Summary As proposed, the Cloud and AI Development Act (CADA) rests on a dual legal basis: Article 114 and Article 173(3) of the Treaty on the Functioning of the European Union (TFEU). Article 114 supports internal-market harmonisation (the sovereignty framework, data centre rules, procurement criteria); Article 173(3) supports industrial-competitiveness measures (the Cloud and AI Leadership Initiatives) that, by design, do not harmonise national laws. The proposal links this split to its two general objectives in Article 1. CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

CADA's architecture addresses two distinct but complementary policy goals, which is why the proposal uses a cumulative legal basis.

The dual objective

Article 1 sets out two separate general objectives. Article 1(2) — the first general objective — is to ensure the conditions necessary for the competitiveness and innovation capacity of the Union's cloud and AI ecosystem. Article 1(3) — the second, "separate from and complementary to" the first — is to improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy.

Recital 7 states plainly that "the framework pursues separate objectives, relying on two distinct legal bases."

Article 114 TFEU: harmonising the internal market

Article 114 TFEU empowers the EU to adopt measures to improve the functioning of the internal market through harmonisation. As Recital 9 explains, the available compute capacity and resilience of the cloud and AI ecosystem "can best be addressed through Union harmonisation measures on the basis of Article 114 TFEU," because a single coherent framework harmonising conditions for providers and deployers is necessary for the internal market.

On this basis, the proposal supports:

  • Data centre deployment rules: harmonising conditions for accelerated deployment (Title III) to avoid divergent national approaches to capacity, sustainability and permitting.
  • Sovereignty framework: the uniform Union cloud computing sovereignty framework (Article 16) with four assurance levels, preventing fragmented national sovereignty criteria.
  • Public procurement rules: harmonised risk-assessment and award criteria (Articles 29-32) for consistent application of sovereignty requirements.

The explanatory memorandum notes that, without such harmonisation, divergent national rules on sovereignty and sustainability could undermine the internal market and create unequal competitive conditions.

Article 173(3) TFEU: bolstering industrial competitiveness

Article 173(3) TFEU provides the legal basis for measures enhancing the EU's industrial competitiveness and innovation capacity. As Recital 8 clarifies, such measures "should not entail the harmonisation of national laws or regulations."

On this basis, the proposal supports:

  • Cloud and AI Leadership Initiatives: the Cloud Leadership Initiative and the AI Leadership Initiative (established from Article 3 onward), fostering cutting-edge cloud and AI technologies, large-scale capacity, and projects such as frontier AI priority projects (Article 8).
  • Industrial capacity building: increasing energy-efficient compute capacity and next-generation infrastructure to strengthen European industry, addressing the current shortage of computing capacity.

Why the split matters

Combining the two bases in a single instrument, as the explanatory memorandum explains, gives a unified regulatory response to interlinked challenges, letting the EU simultaneously:

  1. Remedy internal-market distortions through uniform rules for providers and data centre operators; and
  2. Bolster industrial competitiveness by actively supporting domestic capabilities and reducing dependencies.

CADA is therefore not merely a harmonisation tool but also an instrument of industrial policy.

What this means for you

For in-house counsel and compliance officers, the dual basis maps onto two kinds of provision:

  • Harmonised obligations (Art 114). The sovereignty framework (Article 16) and data centre rules (Title III) would apply uniformly across the EU. To access public-sector contracts, your services must meet the Annex II Union assurance level criteria; failing the harmonised standard could mean exclusion from procurement.
  • Industrial initiatives (Art 173(3)). The Cloud and AI Leadership Initiatives offer funding and collaboration but do not impose harmonised national laws. Participation does carry conditions — for example, frontier AI priority projects under Article 8 require, among other things, the participation of at least three Member States.
  • Penalties and enforcement. Infringements of the sovereignty Chapter are subject to penalties under Article 24, which Member States must make effective, proportionate and dissuasive. National competent authorities (Article 25) enforce the rules, with investigative and enforcement powers including ordering cessation of infringements (Article 26).
  • Deadlines. Member States must designate data centre acceleration zones within six months of entry into force (Article 10(1)) and carry out initial risk assessments within one year (Article 29(1)).

Common misconceptions

  • "CADA is solely a harmonisation measure like the GDPR." Correction: it combines harmonisation (Article 114) with active industrial policy (Article 173(3)). It does more than align national laws; it supports the development of domestic capabilities through the Leadership Initiatives.
  • "The sovereignty framework applies to all cloud services." Correction: the framework (Article 16) targets cloud services provided to Union entities and public sector bodies. It is not a blanket regulation of all private-sector cloud use, though NIS2 entities may carry out similar impact assessments (Article 31).
  • "Article 173(3) measures harmonise national laws." Correction: Recital 8 states these measures should not entail the harmonisation of national laws or regulations; they focus on competitiveness and innovation capacity.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.