Summary
Under the proposed Cloud and AI Development Act (CADA), your obligations depend on your role: cloud computing service provider, public-sector contracting authority, private entity in a critical (NIS2) sector, or data centre operator. As proposed, CADA would enter into force 20 days after publication and apply one year later (Article 48), establishing a sovereignty framework for public cloud procurement and an accelerated framework for data centre deployment. Providers must decide whether they need Union assurance level recognition; public buyers must run risk assessments to set the required sovereignty tier. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.
Detail
CADA is a wide-ranging proposal to strengthen the EU's cloud and AI ecosystem by boosting capacity, simplifying data centre deployment, and ensuring sovereignty in public cloud procurement. To work out whether and how it applies to you, first identify your role, because obligations are tiered.
1. Identify your role and map to key provisions
Cloud computing service providers
If you provide a cloud computing service, you are a "cloud computing service provider" (Article 2(2), referring to the NIS2 definition). Your core obligations sit in the Union cloud computing sovereignty framework (Title IV).
- Recognition: To supply Union entities and public sector bodies, you must obtain recognition for a Union assurance level (1, 2, 3 or 4) from your national competent authority of establishment (Article 17).
- Level 1: A conformity self-assessment and an EU statement of conformity (Article 19). For SMEs, the Level 1 statement is automatically recognised in all Member States (Article 17(3)).
- Levels 2-4: An independent third-party audit, with an audit report and a "positive" audit opinion (Article 20), assessed against the Annex II criteria.
- Transparency: You must notify the auditing organisation and the national competent authority of any material change that may affect the audit opinion or recognition (Article 23).
Public-sector contracting authorities
If you procure cloud services, demand-side rules apply.
- Risk assessments: Member States and Union entities must run risk assessments identifying which public-sector activities contribute to the preservation of public order and which assurance level (2, 3 or 4) is appropriate (Article 29).
- Procurement: For activities not identified as preserving public order, you must use a service recognised at Level 1 (Article 30(2)). For activities that are so identified — in the NIS2 sectors and areas such as defence, justice or law enforcement — you must procure only services recognised at Levels 2, 3 or 4 (Article 30(3)).
- Union added value: In procurements for innovative cloud services and AI systems, you must include non-price award criteria assessing the tenderer's contribution to a European cloud and AI ecosystem (for example, EU-designed or EU-manufactured hardware), kept ancillary and not decisive (Article 32).
Private-sector entities (NIS2 entities)
If you are an entity listed in Annex I of the NIS2 Directive (Directive (EU) 2022/2555) but not a public body, you fall outside the Article 30 procurement rules but have a parallel track.
- Impact assessments: You "may" carry out assessments similar to the Article 29 risk assessment (Article 31(1)).
- Commission action: The Commission may issue methodology guidance (Article 31(2)) and, where duly justified for entities in sectors of high criticality, may adopt delegated acts requiring an impact assessment and risk-mitigation measures (Article 31(3)).
Data centre operators
Your obligations focus on deployment and sustainability (Title III).
- Acceleration zones: Member States deploying data centre capacity must designate at least one "data centre acceleration zone" by six months after entry into force (Article 10), within which permitting is streamlined (Article 13).
- Sustainability: Conditions within acceleration zones include sustainability requirements (Article 11).
- Strategic projects: Large projects may seek designation as "data centre strategic projects" through the mechanism in Article 14.
2. Key dates
Under Article 48, as proposed, CADA would enter into force on the 20th day after publication in the Official Journal and would apply from one year after entry into force.
- National strategies: Member States adopt national cloud and AI strategies within one year of entry into force (Article 7).
- Risk assessments: Member States and Union entities carry out initial risk assessments within one year of entry into force, then every two years (Article 29(1)).
- Competent authorities: Member States designate national competent authorities within one year of entry into force (Article 25(1)).
- Acceleration zones: Designated within six months of entry into force (Article 10(1)).
3. Penalties and enforcement
Member States must lay down penalties for infringements of the sovereignty Chapter by providers; they must be "effective, proportionate and dissuasive" (Article 24(1)). When setting penalties, authorities take into account factors including the nature, gravity, scale and duration of the infringement, previous infringements, financial benefit gained, and the provider's annual Union turnover (Article 24(2)). Recipients of cloud services also have a right to seek compensation for damage caused by a provider's infringement of its obligations under that Chapter (Article 24(3)).
What this means for you
For in-house counsel and compliance officers, the first step is to map your current cloud stack against the proposed Union assurance levels.
- Providers: Prepare for the conformity route. To supply the EU public sector you must be ready to self-assess for Level 1 or undergo a third-party audit for Levels 2-4. Align your subcontractor transparency and data localisation with the Annex II criteria, and review your software supply chain for third-country control, which Levels 2-4 scrutinise closely.
- Public buyers: Initiate the Article 29 risk assessment. Identify workloads touching national security, justice or critical infrastructure — these are likely to require Level 2, 3 or 4, which may mean migrating away from providers that cannot meet those criteria. Update procurement templates to include the Article 32 Union added value criteria.
- Data centre operators: Engage with national authorities on acceleration zones, prepare sustainability reporting, and assess whether large projects qualify as strategic projects under Article 14.
Common misconceptions
- "CADA replaces the GDPR." No. CADA would complement existing data-protection law; the GDPR's third-country transfer rules remain fully applicable. CADA adds a sovereignty layer focused on operational autonomy and public order.
- "Only EU-based providers can comply." Level 1 requires establishment in the Union, but the higher levels turn on third-country control. Under Article 18, the Commission may recognise an "associated third country" whose controlled providers may then be audited at Level 3, subject to strict cumulative criteria (including a GDPR adequacy decision and reciprocal market access). This is a high bar, and many non-EU providers would struggle to meet Levels 3 or 4, where third-country control is prohibited (with no derogation at Level 4).
- "Private companies are exempt." Private companies are not bound by the Article 30 procurement rules, but NIS2 entities may run impact assessments under Article 31, and the Commission may, by delegated act, require them in high-criticality sectors (Article 31(3)). Public-sector demand may also drive private demand for sovereign services.
This is general information about a draft EU regulation, not legal advice.