Summary
The proposed Cloud and AI Development Act (CADA) is designed to complement, not duplicate, existing EU digital legislation. As proposed, CADA would address specific gaps in sovereignty, computing capacity, and public-sector resilience that instruments like the GDPR, AI Act, NIS2, and Data Act do not fully cover. While the GDPR and AI Act focus on data protection and system safety, CADA would introduce a sovereignty framework for public procurement and a regime for accelerated data centre deployment. Compliance officers should prepare for new risk assessments, sovereignty audits, and procurement criteria that would sit alongside their existing regulatory obligations.
Detail
The Cloud and AI Development Act (CADA) is a legislative proposal (COM(2026) 502 final) aimed at strengthening Europe's cloud and AI ecosystem. A core feature of CADA is its relationship with the broader EU digital regulatory framework. The proposal positions itself as consistent with and complementary to existing laws, filling structural gaps rather than creating overlapping burdens. Understanding these interactions is critical for in-house counsel managing multi-layered compliance landscapes.
1. CADA and the Data Act: Enabling Sovereignty Through Switching
The Data Act (Regulation (EU) 2023/2854) focuses on fair access to data, interoperability, and switching between data processing services. As stated in the explanatory memorandum, the Data Act is an "enabler" for the proposal by removing vendor lock-in so that users can freely choose providers. However, the memorandum notes the Data Act does not, on its own, shape up a more competitive offer of European cloud services. As proposed, CADA would fill this gap with supply-side measures to boost domestic capabilities and demand-side measures to drive adoption. While the Data Act ensures technical portability, CADA would target strategic autonomy.
2. CADA and the Digital Markets Act (DMA): Fairness vs. Sovereignty
The DMA regulates gatekeepers to ensure a fair and contestable market. As of the proposal, no cloud computing service provider had been designated as a gatekeeper for its cloud services, though on 18 November 2025 the Commission opened three market investigations on cloud computing services under the DMA. CADA and the DMA operate at different levels. The DMA targets the behaviours of designated gatekeepers, whereas CADA would focus on the uptake and use of services to strengthen technological sovereignty. The explanatory memorandum states the DMA "does not contain measures that would actively promote the uptake of sovereign cloud computing services." For providers, this means complying with DMA fairness obligations while potentially also seeking recognition under CADA's sovereignty framework to win public-sector contracts.
3. CADA and the AI Act: Safety vs. Sovereignty
The AI Act (Regulation (EU) 2024/1689) harmonises rules for AI systems based on risk, focusing on health, safety, and fundamental rights. The memorandum states it "does not cover aspects of sovereignty." As proposed, CADA would complement the AI Act by addressing the infrastructure and supply-chain dependencies that underpin AI deployment. While the AI Act regulates the system, CADA would regulate the cloud environment in which the system runs. For example, an AI system may meet the AI Act's high-risk requirements, but the cloud service hosting it may need to meet a higher Union assurance level under CADA if used by a public authority for public-order activities. The two regimes are distinct but concurrent; an entity may be a provider under the AI Act and a cloud computing service provider under CADA simultaneously.
4. CADA and NIS2 / the Cybersecurity Act: Technical Security vs. Sovereignty
NIS2 (Directive (EU) 2022/2555) and the Cybersecurity Act focus on technical cybersecurity and supply-chain risks. As proposed, CADA would go further by addressing sovereignty risks, which include operational autonomy and protection against extraterritorial legal access (e.g., laws like the US CLOUD Act). The memorandum notes that while NIS2 improves cybersecurity risk management, it "does not contain measures to boost the uptake and use of such services" and is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." The proposal also notes that the European Cybersecurity Certification Scheme for Cloud Services (EUCS) has not yet been adopted, but that once finalised it could be leveraged within the sovereign cloud framework to show a service meets the highest cybersecurity standards. CADA would add layers regarding data localisation, personnel controls, and freedom from third-country control on top of that.
5. CADA and GDPR: Data Protection vs. Strategic Autonomy
The GDPR protects personal data. As proposed, CADA would protect public order and strategic autonomy. The memorandum states the proposal is consistent with existing rules on the processing of personal data, including the GDPR, but addresses risks the GDPR does not, such as operational discontinuity and dependence on third-country providers. CADA's Union assurance levels (Article 16) would set criteria on operational autonomy and control that go beyond the GDPR's transfer mechanisms. The memorandum also notes the proposal complements the EU-US Data Privacy Framework, because sovereignty "goes beyond data transfers and relates to operational autonomy too."
6. CADA and DORA / Financial-Sector Law
The Digital Operational Resilience Act (DORA) shapes compliance obligations for cloud providers serving financial entities. The memorandum notes DORA has a sectoral scope specific to the financial sector. CADA would have a broader horizontal scope but specifically addresses public-sector procurement. For financial entities that are also public-sector bodies, both regimes could apply. CADA's risk assessments for public order may influence the cloud services chosen by public financial institutions, overlapping with DORA's operational-resilience requirements.
7. CADA and the Chips Act
The proposal needs to be read in conjunction with the review of the Chips Act, which the memorandum frames as promoting investment in advanced semiconductors and increasing supply-chain resilience. As proposed, CADA's Cloud and AI Leadership Initiatives would foster co-design of hardware and software and integration of Union-based technologies, creating a loop where CADA drives demand for European hardware and the Chips Act supports supply.
8. CADA and the Public Procurement Directives
As proposed, CADA would supplement the Public Procurement Directives by providing sector-specific criteria. The memorandum states the horizontal acquis does not adequately address the many layers of cloud sovereignty. Under Article 32, contracting authorities would apply "Union added value" award criteria, such as the use of hardware designed or manufactured in the Union, and under Article 30 would have to meet minimum assurance levels for cloud services.
What this means for you
For in-house counsel and compliance officers, CADA would introduce a new compliance layer that intersects with existing duties.
- Dual Compliance Mapping: Map your cloud and AI services against both the AI Act (for the AI system) and CADA (for the cloud infrastructure). A compliant AI system would not guarantee a compliant cloud environment for public-sector clients.
- Sovereignty Risk Assessments: Under Article 29, Member States and Union entities would have to conduct risk assessments to determine the required Union assurance level (2, 3, or 4) for public-order activities. This is distinct from GDPR Data Protection Impact Assessments, though they may share data inputs.
- Procurement Strategy: Review procurement templates. Article 32 would require "Union added value" criteria in tenders for innovative cloud and AI; ensure your vendor evaluation can assess and score such criteria, for example the origin of hardware and software components.
- Audit Readiness: For providers aiming for Union assurance levels 2-4, prepare for independent third-party audits (Article 20). These would assess evidence of freedom from third-country control, data localisation, and personnel controls under Annex II.
- Deadlines: As proposed, Member States and Union entities would carry out initial risk assessments no later than one year after entry into force (Article 29). Plan your internal readiness assessments accordingly.
Common misconceptions
- Misconception: "CADA replaces the GDPR for cloud services."
- Reality: As proposed, CADA would not replace the GDPR. It would add sovereignty and operational-resilience requirements on top of data-protection obligations. Both would apply concurrently.
- Misconception: "Only public-sector bodies are affected by CADA."
- Reality: While the procurement rules in Article 30 target public bodies and Union entities, the sovereignty framework affects cloud providers wishing to serve the public sector. Under Article 31, certain private entities in high-criticality sectors may carry out similar assessments, and the Commission could make such assessments mandatory by delegated act.
- Misconception: "CADA is just about cybersecurity."
- Reality: As proposed, CADA would address sovereignty, including legal and operational risks beyond technical cybersecurity, such as extraterritorial data-access laws and vendor lock-in.
- Misconception: "The AI Act covers cloud infrastructure sovereignty."
- Reality: The AI Act focuses on the AI system's risk to health, safety, and rights. The memorandum states it does not cover aspects of sovereignty, which would be the focus of CADA's cloud framework.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.