What is Gaia-X and how does it relate to CADA sovereignty?

Summary Gaia-X is a voluntary, industry-led initiative to build a federated European data infrastructure, but it carries no binding legal force. The proposed Cloud and AI Development Act (CADA) would supply the mandatory legal framework that Gaia-X lacks, replacing voluntary labels with four binding "Union assurance levels" (Article 16, with criteria in Annex II). Gaia-X focuses on technical interoperability and trust labels; as proposed, CADA would mandate specific sovereignty criteria for public procurement, making it the regulatory backbone for European digital autonomy. The two are complementary, not competing.

Detail

To understand the relationship, distinguish a voluntary industry ecosystem from binding legislation.

Gaia-X: the voluntary ecosystem

Gaia-X is an initiative to build a federated data infrastructure in Europe, connecting data spaces, cloud providers and users through technical standards, codes of conduct and trust labels. Its goal is to enable data sharing while preserving sovereignty, primarily through self-regulatory mechanisms and industry consensus. Because it is not legislation, participation is voluntary and its "sovereign" labels carry no legal weight in public procurement or regulatory compliance.

CADA: the binding legal framework

The Cloud and AI Development Act, proposed by the Commission on 3 June 2026 (COM(2026) 502 final), is a draft Regulation that would impose binding obligations on public sector bodies and certain private entities to address the EU's dependence on non-European cloud providers.

The core of CADA's sovereignty approach is Article 16, which would establish a "Union cloud computing sovereignty framework" comprising four "Union assurance levels" (1 through 4). The detailed, auditable criteria for each level are set out in Annex II of the proposal.

Key differences and relations:

1. From voluntary labels to mandatory tiers. Gaia-X uses trust labels to signal compliance with its codes of conduct. As proposed, CADA replaces this with legally defined assurance levels. Under Article 16(1), providers must meet the Annex II criteria to be recognised as offering a given level — and that recognition is effectively a precondition for serving the public sector.
2. Harmonised criteria vs. fragmented standards. A long-standing Gaia-X challenge has been the lack of uniform enforcement. CADA would harmonise sovereignty criteria EU-wide. Article 16(2) would empower the Commission to adopt delegated acts to amend the levels (and the evidence in Annex III), keeping them current while legally consistent across Member States.
3. Procurement mandates. Gaia-X cannot compel public authorities to buy specific services; CADA could. Article 30 would require public sector bodies to use services at least at Union assurance level 1, and — for activities identified as contributing to public order via risk assessments under Article 29 — only services at Levels 2, 3 or 4. This would create guaranteed demand for services that align with Gaia-X's technical ideals but are now legally recognised.
4. Audit and verification. Gaia-X relies largely on self-declaration and voluntary audits. CADA would introduce independent third-party audits for Levels 2, 3 and 4 (Article 20), with strict rules on auditor independence, competence and non-contingent fees — a layer of legal accountability the self-regulatory model lacks.

How they work together

Gaia-X and CADA are complementary. Gaia-X provides technical interoperability standards, data-space architectures and collaboration networks; CADA would provide the legal teeth. A provider can use Gaia-X frameworks, but to sell to the EU public sector under CADA it would have to go through formal recognition under Article 17 and meet the relevant Annex II criteria. In short: Gaia-X builds the road; CADA would set the traffic laws.

What this means for you

For CTOs, architects and SMEs, the relationship shifts the landscape from "best practice" to "legal requirement."

• For cloud providers: If you target the EU public sector, voluntary Gaia-X labels would not be sufficient. Prepare for the CADA recognition process — align your architecture with the Annex II criteria (data location, personnel requirements, supply-chain transparency) and prepare for independent audits at higher levels. Start mapping your current Gaia-X compliance to CADA's Annex II criteria now.
• For public sector buyers: Your procurement rules would change. You would conduct risk assessments (Article 29) to set the required level, and verify formal recognition in the central repository under Article 22 rather than relying on vendor claims or Gaia-X labels alone.
• For SMEs and start-ups: CADA aims to foster a competitive European market. While audits for Levels 2–4 are rigorous, Article 17(3) would let an SME's EU statement of conformity for Union assurance level 1 be directly and automatically recognised in all Member States, without prior national recognition — lowering the barrier to entry.
• For architects: Design for "sovereignty by design." Ensure data residency, supply-chain transparency and personnel controls can meet the strictest CADA criteria (Level 4) for defence or critical-infrastructure clients. Use Gaia-X standards for interoperability, but build your compliance framework around CADA's legal definitions.

Common misconceptions

• "Gaia-X is dead because of CADA." No. Gaia-X would remain the primary technical and collaborative framework for data spaces. CADA does not replace Gaia-X's technical standards; it would provide a legal mandate for services that meet sovereignty criteria to be procured. They are two sides of one coin: technical interoperability and legal sovereignty.
• "CADA's sovereignty levels are just Gaia-X labels with a legal stamp." Not quite. Gaia-X labels rest on industry codes of conduct; CADA's Union assurance levels would be defined by specific, legally binding criteria in Annex II, enforced by national competent authorities (Article 25) and independent auditors. The legal consequences of non-compliance under CADA (penalties, loss of recognition) do not exist in the Gaia-X framework.
• "Only large hyperscalers can comply with CADA." Incorrect. The proposal includes measures for SMEs: automatic recognition at Level 1 (Article 17(3)) and non-price "Union added value" award criteria in procurement (Article 32) are designed to help smaller EU providers compete.
• "CADA replaces the AI Act or GDPR." No. CADA would focus on cloud sovereignty, data-centre deployment and public procurement; it complements the AI Act (which regulates AI systems) and the GDPR (which regulates personal data). A service would need to comply with all three. CADA's sovereignty framework adds an operational-autonomy and supply-chain layer that neither the AI Act nor GDPR addresses.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)

Related

• What was Schrems II and how does it relate to cloud sovereignty under CADA?
• How does sovereignty relate to AI model and compute access?
• How does CADA's sovereignty framework relate to NIS2 and DORA?
• Why is cloud sovereignty important for critical infrastructure? CADA
• Why is sovereignty described as layered or nuanced in CADA?

This is general information about a draft EU regulation, not legal advice.