Cloud Sovereignty & Digital Decade 2030

Summary The proposed Cloud and AI Development Act (CADA) explicitly binds cloud sovereignty to the EU's Digital Decade 2030 targets. As proposed, CADA mandates that Member States align their national cloud and AI strategies with the Digital Decade's connectivity and capacity goals. It establishes a "Union cloud computing sovereignty framework" (Article 16) with four assurance levels, requiring public procurement to prioritize sovereign services for public-order activities. Simultaneously, it accelerates data centre deployment through "acceleration zones" to close the compute capacity gap, ensuring the physical infrastructure exists to meet the Digital Decade's ambition for 10,000 secure edge nodes and widespread AI adoption.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, positions cloud sovereignty not as an isolated security measure, but as the foundational infrastructure required to achieve the European Union's broader digital ambitions. The proposal recognizes that the Digital Decade Policy Programme 2030's targets for connectivity, edge computing, and AI adoption cannot be met if the underlying compute capacity is geographically concentrated, dependent on third-country providers, or vulnerable to extraterritorial interference.

The Digital Decade 2030 Context and CADA's Alignment

The Digital Decade Policy Programme 2030 sets out four cardinal points, including "secure and sustainable digital infrastructures" and the "digital transformation of businesses." Specific targets include the adoption of cloud computing services, big data, and AI by at least 75% of Union enterprises and the deployment of at least 10,000 climate-neutral, highly secure edge nodes in the Union.

CADA integrates these targets directly into its legal framework. Article 7(4) explicitly requires Member States to ensure that their national cloud and AI strategies "are consistent with, and contribute to, the associated digital targets established under Article 4 of Decision (EU) 2022/2481." While Recital 32 notes this alignment, the binding legal obligation is codified in Article 7. This ensures that national efforts to build sovereign cloud capacity are not siloed but are measured against the EU's broader economic and societal digitalization goals.

Furthermore, the proposal acknowledges the dynamic nature of these targets. Recital 44 states that "In accordance with the Digital Decade Policy Programme 2030, the Commission should also review the digital decade targets to reflect the technical, economic or societal developments and the evolution of the Union's priorities in that regard." This provision allows the sovereignty framework to evolve in tandem with the Digital Decade's ambitions, ensuring that compute capacity gaps are identified and addressed as demand shifts.

Sovereignty as a Driver for Capacity Build-Out

CADA addresses the EU's current "compute capacity deficit" and overreliance on third-country providers through a dual approach: supply-side acceleration of infrastructure and demand-side procurement rules.

Supply-Side: Data Centre Acceleration Zones To meet the Digital Decade's connectivity and capacity goals, CADA introduces "data centre acceleration zones" under Article 10. Member States are required to designate at least one such zone where data centre capacity is being deployed. These zones are designed to facilitate streamlined permitting processes; Article 13(5) sets a maximum of 12 months for the permit-granting procedure for comprehensive applications in these zones. This infrastructure build-out is essential for providing the low-latency, high-capacity compute resources required by the Digital Decade targets, particularly for AI-intensive applications and the deployment of edge nodes.

Demand-Side: The Union Cloud Computing Sovereignty Framework Article 16 establishes the Union cloud computing sovereignty framework, comprising four "Union assurance levels." These levels define the criteria for cloud services to be considered trustworthy and sovereign:

• Level 1: Basic establishment in the Union and data localization.
• Levels 2–4: Increasingly stringent requirements on personnel (conditional or mandatory Union citizenship), data localization, absence of third-country control, and cybersecurity certification.

The link to the Digital Decade is operationalized through public procurement rules. Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. Article 30 then mandates that:

1. Public sector bodies whose activities have not been identified as contributing to public order must use cloud services recognized at Union assurance level 1.
2. Contracting authorities whose activities are identified as contributing to public order (e.g., national security, justice, critical infrastructure) must only procure services recognized at Union assurance levels 2, 3, or 4.

This procurement mandate creates a guaranteed demand signal for European cloud providers. By forcing the public sector to shift away from non-EU hyperscalers for critical functions, CADA stimulates investment in domestic cloud infrastructure. This investment directly supports the Digital Decade's goal of increasing the EU's share of global installed computing capacity and reducing strategic dependencies.

Monitoring and Strategic Alignment

CADA establishes a mechanism for the Commission to monitor the "compute capacity available in the Union," the "volume of demand for data centre capacity," and the "size of the capacity gap" under Article 15. This monitoring is explicitly linked to the achievement of the objectives of Decision (EU) 2022/2481 (the Digital Decade decision). The Commission may use this data to recommend measures to address identified capacity gaps, ensuring that sovereignty efforts are geographically balanced and do not leave peripheral regions behind—a key concern for the Digital Decade's goal of reducing digital divides.

What this means for you

For public-sector procurement officers, legal teams, and IT strategists, CADA introduces a new layer of compliance that intersects with existing digital transformation mandates.

1. Mandatory Biennial Risk Assessments: You must conduct risk assessments under Article 29 to determine if your cloud usage impacts public order. Crucially, Article 29(1) requires these assessments to be carried out "thereafter every two years," not just once. If your activities involve critical infrastructure, national security, or justice, you are legally required to procure only from cloud providers recognized at Union assurance levels 2, 3, or 4.
2. Baseline Sovereignty for All: Even for non-critical public sector activities, you must procure cloud services recognized at Union assurance level 1. This means you can no longer default to non-EU providers without justification.
3. Alignment with National Strategies: Your procurement strategies must align with your Member State's national cloud and AI strategy, which itself must align with Digital Decade 2030 targets per Article 7(4). Ensure your IT roadmaps reflect these dual alignments.
4. Transition Periods: If a risk assessment requires migration to a sovereign cloud, you have a reasonable transition period (not exceeding 12 months) to migrate, considering technical feasibility and data portability (Article 29(6)).
5. Open Source and Interoperability: CADA encourages the use of open-source solutions (Article 41) and promotes the EuroCloud Federation (Article 34) for sharing capacity among public bodies. Leveraging these mechanisms can help meet Digital Decade targets for efficient resource use and reduced vendor lock-in.

Common misconceptions

• Misconception: CADA bans all non-EU cloud providers.
  • Reality: CADA does not ban non-EU providers outright. It establishes a sovereignty framework where non-EU providers can still compete, particularly for non-critical public sector work (Level 1) or if they meet strict criteria for Level 3 via associated third-country decisions (Article 18). However, for critical public order activities, only providers meeting Levels 2–4 (which effectively require substantial EU control and presence) can be procured.
• Misconception: Sovereignty and the Digital Decade are separate policy tracks.
  • Reality: The proposal explicitly links them. The Digital Decade targets for cloud adoption and edge node deployment cannot be met sustainably if the underlying infrastructure is controlled by third-country entities with extraterritorial reach. CADA treats sovereignty as a prerequisite for achieving the Digital Decade's resilience and autonomy goals.
• Misconception: Public sector bodies can ignore sovereignty if they have existing contracts.
  • Reality: While existing contracts may have transition periods, the risk assessment obligation (Article 29) is ongoing and biennial. If an activity is deemed to contribute to public order, the procurement rules (Article 30) apply. Failure to migrate to a recognized sovereign service within the transition period could constitute non-compliance.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What is open strategic autonomy in EU digital policy, and how does CADA reflect it?
• What does digital sovereignty mean under the CADA proposal?
• Is data localisation the same as digital sovereignty under CADA?
• How does open source support digital sovereignty under CADA?
• Why is cloud sovereignty important for critical infrastructure? CADA

This is general information about a draft EU regulation, not legal advice.