Summary The EU's tech sovereignty agenda is not a single law but a coordinated set of measures to secure Europe's digital autonomy, reduce dependence on third countries, and strengthen its industrial base. As proposed, the Cloud and AI Development Act (CADA) is the cloud-and-AI instrument in that agenda: it sits alongside measures such as the Chips Act, the Cybersecurity Act, and the Apply AI Strategy. For public-sector bodies, CADA would translate high-level sovereignty goals into binding procurement rules and a four-level cloud sovereignty framework. CADA is a proposal (COM(2026) 502 final) and is not yet in force.

Detail

"Tech sovereignty" in the EU refers to the capacity to act autonomously in the digital sphere — keeping control over critical infrastructure, data, and technological capabilities without being unduly exposed to third-country actors. As proposed, CADA is the legislative instrument that operationalises this for cloud and AI.

CADA as the cloud and AI pillar

CADA responds to the EU's pronounced dependence on a limited pool of non-EU cloud providers. The proposal's explanatory memorandum notes that three non-EU hyperscalers currently control over 70% of the European cloud market, and frames the resulting risks to operational continuity, data access under third-country laws, and the Union's strategic autonomy.

Under Article 1, CADA would establish "a framework for strengthening the cloud and AI ecosystem at Union level" through measures including:

  • establishing the Cloud Leadership Initiative and the AI Leadership Initiative (Article 1(1)(a));
  • setting a framework for the accelerated deployment of data centres across the Union (Article 1(1)(b));
  • enabling the availability of a sovereign cloud and AI offer to safeguard the Union's public order (Article 1(1)(c));
  • reducing dependencies on critical technologies (Article 1(1)(d));
  • fostering the adoption of cloud computing services across the public sector (Article 1(1)(e)).

Article 1 also sets two general objectives: ensuring the conditions for the competitiveness and innovation capacity of the Union's cloud and AI ecosystem (Article 1(2)), and improving the single market through a uniform legal framework for the Union's resilience and strategic autonomy (Article 1(3)).

Coordination with other sovereignty measures

CADA does not operate in a vacuum; it is designed to complement adjacent initiatives often grouped under the tech sovereignty label.

1. Semiconductors and the Chips Act. While CADA addresses cloud deployment and AI capabilities, the underlying hardware sits with EU semiconductor policy. The proposal's "grand challenges" (Article 6(2), as indicated in Annex I) include building end-to-end hardware and software cloud stacks, linking CADA's demand for European compute capacity to European semiconductor supply.

2. Cybersecurity. Sovereignty and cybersecurity are distinct but overlapping. EU cybersecurity rules focus on the technical trustworthiness of ICT products and services; CADA instead introduces a "Union cloud computing sovereignty framework" with four assurance levels (Article 16) addressing non-technical risks, such as a third country disrupting service continuity or compelling data access under extraterritorial law. A service can be technically secure yet not meet CADA's higher sovereignty levels.

3. The Apply AI Strategy. This strategy sets out actions to boost AI adoption across industry and the public sector. CADA underpins those goals with measures to support cloud and AI development and deployment, increase access to compute capacity, and build trust.

Digital autonomy and reducing critical dependencies

The core driver is digital autonomy. The proposal highlights that limited Union data-centre capacity and dependence on third-country providers pose risks to economic security and strategic autonomy. By establishing a harmonised sovereignty framework, CADA aims to ensure European users have credible European alternatives.

Under Article 16, the sovereignty framework comprises four Union assurance levels, with the criteria set out in Annex II, that providers must meet to serve Union entities and public sector bodies. Public bodies would conduct risk assessments to determine the appropriate level: activities contributing to the preservation of public order — for example in NIS2 sectors, national security, defence, or law enforcement — may require the higher levels. This mechanism reduces critical dependencies by steering sensitive workloads towards services meeting strict criteria.

What this means for you

For public-sector procurement officers, CADA would move cloud and AI sourcing beyond purely technical and financial criteria to include sovereignty and autonomy as core requirements.

1. Mandatory risk assessments (Article 29). Member States and Union entities would carry out risk assessments to identify which public-sector activities using cloud services contribute to the preservation of public order, and to determine the appropriate Union assurance level (2, 3 or 4). Assessments must consider at least the sensitivity, criticality and magnitude of the data, the risk of unlawful access by a third country, and the risk of service disruption.

2. Procurement obligations (Article 30). Bodies whose activities are not identified as contributing to public order must use services recognised at Union assurance level 1 (Article 30(2)); contracting authorities whose activities are so identified must procure only services recognised at level 2, 3 or 4 (Article 30(3)). Limited, duly justified derogations are available (Article 30(4)). You can no longer simply choose the cheapest option; the service must be recognised at the relevant level.

3. Union added value (Article 32). For innovative cloud and AI procurements, contracting authorities must include, within the quality evaluation, non-price "Union added value" criteria — for example, the extent to which the tenderer strengthens the EU digital supply chain, integrates Union-developed technologies, and uses hardware designed or manufactured in the Union. These criteria must be linked to the subject matter and remain "ancillary and not decisive" (Article 32(2)).

4. Open source and the EuroCloud Federation. The proposal promotes open-source "open source first" (Article 41) and establishes the European public sector cloud federation ("EuroCloud Federation") (Article 34), through which public bodies may share idle capacity and services. Software that public bodies make available for reuse under an open source licence must be shared via a catalogue connected to the EU Open Source Solutions Catalogue (Article 42), which the Commission maintains under Article 43.

Common misconceptions

Misconception 1: CADA is the same as the EU's cybersecurity rules. Both aim to secure the digital ecosystem, but they address different risks. Cybersecurity law focuses on technical vulnerabilities and product trustworthiness; CADA focuses on sovereignty, operational autonomy, and third-country interference. A service can be technically secure yet not meet CADA's higher assurance levels.

Misconception 2: CADA bans all non-EU cloud providers. No. It creates a tiered system. Non-EU providers may still be recognised at Union assurance level 1 and, where the Commission identifies an "associated third country" meeting the cumulative criteria, may be audited against the criteria for Union assurance level 3 (Article 18). But for public-order activities, only services at the higher levels may be procured, which limits non-compliant providers in those segments.

Misconception 3: The "tech sovereignty package" is a single law. There is no single "Tech Sovereignty Act." It is a label for a collection of complementary measures — including CADA — each with its own legal basis, scope, and enforcement mechanisms.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.