Summary As proposed, the Cloud and AI Development Act (CADA) is justified on subsidiarity grounds because, in the Commission's view, Member States acting alone cannot adequately address the EU's limited and geographically concentrated computing capacity or its dependence on third-country cloud providers. The explanatory memorandum argues that EU action delivers added value by enabling coherent, geographically balanced data centre deployment, avoiding a "race to the bottom," reducing regulatory complexity, and correcting market failures of imperfect information around sovereign cloud services. The proposal rests on Articles 114 and 173(3) TFEU.

Detail

The subsidiarity case for CADA is that the proposal's objectives — strengthening the EU's cloud and AI ecosystem and reducing external dependencies — cannot be sufficiently achieved by Member States acting individually. The explanatory memorandum sets this out under "Legal basis, subsidiarity and proportionality," resting on three main threads: coherent capacity planning, prevention of cross-border fragmentation, and correction of market failures around trust and sovereignty.

1. Limited and concentrated computing capacity The proposal identifies that EU computing capacity is "limited and geographically concentrated." It argues that a common approach to accelerating data centre deployment enables coherent planning and deployment of capacity in a geographically balanced way, "while avoiding a race to the bottom and reducing regulatory complexity for investors and data centre operators." EU-level action is said to ensure that all businesses and public administrations can access sufficient compute capacity — described as a prerequisite for Europe to become an "AI continent."

2. Cross-border fragmentation and sovereignty standards A core component of CADA is the Union cloud computing sovereignty framework, which would set harmonised criteria for trusted cloud computing services. The memorandum notes that, while some Member States have developed national approaches to identifying sovereign services, these do not adequately address cross-border issues. Divergent national procurement practices and inconsistent sovereignty criteria hinder providers from operating seamlessly across the Union. The proposal argues that EU action "delivers benefits that exceed what Member States could achieve individually, especially in addressing the underlying market failures of imperfect information," improving the internal market and enabling providers to "grow beyond their national markets."

3. Legal basis and strategic autonomy The proposal rests on a cumulative legal basis of Articles 114 and 173(3) of the Treaty on the Functioning of the European Union (TFEU). Article 114 TFEU underpins measures to improve the functioning of the internal market through harmonisation, levelling the playing field for cloud providers. Article 173(3) TFEU underpins measures to enhance the Union's industrial competitiveness and innovation capacity; the proposal argues the current compute shortage constrains European industry and that EU-level intervention is needed to strengthen technological leadership.

The proposal stresses that dependence on non-European cloud providers is a Union-wide challenge affecting businesses and public administrations in all Member States, and that European providers struggle to scale across the EU because of differing national trustworthiness standards, particularly in public procurement. EU action is presented as uniquely able to ensure that investment and acceleration policies reflect collective priorities and avoid fragmentation.

What this means for you

For in-house counsel and compliance officers, the subsidiarity reasoning signals the regulatory direction of travel.

  • Uniform standards over national patchworks: The argument points toward uniform EU-wide standards for cloud sovereignty and data centre deployment. Compliance strategies should anticipate a harmonised framework rather than a set of divergent national rules, particularly in public procurement, where the proposal would require contracting authorities to procure services meeting specific Union assurance levels.
  • Sustainability and permitting: The proposal aims to streamline data centre deployment (its "acceleration" measures) and harmonise sustainability expectations. Organisations planning data centre projects should monitor the emerging EU-wide criteria.
  • Market access and scaling: For providers, removing fragmented national trustworthiness standards is presented as an opportunity. Assess your offerings against the proposed Union assurance levels 1–4 to identify gaps ahead of any recognition process.
  • Risk assessments: As proposed, public-sector bodies and Union entities would carry out risk assessments to determine the appropriate Union assurance level for their activities (Article 29). Legal and compliance functions should expect to be involved in those assessments.

Common misconceptions

  • Misconception 1: CADA replaces national data centre or cloud strategies.

    • Clarification: As proposed, CADA would not replace national strategies but would require them to be consistent with the Regulation's objectives (Article 7). Member States would retain responsibility for matters such as spatial planning and local permitting within the EU framework.

  • Misconception 2: Subsidiarity means the EU is taking over all cloud governance.

    • Clarification: The subsidiarity case is specific to areas where national action is said to be insufficient — cross-border fragmentation and strategic dependencies. The proposal also invokes proportionality, presenting its measures as the least intrusive means of addressing the identified failures, and frames CADA as complementing existing law such as the GDPR and the AI Act rather than replacing it.

  • Misconception 3: National sovereignty frameworks are sufficient.

    • Clarification: The proposal states that national measures do not adequately address cross-border issues and risk fragmenting the internal market, arguing that a single EU-wide framework is needed for consistent protection of public order and for European providers to compete effectively.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.