Summary

As proposed, the Cloud and AI Development Act (CADA) is an EU Regulation — directly applicable and binding in its entirety across all Member States, and marked "(Text with EEA relevance)." Its reach extends beyond EU borders through a sovereignty framework that addresses cloud services controlled from third countries, with risk assessments and procurement restrictions for the public sector that apply regardless of where a provider is headquartered. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.

Detail

The territorial scope of CADA is shaped by its instrument type, its EEA relevance, and its functional reach into third-country jurisdictions via the sovereignty and supply-chain criteria.

Direct applicability and EEA relevance

As proposed, CADA is a Regulation of the European Parliament and of the Council. Under Article 48, it states: "This Regulation shall be binding in its entirety and directly applicable in all Member States." That establishes a uniform baseline across the EU, with no need for national transposition.

The proposal is also marked "(Text with EEA relevance)." This signals that, following the usual procedure for such regulations, the EEA states (Norway, Iceland and Liechtenstein) would be expected to incorporate it into the EEA Agreement, extending its scope to the wider European Economic Area.

Addressing third-country control

A key element of CADA's reach is how it handles providers that are not established in the Union but deliver or control services from outside it. The proposal recognises the EU's dependence on providers subject to third-country control, and responds with a Union cloud computing sovereignty framework (Article 16).

The framework does not ban third-country providers outright but subjects them to scrutiny based on their control structures. As proposed, Article 18 would allow the Commission, by implementing act, to identify "associated third countries" whose providers may be audited against the Union assurance level 3 criteria, provided cumulative conditions are met — including a GDPR adequacy decision and the absence of measures enabling control that conflicts with EU law.

For providers seeking the higher assurance levels, Annex II sets out stringent criteria addressing third-country control — for example, demonstrating that third-country control is not exercised in a way that restricts service delivery, prevents access to customer data, or enables service disruption.

Procurement and public-sector reach

The territorial impact is felt most acutely in public procurement. Under Article 30, contracting authorities whose activities contribute to the preservation of public order (in NIS2 critical sectors and areas such as national security, defence, or justice) would only procure cloud services recognised at Union assurance level 2, 3, or 4 (Article 30(3)). In effect, a third-country provider that cannot meet the sovereignty criteria — for example because of extraterritorial laws such as the US CLOUD Act — would be excluded from these contracts, regardless of technical merit.

Entry into force and application

Under Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal and would apply one year later — a transition window for Member States to designate national competent authorities and for providers to align with the framework.

What this means for you

For in-house counsel and compliance officers, CADA's territorial scope calls for a Union-wide and internationally aware compliance strategy rather than a purely national one.

  1. Uniform compliance strategy. Because CADA would be directly applicable (Article 48), you cannot rely on divergent national interpretations; your programme should meet the common EU standard across all Member States where you operate.
  2. Third-country risk assessment. If your organisation controls cloud services from outside the EU, map your governance and data-access protocols against Annex II. You would need to show that foreign laws do not compel access to EU customer data or service disruption; failing that would likely disqualify you from Levels 2, 3 and 4 and bar you from the relevant public contracts (Article 30).
  3. Procurement readiness. Public buyers would carry out risk assessments (Article 29) to set the required assurance level. Prepare evidence packages mapping your architecture to the Union assurance criteria.
  4. Use the transition period. With a one-year application delay from entry into force, use the window to restructure data flows and update vendor contracts so subcontractors also meet the sovereignty requirements.

Common misconceptions

  • "CADA only applies to EU-based companies." Incorrect. While the framework encourages European capacity, it bears on any provider offering services to Union entities and public bodies. Third-country providers can participate but must meet the same sovereignty criteria, including demonstrating resilience against extraterritorial access.
  • "A GDPR adequacy decision is sufficient for CADA compliance." Incorrect. While a GDPR adequacy decision is one of the cumulative conditions for the Commission to identify an associated third country under Article 18 (relevant to Level 3), it is not sufficient on its own. Providers must also meet the technical and operational criteria on service continuity, data localisation and personnel, which go beyond data-protection safeguards.
  • "CADA creates a new national licensing regime." Incorrect. As a Regulation, CADA would be directly applicable. Member States would designate national competent authorities (Article 25), but the rules are harmonised at EU level — one EU-wide sovereignty framework rather than 27 national cloud laws.

This is general information about a draft EU regulation, not legal advice.