Summary As proposed, the Cloud and AI Development Act (CADA) reaches a broad set of actors: cloud computing service providers, data centre operators, Member States, Union entities, public-sector bodies and contracting authorities. Providers are affected mainly when they want to sell to the public sector under the sovereignty framework; operators are affected through the data-centre deployment rules; and public bodies are affected as buyers, subject to new risk-assessment and procurement duties. The scope is built on defined terms in Article 2 and obligations spread across the proposal. CADA is still a proposal, so nothing applies yet.

Detail

CADA binds different stakeholders in different ways. Who falls within scope, and how, follows from the defined terms in Article 2 and the obligations in the substantive titles.

Cloud computing service providers

The central regulated actor is the cloud computing service provider, defined in Article 2(2) as "a legal entity which provides a cloud computing service." "Cloud computing service" itself is defined in Article 2(1) by reference to Article 6, point (30), of Directive (EU) 2022/2555 (NIS2).

Providers come within CADA's sovereignty rules principally when they seek to serve Union entities and public-sector bodies. Under Title IV, a provider wanting recognition at any of the four Union assurance levels (criteria in Annex II) would:

  • submit an application for recognition to the national competent authority of establishment (Article 17);
  • undergo a conformity self-assessment for level 1 (Article 19) or an independent third-party audit for levels 2 to 4 (Articles 20 to 21); and
  • report material changes that could affect its recognition (Article 23).

Providers that do not seek recognition are still affected indirectly, because public-sector procurement rules (Article 30) channel demand towards recognised services.

Data centre operators

Data centre operators, defined in Article 2(11) by reference to Delegated Regulation (EU) 2024/1364, are addressed in Title III. Member States must designate data centre acceleration zones (Article 10); operators deploying in those zones benefit from facilitated administration, single information points (Article 12) and an aggregated baseline permit with a 12-month permit-granting limit (Article 13). Operators may also seek to have projects designated as data centre strategic projects (Article 14).

Member States

Member States carry the main implementation duties:

  • adopt national cloud and AI strategies (Article 7);
  • designate national competent authorities for the sovereignty chapter (Article 25);
  • designate data centre acceleration zones, weighing the aspects listed in Article 10 such as site location and grid capacity (Article 10); and
  • carry out risk assessments to determine the required assurance level for public-sector activities (Article 29).

Union entities and public-sector bodies

CADA expressly targets public-sector consumption of cloud and AI. Union entities are defined in Article 2(7) as the Union institutions, bodies, offices and agencies set up by or under the TEU, TFEU or Euratom Treaty. Public-sector bodies are defined in Article 2(6) by reference to Directive (EU) 2019/1024. As proposed, these entities must procure cloud services that are recognised under the framework; where a risk assessment shows an activity has public-order relevance, they must use only services recognised at Union assurance levels 2, 3 or 4 (Articles 29 and 30).

Contracting authorities

Contracting authorities, defined in Article 2(22) by reference to Directive 2014/24/EU, are the public-sector buyers. As proposed, they must procure at least Union assurance level 1 (Article 30); apply "Union added value" award criteria when procuring innovative cloud services and AI systems (Article 32); and are encouraged to use and facilitate the reuse of open-source solutions (Article 41).

What this means for you

For public-sector buyers, CADA adds a layer of due diligence before any cloud or AI contract: you would need to consider the provider's Union assurance level, not just price and performance.

  1. Risk assessments. Rely on or contribute to your Member State's risk assessments (Article 29) to decide whether an activity has public-order relevance. If it does, you would be limited to providers recognised at levels 2 to 4.
  2. Check recognition. Before tendering, consult the central repository of recognised services (Article 22) to confirm a provider holds the level you need.
  3. Apply EU added-value criteria. For innovative cloud/AI procurements, include award criteria rewarding contribution to the European cloud and AI ecosystem (Article 32).
  4. Lean towards open source. Encourage open standards and reuse to cut vendor lock-in and support sovereignty (Article 41).

For providers, the message is direct: to serve the EU public sector you must navigate the recognition process — preparing for self-assessment or audit, meeting the Annex II criteria and engaging your national competent authority.

Common misconceptions

"CADA only applies to EU-based companies." No. The framework favours EU establishment, but Article 18 sets out a route by which a third country can be recognised so that services controlled from it become eligible for level 3. Third-country-controlled providers face higher hurdles, especially around extraterritorial-law exposure, but are not categorically outside the framework.

"Every cloud provider must get recognised." No. CADA does not require all providers to obtain recognition. It requires public buyers to procure from providers that have. Private-sector buyers are not directly bound by the procurement rules, though Article 31 lets certain NIS2-scope entities run similar impact assessments.

"CADA replaces the AI Act." No. The AI Act regulates AI systems themselves; CADA addresses the cloud/compute infrastructure, sovereignty and procurement around them. A provider offering a high-risk AI system via the cloud could be subject to both.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.