Summary
The evidence base behind the Cloud and AI Development Act (CADA) identifies three core problem drivers undermining the EU's digital autonomy: a shortage of geographically balanced compute capacity, an overreliance on a small number of non-EU cloud providers, and regulatory fragmentation across Member States. The proposal responds with a mixed approach that combines supply-side capacity building (the Cloud and AI Leadership Initiatives and accelerated data centre deployment) with demand-side sovereignty rules (the Union assurance levels and risk-based procurement). For in-house counsel, this means preparing for mandatory risk assessments, new procurement criteria and Member-State penalties for non-compliance with the sovereignty framework.
Detail
The proposal is accompanied by a comprehensive impact assessment. Its explanatory memorandum diagnoses a structural problem in the EU's cloud and AI ecosystem driven by three interlinked factors that, according to the proposal, threaten the Union's economic security, technological autonomy and single-market integrity.
1. Limited and geographically concentrated compute capacity
The first driver is the EU's difficulty meeting surging demand for high-performance computing, especially for AI workloads. Current data centre capacity is described as insufficient and concentrated in a few hubs, which raises costs and latency for peripheral regions. Limited capacity pushes European enterprises to route critical workloads through foreign hyperscaler infrastructure, deepening dependency. The proposal aims to triple EU capacity in the next five-to-seven years and reach the needed capacity by 2035, while ensuring balanced geographic deployment across Member States.
2. Critical dependence on non-EU providers
The second driver is market dominance by a small pool of third-country providers. The explanatory memorandum notes that the market share of EU providers "decreased from 29% in 2017 to 15% in 2022 and has remained stagnant since then," and that "three non-EU hyperscalers control over 70% of the European cloud market."
This dependence creates sovereignty risks: large incumbents are subject to third-country jurisdictions whose laws can have extraterritorial effect, including data-access regimes that may conflict with EU fundamental rights and data-protection frameworks. The proposal seeks to mitigate this through a harmonised sovereignty framework with four Union assurance levels, enabling public and private buyers to identify and procure recognised cloud services.
3. Regulatory fragmentation and market barriers
The third driver is the absence of a unified EU-wide framework for cloud sovereignty and data centre deployment. Member States have developed divergent national approaches to identifying sovereign services and permitting data centres, creating disparities that undermine the internal market and complicate cross-border expansion and public procurement. The proposal would harmonise these conditions through a single legal framework, simplifying permitting in "acceleration zones" and standardising sovereignty criteria for cloud procurement.
The policy approach chosen
The impact assessment weighed a range of policy options, from no new EU action through to more interventionist designs. The proposal reflects a combined approach that pairs supply-side measures (accelerating data centre deployment and supporting R&D in cloud and AI technologies) with demand-side measures (the sovereignty framework and public-procurement rules), intended to create a reinforcing cycle of investment and adoption rather than relying on either side alone. (The detailed comparison of options sits in the accompanying Staff Working Document, not in the proposal text itself.)
What this means for you
For in-house counsel and compliance officers, the proposal would introduce concrete obligations, especially for organisations that are in the public sector, provide cloud services, or fall within NIS2 scope.
1. Risk assessments and procurement mandates
Under Article 29, Member States and Union entities must conduct risk assessments to identify public-sector activities contributing to the preservation of public order and to determine which Union assurance level (2, 3 or 4) is appropriate. Under Article 30, public bodies whose activities do not contribute to public order use services recognised at least at level 1, while those whose activities do contribute (in NIS2 Annex I or II sectors, or national security, internal security, border management, defence, justice or law enforcement) must procure only services recognised at level 2, 3 or 4. Providers should prepare to be audited against the Annex II criteria.
2. Data centre deployment and permitting
Title III introduces acceleration zones and obligations on Member States to set up single information points to assist operators, with streamlined permitting. Sustainability expectations draw on the data centre KPI framework under Delegated Regulation (EU) 2024/1364.
3. Penalties and compensation
Article 24 requires Member States to lay down rules on penalties for infringements of the sovereignty-framework chapter that are "effective, proportionate and dissuasive," taking into account factors such as the nature, gravity, scale and duration of the infringement, financial benefits gained, and the infringing party's annual turnover.
4. Open source and reuse
CADA promotes open-source solutions and reuse of public-sector software. Review internal software development and procurement policies for alignment with these provisions.
5. Deadlines
As proposed, the regulation enters into force 20 days after publication and generally applies one year later (Article 48). Member States and Union entities must carry out the first risk assessments within one year of entry into force, and thereafter every two years or whenever necessary (Article 29(1)). National cloud and AI strategies are due within one year (Article 7(1)).
Common misconceptions
- "CADA replaces the AI Act or GDPR." Incorrect. As proposed, CADA complements them. The AI Act regulates AI systems by risk; the GDPR governs personal-data protection; CADA addresses cloud infrastructure and broader sovereignty risks, including operational autonomy and non-personal data. Compliance with one does not exempt you from the others.
- "Sovereignty means data must never leave the EU." Not exactly. Data localisation features in the higher assurance levels, but the framework is risk-based: the level required depends on the Article 29 risk assessment, and the assurance-level criteria are set out cumulatively in Annex II. Localisation is one of several criteria, not the whole of sovereignty.
- "Only public sector entities are affected." Incorrect. The procurement mandates target public bodies, but there are spillovers: private entities in NIS2 Annex I sectors may carry out similar impact assessments (Article 31), and the market shift toward recognised providers affects private supply chains. Providers of all sizes must navigate recognition and audit to serve the public-sector market.
This is general information about a draft EU regulation, not legal advice.