Summary
Under the proposed Cloud and AI Development Act (CADA), a "cloud dependency" is not merely a commercial reliance on a vendor, but a strategic risk threatening the Union's public order, economic security, and operational autonomy. As outlined in Recitals 46 and 50 of COM(2026) 502 final, this dependence on a limited number of providers subject to third-country control exposes the EU to risks of misuse (sabotage, weaponisation), unauthorised access (espionage, data exfiltration), and dependency vulnerabilities (political coercion, embargoes). CADA addresses this by mandating risk assessments under Article 29 to identify critical functions and requiring procurement of services with specific Union assurance levels (Article 30) to safeguard public order.
Detail
The proposed Cloud and AI Development Act (CADA) fundamentally redefines the concept of cloud dependency. It moves beyond traditional concerns of vendor lock-in or technical interoperability to frame reliance on external infrastructure as a direct threat to the Union's sovereignty and public order. To understand the scope of this risk, one must examine the specific language of the proposal's explanatory recitals and the operational mechanisms established in the text.
The Strategic Nature of the Risk: Recitals 46 and 50
The legislative intent behind CADA's approach to dependency is explicitly grounded in Recital 46. This recital states that the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries." This dependence is not viewed as a neutral market condition but as a source of "critical strategic dependencies and concentration risks."
Recital 46 identifies three primary vectors of risk arising from this dependence:
- Extraterritorial Legal Reach: Providers may be subject to laws outside the EU that mandate data access or transfer. These laws can conflict with EU fundamental rights and data protection frameworks, creating a legal vulnerability where EU data is accessible to foreign jurisdictions.
- Operational Discontinuity: There is a risk that "unilateral decisions by third-country actors could disrupt service provision." This threatens the continuity, quality, and resilience of cloud services, potentially halting critical public functions.
- Loss of Control: The dependence reduces the Union's "control and oversight over personal and non-personal data and infrastructure," undermining the ability to retain control over assets under Union and national jurisdiction.
Recital 50 further operationalises these abstract risks by categorising the specific harms that cloud dependencies can cause to public order. It details three distinct categories of threat that contracting authorities must consider:
- Misuse: This includes the potential for "manipulation, remote access and control, sabotage, weaponisation" of cloud services. In this context, a dependency is a vector through which a third country could actively degrade or destroy critical digital infrastructure.
- Access to Information: This covers "unauthorised access to sensitive information, technology leakage, data manipulation or exfiltration, espionage." Here, the risk is the passive or active theft of state secrets, personal data, or commercially sensitive information by foreign actors.
- Dependency Vulnerabilities: This refers to "political and/or economic coercion," such as the use of "vendor or technology lock-ins, embargos or sanctions, monopoly pricing." This category highlights how reliance on a single external provider can be leveraged to damage the financial interests or strategic autonomy of the Union and its Member States.
Why CADA Treats Dependency as a Strategic Risk
CADA treats cloud dependency as a strategic risk because it directly undermines the Union's capacity to act autonomously. As stated in Recital 46, the ability to "retain control over infrastructure, data, assets and technology systems under Union and national jurisdiction has become an imperative policy objective."
The proposal argues that existing EU legislation, while robust in specific areas, does not address the core sovereignty issues. For instance, the General Data Protection Regulation (GDPR) addresses data privacy, and the Data Act addresses switching costs and interoperability. However, Recital 48 notes that these instruments "do not contain elements to shape up a more competitive offer of European cloud computing services" or address the "extraterritorial reach of third-country laws."
Furthermore, Recital 48 observes that while providers have launched "tailored versions" of their services to address sovereignty concerns, these "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." Consequently, CADA introduces a harmonised "Union cloud computing sovereignty framework" (established in Article 16) to fill this gap. This framework is designed to mitigate dependency risks by establishing auditable criteria for trusted cloud services, ensuring that critical public functions are not reliant on infrastructure that could be compromised by foreign control.
The Mechanism: Risk Assessments and Assurance Levels
The primary tool for managing cloud dependency under CADA is the risk assessment mandated by Article 29. This article requires Member States and Union entities to carry out regular assessments to determine which public sector activities "contribute to the preservation of public order."
Article 29(1) specifies that these assessments must identify activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas such as "national security, internal security, external border management, defence, justice or law enforcement." The assessment must explicitly consider:
- The sensitivity, criticality, and magnitude of the data processed.
- The risk of unlawful access to data by a third country or legal entity established in a third country.
- The risk of service disruption.
If a risk assessment identifies a significant dependency risk, Article 30 triggers a procurement obligation. Article 30(3) states that contracting authorities whose activities contribute to the preservation of public order "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." This creates a direct regulatory link: identifying a strategic dependency risk necessitates the procurement of a sovereign service, effectively shielding critical public functions from high-risk external dependencies.
What this means for you
For public-sector bodies, Union entities, and procurement officers, the redefinition of cloud dependency under CADA requires a fundamental shift in strategy. You can no longer treat cloud procurement as a purely commercial decision based on price or performance.
1. Conduct Mandatory Risk Assessments
You are required to perform risk assessments under Article 29 to identify whether your activities contribute to the preservation of public order. These assessments must be conducted by the date of entry into force plus one year and updated every two years.
- Action: Map your cloud usage against the sectors listed in Article 29(1) (e.g., defence, justice, critical infrastructure).
- Focus: Evaluate not just data sensitivity, but the risk of misuse, espionage, and coercion as defined in Recital 50.
- Outcome: Determine the appropriate Union assurance level (2, 3, or 4) required for your specific activities.
2. Align Procurement with Sovereignty Levels
Once a risk assessment identifies a public-order-relevant activity, Article 30(3) mandates that you procure only services recognised at the required assurance level.
- Action: Verify that potential providers are listed in the central repository (Article 22) with the correct Union assurance level.
- Constraint: You cannot award a contract to a provider that does not meet the required level, even if they offer the lowest price, unless a specific derogation under Article 30(4) applies (e.g., no suitable service exists or disproportionate cost).
3. Plan for Migration and Transition
If your current provider does not meet the required assurance level, you must plan for migration. Article 29(6) provides a "reasonable transition period" which "shall not exceed 12 months."
- Action: Initiate migration planning immediately upon the entry into force of the regulation.
- Consideration: Ensure that the transition plan accounts for technical feasibility, continuity of service, and data portability to avoid service disruption during the switch.
4. Engage with National Competent Authorities
The recognition of cloud providers is managed by national competent authorities.
- Action: Engage early with your national authority to understand the specific recognition process and the status of potential providers.
- Resource: Utilise the central repository maintained by the Commission to identify compliant services.
Common misconceptions
"Cloud dependency is only about data privacy." This is incorrect. While data privacy is a factor, CADA's definition of dependency is much broader. As Recital 50 clarifies, the risks include misuse (sabotage, weaponisation), access to information (espionage), and dependency vulnerabilities (political coercion). A provider might be fully GDPR-compliant but still pose a high strategic risk if it is subject to third-country laws that could force service degradation or data exfiltration.
"Only EU-based providers can be compliant." CADA does not automatically exclude non-EU providers. Article 18 provides a mechanism for the Commission to recognise third countries as providing sufficient assurances for Union assurance level 3. This requires the third country to meet strict criteria, including having an adequacy decision under the GDPR and no measures enabling unauthorised access or service disruption. However, the bar is high, and most non-EU providers will likely struggle to meet the criteria for higher assurance levels without significant structural changes.
"Small public bodies are exempt from these rules." CADA applies to all contracting authorities, regardless of size. While the impact may be less severe for smaller bodies, the obligation to conduct risk assessments and procure based on assurance levels remains. However, Article 30(4) allows for derogations in exceptional circumstances, such as when no recognised service is available or if compliance would result in disproportionate cost. These derogations are narrow and must be duly justified.
"CADA replaces the AI Act." No. The AI Act regulates the safety and fundamental rights of AI systems. CADA regulates the infrastructure (cloud and data centres) upon which those systems run. As the Commission notes, the AI Act "does not cover aspects of sovereignty." An organisation deploying high-risk AI for law enforcement may need to comply with the AI Act for the system itself and CADA for the underlying cloud infrastructure.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.