Summary

As proposed, the Cloud and AI Development Act (CADA) introduces a mandatory sovereignty framework that existing EU laws do not cover. While current rules like the GDPR, Data Act, and NIS2 Directive protect data privacy, enable switching, and manage technical cybersecurity, they do not prevent third-country governments from accessing data or disrupting services. CADA fills this gap by establishing four "Union assurance levels" and requiring public sector bodies to procure cloud services based on these levels, ensuring operational autonomy and safeguarding public order.

Detail

To understand CADA, it helps to view it not as a replacement for existing digital laws, but as the missing sovereignty layer that sits on top of them. The EU already possesses a robust set of rules governing cloud computing, but these rules primarily address data protection, cybersecurity, and market fairness. They do not address sovereignty: specifically, who has the legal power to access your data and who can decide to shut down your service.

What Existing Rules Cover

Currently, the EU relies on several key instruments to regulate cloud services, each addressing a specific dimension of the digital ecosystem:

  • GDPR: Protects personal data privacy and restricts transfers to countries without adequate protection. However, as noted in the CADA explanatory memorandum, the GDPR "does not remove sovereignty concerns about dependence on third-country providers" and does not address operational autonomy. It focuses on the rights of the data subject, not the control of the infrastructure.
  • Data Act: Enables switching between data processing services and removes vendor lock-in. It ensures users can freely choose providers and combine offers in a multi-cloud approach. However, the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services" or ensure those services are sovereign. It facilitates movement but does not guarantee the destination is secure from foreign interference.
  • NIS2 Directive: Improves cybersecurity risk management for cloud providers and data centres. Its scope is technical: in the words of the explanatory memorandum, it is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations."
  • Cybersecurity Act (CSA2): Addresses supply chain risks and technical cybersecurity criteria. However, certification under this act "is not suited for addressing sovereignty concerns that go beyond these technical elements."

What CADA Adds: The Sovereignty Layer

As proposed in Article 1, CADA establishes a framework for strengthening the cloud and AI ecosystem, specifically by "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order."

The core addition is the Union Cloud Computing Sovereignty Framework. This framework introduces four "Union assurance levels" (detailed in Annex II of the proposal) that define criteria for trusted cloud services. These levels go beyond technical security to address three critical sovereignty risks:

  1. Data Access: Preventing unauthorized access to data by third-country authorities (e.g., via laws with extraterritorial effect like the US CLOUD Act).
  2. Operational Continuity: Preventing the disruption or degradation of service quality by third-country actors.
  3. Legal Control: Ensuring providers are not subject to the control of third countries in a way that undermines service delivery or forces compliance with foreign sanctions.

Under Article 29, Member States and Union entities must conduct risk assessments to determine which assurance level is appropriate for their activities. For example, activities contributing to public order in sectors like national security, defence, justice, or law enforcement may require higher assurance levels (Levels 2, 3, or 4) than standard administrative tasks (Level 1).

Article 30 then mandates that contracting authorities procure cloud services that meet the required assurance level. This transforms sovereignty from a voluntary best practice into a binding procurement requirement. For activities identified as contributing to public order, authorities "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

What this means for you

For public-sector procurement officers, CADA changes how you evaluate and select cloud providers. Previously, a provider might be considered "compliant" if they met GDPR standards and had strong cybersecurity certifications. Under CADA, that is no longer sufficient.

1. Mandatory Risk Assessments

You will need to conduct risk assessments for your public sector activities. These assessments must identify which activities contribute to the preservation of public order and determine the appropriate Union assurance level (1, 2, 3, or 4) for those activities. This is not a one-time task; Article 29 requires these assessments to be carried out by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. The assessment must consider the sensitivity of data, the risk of unlawful access by third countries, and the risk of service disruption.

2. Procurement Criteria Shift

Your procurement documents must specify the required Union assurance level. For example, if your risk assessment determines that your data processing is critical to public order, you must procure services recognized as offering Union assurance levels 2, 3, or 4. You cannot simply buy the cheapest or most technically advanced option if it does not meet the sovereignty criteria. Article 30 explicitly states that for public-order-relevant activities, lower assurance levels are insufficient.

3. Verification of Recognition

You must verify that providers are officially recognized as offering the required assurance level. Article 22 establishes a central repository of recognized services. Before awarding a contract, you should check this repository to ensure the provider's status is valid and up-to-date. The repository will be publicly available and regularly updated by the Commission and national competent authorities.

4. Transition Planning

If your risk assessment requires migrating to a different cloud service to meet a higher assurance level, Article 29 mandates migration within a reasonable transition period that shall not exceed 12 months. You should begin planning these transitions early to ensure continuity of service. The regulation acknowledges the need for a "reasonable transition period" taking into account technical feasibility and data portability.

Common misconceptions

Misconception 1: "GDPR compliance is enough for sovereignty." This is incorrect. GDPR protects personal data privacy but does not prevent a third-country government from compelling a cloud provider to hand over non-personal data or to disrupt service. As the CADA explanatory memorandum states, the GDPR "does not remove sovereignty concerns about dependence on third-country providers." CADA addresses these operational and legal sovereignty risks that GDPR leaves untouched.

Misconception 2: "CADA bans all non-EU cloud providers." CADA does not ban non-EU providers outright. However, it makes it very difficult for them to qualify for higher assurance levels. Article 18 allows the Commission to recognize third countries as providing sufficient assurances for Level 3, but this requires strict criteria, including adequacy decisions and guarantees against unauthorized access. For Level 4, providers must not be subject to third-country control.

Misconception 3: "Sovereignty is just about data location." While data localization is part of it (e.g., data must remain in the Union for higher levels), sovereignty is broader. It includes ensuring that personnel, infrastructure, and decision-making are not controlled by third countries. Annex II details criteria such as Union citizenship for personnel (conditional at Level 2, mandatory at Levels 3 and 4) and the absence of third-country control over the provider.

Misconception 4: "CADA replaces the AI Act." No. The AI Act regulates the safety and fundamental rights implications of AI systems. CADA focuses on the infrastructure (cloud) and sovereignty aspects. They are complementary; the AI Act ensures AI is safe, while CADA ensures the cloud running that AI is sovereign and resilient. The CADA explanatory memorandum explicitly notes that the AI Act "does not cover aspects of sovereignty."

This is general information about a draft EU regulation, not legal advice.