Summary

The Cloud and AI Development Act (CADA) is a proposed EU regulation that aims to strengthen Europe's cloud and artificial-intelligence ecosystem. It was published by the European Commission as COM(2026) 502 final on 3 June 2026 and is still only a proposal, so nothing in it is in force yet. As proposed, CADA would do three big things: build up the EU's own computing capacity (notably data centres), create a common "sovereignty" standard for cloud services used by the public sector, and push public bodies towards European and open-source options. Article 1 of the proposal sets out this framework and two complementary goals: making the EU's cloud and AI sector more competitive, and making the single market more resilient and strategically autonomous.

Detail

The Cloud and AI Development Act is the European Commission's attempt to reduce the EU's growing dependence on a handful of non-European cloud providers and to secure the computing capacity Europe needs for the AI era. It was tabled as COM(2026) 502 final on 3 June 2026 under the legislative reference 2026/0138 (COD). It is a draft Regulation working its way through the ordinary legislative procedure, so its text, dates and obligations could still change before adoption.

What the law sets out to do

Under Article 1(1), CADA would establish "a framework for strengthening the cloud and AI ecosystem at Union level," built around five measures:

  1. Leadership initiatives — establishing the Cloud Leadership Initiative and the AI Leadership Initiative (together, the "Cloud and AI Leadership Initiatives") to support research, innovation and large-scale capacity building.
  2. Data centre deployment — setting a framework for the accelerated deployment of data centres across the Union.
  3. A sovereign cloud and AI offer — enabling the availability of a sovereign cloud and AI offer "to safeguard the Union's public order."
  4. Reducing dependencies — reducing dependencies on critical technologies.
  5. Public-sector adoption — fostering the adoption of cloud computing services across the public sector.

Article 1(2) and 1(3) then state two general objectives. The first is to ensure the conditions necessary for the competitiveness and innovation capacity of the Union's cloud and AI ecosystem. The second, described as "separate from and complementary to" the first, is to improve the functioning of the single market by laying down a uniform legal framework for increasing the Union's resilience and strategic autonomy in cloud and AI technologies.

The main building blocks

CADA is a large instrument. The parts most people will encounter are:

  • Union assurance levels (the sovereignty framework). As proposed, Article 16 would create a four-tier framework of "Union assurance levels" (1 to 4), with the detailed criteria set out in Annex II. The higher the level, the stronger the requirements around control of the service, data location and protection from third-country interference. Providers would apply to be recognised at a level through a national competent authority (Article 17).
  • Public-sector procurement rules. As proposed, contracting authorities would have to procure cloud services that meet at least Union assurance level 1 and, where a risk assessment shows the activity has public-order relevance, only services recognised at levels 2, 3 or 4 (Articles 29 and 30).
  • Data centre acceleration zones. Member States would designate zones where data centre projects benefit from streamlined permitting, including a 12-month limit on permit-granting and an aggregated baseline permit (Articles 10 to 13).
  • The EuroCloud Federation. A voluntary federation (Article 34) allowing Union entities and public-sector bodies to share data centre and cloud capacity.
  • Open source. Encouragement of open-source solutions and reuse of public-sector software, supported by an EU-level catalogue (Articles 41 to 43).

Why now?

The explanatory memorandum points to a structural problem: EU providers' share of the European cloud market fell from 29% in 2017 to 15% in 2022, while three non-EU hyperscalers now control over 70% of that market. The Commission frames this as a risk to economic security and operational autonomy, echoing the Draghi report on European competitiveness. CADA is the proposed response — combining supply-side support, demand-side procurement levers and a sovereignty standard.

What this means for you

For a general reader or a public-sector buyer trying to make sense of CADA, the practical takeaways are:

  • Nothing applies yet. CADA is a proposal. It would only become binding after the European Parliament and Council adopt it and it is published, and most obligations would apply one year after that (Article 48). There is time to prepare.
  • It is not a ban on non-EU providers. CADA does not outlaw any provider. It creates graded sovereignty levels and lets public buyers choose the level that matches the sensitivity of each activity.
  • Public bodies will need to classify their workloads. If adopted, public authorities would carry out risk assessments to decide which activities need higher assurance levels and which can run on level 1.
  • European and open-source options get a push. Procurement rules and the open-source measures are designed to give credible European alternatives a fairer chance, not to mandate any particular product.

If you procure or manage cloud services for a public body, the sensible first step is to map which of your services touch sensitive data or critical functions — that mapping is what will eventually drive your assurance-level obligations.

Common misconceptions

  • "CADA bans non-European cloud providers." No. It establishes graded assurance levels. Non-EU providers can still compete, though the highest levels carry strict control and third-country-access criteria that are hard for some providers to meet. Article 18 even sets out a route by which a third country could be recognised so that services controlled from it become eligible for level 3.
  • "CADA replaces the AI Act." No. The AI Act regulates AI systems themselves (their safety, transparency and fundamental-rights risks). CADA regulates the cloud and compute infrastructure, sovereignty and procurement around them. They are complementary, and CADA even borrows the AI Act's definition of an "AI system."
  • "Every public-sector cloud workload will need the highest sovereignty level." No. CADA takes a risk-based approach. Only activities with public-order relevance, as identified by a risk assessment, would require levels 2, 3 or 4; routine services can sit at level 1.
  • "CADA is already in force." No. It is a proposal dated 3 June 2026 and has not been adopted.

This is general information about a draft EU regulation, not legal advice.