Summary
The proposed Cloud and AI Development Act (CADA) does not redefine or alter the fundamental roles of data controller and data processor established under the General Data Protection Regulation (GDPR). Cloud service providers acting on behalf of public sector bodies remain data processors, and their core GDPR obligations remain intact. However, CADA introduces a "Union cloud computing sovereignty framework" that requires specific technical and organisational measures to be embedded into the contractual agreements mandated by Article 28 of the GDPR. Crucially, Recital 63 of the CADA proposal clarifies that where specific measures are needed to ensure personal data is processed in line with the GDPR, such measures can be foreseen in the mandatory agreements under Article 28. This ensures that sovereignty criteria are legally binding on both the provider and its subcontractors, creating a unified compliance chain for data protection and operational autonomy.
Detail
Under the proposed Cloud and AI Development Act (CADA), the legal relationship between a cloud service provider and a public sector customer regarding personal data processing remains strictly governed by the GDPR. CADA is designed to complement, not replace, existing data protection law. The proposal explicitly states in its explanatory memorandum that it is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework." Therefore, if a cloud provider processes personal data for a public authority, the provider is a data processor, and the authority is the data controller. This classification does not change based on the cloud provider's status under CADA's sovereignty framework, nor does the provider's recognition at a specific Union assurance level (1 to 4) alter its GDPR role.
The critical intersection between CADA and the GDPR lies in how sovereignty requirements are enforced contractually. CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels under Article 16. To achieve recognition at these levels, providers must meet strict criteria regarding data localisation, personnel, cybersecurity, and third-country control. For providers seeking Union assurance levels 2, 3, or 4, these criteria are verified through independent third-party audits under Article 20.
Recital 63 of the CADA proposal provides the definitive bridge between these two regulatory regimes. It states: "Where specific technical and organisational measures should be implemented pursuant to this Regulation to ensure that personal data are processed in line with this Regulation, such specific measures could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 [the GDPR] and could be relied on to demonstrate that the necessary Union assurance levels are met."
This means that the sovereignty criteria defined in Annex II of CADA (such as data remaining exclusively within the Union, or personnel being Union citizens) become enforceable contractual terms within the Article 28 GDPR data processing agreement (DPA). The DPA, which is already mandatory for GDPR compliance, becomes the vehicle for CADA compliance.
Furthermore, CADA extends these obligations down the supply chain. The proposal requires that "where the cloud computing service provider relies on subcontractors in the provision of the services, the same agreements apply to the subcontractors." This ensures that the entire processing chain adheres to the required Union assurance level. For example, under Annex II, Union assurance level 1, criterion 1.1(d), if a provider outsources technical support outside the Union, they must implement measures to ensure traceability and security without compromising operational autonomy. Under higher assurance levels, the criteria become stricter, often requiring that technical support be performed exclusively within the Union by Union residents.
The proposal also distinguishes between data protection and sovereignty. While the GDPR focuses on the lawful processing of personal data and the rights of data subjects, CADA addresses broader sovereignty concerns, including operational autonomy and the risk of third-country access to data under extraterritorial laws. The explanatory memorandum notes that while frameworks like the EU-US Data Privacy Framework address transatlantic data transfers, they "do not remove sovereignty concerns about dependence on third-country providers." Thus, CADA adds a layer of operational and legal safeguards that sit alongside GDPR compliance, ensuring that data is not only protected by law but also shielded from foreign interference.
What this means for you
As a cloud service provider or data centre operator aiming to serve the public sector under the proposed CADA, you must integrate sovereignty requirements into your standard GDPR compliance workflows. You do not need to create a separate legal framework for data processing; instead, you must update your Article 28 GDPR contracts to explicitly include the technical and organisational measures required by your target Union assurance level.
1. Updating Article 28 Agreements
Your GDPR contracts with public sector bodies must be revised to incorporate the specific criteria of the Union assurance level you are seeking. For Union assurance level 1, you must conduct a conformity self-assessment under Article 19. Your DPA must reflect the criteria you have self-assessed against, such as the commitment that customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise.
For Union assurance levels 2, 3, or 4, you must undergo independent audits under Article 20. The audit evidence will scrutinise your supply chain. Your GDPR processor agreements must therefore flow down to subcontractors, ensuring they are contractually obligated to meet the CADA criteria. This includes clauses prohibiting third-country control, mandating data localisation, and enforcing specific cybersecurity standards (e.g., "substantial" assurance for levels 2 and 3, and "high" assurance for level 4 under Annex II).
2. Binding Subcontractors
You must ensure that all subcontractors are bound by the same strict sovereignty and data processing terms. Recital 63 and the text of Article 29 (regarding risk assessments) imply that the chain of responsibility is unbroken. If a subcontractor handles infrastructure, assets, or personnel related to the service, they must meet the same assurance level criteria as the main provider. Your DPA must explicitly require that any sub-processing agreement includes these CADA-specific technical and organisational measures.
3. Transparency and Material Changes
Prepare for the transparency obligations under Article 23. If material changes occur that affect your audit report or recognition status (e.g., a change in ownership or a new third-country law affecting your operations), you must notify the auditing organisation and the national competent authority. These changes may also trigger updates to your GDPR contracts if the technical or organisational measures change significantly.
4. Aligning Risk Assessments
Ensure your risk assessments align with both GDPR Data Protection Impact Assessments (DPIAs) and CADA's public order risk assessments under Article 29. While the GDPR focuses on risks to data subjects' rights and freedoms, CADA's risk assessments focus on risks to public order, operational autonomy, and third-country interference. Your contracts should clearly delineate responsibilities for both types of risk mitigation, ensuring that the controller understands the provider's role in safeguarding public order.
Common misconceptions
Misconception 1: CADA replaces the GDPR for cloud providers. This is incorrect. CADA explicitly states it is "without prejudice" to the GDPR. The GDPR remains the primary law for personal data protection. CADA adds sovereignty and operational resilience requirements that layer on top of GDPR obligations. Providers must comply with both simultaneously.
Misconception 2: The GDPR processor role is abolished for sovereign cloud services. No. Even if a cloud service is deemed "sovereign" under CADA, if it processes personal data on behalf of a public authority, the provider is still a data processor under the GDPR. The sovereignty status affects the criteria for data handling and location, not the legal role in the data processing relationship. The controller remains the public authority.
Misconception 3: Subcontractors are exempt from CADA sovereignty rules if they are not data processors. This is false. CADA's sovereignty criteria apply to all subcontractors involved in the provision of the service, regardless of their specific GDPR role. If a subcontractor handles infrastructure, assets, or personnel related to the service, they must meet the same assurance level criteria as the main provider. The GDPR contract must reflect this by binding subcontractors to these specific technical and organisational measures.
Misconception 4: An adequacy decision under the GDPR is sufficient for CADA compliance. Not necessarily. While CADA allows for the recognition of third countries for Union assurance level 3 if certain criteria are met under Article 18, this is a separate assessment from GDPR adequacy. A third country may have an adequacy decision for data transfers but still fail CADA's sovereignty criteria regarding operational autonomy, third-country control, or the ability to disrupt services. Providers cannot assume GDPR adequacy equates to CADA compliance.
This is general information about a draft EU regulation, not legal advice.