Summary

As proposed, the Cloud and AI Development Act (CADA) adopts a comprehensive, integrated policy option that combines supply-side measures to boost domestic computing capacity with demand-side measures to reduce dependence on third-country cloud providers. This approach is delivered through a single EU-level Regulation to ensure internal-market coherence, prevent regulatory fragmentation, and address structural bottlenecks that national action alone cannot resolve. CADA is a proposal and not yet in force.

Detail

The European Commission's proposal for CADA (COM(2026) 502 final) represents a shift toward an integrated, ecosystem-wide regulatory framework. The preferred policy option, supported by the accompanying impact assessment, does not treat the EU's cloud and AI challenges in isolation. Instead, it merges two primary problem drivers into a single legislative instrument: the shortage of domestic computing capacity and the strategic dependence on non-European cloud service providers.

Combining capacity and dependence measures

The proposal links the need to increase compute capacity with the necessity of reducing external dependencies. As the explanatory memorandum notes, the EU's limited data-centre capacity forces European enterprises to route critical workloads through foreign hyperscaler infrastructure, deepening dependence on third-country providers — three non-EU hyperscalers control over 70% of the European cloud market, while EU providers' share fell from 29% in 2017 to 15% in 2022 and has remained stagnant. The preferred option therefore takes a dual-track approach:

  1. Supply-side capacity building: Title III provides for the accelerated deployment of data centres across the Union, including the obligation to designate "data centre acceleration zones" (Article 10), conditions within those zones (Article 11), single information points to streamline permitting (Article 12), and a mechanism to designate "data centre strategic projects" (Article 14). As proposed, the wider objective is to triple EU data-centre capacity within five to seven years, with growth that is sustainable and energy-efficient.
  2. Demand-side sovereignty and autonomy: Title IV introduces a "Union cloud computing sovereignty framework" (Article 16) comprising four assurance levels, with criteria in Annex II. This lets public sector bodies and Union entities procure cloud services based on verified levels of sovereignty, data confidentiality and operational autonomy. By mandating risk assessments (Article 29) and requiring specific assurance levels for public-order activities (Article 30), the proposal would create guaranteed demand for sovereign European cloud services.

The rationale is that addressing only one of these issues would be ineffective: increasing capacity without fostering sovereign demand could simply expand the market share of non-EU providers, while promoting sovereignty without expanding domestic capacity would leave buyers with no viable European alternative. The preferred option is thus intended to create a virtuous cycle — accelerated infrastructure deployment provides the physical basis for sovereign services, while sovereignty mandates drive the investment needed to build that infrastructure.

Rationale for EU-level implementation

The proposal is structured as a Regulation, ensuring direct applicability and uniform application across Member States. The memorandum justifies EU-level intervention under Articles 114 and 173(3) TFEU, citing two main rationales:

  • Preventing market fragmentation: Current national approaches to data-centre deployment vary significantly in permitting timelines, sustainability requirements and sovereignty criteria. As proposed, a harmonised EU framework would remove these disparities, reducing compliance costs and enabling cross-border scaling by European providers.
  • Addressing systemic market failures: Dependence on non-EU providers is driven by structural market failures and imperfect information that individual Member States cannot resolve alone. EU-level action is intended to enable a coordinated response and to leverage collective purchasing power through mechanisms such as the EuroCloud Federation (Article 34) and common procurement frameworks (Articles 37 onward), strengthening the Union's bargaining position and managing strategic dependencies consistently.

Coherence with existing legislation

As proposed, the preferred option complements rather than duplicates existing EU legislation. It aligns with the Data Act's provisions on portability and switching, the AI Act's rules on trustworthy AI, and the Digital Markets Act's oversight of gatekeepers, while filling specific gaps — binding sovereignty criteria, accelerated permitting for critical infrastructure, and demand-side procurement rules — that other instruments do not address.

What this means for you

For in-house counsel and compliance officers, the integrated nature of CADA's preferred policy option signals a multi-layered compliance landscape that, once the Regulation applies, would require coordinated action across IT, procurement and legal functions.

  • Procurement strategy: Public sector bodies and Union entities would conduct mandatory risk assessments (Article 29) to determine the appropriate Union assurance level for their cloud services. Map your current cloud contracts against these levels and prepare for possible migrations to sovereign providers, particularly for activities contributing to public order (Article 30). Private entities in sectors of high criticality (Annex I to the NIS2 Directive) may carry out similar impact assessments (Article 31).
  • Infrastructure compliance: If your organisation operates or plans data centres, prepare for the designation of acceleration zones and associated sustainability requirements, including the key performance indicators referenced via Commission Delegated Regulation (EU) 2024/1364 (Article 11), and engagement with single information points (Article 12).
  • Audit and certification readiness: Providers seeking recognition at Union assurance levels 2, 3 or 4 would undergo independent third-party audits (Article 20). Review cloud service agreements for audit rights, data-location clauses, and transparency on subcontractors and third-country control; failure to meet the criteria could mean exclusion from public procurement.
  • Timeline awareness: CADA is a proposal, but as drafted national strategies would have to be established within one year of entry into force (Article 7), and the first risk assessments within one year as well (Article 29). Monitor the legislative procedure and begin internal gap analyses so you are ready once the Regulation is adopted and applies.

Common misconceptions

  • Misconception: CADA is just another cybersecurity law.
    • Reality: While CADA references cybersecurity standards (such as a future European Cybersecurity Certification Scheme for Cloud Services), its core focus is technological sovereignty, operational autonomy and market structure. It addresses non-technical risks such as vendor lock-in, third-country data-access laws and supply-chain dependencies that go beyond traditional cybersecurity.
  • Misconception: Only public sector entities are affected by the sovereignty framework.
    • Reality: The mandatory procurement rules (Article 30) apply to contracting authorities and Union entities, while the sovereignty framework and audit requirements (Articles 16–24) apply to cloud computing service providers seeking recognition. Private entities in high-criticality sectors (NIS2 Annex I) may conduct similar impact assessments (Article 31), and public-procurement standards often influence private-sector practice.
  • Misconception: National measures are sufficient to address cloud dependencies.
    • Reality: The memorandum rejects national-only approaches due to the risk of fragmentation and the inability of individual Member States to counterbalance the scale of global hyperscalers. As proposed, an EU-level Regulation is intended to create a unified market for sovereign cloud services so European providers can scale and compete.

This is general information about a draft EU regulation, not legal advice.