Summary The official text of the proposed Cloud and AI Development Act (CADA) is the Commission proposal COM(2026) 502 final, dated 3 June 2026. It contains the full enacting terms (Titles I to V) plus Annexes I to III, and is available on the European Commission's website and the EUR-Lex database under procedure 2026/0138 COD. It is accompanied by SEC(2026) 502 final and the Staff Working Documents SWD(2026) 502 final and SWD(2026) 503 final, which contain the supporting analysis and impact assessment.

Detail

As proposed, CADA is formally titled "Proposal for a Regulation of the European Parliament and of the Council establishing a framework of measures for strengthening Europe's cloud and AI ecosystem (Cloud and AI Development Act)." The primary legal instrument is the document COM(2026) 502 final, which contains the full enacting terms — preceded by an explanatory memorandum and recitals — organised into five titles:

  • Title I: General Provisions (including Article 1 on subject matter and Article 2 on definitions).
  • Title II: Research, Development and Deployment Activities for the Cloud and AI Ecosystem (the Cloud and AI Leadership Initiatives).
  • Title III: Data Centre Capacities.
  • Title IV: Autonomy and adoption (including the cloud computing sovereignty framework, Union assurance levels, and procurement rules).
  • Title V: Final Provisions (including review and entry into force).

The proposal also includes three annexes that form part of the legal text:

  • Annex I: Grand Challenges (strategic technological challenges, including frontier AI and physical AI).
  • Annex II: Criteria for Union Assurance Levels (the cumulative sovereignty and security criteria for levels 1 to 4).
  • Annex III: Audit Evidence for the Audit Procedure (the evidence auditing organisations should request).

For context and rationale beyond the explanatory memorandum within the COM document, you can consult the accompanying staff documents: SWD(2026) 502 final and SWD(2026) 503 final (which include the supporting analysis and impact assessment), along with the synopsis document SEC(2026) 502 final.

These documents are publicly available on the European Commission's website and the EUR-Lex database under procedure 2026/0138 COD, published in the official EU languages.

What this means for you

For public-sector and procurement officers, working from the official text is the first step in preparing for compliance. Because CADA is a proposal, the text may change during negotiations between the European Parliament and the Council; the current COM(2026) 502 final provides the baseline for planning.

You should focus on Title IV, which sets out the Union cloud computing sovereignty framework and the four Union assurance levels (levels 1 to 4) that, as proposed, would determine which cloud services your authority can procure. Annex II is particularly important for procurement teams, as it lists the cumulative criteria providers must meet at each level — for example, establishment in the Union, Union-citizenship requirements for personnel at the higher levels, and European cybersecurity certification.

In addition, Article 29 would require Member States and Union entities to carry out risk assessments to determine which public-sector activities require the higher assurance levels (2, 3 or 4). Using the official COM(2026) 502 text — rather than secondary summaries — ensures your internal policies rely on the exact proposed definitions and requirements.

Common misconceptions

  • Misconception: The CADA text is already law.
    • Fact: CADA is a proposal (COM(2026) 502 final) and is not yet in force. The final text may differ after the ordinary legislative procedure.
  • Misconception: The staff working documents are the legal text.
    • Fact: The Staff Working Documents (such as the impact assessment) explain why the law is proposed and its expected effects, but they do not contain the binding obligations. Only the proposal in COM(2026) 502 final contains the enacting terms.
  • Misconception: Only Title IV matters for procurement.
    • Fact: Title IV covers sovereignty and procurement, but Title II (Leadership Initiatives) and Title III (Data Centre Capacities) also shape the market and available infrastructure. The definitions in Article 2 (Title I) also determine scope — for example, "cloud computing service" is defined by reference to the NIS2 Directive (Directive (EU) 2022/2555).

Related

This is general information about a draft EU regulation, not legal advice.