Summary
The Cloud and AI Development Act (CADA) describes the Data Act as an "enabler" because it removes vendor lock-in through switching and interoperability rules, allowing users to freely choose providers. However, while the Data Act opens the path to reducing dependencies on non-EU providers, it "does not build the road towards a more sovereign and trusted EU cloud computing sector." CADA complements this by supplying the specific demand-side measures, sovereignty criteria, and incentives needed to actually drive the uptake of trusted, EU-based cloud services.
This is general information about a draft EU regulation, not legal advice.
Detail
To understand why the European Commission characterizes the Data Act as an "enabler" for the Cloud and AI Development Act (CADA), it is necessary to look at the distinct but complementary roles these two regulations play in shaping the EU's digital infrastructure. As proposed, CADA explicitly positions itself not as a replacement for existing data governance frameworks, but as a strategic layer that builds upon the foundational access rights established by the Data Act.
The Data Act's Role: Removing Barriers to Entry
The Data Act (Regulation (EU) 2023/2854) focuses primarily on ensuring fair access to and use of data. Its core mechanisms regarding cloud services involve enabling switching and removing key sources of vendor lock-in. By mandating interoperability and data portability, the Data Act seeks to ensure that cloud computing service providers in the EU compete on quality, innovation, and price rather than on the difficulty of moving away from them.
As stated in the CADA explanatory memorandum, the Data Act "seeks to enable cloud users to freely choose the provider that best meets their needs and combine offers of different providers in a multi-cloud approach." This creates a fluid market environment where users are not trapped by technical or contractual barriers. In this sense, the Data Act clears the runway; it ensures that if a user wants to move to a different provider, they technically and legally can.
The Gap: Access Does Not Equal Sovereignty
However, the ability to switch providers does not automatically lead to the adoption of sovereign or European cloud solutions. The CADA proposal highlights a critical limitation of the Data Act: it "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers."
While the Data Act opens the path towards a possible reduction of dependencies on non-EU providers by making switching easier, it "does not build the road towards a more sovereign and trusted EU cloud computing sector." A market where users can easily switch is still a market dominated by whichever providers offer the most compelling commercial terms, and in the current landscape those are often third-country hyperscalers. The Data Act addresses the mechanics of competition but not the structural imbalances or the specific sovereignty requirements needed to protect public order and operational autonomy.
CADA's Role: Building the Sovereign Offer and Demand
This is where CADA intervenes. The proposal is designed to fill the gaps left by the Data Act by introducing targeted measures that the Data Act explicitly lacks. CADA provides the "demand-side measures" and "sovereignty framework" necessary to translate the potential for switching into actual uptake of European services.
Key differences include:
- Sovereignty Criteria: CADA establishes a harmonized Union cloud computing sovereignty framework with four assurance levels (Article 16). This provides a clear, auditable set of criteria for what constitutes a trusted cloud service, addressing risks related to data confidentiality, operational autonomy, and public order. The Data Act does not define or regulate these sovereignty levels.
- Public Procurement Obligations: CADA mandates that public sector bodies procure cloud services that meet specific Union assurance levels (Article 30). For activities contributing to the preservation of public order, contracting authorities must procure services recognized at Union assurance levels 2, 3, or 4. This creates a guaranteed demand for sovereign services, a mechanism absent in the Data Act.
- Incentivizing European Providers: CADA includes measures to support the development and deployment of European cloud capabilities, such as the Cloud and AI Leadership Initiatives (Article 3) and the EuroCloud Federation (Article 34). These initiatives aim to boost the supply side by fostering innovation and allowing public bodies to share idle capacity, thereby making European providers more competitive.
The Synergy
The relationship is symbiotic. The Data Act ensures that public and private users are not locked into third-country providers, giving them the freedom to choose. CADA then provides the reasons and the means for them to choose European providers by ensuring those providers meet high sovereignty standards and are supported by public procurement policies.
As the CADA explanatory memorandum notes, "The Data Act is thus an enabler for the proposal." Without the switching rights provided by the Data Act, the sovereignty measures in CADA would be less effective because users might be unable to practically migrate to sovereign alternatives. Conversely, without the sovereignty and demand-pull measures in CADA, the switching rights in the Data Act might simply result in users moving between non-EU providers, failing to reduce the EU's strategic dependencies.
What this means for you
For cloud service providers and data centre operators, understanding this distinction is crucial for strategic planning and compliance preparation.
- For EU-Based Providers: You benefit from the "enabler" status of the Data Act because it lowers the barrier for customers to switch to you. However, you must also prepare for the CADA requirements. To capture the public sector market driven by CADA, you will need to achieve recognition under the Union assurance levels (Article 17). This involves undergoing independent audits for levels 2-4 (Article 20) and demonstrating compliance with strict criteria regarding data localization, personnel citizenship, and absence of third-country control (Annex II).
- For Non-EU Providers: The Data Act allows your EU customers to leave you easily. CADA makes it harder for you to retain public sector customers. If you are subject to the control of a third country, you face significant hurdles in achieving Union assurance levels 3 and 4 (Annex II, Sections 3 and 4). While the Data Act doesn't ban you, CADA's procurement rules (Article 30) effectively restrict your access to critical public sector contracts unless you can meet the stringent sovereignty criteria or operate through an EU-established entity that meets the separation requirements.
- Compliance Strategy: Do not assume that compliance with the Data Act's interoperability standards is sufficient for CADA. You will need to implement additional technical and organizational measures to meet the sovereignty criteria, such as ensuring that customer data remains exclusively within the Union (Annex II, 1.1(c)) and that no data generated by the service is used to train AI systems operated by third countries (Annex II, 2.1(f)).
Common misconceptions
- "The Data Act and CADA are the same thing." They are distinct instruments with different objectives. The Data Act focuses on data access, portability, and switching rights. CADA focuses on technological sovereignty, public procurement, and the deployment of computing capacity. Compliance with one does not equate to compliance with the other.
- "If I am compliant with the Data Act, I am compliant with CADA." This is incorrect. The Data Act does not address sovereignty levels, public procurement mandates, or the specific security criteria for cloud services. CADA introduces entirely new obligations, such as the need for independent audits for higher assurance levels and the requirement for national competent authorities to designate and supervise providers (Article 25).
- "CADA bans non-EU cloud providers." CADA does not ban non-EU providers. However, it creates a framework where public sector bodies are obligated to procure services that meet specific Union assurance levels. Non-EU providers may still serve the private sector or public sector bodies with non-critical needs (Union assurance level 1), but they will face significant barriers in accessing high-security public sector contracts unless they can demonstrate that they are not subject to third-country control or that they meet the exceptional conditions for associated third countries (Article 18).
- "The Data Act forces users to switch to EU providers." No. The Data Act only ensures that users can switch. It does not mandate which provider they switch to. CADA is the instrument that introduces procurement rules to steer public sector demand toward providers meeting EU sovereignty standards.