What does the Cloud and AI Development Act (CADA) do?

As proposed, the Cloud and AI Development Act (CADA) would establish a comprehensive EU framework to strengthen Europe's cloud and AI ecosystem — boosting domestic computing capacity, simplifying data-centre deployment, and ensuring the sovereignty of public-sector cloud services. Under Article 1(1) of the proposal, CADA would establish a framework "in particular through" five measures: the Cloud and AI Leadership Initiatives; a framework for accelerated data-centre deployment; enabling a sovereign cloud and AI offer to safeguard public order; reducing dependencies on critical technologies; and fostering the adoption of cloud computing services across the public sector. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.

Detail

The Cloud and AI Development Act is a legislative proposal designed to address the EU's limited and geographically concentrated computing capacity and its heavy reliance on non-European cloud providers. As proposed, the Regulation would rest on a dual legal basis — Articles 114 and 173(3) of the Treaty on the Functioning of the European Union (TFEU) — to harmonise the internal market and enhance industrial competitiveness.

The five core measures

Article 1(1) of the proposal lists the five measures CADA would establish to strengthen the cloud and AI ecosystem:

1. Establishing the Cloud and AI Leadership Initiatives: these would support research and innovation to achieve large-scale capacity across the Union's cloud and AI ecosystem, focusing on priorities such as energy-efficient data centres, open cloud-computing stacks, and frontier AI.
2. Setting a framework for the accelerated deployment of data centres: CADA would harmonise conditions for data-centre deployment across the Union, including "data centre acceleration zones" with streamlined permitting (a permit-granting time limit not exceeding 12 months) and single information points to assist operators. As stated in the explanatory memorandum, the aim is to triple EU data-centre capacity within five to seven years and reach the needed capacity by 2035.
3. Enabling a sovereign cloud and AI offer to safeguard the Union's public order: the proposal introduces a Union cloud computing sovereignty framework with four Union assurance levels, letting public authorities procure cloud services according to verified sovereignty and security guarantees so that critical public-sector activities are protected from third-country interference or disruption.
4. Reducing dependencies on critical technologies: by promoting open cloud stacks, supporting frontier AI, and encouraging EU-designed or EU-manufactured hardware, CADA aims to cut strategic dependencies — including measures to ensure providers are not subject to third-country control that could compromise operational autonomy.
5. Fostering the adoption of cloud computing services across the public sector: CADA would require Member States to conduct risk assessments to determine which public-sector activities need higher sovereign assurance, encourage open-source solutions, and establish a European public sector cloud federation (the "EuroCloud Federation") to share data-centre and cloud capacity among public bodies.

Leadership Initiatives and data-centre capacity

Under Title II, the Cloud and AI Leadership Initiatives would pursue operational objectives such as advancing energy-efficient data-centre technologies, developing open cloud-computing stacks that support Union technological autonomy, and advancing the Union's frontier-AI capabilities. The proposal envisages support through Union programmes.

Title III focuses on data-centre capacity. It would require Member States to designate data-centre acceleration zones where deployment is facilitated through aggregated baseline permits and streamlined environmental assessments. The Commission would also monitor the Union's compute-capacity gap and could designate "data centre strategic projects" that contribute significantly to the Union's digital and energy goals.

Sovereign cloud and public-sector adoption

Title IV establishes the sovereignty framework. As proposed, cloud computing service providers could be recognised as offering Union assurance levels 1 to 4: Level 1 rests on a self-assessment, while Levels 2, 3 and 4 require independent third-party audits. Under Article 30, public buyers whose activities do not contribute to public order would procure Level 1 services (Article 30(2)); for activities identified as contributing to the preservation of public order (for example defence, justice, or critical sectors), contracting authorities would only procure services recognised at Levels 2, 3, or 4 (Article 30(3)).

What this means for you

For public-sector procurement officers, CADA as proposed would change how cloud and AI services are sourced and managed.

• Mandatory assurance levels: you could no longer procure cloud services on price or generic specifications alone. Any procured service would need recognition at the assurance level appropriate to your activity — Level 1 for ordinary activities, and Levels 2, 3 or 4 where your activities contribute to public order (Article 30).
• Risk assessments: Member States and Union entities would carry out risk assessments (Article 29) identifying which activities contribute to public order; you would align your procurement strategy with them.
• EU added-value criteria: in procurements for innovative cloud services and AI systems, you would include non-price award criteria evaluating the tenderer's contribution to the European cloud and AI ecosystem — for example, EU-designed or EU-manufactured hardware or software (Article 32), kept ancillary and not decisive.
• Open-source preference: the proposal would have Union entities and public bodies encourage and facilitate the reuse of open standards and open-source components when building their cloud and AI stack (Article 41).
• EuroCloud Federation: you may be able to join the EuroCloud Federation (Article 34) to share data-centre and cloud capacity with other public bodies across the EU.

Common misconceptions

• "CADA replaces the AI Act." No. The AI Act addresses the safety, transparency and fundamental-rights risks of AI systems placed on the market; CADA addresses the infrastructure, sovereignty and industrial competitiveness of the cloud and AI ecosystem. They are complementary.
• "CADA bans non-EU cloud providers." No. It creates a sovereignty framework in which providers subject to third-country control may face stricter audit requirements or be excluded from certain high-assurance public contracts if they cannot demonstrate sufficient safeguards.
• "All public-sector cloud use requires the highest sovereignty level." No. The framework is proportionate: most public services would require Level 1, and higher levels are reserved for activities contributing to public order.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Why was the Cloud and AI Development Act (CADA) proposed?
• Who does the Cloud and AI Development Act (CADA) apply to?
• Where can I read the official text of the Cloud and AI Development Act (CADA)?
• When was the Cloud and AI Development Act (CADA) proposed?
• What is the one-sentence summary of the Cloud and AI Development Act (CADA)?

This is general information about a draft EU regulation, not legal advice.