What is strategic autonomy and how does CADA support it?

Summary As proposed, the Cloud and AI Development Act (CADA) would operationalise the EU's goal of strategic autonomy by establishing a harmonised sovereignty framework for cloud services, accelerating domestic data centre deployment, and enabling joint public procurement. CADA would not impose blanket data localisation or ban non-EU providers; instead, it introduces risk-based assurance levels that let public authorities mitigate dependencies on third-country jurisdictions while keeping the internal market open. CADA is a proposal and not yet in force.

Detail

Defining strategic autonomy in the EU context Strategic autonomy (in broader policy debate, "open strategic autonomy") is the EU's capacity to act independently and shape its own course in a changing global landscape. In the digital sector it means reducing critical dependencies on non-European technologies and providers that could jeopardise the Union's security, economic resilience or fundamental rights. It is not about autarky or closing borders, but about ensuring the EU has the capabilities, alternatives and leverage to make sovereign choices without being held hostage by external actors.

The proposed CADA is a central instrument designed to advance this autonomy. Recital 4 links the initiative to reducing dependencies, stating that "[r]einforcing the Union's capacity to develop and deploy cloud and AI technologies within its territory has become a strategic priority for the Union's competitiveness, security of supply and technological sovereignty, as highlighted in the report by Mario Draghi on the future of European competitiveness."

CADA, as proposed, would translate this political objective into concrete regulatory mechanisms across three pillars: a sovereignty assurance framework, infrastructure acceleration, and demand-side procurement measures.

1. A harmonised sovereignty framework (Article 16) The core of CADA's autonomy mechanism is the Union cloud computing sovereignty framework established in Article 16. It defines four "Union assurance levels" (1 to 4) that cloud computing services would have to meet to be considered trusted for public-sector use, with criteria in Annex II.

• Risk-based approach: rather than banning specific countries or companies, CADA would use risk assessments. Member States and Union entities would assess which level is required for specific public-sector activities (Article 29), based on the sensitivity, criticality and magnitude of the data, the risk of unlawful third-country access, and the risk of service disruption (Article 29(2)).
• Tiered assurance:
  • Level 1: the provider established in the Union, with infrastructure and customer data located in the Union unless the public body explicitly requires otherwise — a baseline of control.
  • Levels 2-4: stricter requirements, including (at levels 3 and 4) Union-citizen personnel, European cybersecurity certification, and prohibitions on third-country control that could enable unauthorised access or service disruption.
• Cooperation with trusted partners: Article 18 would let the Commission designate associated third countries by implementing act, so that providers under that country's control could be audited for level 3 — but only where the country meets cumulative criteria, including a relevant adequacy decision under the GDPR and the absence of measures enabling control that conflicts with EU lawful-access rules or that could disrupt service. This keeps the framework open to trusted partners while protecting core interests.

2. Accelerating domestic infrastructure (Articles 10-14) Strategic autonomy needs physical infrastructure. The proposal notes a compute capacity gap that pushes enterprises to route workloads through foreign hyperscalers. CADA would address this by:

• Data centre acceleration zones (Article 10): Member States would designate zones where data centre deployment is facilitated through streamlined permitting and grid-connection processes.
• Strategic projects (Article 14): the Commission could designate data centre projects as strategic where they contribute to objectives such as security, sustainability or closing capacity shortages.
• Sustainability: deployments would have to meet high energy-efficiency standards, so autonomy does not come at the cost of environmental goals.

3. Demand-side measures and procurement (Articles 29-33) Supply-side measures alone are insufficient, so CADA would also shape public demand:

• Procurement standards: public authorities would procure services meeting at least Union assurance level 1; for public-order activities (such as defence, justice or law enforcement), only levels 2, 3 or 4 (Article 30).
• Union added value (Article 32): contracting authorities would include non-price award criteria evaluating how a tender contributes to a European cloud and AI ecosystem and digital supply chain, such as the use of hardware designed or manufactured in the Union.
• Common procurement (Article 37): the Commission could act as a central purchasing body for participating contracting authorities, using collective buying power to negotiate better terms and reduce fragmentation.

Openness vs protection A defining feature of CADA's approach is that it would not close the market. Recital 64 states that the "Union maintains an open and non-discriminatory framework for market access, in accordance with the TFEU and subject to international commitments." The framework anticipates multi-cloud strategies (Recital 65) and recognises that autonomy can be pursued through cooperation with trusted third countries (Article 18), provided robust safeguards are in place.

What this means for you

For public-sector procurement officers and legal teams, CADA as proposed would add a new mandatory layer of due diligence in cloud and AI procurement.

• Conduct risk assessments: you would perform risk assessments (Article 29) to gauge data sensitivity and service criticality, which would dictate whether a level 1, 2, 3 or 4 service is required.
• Update procurement documents: your tenders would need to require the relevant Union assurance level and to include Union added value criteria (Article 32). Note that, as proposed, these criteria must remain ancillary and not decisive in the award; recital 67 suggests contracting authorities "could consider a maximum weighting of 15 out of 120 points" for European added value within the overall evaluation methodology.
• Verify recognition: check that the provider is listed in the central repository of recognised services (Article 22). Procuring a non-recognised service for activities that require recognition would breach the regulation.
• Plan for migration: if your current provider does not meet the required level, you would have to migrate within a reasonable transition period not exceeding 12 months (Article 29(6)).
• Consider common procurement: participating in Commission-led common procurement (Article 37) could give access to pre-negotiated contracts and greater bargaining power.

Common misconceptions

• "CADA bans US or Chinese cloud providers."
  • No. CADA would not ban providers by nationality; it targets risks. A non-EU provider could be audited for level 3 if its home country is designated by the Commission under Article 18 (requiring, among other things, a relevant GDPR adequacy decision and the absence of laws enabling intrusive control). The focus is on legal and operational safeguards, not origin alone.
• "Strategic autonomy means all data must stay in the EU."
  • Not quite. Level 1 and above require data to remain in the Union unless the public body explicitly requires otherwise; the goal is control and protection rather than absolute localisation for its own sake.
• "CADA replaces the AI Act or GDPR."
  • No. CADA would complement them. The AI Act governs the risks of AI systems and the GDPR governs personal-data protection; CADA addresses sovereignty and operational-continuity risks in the cloud and AI supply chain.
• "Only large hyperscalers can comply."
  • No. The framework is meant to foster a diverse European ecosystem. EU statements of conformity issued by SMEs at level 1 would be recognised automatically across Member States without prior recognition (Article 17(3)), and recital 68 records the aspiration for Member States to award at least 25% of relevant cloud and AI innovation-procurement procedures to SMEs.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What is open strategic autonomy in EU digital policy, and how does CADA reflect it?
• Why does CADA call cloud dependence a strategic dependency?
• Cloud Sovereignty & Digital Decade 2030: How CADA Links Capacity to Autonomy
• What is technological autonomy in the EU cloud and AI strategy (CADA)?
• What is operational autonomy and why can't a foreign provider guarantee it under CADA?

This is general information about a draft EU regulation, not legal advice.