data access or service disruption. Conversely, a provider might meet sovereignty criteria but still require robust GDPR-specific contractual terms to protect personal data rights.
Risk Assessments and Procurement Requirements
CADA requires Member States and Union entities to conduct risk assessments to determine the appropriate Union assurance level for their specific activities (Article 29). These assessments consider the sensitivity of data, criticality of operations, and potential impact on public order. Based on these assessments, contracting authorities are obligated to procure services that meet the corresponding assurance level (Article 30). For example, activities contributing to public order in sectors like defense or law enforcement may require Level 2, 3, or 4 services.
This shifts the burden of proof. Buyers cannot simply assume a provider is suitable; they must align their procurement with the outcome of their risk assessment and verify the provider's recognized status in the central repository. For private sector entities in critical sectors (as defined in Annex I of the NIS2 Directive), CADA allows for similar impact assessments (Article 31), signaling that these dual-track diligence practices may soon become industry standard across regulated sectors.
What this means for you
For in-house counsel and compliance officers, the CADA-GDPR interaction necessitates an immediate update to vendor risk management frameworks.
- Update Due Diligence Checklists: Add a mandatory step to verify the provider's status in the CADA central repository (Article 22). Confirm that the service is recognized at the assurance level required by your organization's risk assessment. Do not rely solely on marketing claims of "EU-based" services; check the official registry.
- Review Contracts: Ensure that your cloud computing contracts explicitly reference the required Union assurance level. Include clauses that require the provider to notify you of any changes to their recognized status or any material changes that could affect their sovereignty compliance (Article 23). Update your DPAs to reflect that the processor must maintain the specific assurance level throughout the contract term.
- Conduct Risk Assessments: Perform or update risk assessments in line with Article 29 to determine the minimum assurance level your organization requires. Document the rationale for this determination, considering the sensitivity of data and the criticality of operations. For public bodies, this is a mandatory step before procurement.
- Monitor the Repository: Establish a process for regularly checking the central repository to ensure that your providers maintain their recognized status. Be prepared to respond to notifications of revocation or amendment of a provider's recognition, which could trigger a migration requirement under Article 29(6).
- Coordinate with Data Protection Teams: Align your sovereignty due diligence with your GDPR compliance efforts. Ensure that your Data Protection Officer (DPO) and legal teams are aware of the additional sovereignty requirements and that they are reflected in your overall vendor management strategy. The DPO focuses on the data, while the legal team focuses on the infrastructure sovereignty.
Common misconceptions
- Misconception: CADA replaces GDPR due diligence.
- Reality: CADA complements, not replaces, GDPR. You must still comply with Article 28 of the GDPR for data protection. CADA adds a separate layer of requirements focused on sovereignty and operational autonomy. A provider can be GDPR-compliant but fail CADA, or vice versa.
- Misconception: GDPR adequacy decisions are sufficient for CADA compliance.
- Reality: While CADA considers adequacy decisions under the GDPR (Article 45) when assessing third-country providers for Level 3 recognition (Article 18), an adequacy decision alone does not guarantee a service meets CADA's sovereignty criteria. Providers must still undergo the specific recognition process and be listed in the central repository. Adequacy addresses data transfers; CADA addresses control and infrastructure.
- Misconception: Only public sector entities need to worry about CADA.
- Reality: While CADA imposes direct procurement obligations on public authorities, its impact extends to the private sector. Providers seeking to serve public clients must obtain recognition, and private entities in critical sectors (NIS2) may conduct similar impact assessments. Furthermore, the market shift toward sovereign services will likely drive industry-wide adoption of these standards.
- Misconception: A "European" cloud provider automatically meets CADA standards.
- Reality: Establishment in the Union is only the baseline (Level 1). Higher levels require specific certifications, personnel citizenship, and proof of no third-country control. Without formal recognition in the central repository, a provider's "European" status is unverified under CADA.
This is general information about a draft EU regulation, not legal advice.