Summary
Existing EU legislation addresses fragments of the cloud ecosystem — data protection, market fairness, cybersecurity, switching — but none establishes a harmonised framework for cloud sovereignty or operational autonomy. The Data Act enables switching but does not build a sovereign supply base; the DMA targets market contestability, not the active uptake of sovereign services; the AI Act regulates safety, not sovereignty; the Cybersecurity Act and NIS2 cover technical security, not strategic control; and the GDPR (with the EU-US Data Privacy Framework) governs data transfers, not operational autonomy. As proposed, the Cloud and AI Development Act (CADA) fills this gap with a Union cloud computing sovereignty framework and risk-based public procurement.
Detail
The proposal is predicated on the finding that the current EU regulatory landscape, while robust, is insufficient to address the Union's strategic dependence on third-country cloud providers. The explanatory memorandum explicitly distinguishes CADA from existing instruments, arguing that a coordinated ecosystem approach is needed to reduce critical external dependencies.
The Data Act: switching without sovereignty
The Data Act (Regulation (EU) 2023/2854) is described as an enabler for CADA, not a substitute. By enabling switching and removing vendor lock-in, it "seeks to ensure that cloud computing service providers in the EU compete on quality, innovation, and price." However, the memorandum states it "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers," and that it "opens the path towards a possible reduction of dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector." Switching alone does not guarantee that the alternative provider is sovereign or that the infrastructure is resilient against third-country interference. "The Data Act is thus an enabler for the proposal."
The Digital Markets Act: contestability, not autonomy
The Digital Markets Act (DMA) covers cloud computing services as a core platform service, with obligations applying to providers designated as gatekeepers. The memorandum notes the DMA "only aims at maintaining and promoting a fair and contestable cloud market in the Union" and does not contain measures that "would actively promote the uptake of sovereign cloud computing services." The DMA intervenes at the level of market contestability, whereas CADA intervenes on both supply and demand to ensure that procured services — especially in the public sector — meet sovereignty and resilience standards.
The AI Act: safety, not sovereignty
The AI Act (Regulation (EU) 2024/1689) harmonises rules for AI systems to protect health, safety and fundamental rights. The memorandum states plainly that it "does not cover aspects of sovereignty." The AI Act addresses risks in the use of AI; it does not address strategic risks in the infrastructure on which AI is built or jurisdictional control over it. CADA is positioned to complement it by helping ensure that the underlying cloud infrastructure is resilient and autonomous.
Cybersecurity and NIS2: technical security, not strategic control
The Cybersecurity Act and the NIS2 Directive focus on technical cybersecurity and the security of network and information systems. The memorandum notes that NIS2 improves the cybersecurity risk management of providers and data centres but does not boost uptake of sovereign cloud services, and is "fully focused on technical cybersecurity as opposed to broader sovereignty considerations." Likewise, certification under the Cybersecurity Act can address technical criteria but is "not suited for addressing sovereignty concerns" that go beyond those technical elements — such as the risk of unilateral decisions by third-country actors disrupting service provision.
GDPR and data privacy: transfers, not operational autonomy
The General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework address transfers of personal data to third countries. The memorandum argues that "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it" does not remove sovereignty concerns about dependence on third-country providers, because the notion of sovereignty "goes beyond data transfers and relates to operational autonomy too." The GDPR protects individuals' privacy but does not stop a third-country provider from degrading service quality, disrupting continuity, or facing extraterritorial laws affecting non-personal data.
The CADA solution: Union assurance levels
To fill these gaps, CADA would introduce a Union cloud computing sovereignty framework of four Union assurance levels (Article 16), with cumulative criteria in Annex II providing a harmonised, auditable benchmark. Under Article 29, Member States and Union entities would conduct risk assessments to determine which public-sector activities require which assurance level to preserve public order. Under Article 30, contracting authorities would procure services meeting the appropriate level. This creates demand-side pull for recognised sovereign services, complementing the supply-side Cloud and AI Leadership Initiatives.
What this means for you
For in-house counsel and compliance officers, the insufficiency of existing laws means strategies focused only on GDPR, NIS2 or the DMA are incomplete on cloud sovereignty. As proposed, CADA introduces new obligations for public bodies and influences the private sector through procurement.
Risk assessments and procurement mandates
Under Article 29, Member States and Union entities must carry out risk assessments by entry into force plus one year, and thereafter every two years (or whenever necessary), to identify activities contributing to the preservation of public order and the appropriate Union assurance level (2, 3 or 4). Under Article 30, contracting authorities with such activities must procure only services recognised at level 2, 3 or 4, while other public bodies use at least level 1.
Recognition and audits
Providers seeking to serve the public sector must obtain recognition under Article 17 — an application to the national competent authority of establishment, supported by a self-assessment (EU statement of conformity) for level 1 or an independent third-party audit for levels 2–4. Prepare to demonstrate compliance with the Annex II criteria.
Penalties and compensation
Article 24 requires Member States to lay down rules on penalties for infringements of the sovereignty-framework chapter that are "effective, proportionate and dissuasive," weighing factors such as the nature, gravity, scale and duration of the infringement and financial benefits gained.
Transition and migration
Where a risk assessment requires migration to another cloud service, Article 29(6) requires migration within a reasonable transition period not exceeding 12 months, taking account of technical feasibility, service continuity and data portability.
Common misconceptions
"GDPR compliance is enough for cloud sovereignty." Incorrect. The GDPR protects personal data and data-subject rights. It does not address operational resilience or the risk of third-country access to data through extraterritorial laws such as the US CLOUD Act. CADA targets these broader sovereignty risks.
"The Data Act solves vendor lock-in and sovereignty." The Data Act facilitates switching, but does not ensure the alternative provider is sovereign or EU-controlled. A user can switch from one non-EU hyperscaler to another without improving sovereignty. CADA aims to make trusted sovereign alternatives exist and be recognisable.
"Cybersecurity certification equals sovereignty." Technical certifications (such as under the Cybersecurity Act) confirm security standards, but do not assess whether a provider is subject to third-country laws that could compel data access or service disruption. Sovereignty covers legal and operational control, not just technical security.
"CADA only applies to the public sector." While the mandatory procurement requirements in Article 30 bind public bodies, the recognition framework in Title IV applies to providers seeking to serve the public sector, and Article 31 lets private entities in NIS2 Annex I sectors carry out similar impact assessments — creating spillover into private procurement.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
Related
- Where can I read the official text of the Cloud and AI Development Act (CADA)?
- What is the EU Tech Sovereignty package and how does CADA fit in?
- CADA vs SecNumCloud: what is the difference between CADA and a national sovereignty label?
- What is the CADA sovereignty risk assessment (Article 29)?
- What is cloud sovereignty and why does it matter for the EU under CADA?
This is general information about a draft EU regulation, not legal advice.