Summary

"Technology sovereignty" describes a coordinated EU effort to reduce critical dependencies on third-country cloud and AI infrastructure while safeguarding operational autonomy and data control. The proposed Cloud and AI Development Act (CADA)—COM(2026) 502 final, presented on 3 June 2026—is its central legislative pillar: it would establish a harmonised sovereignty framework and accelerate domestic data-centre deployment. As proposed, CADA would require risk assessments for public-sector cloud procurement and create a four-tier assurance system to protect Union public order, supporting the strategic-autonomy goals set out in the Draghi report and the Digital Decade targets.

Detail

In the EU context, "technology sovereignty" is less about protectionism than about retaining control over digital infrastructure, data, and capabilities. CADA is the regulatory engine for this strategy, responding to dependence on a few non-EU hyperscalers that currently control over 70% of the European cloud market.

CADA at the core of the agenda

CADA, proposed by the European Commission on 3 June 2026, pursues a dual approach: supply-side measures to build domestic capacity and demand-side measures to drive adoption of trusted services.

1. The sovereignty framework (Title IV)

The cornerstone is a Union cloud computing sovereignty framework of four "Union assurance levels" (Article 16), with criteria set out in Annex II.

  • Level 1: provider established in the Union; infrastructure and assets in the Union; customer data remaining exclusively within the Union (unless the public sector body explicitly requires otherwise). Conformity is by self-assessment.
  • Levels 2–4: progressively stricter, adding independent third-party audits, a European cybersecurity certificate (at least "substantial" for levels 2 and 3, and "high" for level 4), and—at levels 3 and 4—Union citizenship for personnel involved in the service and a prohibition on third-country control of the provider and its subcontractors.

This lets public authorities match assurance to sensitivity. Article 29 would require Member States and Union entities to carry out risk assessments to determine which level (2, 3, or 4) is appropriate for activities contributing to the preservation of public order—such as national security, defence, justice, or NIS2-covered sectors. Article 30 would then require contracting authorities for those activities to procure only services recognised at the appropriate higher level; other public bodies would use at least level 1.

2. Accelerating domestic capacity (Title III)

To reduce reliance on foreign infrastructure, CADA aims to triple EU data-centre capacity within five to seven years. It would require Member States to designate "data centre acceleration zones" (Article 10) and facilitate permitting, with the permit-granting process for projects in those zones not exceeding 12 months from a complete application (Article 13). This targets the structural imbalance and concentration of capacity in a few hubs.

3. Strategic R&D (Title II)

CADA would establish the Cloud and AI Leadership Initiatives (Article 3) to support research and innovation in cutting-edge technologies, including frontier AI, physical and industrial AI, and open cloud-stack technologies, organised around "grand challenges" set out in Annex I.

Link to the Draghi report and the Digital Decade

CADA's urgency draws on Mario Draghi's report, The Future of European Competitiveness, which urges the EU to keep a foothold in areas requiring technological sovereignty, such as security and encryption ("sovereign cloud" solutions), to reduce critical external dependencies, and to expand domestic computational capacity. CADA operationalises these recommendations.

CADA also aligns with the Digital Decade Policy Programme 2030, which sets political targets—such as widespread enterprise cloud adoption—while CADA supplies concrete measures and leverages Digital Decade monitoring to ensure expanded capacity is deployed sustainably and securely.

Complementarity with EU cybersecurity rules

CADA does not operate alone.

  • Cybersecurity certification (EUCS / Regulation (EU) 2019/881): A European cybersecurity certification scheme for cloud services would provide the technical security baseline. CADA leverages it by requiring, at higher assurance levels, a certificate of at least "substantial" (levels 2–3) or "high" (level 4)—see Annex II. EUCS addresses technical security; CADA's framework adds the strategic-autonomy and data-governance layers.
  • Broader cybersecurity reform: Cybersecurity rules focus on the technical security of ICT supply chains and products and do not, by themselves, resolve sovereignty concerns about operational autonomy or third-country data access. CADA is designed to fill that gap.

What this means for you

For public-sector and procurement officers, CADA would reshape how cloud and AI services are sourced.

  1. Mandatory risk assessments. Under Article 29 you would carry out periodic risk assessments classifying your activities. Where activities contribute to the preservation of public order, you would be required to procure services meeting the appropriate higher assurance level (2, 3, or 4); otherwise, at least level 1 (Article 30).
  2. New award criteria. Article 32 ("Union added value") would require contracting authorities to include non-price award criteria in procurement of innovative cloud services and AI systems, letting you reward contributions to the European cloud and AI ecosystem—such as Union-designed or -manufactured hardware or Union-developed technologies. These criteria must be ancillary, not decisive.
  3. Reduced lock-in. The framework encourages multi-cloud strategies and open-source solutions; Article 41 promotes an "open source first" approach for public bodies. Article 29 also requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate.
  4. Audit readiness and the repository. Providers seeking levels 2–4 must pass independent audits (Article 20). As a buyer, you would rely on the central repository of recognised services (Article 22) to identify compliant providers and simplify due diligence.

Common misconceptions

  • "CADA bans non-EU cloud providers." It does not. It creates a tiered system. Non-EU providers can pursue Union assurance level 1 (self-assessed) and, where the Commission recognises their home country under Article 18, may be audited against the level 3 criteria. But for the most critical public-order activities, only providers meeting the strictest criteria (levels 3 and 4, including Union establishment, Union-citizen personnel, and no third-country control) would be eligible.
  • "Sovereignty is the same as cybersecurity." A service can be technically secure yet not sovereign. A US-based provider may have strong encryption but still be subject to extraterritorial laws like the US CLOUD Act. CADA addresses the sovereignty risk; EUCS and related rules address the technical security baseline.
  • "The framework applies to all private companies." The mandatory procurement requirements (Article 30) and risk assessments (Article 29) primarily target Union entities and public sector bodies. Private entities in NIS2 sectors may carry out similar impact assessments (Article 31), but the binding mandates focus on the public sector.

This is general information about a draft EU regulation, not legal advice.