Summary
As proposed, CADA focuses on the public sector because public buyers are the strongest demand-side lever for building European cloud sovereignty and protecting public order. Article 1 frames the regulation's measures as including "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order" and "fostering the adoption of cloud computing services across the public sector." By requiring sovereignty risk assessments and harmonised assurance levels for public procurement, CADA would use the state's purchasing power to create a stable market for trusted European cloud services. CADA is a proposal and not yet in force.
Detail
The Cloud and AI Development Act (CADA) — COM(2026) 502 final — is not merely a technical framework for data centres; as proposed it is a strategic instrument designed to reshape the European cloud market. While the regulation includes supply-side measures to boost domestic capacity, its demand-side provisions are centred on the public sector. This focus is driven by three interconnected rationales: the current over-reliance on third-country providers, the need to protect public order, and the power of public procurement to stimulate market growth.
Addressing critical dependencies
The explanatory memorandum of the CADA proposal sets out a stark market reality. Three non-EU hyperscalers control over 70% of the European cloud market, while the market share of EU providers fell from 29% in 2017 to 15% in 2022 and has remained stagnant since. The memorandum notes that large incumbents are "subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks", and that this dependence also exposes users to operational discontinuity, particularly where unilateral decisions by third-country actors could disrupt service provision.
Because the public sector is a major consumer of cloud services, its procurement choices directly influence market dynamics. By shifting public demand towards sovereign or high-assurance providers, CADA aims to help create a viable market for European cloud computing service providers, thereby reducing the Union's critical external dependencies.
Safeguarding public order
Article 1 lists, among the regulation's measures, "enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order." As proposed, this is not just about data privacy; it is about operational autonomy and resilience.
Public sector activities often involve sensitive data, critical infrastructure, and essential services. A disruption in cloud services provided by a third-country entity — whether due to geopolitical tensions, sanctions, or unilateral decisions by the provider — could undermine public order. To address this, CADA would introduce a harmonised Union cloud computing sovereignty framework with four assurance levels (Article 16). Member States and Union entities would be required to conduct risk assessments (Article 29) to determine which public-sector activities require higher assurance levels (levels 2, 3 or 4) to protect public order, so that critical government functions are not held hostage by external dependencies.
Public procurement as a demand-side lever
Article 1 also names "fostering the adoption of cloud computing services across the public sector" among the regulation's measures. As proposed, CADA treats public procurement as a powerful tool for market shaping. By setting clear, harmonised criteria for what constitutes a trusted cloud service, CADA would let contracting authorities make informed purchasing decisions that align with sovereignty goals.
The proposal introduces several mechanisms to leverage this purchasing power:
- Union added value criteria: Article 32 would allow contracting authorities to include European added-value award criteria in public procurement of innovative cloud computing services and AI systems, so they can evaluate tenderers on their contribution to the European digital supply chain. As proposed, such criteria should not be decisive for the award of the contract — only a limited weighting is allocated to European added value within the overall evaluation.
- Common procurement framework: Articles 37 onward would establish a framework for joint and common procurement activities for Union entities and Member States, helping to lower costs, reduce administrative burdens, and accelerate the adoption of resilient, secure digital solutions.
- EuroCloud Federation: Article 34 would establish the European public sector cloud federation (the "EuroCloud Federation") to facilitate the sharing of secure and resilient public-sector data-centre and cloud computing services among Union entities and public sector bodies, promoting resource efficiency and strengthening the internal market for sovereign cloud capabilities.
By harmonising these requirements across the EU, CADA aims to reduce the fragmentation caused by divergent national approaches to cloud sovereignty, creating a larger, more attractive market for European providers.
What this means for you
For public-sector and procurement officers, CADA as proposed would introduce a new set of obligations and opportunities that change how cloud services are bought and managed.
Mandatory risk assessments: You would be required to carry out risk assessments to identify which of your organisation's cloud-based activities contribute to the preservation of public order, and to determine the appropriate Union assurance level for those activities. This would not be a one-time exercise: assessments would be repeated every two years, or whenever necessary (Article 29).
Updated procurement criteria: Your tender documents would need to reflect the new sovereignty framework. Cloud services procured for activities identified as contributing to public order would have to meet the required assurance levels (levels 2, 3 or 4 under Article 30(3); a baseline of level 1 otherwise under Article 30(2)). You could also consider incorporating European added-value criteria under Article 32.
Participation in common initiatives: Consider participating in the EuroCloud Federation (Article 34) or common procurement activities. These mechanisms could help you access secure, sovereign cloud services more efficiently and at lower cost while contributing to reducing dependencies on third-country providers.
Training and awareness: Ensure your procurement teams understand the proposed CADA requirements, particularly the sovereignty framework and its assurance levels, so you can prepare for compliance and make strategic purchasing decisions aligned with the EU's sovereignty objectives. These obligations would only take effect once CADA is adopted and starts to apply.
Common misconceptions
Misconception 1: CADA bans non-EU cloud providers. It would not. CADA as proposed establishes a tiered assurance framework. Non-EU providers can still operate in the EU but may need to meet stricter criteria for higher assurance levels, particularly if they are subject to third-country control. The regulation focuses on ensuring that critical public-sector functions are supported by services meeting specific sovereignty and security standards, not on excluding foreign companies by nationality. Providers from designated "associated third countries" could even be eligible for Union assurance level 3 (Article 18).
Misconception 2: All public-sector cloud services must be at the highest assurance level. No. CADA as proposed adopts a proportionate approach. Most public services would require only Union assurance level 1. Higher levels (2, 3 or 4) would be reserved for activities identified through risk assessments as critical to public order — such as national security, defence, justice or critical infrastructure — so the regulation does not impose unnecessary burdens on routine administrative functions.
Misconception 3: CADA replaces the GDPR or the AI Act. It would complement them, not replace them. The GDPR governs personal-data protection and the AI Act regulates AI systems by risk; CADA addresses the sovereignty, operational autonomy and resilience of the cloud infrastructure that supports those activities. Public sector bodies would have to comply with all applicable regulations simultaneously.
This is general information about a draft EU regulation, not legal advice.