Summary As proposed in the Cloud and AI Development Act (CADA), digital economic coercion is the strategic risk that third-country actors exploit the EU's dependence on foreign cloud infrastructure for political or economic leverage — through embargoes, sanctions, monopoly pricing or service disruption that damage Union interests. CADA would reduce that leverage by establishing a sovereignty framework with four Union assurance levels (Article 16), mandating risk assessments for public-sector use (Article 29), tying procurement to those levels (Article 30), and promoting European cloud alternatives.

Detail

The proposed Cloud and AI Development Act (CADA), put forward by the European Commission on 3 June 2026, identifies the Union's reliance on a limited number of third-country cloud providers as a critical vulnerability. The proposal links this technical dependence to geopolitical and economic risk, treating coercion not merely as a market problem but as a threat to public order and strategic autonomy.

Defining digital economic coercion under CADA

CADA does not set out a single dictionary definition of "economic coercion." Instead, Recital 50 describes it operationally within the context of cloud dependencies. Among the risks arising from critical dependence on providers under third-country control, it lists:

  • Dependency vulnerabilities: "political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States" (Recital 50).
  • Access to information: access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, or espionage.
  • Misuse: manipulation, remote access and control, sabotage, or weaponisation.

Recital 46 stresses that these risks are not theoretical: large incumbents are often subject to third-country jurisdictions whose laws have extraterritorial effects that may conflict with EU fundamental rights and data-protection frameworks, exposing European users to operational discontinuity from unilateral third-country decisions.

How cloud dependence enables coercion

The leverage described in CADA flows from the asymmetry created by market concentration and technical lock-in. Three non-EU hyperscalers control over 70% of the European cloud market, while the EU providers' share fell from 29% in 2017 to 15% in 2022 (explanatory memorandum). As proposed, this concentration can be exploited in several ways:

  1. Embargoes and sanctions: a provider compelled by its home state could restrict or deny services to EU entities, potentially halting digital operations of public bodies or critical-infrastructure operators.
  2. Monopoly pricing: with limited alternatives, dominant providers could impose pricing that damages the Union's financial interests — acute for public bodies with fixed budgets.
  3. Technology lock-ins: proprietary architectures make switching costly, reducing EU customers' bargaining power and increasing exposure to unilateral changes in terms or access.

CADA's response: reducing leverage through sovereignty

CADA would mitigate coercion by reducing the underlying dependence that enables it.

1. The Union cloud computing sovereignty framework (Article 16). Article 16 would establish a framework of four Union assurance levels, with criteria set out in Annex II, that providers must meet to serve Union entities and public-sector bodies.

  • Union assurance level 1 would require establishment in the Union, infrastructure and assets in the Union, and customer data (including metadata and telemetry) remaining exclusively within the Union unless the public-sector body requires otherwise, plus transparency around subcontractors and state-of-the-art cybersecurity (Annex II, 1.1).
  • Union assurance levels 2, 3 and 4 would add stricter requirements, including independent third-party audits, European cybersecurity certification (where available), restrictions on third-country control, and — from level 3 — Union citizenship of personnel. At level 4, the provider and subcontractors must not be subject to third-country control, and data identified as sensitive via risk assessment must remain exclusively in the Union (Annex II, 4.1).

2. Risk assessments and procurement obligations (Articles 29 and 30). Member States and Union entities would conduct risk assessments to identify activities contributing to the preservation of public order (Article 29). Activities not so identified would use level 1 (Article 30(2)); activities contributing to public order — in sectors covered by the NIS2 Directive or in national security, internal security, border management, defence, justice or law enforcement — would be procured at level 2, 3 or 4 (Article 30(3)).

3. Promoting European alternatives. CADA would boost European supply through the Cloud and AI Leadership Initiatives (Title II) and the European public sector cloud federation ("EuroCloud Federation," Article 34), which would facilitate the sharing of public-sector data-centre and cloud services among Union entities and public-sector bodies. A more competitive European market is intended to dilute incumbents' leverage.

4. Associated third countries (Article 18). CADA recognises that some third countries may offer sufficient assurances. Article 18 would let the Commission identify third countries whose providers may be audited against the criteria for Union assurance level 3, provided the country meets cumulative criteria — including a GDPR adequacy decision, no measures enabling control that conflicts with lawful access to non-personal data, and no measures to compel service degradation or disruption or to oblige the provider to apply sanctions or embargoes.

What this means for you

For public-sector and procurement officers, CADA would change how cloud services are evaluated: sovereignty and resilience against coercion would join technical specification and price as decision criteria.

  • Conduct risk assessments. Under Article 29, you would assess and regularly update which activities contribute to the preservation of public order and the appropriate Union assurance level. Assessments would be repeated at least every two years, or whenever necessary.
  • Align procurement with assurance levels. For public-order activities you would procure services recognised at level 2, 3 or 4, verifying that providers have undergone independent audits and hold a valid recognition decision (Articles 17 and 20).
  • Evaluate coercion risk. Weigh a provider's exposure to third-country laws that could lead to embargoes, sanctions or monopoly pricing; the assurance levels give you a structured way to do so.
  • Plan for transition. Where migration is required, Article 29(6) allows a reasonable transition period not exceeding 12 months. Article 29(9) also requires you to consider whether a multi-cloud strategy is appropriate.
  • Consider the EuroCloud Federation. Participating (Article 34) can let you share data-centre and cloud services with other public bodies, pooling resources and reducing reliance on external commercial providers.

Common misconceptions

  • "CADA bans all non-EU cloud providers." As proposed, it does not. It recognises services by their assurance level; non-EU providers can still serve the market, and Article 18 even allows recognition of qualifying third countries for level 3.
  • "Economic coercion only means state-sponsored hacking." CADA specifically highlights coercion through market mechanisms — embargoes, sanctions and monopoly pricing — alongside misuse and unauthorised access. The risk is not just data theft but service disruption and financial pressure.
  • "Level 1 is enough for all public-sector activity." Level 1 is the minimum, but levels 2, 3 or 4 would be mandatory for activities contributing to the preservation of public order (Article 30(3)).
  • "CADA replaces the GDPR." It complements it. The GDPR protects personal data; CADA targets the sovereignty and resilience of cloud infrastructure, including operational continuity and third-country control.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.