Summary

The proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) is accompanied by a Commission impact assessment that received a positive opinion (with a request for improvements) from the Regulatory Scrutiny Board on 8 May 2026. The proposal addresses two distinct problems: too little computing capacity in the EU, and excessive dependence on a few non-EU cloud providers. As set out in the proposal, the Commission's chosen approach pairs an incentive-based, harmonised route to data-centre deployment (acceleration zones and faster permitting) with a risk-based sovereignty framework for public-sector procurement (four Union assurance levels), rather than imposing binding national capacity targets or a blanket sovereign-cloud mandate. The detailed comparison of options sits in the impact assessment rather than in the legal text; this answer describes the approach the proposal actually adopts.

Detail

The proposal responds to the EU's dependence on third-country cloud providers and a shortage of domestic computing capacity. Its two general objectives, set out in Article 1, are (1) to ensure the conditions for the competitiveness and innovation capacity of the Union's cloud and AI ecosystem, and (2), separately and complementarily, to improve the single market by increasing the Union's resilience and strategic autonomy in cloud and AI. The accompanying impact assessment compared policy options against these objectives; the proposal reflects the Commission's preferred combination. (The full option-by-option analysis is in the impact assessment document, not the regulation; the article numbers below refer to the proposal as adopted.)

Problem 1: increasing computing capacity

The first strand addresses the shortage of EU data-centre capacity. The proposal's stated ambition is to "triple EU capacity in the next five-to-seven years and reach the needed capacity by 2035," with balanced geographic deployment and without a "race to the bottom" on sustainability. The Legislative Financial and Digital Statement frames this as Specific objective No 1: "by 2030, the EU should at least triple its current data centre capacity," with an intermediate objective so that by 2035 capacity meets needs.

Rather than mandating binding national capacity targets, the proposal takes an incentive-and-harmonisation route:

  • Acceleration zones (Article 10): Member States deploying data-centre capacity must designate at least one zone, weighing grid capacity, connectivity, brownfield reuse, waste-heat reuse and sustainability.
  • Single information points (Article 12) to assist operators with authorisations, with particular attention to SMEs.
  • Facilitated permitting (Article 13): the permit-granting procedure for projects in acceleration zones "shall not exceed 12 months" from a complete application (Article 13(5)), with an aggregated baseline permit at zone level.
  • Strategic projects (Article 14): the Commission may designate data-centre projects meeting at least two listed criteria (e.g. supporting essential public-sector functions, highly sustainable or innovative features, contributing to grid stability, integrating EU-made chips, or addressing a compute shortage identified under Article 15).
  • Sustainability tie-in (Article 11(1)): zone sustainability requirements must use the key performance indicators in Delegated Regulation (EU) 2024/1364 pursuant to the Energy Efficiency Directive.

Problem 2: reducing dependence on non-EU providers

The second strand addresses the strategic risk of relying on providers subject to third-country jurisdiction, which may enable extraterritorial data access or service disruption. Rather than a blanket sovereign-cloud mandate for all public procurement, the proposal adopts a risk-based sovereignty framework:

  • Union assurance levels (Article 16): four cumulative levels, with criteria in Annex II, from a self-assessed level 1 to an independently audited level 4.
  • Recognition and audit (Articles 17, 19–20): a level-1 EU statement of conformity, and independent audits with a "positive" audit opinion for levels 2–4.
  • Risk assessments (Article 29): by one year after entry into force, and every two years thereafter, Member States and Union entities must assess which public-sector activities contribute to the preservation of public order.
  • Procurement obligations (Article 30): contracting authorities whose activities are not identified as public-order-relevant must use at least level 1 (Article 30(2)); those whose activities are public-order-relevant — in NIS2 sectors, or in national security, internal security, border management, defence, justice or law enforcement — must procure only services recognised at levels 2, 3 or 4 (Article 30(3)). Limited derogations apply (Article 30(4)).
  • Associated third countries (Article 18): the framework is not a blanket exclusion of foreign-controlled providers; the Commission may designate third countries whose providers can be audited for level 3 where cumulative conditions are met (e.g. a relevant GDPR adequacy decision; no measures compelling access, service disruption or sanctions enforcement; reciprocal market access).

This calibration reflects the proposal's stated proportionality: most public services would not require the highest levels of assurance, with the higher levels reserved for cases where they are necessary and proportionate to preserve public order.

Supplementary measures

The proposal also includes the European public sector cloud federation ("EuroCloud Federation," Article 34) to let public bodies share data-centre and cloud capacity, common procurement carried out by the Commission (Article 37), and measures to encourage open source (Article 41) to reduce lock-in and strengthen technological autonomy.

What this means for you

For in-house counsel and compliance officers, the chosen approach translates into concrete obligations for public-sector entities and providers targeting the public market.

  • Public-sector risk assessments (Article 29): required within one year of entry into force and every two years thereafter; their outcome determines the assurance level needed.
  • Procurement obligations (Article 30): at least level 1 generally; levels 2–4 for public-order activities; derogations only in the exceptional, justified circumstances in Article 30(4).
  • Provider recognition (Articles 17, 19–20): a self-assessment and EU statement of conformity for level 1; independent third-party audit and a positive audit opinion for levels 2–4. Providers must report material changes affecting their level (Article 23).
  • Penalties (Article 24): Member States must lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty chapter, and the proposal addresses compensation for recipients harmed by provider infringements.
  • Deadlines: acceleration zones within six months (Article 10), national competent authorities within one year (Article 25), and national strategies within one year (Article 7) of entry into force.

Common misconceptions

  • "CADA bans non-EU cloud providers." No. The proposal does not ban them. Non-EU-linked providers may pursue lower assurance levels by meeting the relevant criteria, and the Commission may designate associated third countries for level 3 under Article 18. For the most sensitive public-order activities, however, the level 3 and 4 criteria largely exclude providers under coercive third-country control.
  • "All public-sector cloud procurement must be sovereign." No. Only activities identified as contributing to public order must use levels 2, 3 or 4 (Article 30(3)); other public-sector activities must use at least level 1 (Article 30(2)).
  • "CADA replaces the AI Act." No. They are distinct and complementary: the AI Act regulates AI systems' safety and fundamental-rights implications, while CADA addresses cloud and AI capacity, sovereignty and procurement.

This is general information about a draft EU regulation, not legal advice.