Summary
The AI Continent Action Plan (COM(2025) 165 final, 9 April 2025) is the EU's strategic roadmap for European AI leadership, built around a nexus of five domains: computing infrastructures, data, skills, the development and adoption of AI algorithms, and regulatory simplification. As proposed, the Cloud and AI Development Act (CADA) is a key legislative instrument to deliver the plan's infrastructure and sovereignty goals — providing the legal basis to accelerate data centre deployment, establish a cloud sovereignty framework, and steer public-sector procurement. Together they aim to reduce dependence on third-country providers and secure the compute the EU's AI ambitions require.
Detail
The AI Continent Action Plan, published by the European Commission on 9 April 2025 (COM(2025) 165 final), set a strategic roadmap to ensure European AI leadership. As the CADA explanatory memorandum describes, the plan is built around a nexus of five key domains that must be strengthened together: computing infrastructures, data, skills, the development and adoption of AI algorithms, and regulatory simplification.
CADA is designed to operationalise the infrastructure and regulatory pillars of that nexus. While the Action Plan sets direction, CADA would provide binding mechanisms. It addresses the "computing infrastructure" domain by establishing a harmonised framework for accelerated data centre deployment, aiming to triple EU capacity in the next five-to-seven years so that AI training and inference demand can be met within Europe. This complements the deployment of "AI factories" and "AI gigafactories" under the Action Plan, which aim to give European businesses and researchers broad access to high-capacity, next-generation compute.
The relationship is also defined by "regulatory simplification" and sovereignty. CADA responds by establishing a Union cloud computing sovereignty framework with four Union assurance levels, the criteria for which are set out in Annex II (Article 16). This lets public sector bodies procure cloud services meeting harmonised criteria for data residency, operational autonomy and protection against third-country control, preventing the single-market fragmentation that divergent national sovereignty rules could cause.
CADA also supports the "development and adoption of AI algorithms" domain by fostering an environment in which European providers can compete. Article 1 establishes the subject matter, including the Cloud and AI Leadership Initiatives (Article 1(1)(a)), which support research, innovation and large-scale capacity across the Union's cloud and AI ecosystem. On "skills" and adoption, Article 5 requires each Member State to establish Experience and Acceleration Centres for AI (Centres for AI), building on the European Digital Innovation Hubs, to accelerate uptake of cloud and AI technologies — including for SMEs, SMCs and public bodies.
What this means for you
For public-sector and procurement officers, the alignment of the Action Plan and CADA signals a change in how cloud and AI services are bought: procurement becomes part of a strategic autonomy objective.
1. Sovereignty risk assessments. Under Article 29, Member States and Union entities would carry out risk assessments to identify public sector activities that contribute to the preservation of public order — in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in areas such as national security, internal security, external border management, defence, justice or law enforcement — and to determine which Union assurance level (2, 3 or 4) is appropriate. You should begin mapping current cloud contracts against these emerging levels.
2. Procurement criteria shifts. Article 32 requires contracting authorities, in procurement of innovative cloud services and AI systems, to include "Union added value" non-price award criteria assessing the tenderer's contribution to a European cloud and AI ecosystem, including the use of software or hardware designed or manufactured in the Union. These criteria must be ancillary and not decisive (Article 32(2)), but they require a structured evaluation method.
3. Transition to compliant services. If your providers do not meet the required level, plan for migration. Article 29(6) provides that where a risk assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability. The central repository of recognised services (Article 22) would help you identify compliant providers.
4. Engage with Centres for AI. The national Centres for AI (Article 5) can provide expertise on AI integration, connect you with European providers, and support upskilling — helping deliver the plan's skills and adoption goals.
Common misconceptions
Misconception 1: CADA replaces the AI Act. The AI Act (Regulation (EU) 2024/1689) and CADA are complementary. The AI Act addresses the safety, fundamental-rights and transparency risks of AI systems; CADA, as proposed, addresses the underlying cloud infrastructure, data centre capacity and the sovereignty of the services hosting AI.
Misconception 2: All public-sector cloud procurement requires the highest sovereignty level. The framework is proportionate. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognised at Union assurance level 1. Only activities identified as contributing to public order (Article 30(3)) require levels 2, 3 or 4.
Misconception 3: The AI Continent Action Plan is legally binding. The Action Plan is a strategic communication (COM(2025) 165 final) setting policy goals. CADA is the legislative proposal (COM(2026) 502 final) that, if adopted, would create binding obligations on data centre deployment, sovereignty recognition and procurement.
Misconception 4: CADA only applies to EU-based providers. While CADA aims to strengthen European providers, it does not ban non-EU providers outright. Article 18 lets the Commission identify "associated third countries" whose providers may be audited against the criteria for Union assurance level 3, provided strict cumulative criteria are met (for example, an adequacy decision under the GDPR and no laws enabling conflicting third-country access). Higher assurance levels remain stringent for providers subject to third-country control.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Digital Decade Policy Programme (Decision (EU) 2022/2481)
This is general information about a draft EU regulation, not legal advice.