Summary
As proposed, the Cloud and AI Development Act (CADA) would require public sector bodies in the automotive sector to procure cloud services meeting specific "Union assurance levels," with higher security tiers mandated for activities deemed critical to public order. While CADA primarily binds public buyers, it creates significant downstream pressure on cloud providers and data centre operators to achieve sovereign certification in order to access public contracts, and it influences private sector standards for automotive software-defined vehicles.
Detail
The proposed Cloud and AI Development Act (CADA) targets the EU's strategic dependence on non-European cloud providers by establishing a harmonised sovereignty framework. For the automotive industry, this regulation introduces specific procurement and data handling obligations that will reshape how cloud services are selected, audited, and deployed for vehicle development, testing, and public mobility services.
Automotive as a Strategic Sector
CADA explicitly identifies the automotive sector as a priority for industrial AI deployment. Recital 18 states that the Cloud and AI Leadership Initiatives should accelerate the development and uptake of industrial AI across strategic sectors, listing "automotive" alongside healthcare, transport, and defence. Recital 19 further specifies that advancements in this sector should support the "development, testing and deployment of innovative software platforms contributing to the Union industrial leadership in software defined vehicles and autonomous driving." It also calls for Member States to facilitate the testing of AI systems for autonomous driving, including cooperation with Experience and Acceleration Centres for AI.
This designation signals that automotive data and cloud infrastructure are viewed as critical to the EU's technological sovereignty. Consequently, the sovereignty framework established in Title IV of CADA applies directly to the cloud services supporting these activities, particularly when public funds or public entities are involved.
The Union Assurance Levels
At the core of CADA's sovereignty framework is the establishment of four "Union assurance levels" (Article 16). These levels define the criteria cloud computing service providers must meet to be recognised as offering a certain degree of Union assurance. The levels are cumulative; a provider must meet all criteria of a lower level to qualify for a higher one.
- Union Assurance Level 1: Requires the provider to be established in the Union, with infrastructure and customer data kept exclusively within the Union (unless the public sector body explicitly requires otherwise). If the provider is controlled by a third country, it must also guarantee that no law of that third country requires it to report software vulnerabilities to foreign authorities before they are exploited.
- Union Assurance Level 2: Adds stricter requirements, including that subcontractors must also be established in the Union, personnel and assets must be located in the Union, and the service must obtain a European cybersecurity certificate of at least "substantial" assurance. Crucially, data generated by the service cannot be used to train AI systems operated by third countries.
- Union Assurance Level 3: Requires that personnel involved in service provision are Union citizens and, where handling classified information, hold necessary national security clearances. It strictly prohibits third-country control over the provider and its subcontractors, with limited derogations for associated third countries that meet specific safeguard criteria.
- Union Assurance Level 4: The highest level, requiring personnel and establishment criteria similar to those of Level 3, but demanding a "high" assurance level European cybersecurity certificate. It also requires effective control over software components, ensuring that no third country holds effective control over their design or development.
Procurement Obligations for Public Sector Automotive Activities
Article 30 of CADA mandates that contracting authorities procure cloud computing services based on the results of risk assessments conducted under Article 29.
- Baseline Requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services recognised as having at least Union Assurance Level 1.
- Public Order Relevance: Contracting authorities whose activities have been identified as contributing to the preservation of public order (including in sectors falling under Annex I or II of the NIS2 Directive, and areas like transport and national security) must procure services recognised as having Union Assurance Level 2, 3, or 4.
For the automotive sector, this distinction is critical. While general automotive R&D might fall under Level 1, activities related to autonomous driving testing on public roads, traffic management systems, or critical infrastructure integration could be classified as having public order relevance. If a Member State's risk assessment determines that a specific automotive cloud use case impacts public order, the cloud provider must meet at least Level 2 criteria, which includes strict data localisation, Union-based personnel, and prohibitions on using customer data to train third-country AI models.
Impact on Data and AI Training
A significant pressure point for cloud providers is the restriction on data usage. Under Levels 2, 3, and 4, data generated by using the audited service "are not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third-country" and are not transferred outside the Union (Annex II). This directly impacts automotive companies leveraging cloud AI for autonomous driving models. If the underlying cloud infrastructure does not meet these sovereignty criteria, public sector automotive projects cannot use it for high-assurance activities.
What this means for you
For cloud service providers and data centre operators, CADA creates a clear market segmentation based on sovereignty credentials. To remain competitive for European public sector automotive contracts, you must:
- Audit Your Supply Chain: Ensure your subcontractors and infrastructure locations align with the cumulative criteria of the Union Assurance Levels. For Levels 2-4, this means subcontractors established in the Union and personnel and assets located in the Union.
- Prepare for Certification: Achieve the required European cybersecurity certifications (EUCS) at the "substantial" or "high" levels. Without these, you cannot meet Levels 2-4.
- Segregate Data Flows: Implement technical controls to ensure that data from Union-based public sector clients is not used to train third-country AI models. This may require separate data silos or distinct service offerings for sovereign clients.
- Monitor Public Order Classifications: Stay informed about how Member States classify automotive activities in their risk assessments. If autonomous driving testing is deemed a public order concern in your jurisdiction, your clients will need Level 2+ services.
Common misconceptions
- "CADA only applies to government agencies." While CADA's procurement rules (Article 30) bind public authorities, the sovereignty framework creates a ripple effect. Private automotive companies often partner with public entities for testing and infrastructure. To maintain interoperability and meet similar security expectations, private sector entities in high-criticality sectors (as referenced in Article 31) may be encouraged or required to conduct similar impact assessments, driving demand for sovereign clouds across the industry.
- "Level 1 is sufficient for all automotive work." Level 1 is the minimum for general public sector use. However, given the safety-critical nature of autonomous driving and traffic systems, many Member States are likely to classify these activities as having public order relevance, triggering the need for Level 2, 3, or 4 services.
- "Sovereignty means only EU ownership." While Union establishment and control are key, the criteria also include technical safeguards like cybersecurity certifications, personnel citizenship, and data usage restrictions. A provider can be EU-established but still fail to meet Level 2 if it uses customer data to train third-country AI models.
This is general information about a draft EU regulation, not legal advice.