CADA vs the AI Act

Summary The EU AI Act and the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) play distinct but complementary roles. The AI Act (Regulation (EU) 2024/1689) is a product-safety and fundamental-rights regulation governing how AI systems are placed on the market and used. CADA, as proposed, governs the underlying cloud infrastructure, compute capacity, and sovereignty of cloud services. Put simply: the AI Act regulates how AI is built and used; CADA would regulate where the computing power and data reside, and how resilient that supply chain is. CADA remains a proposal and is not yet in force.

Detail

To understand the difference, distinguish between regulating a technology's behaviour (the AI Act) and regulating the infrastructure that powers it (CADA). Both aim to strengthen the EU's digital sovereignty and competitiveness, but they rest on different legal bases, target different actors, and impose different obligations.

1. Core objectives and legal basis

The AI Act (Regulation (EU) 2024/1689) The AI Act is a risk-based framework ensuring AI systems placed on the Union market or put into service are safe, transparent, and respect fundamental rights. Its legal basis is Articles 114 and 16 TFEU. It prohibits certain AI practices (under Article 5, e.g. social scoring and certain biometric categorisation) and imposes obligations on "high-risk" AI systems (classified under Article 6 and Annexes I and III). Importantly, the AI Act does not cover sovereignty, cloud-infrastructure location, or provider ownership — a gap CADA is designed to fill.

CADA (COM(2026) 502 final) CADA is a proposal for a regulation to strengthen Europe's cloud and AI ecosystem. Its legal basis is cumulative: Article 114 TFEU (internal market) and Article 173(3) TFEU (industrial competitiveness). As proposed, Article 1 sets out measures including the accelerated deployment of data centres, "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order," reducing dependencies on critical technologies, and fostering public-sector adoption of cloud services. Its goals would be to increase compute capacity, support sustainable data-centre deployment, and make cloud supply chains more resilient.

2. Scope and target actors

AI Act scope The AI Act applies to providers, deployers, importers, and distributors of AI systems, and to providers of general-purpose AI (GPAI) models (Articles 51–56), including those with systemic risk. Key actors are AI developers, companies integrating AI into products, and entities using AI systems. It excludes AI used purely for military, defence, or national-security purposes, and purely personal, non-professional use.

CADA scope CADA, as proposed, targets the cloud and data-centre sector. Its actors include cloud computing service providers, data-centre operators, Member States, Union entities, and contracting authorities (public buyers). A central mechanism would be the "Union cloud computing sovereignty framework" (Article 16), comprising four Union assurance levels (1–4), with criteria set out in Annex II. Recognition would come via conformity self-assessment for level 1 (Article 19) or independent third-party audit for levels 2–4 (Article 20).

3. Compliance obligations and penalties

AI Act obligations Compliance centres on risk-management systems, data governance, technical documentation, logging, transparency, and human oversight. Under Article 99, fines reach up to €35 million or 7% of total worldwide annual turnover for breaching the Article 5 prohibitions, and up to €15 million or 3% for most other infringements.

CADA obligations (as proposed)

• Data centres: Member States would designate "data centre acceleration zones" (Article 10) with streamlined permitting not exceeding 12 months from a comprehensive application (Article 13), plus sustainability requirements and single information points.
• Cloud sovereignty: Providers serving public-sector bodies would need recognition at a Union assurance level — self-assessment for level 1, independent audit for levels 2–4.
• Penalties: Under Article 24, Member States would lay down effective, proportionate, and dissuasive penalties for infringements of the sovereignty chapter by cloud providers. Recipients of cloud services would also have the right to seek compensation for damage caused by a provider's infringement.

4. Complementary nature

The two instruments are designed to work together. The CADA explanatory memorandum states that the proposal "reinforces key objectives of the AI Act," and notes that the AI Act "does not cover aspects of sovereignty." So while the AI Act ensures an AI system is safe and rights-respecting, CADA would help ensure the cloud infrastructure hosting it is sovereign and resilient. A public authority running a high-risk AI system (regulated by the AI Act) would, as proposed, procure it on a cloud service meeting the relevant CADA assurance level.

What this means for you

For in-house counsel and compliance officers, the distinction implies two parallel tracks:

1. AI Act track (in force): Classify your AI systems (prohibited, high-risk, limited, or minimal risk). Implement risk-management, data-governance, and transparency measures. Note Article 99 fines up to 7% of global turnover for the most serious breaches.
2. CADA track (proposed): Evaluate your cloud and data-centre dependencies. If you are a cloud provider, prepare for the assurance framework, including audits for levels 2–4. If you are a public-sector body, plan the Article 29 risk assessments that would set the required assurance level. If you operate data centres, watch for acceleration-zone permitting and sustainability requirements.

Timelines to watch:

• AI Act: Entered into force 1 August 2024; Article 5 prohibitions apply from 2 February 2025; GPAI rules from 2 August 2025; most high-risk obligations and governance from 2 August 2026.
• CADA: As a proposal, no dates are fixed. The text uses placeholders such as one year from entry into force for Member States to designate national competent authorities (Article 25) and conduct first risk assessments (Article 29), and six months to designate acceleration zones (Article 10).

Common misconceptions

• "CADA replaces the AI Act for cloud services." Incorrect. CADA would not regulate AI systems themselves, only the cloud services hosting them. An AI system must comply with the AI Act regardless of its cloud provider's assurance status.
• "The AI Act covers data sovereignty." Incorrect. The CADA memorandum is explicit that the AI Act "does not cover aspects of sovereignty." CADA, as proposed, fills that gap through assurance levels based on EU establishment, data residency, control, and personnel criteria (Annex II).
• "Only public-sector bodies are affected by CADA." Incorrect. While the binding procurement rules target public buyers, CADA's acceleration-zone rules and the provider recognition framework would directly affect private cloud providers and data-centre operators.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Why was the Cloud and AI Development Act (CADA) proposed?
• Who does the Cloud and AI Development Act (CADA) apply to?
• Where can I read the official text of the Cloud and AI Development Act (CADA)?
• When was the Cloud and AI Development Act (CADA) proposed?
• When must Member States act under CADA? Key deadlines

This is general information about a draft EU regulation, not legal advice.