Summary

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, creates a structural market opportunity for startups by replacing fragmented national sovereignty rules with a single, EU-wide "Union assurance" framework. As proposed, startups can achieve Union assurance level 1 through a self-assessment (Article 19), gaining immediate access to public procurement contracts that legally require this baseline. Crucially, Recital 66 predicts that private-sector entities in regulated industries will mirror these public requirements, creating a "spillover" demand for sovereign services beyond the public sector. To capitalize, startups must navigate the recognition path under Articles 17 and 18 and ensure their services are listed in the mandatory central repository under Articles 22 and 23, which serves as the definitive marketplace for buyers seeking compliant providers.

Detail

The Cloud and AI Development Act (CADA) is a proposal designed to address the EU's strategic dependence on non-European cloud providers. For startups, this legislation represents a shift from competing solely on price or technical features to competing on "sovereignty" as a verifiable, auditable asset. The proposal establishes a harmonized legal framework where cloud services are categorized into four "Union assurance levels" (Annex II), creating a clear ladder for market entry and growth.

The Sovereignty Framework: A Tiered Market Entry

The core of the opportunity lies in the Union cloud computing sovereignty framework established by Article 16. This framework defines four assurance levels, ranging from Level 1 (basic compliance) to Level 4 (maximum sovereignty).

For startups, Union assurance level 1 is the critical entry point. Under Article 19, providers seeking Level 1 recognition are not required to undergo expensive third-party audits immediately. Instead, they must carry out a conformity self-assessment against the criteria in Annex II and issue an "EU statement of conformity." These criteria include being established in the Union, ensuring infrastructure and data remain within the Union (unless explicitly required otherwise by the public body), and demonstrating compliance with state-of-the-art cybersecurity standards.

This self-assessment route significantly lowers the barrier to entry. It allows startups to demonstrate compliance with EU data localization and establishment rules without the immediate financial burden of independent audits, which are mandatory for Levels 2, 3, and 4.

The Recognition Path for New Entrants (Articles 17–18)

To sell to public sector bodies, a startup's cloud service must be formally recognized. Article 17 outlines the mechanism for this recognition, designed to be a "one-stop-shop" for the entire EU internal market.

  1. Application: The startup submits an application for recognition to the national competent authority of its Member State of establishment.
  2. Evidence Submission:
    • For Level 1, the startup submits the EU statement of conformity issued under Article 19.
    • For Levels 2, 3, and 4, the startup must submit an independent third-party audit report and a "positive" audit opinion from an auditing organization (Article 20).
  3. Assessment Timeline: The evaluating national competent authority has 60 days to assess the evidence. If the evidence is insufficient, it may request further information, suspending the clock for up to 30 days in total.
  4. EU-Wide Validity: Once the evaluating authority prepares a draft recognition decision, it notifies other Member States for a 60-day review period. If no other Member State raises a reasoned objection within this period, the service is recognized throughout the Union.

This mechanism is vital for startups. Instead of navigating 27 different national certification regimes, a startup recognized in one Member State gains automatic access to the entire EU market.

Article 18 further clarifies the path for third-country involvement. While the general rule for higher assurance levels is that providers must not be subject to third-country control, Article 18 allows the Commission to adopt implementing acts identifying specific third countries as "associated." If a third country meets stringent safeguards (e.g., adequacy decisions, no extraterritorial access laws), providers controlled by that country may be audited for Union assurance level 3. While this is primarily relevant for non-EU entrants, it underscores the rigor of the framework: Level 3 is the highest level where third-country control is potentially permissible, whereas Level 4 strictly prohibits it.

The Central Marketplace: Visibility via Articles 22–23

A major hurdle for startups is visibility. CADA addresses this by mandating a central digital infrastructure. Article 22 requires the Commission to establish and maintain a central repository of cloud computing services recognized under the sovereignty framework.

  • Registration: The national competent authority that recognizes a service must register it in this central repository.
  • Public Access: The repository must be publicly available and regularly updated, serving as the definitive list for contracting authorities and private buyers seeking compliant providers.
  • Transparency: Article 23 imposes ongoing transparency obligations. Recognized providers must promptly notify the auditing organization and the competent authority of any material changes in circumstances that could affect their recognition status. If a service no longer complies, the recognition can be amended or revoked, and this change is published in the repository.

For a startup, being listed in this repository is not merely a compliance formality; it is a primary marketing asset. It signals to buyers that the service has been vetted and meets EU sovereignty standards, reducing the due diligence burden for public and private purchasers.

Public Procurement and the Private-Sector Spillover

The immediate demand driver is public procurement. Article 30 mandates that Union entities and public sector bodies procure cloud services with at least Union assurance level 1. For activities identified as contributing to the preservation of public order (e.g., defense, law enforcement, critical infrastructure), Article 30(3) requires procurement of services recognized at Union assurance levels 2, 3, or 4.

However, the market opportunity extends far beyond the public sector. Recital 66 explicitly addresses the "spillover" effect: "Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

This means that startups achieving Level 1 or higher recognition will become attractive to private companies in sectors like finance, healthcare, and energy. These entities, often subject to strict regulations like the NIS2 Directive or DORA, will increasingly prefer suppliers that meet the same sovereignty standards as the public sector to mitigate their own operational and reputational risks. The public sector's procurement rules effectively set a new market standard that private industry will follow.

What this means for you

For cloud service providers, data-center operators, and particularly startups, CADA offers a clear, albeit rigorous, roadmap to market entry:

  1. Prioritize Level 1 Compliance: Focus immediately on meeting the criteria for Union assurance level 1 (Annex II). Ensure your establishment is in the EU, your infrastructure and data remain within the Union, and you have robust cybersecurity measures. This allows you to issue an EU statement of conformity under Article 19 without immediate third-party audit costs.
  2. Engage Early with Competent Authorities: Identify the national competent authority in your Member State of establishment. Prepare your evidence package (EU statement of conformity) well in advance. The 60-day assessment clock under Article 17 starts once your application is accepted, so ensure your documentation is complete to avoid suspension delays.
  3. Plan for Higher Levels: If you aim to serve public-order-relevant sectors (defense, justice), plan for the independent third-party audits required for Levels 2–4 under Article 20. Select an auditing organization that meets the strict independence criteria (Article 20(4)).
  4. Leverage the Central Repository: Once recognized, ensure your service is correctly registered in the central repository under Article 22. Use this listing in your marketing to demonstrate trustworthiness to both public buyers and private regulated entities.
  5. Monitor Private-Sector Demand: Be prepared for increased interest from regulated private industries. As Recital 66 suggests, the public sector's adoption of assurance levels will drive private sector demand. Startups with recognized status will be positioned to capture this "spillover" market.

Common misconceptions

"CADA bans non-EU cloud providers." No. CADA does not ban non-EU providers. It creates a tiered sovereignty framework. Non-EU providers may still operate in the EU market, but they may not meet the criteria for higher assurance levels (especially Level 4) required for certain sensitive public sector contracts. They can still serve the private sector, or public sector contracts that do not require high assurance.

"Startups cannot afford the audit costs for higher assurance levels." While Levels 2–4 require third-party audits, startups can enter the market immediately with Level 1, which only requires a self-assessment and an EU statement of conformity under Article 19. This allows startups to build a customer base and revenue stream before investing in the more expensive audits for higher levels.

"Recognition is only valid in one Member State." False. The recognition mechanism under Article 17 is designed for EU-wide validity. Once recognized by one national competent authority, the service is recognized across the Union, provided no other Member State raises a reasoned objection within the 60-day review period.

"The central repository is a government-run marketplace where contracts are awarded." The repository under Article 22 is a register of recognized services, not a procurement platform. It provides transparency and trust, listing which providers meet which assurance levels. Actual procurement processes are still conducted by individual contracting authorities according to public procurement rules.

"Level 3 allows any third-country control." No. Article 18 allows for a derogation for Level 3 only if the Commission adopts an implementing act for a specific third country that meets strict safeguards (e.g., adequacy decisions, no extraterritorial access). Level 4 strictly prohibits third-country control under any circumstances.

This is general information about a draft EU regulation, not legal advice.