Why does the CADA review pay special attention to SMEs and new competitors?

Summary The proposed Cloud and AI Development Act (CADA) includes a mandatory review mechanism under Article 47 that explicitly requires the European Commission to pay "specific attention to small and medium-sized enterprises and the position of new competitors." This is not a passive observation but a legally binding instruction to evaluate whether the regulation is successfully fostering market entry or inadvertently entrenching dominant incumbents. Given CADA's primary goal of reducing the EU's reliance on a limited number of third-country hyperscalers—who currently control over 70% of the European market—the review acts as a critical safeguard. It ensures that the complex compliance regimes, such as the Union Assurance Levels for sovereign cloud, do not create prohibitive barriers that only large players can afford, thereby preserving the competitiveness and diversity of the European cloud and AI ecosystem.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to address a structural imbalance in the European digital economy. The explanatory memorandum identifies a critical vulnerability: the EU's cloud market is characterized by a "pronounced dependence on a limited pool of third-country providers," with three non-EU hyperscalers controlling over 70% of the market. To reverse this trend, CADA establishes a framework for increasing domestic computing capacity, accelerating data centre deployment, and creating a sovereign cloud offer. However, the regulation acknowledges that well-intentioned measures to boost sovereignty could inadvertently raise barriers to entry.

The Mandate of Article 47(3)

The core of the review mechanism lies in Article 47, which governs the evaluation and reporting of the Regulation. While Article 47(1) sets the timeline—requiring the Commission to evaluate the Regulation five years after its entry into force and every five years thereafter—Article 47(3) defines the specific scope of that evaluation.

The text of Article 47(3) states:

"In carrying out the evaluation referred to in paragraph 1, to Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors."

This provision imposes a distinct legal obligation on the Commission. It moves beyond a general assessment of the Regulation's effectiveness to a targeted analysis of market dynamics. The Commission must actively investigate whether the regulatory framework is functioning as intended for smaller market participants. If the review reveals that compliance costs, technical requirements, or procurement rules are disproportionately hindering SMEs or new entrants, the Commission is required to consider these findings when proposing amendments to the Regulation.

Link to Competitiveness and Market Concentration Objectives

The specific focus on SMEs and new competitors in the review clause is inextricably linked to CADA's overarching objectives defined in Article 1.

Article 1(2) establishes the first general objective: "to ensure the conditions necessary for the competitiveness and innovation capacity of the Union's cloud and AI ecosystem." Article 1(3) establishes the second, complementary objective: "to improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy in cloud and AI technologies."

The explanatory memorandum explicitly connects these objectives to the problem of market concentration. It notes that the current landscape is "characterised by a pronounced dependence on a limited pool of third-country providers." The proposal aims to "reduce critical external dependencies by strengthening homegrown cloud and AI capabilities."

However, the memorandum also warns of the risks associated with regulatory complexity. Measures such as the Union cloud computing sovereignty framework (Title IV, Chapter I) introduce Union assurance levels (Levels 1–4) with rigorous criteria for establishment, infrastructure location, personnel, and cybersecurity certification (Annex II). For a large hyperscaler, meeting these criteria may be a manageable operational cost. For an SME or a new entrant, the costs of independent audits (required for Levels 2–4 under Article 20), the need for specific cybersecurity certifications, and the administrative burden of reporting could be prohibitive.

If the review under Article 47(3) finds that these barriers are effectively locking out smaller European providers, the Regulation would fail its primary objective of increasing the market share of EU providers. Instead of diversifying the market, it could reinforce the dominance of the few large incumbents that can afford compliance, thereby undermining the "competitiveness and innovation capacity" mandated by Article 1(2). The review clause ensures that the Commission monitors this dynamic and can intervene if the regulatory framework begins to stifle the very competition it seeks to foster.

Evidence the Commission Might Gather

To fulfill the mandate of Article 47(3), the Commission would likely gather a comprehensive set of quantitative and qualitative evidence. Based on the structure of CADA and standard EU impact assessment methodologies, the evidence base would likely include:

• Market Structure and Share Data: The Commission would analyze market share trends to determine if the share of European providers is increasing, and crucially, whether this growth is driven by large incumbents or by SMEs and new entrants. This would involve distinguishing between established EU players and new market participants to see if the "new competitor" objective is being met.
• Compliance Cost Analysis: A detailed assessment of the financial and administrative burden imposed by CADA's requirements. This would include data on the costs of obtaining Union Assurance Level recognition (including audit fees under Article 20), the costs of cybersecurity certification (Annex II), and the administrative overhead of reporting under Article 23. The Commission would compare these costs relative to the turnover of SMEs versus large providers to identify disproportionate impacts.
• Public Procurement Outcomes: Since CADA significantly influences public procurement through Article 30 (mandating specific assurance levels) and Article 32 (Union added value criteria), the review would examine procurement data. The Commission would assess whether SMEs are successfully winning contracts for cloud and AI services, particularly those requiring higher assurance levels. It would evaluate if the "Union added value" criteria are effectively helping SMEs or if they are being used in a way that favors large, established European incumbents.
• Barriers to Entry and Innovation Metrics: Qualitative evidence from stakeholder consultations, including feedback from trade associations, SME representatives, and new entrants. This would cover difficulties in accessing funding, challenges in meeting sustainability requirements for data centres (Title III), and the complexity of navigating the sovereignty framework. Additionally, the Commission would look at innovation indicators, such as the number of new cloud and AI startups established in the EU and the level of venture capital investment in these sectors.
• Utilization of Support Mechanisms: An evaluation of how effectively SMEs are utilizing the support mechanisms established by CADA, such as the network of Experience and Acceleration Centres for AI (Article 5), the EuroCloud Federation (Article 34), and the EU Open Source Solutions Catalogue (Article 43). The review would assess whether these tools are accessible and beneficial to smaller players.

The Commission would also be required to consult with the European Parliament, the Council, and other relevant bodies, ensuring that the evaluation reflects a broad range of perspectives on the regulation's impact on market diversity.

What this means for you

For cloud service providers, data centre operators, and technology startups, the explicit focus on your position in Article 47(3) is a critical strategic lever.

• Active Participation in the Review: As an SME or new competitor, you have a unique opportunity to shape the future of the regulation. The Commission is legally required to listen to your experience. You should actively engage in the consultation processes leading up to the review, providing concrete evidence of how CADA's requirements impact your business operations, costs, and ability to compete.
• Document Compliance Burdens: Maintain detailed records of the resources you allocate to complying with CADA. This includes costs for audits, cybersecurity certifications, reporting, and infrastructure adjustments. Quantitative data on these costs is far more persuasive than general complaints and will be essential for demonstrating if the regulatory burden is disproportionate.
• Leverage Support Mechanisms: CADA offers specific tools designed to assist smaller players. Ensure you are utilizing the Experience and Acceleration Centres for AI (Article 5) for skills and innovation support, and consider participating in the EuroCloud Federation (Article 34) to share capacity and reduce costs. The promotion of open-source solutions (Article 41) can also reduce vendor lock-in and development costs.
• Advocate for Proportionality: If you find that certain provisions, such as the audit requirements for Union Assurance Levels, are creating an unfair disadvantage compared to larger competitors, use the review process to advocate for tailored measures. The Commission's mandate to pay "specific attention" to your position means that arguments for proportionality and simplified pathways for SMEs carry significant weight.

Common misconceptions

"The CADA review is just a technical compliance check." Reality: The review under Article 47 is a comprehensive policy evaluation. It is not limited to checking if rules are followed; it is a strategic assessment of whether the Regulation is achieving its goals of market diversification, competitiveness, and resilience. The specific mandate to look at SMEs and new competitors ensures it is a market-structure review, not just a technical audit.

"SMEs are exempt from the sovereignty requirements if they are small." Reality: SMEs are not automatically exempt from the Union Assurance Levels. If an SME wishes to provide cloud services to public sector bodies, it must meet the same assurance level requirements as larger providers (e.g., Level 1 for general procurement, Level 2-4 for public-order-relevant activities under Article 30). However, the review process is designed to ensure that the cost and complexity of meeting these requirements do not effectively exclude SMEs from the market.

"The Commission will only focus on the big players during the review." Reality: While large providers are important, Article 47(3) explicitly mandates that the Commission pay "specific attention to small and medium-sized enterprises and the position of new competitors." Ignoring the impact on smaller players would be a failure to comply with the Regulation's own evaluation clause. The Commission is legally bound to prioritize their perspective in the final report.

Related

• Who receives the CADA review report? Parliament, Council & EESC
• CADA Timeline: From Adoption to Full Application and Review
• What is the review clause in the Cloud and AI Development Act (CADA)?
• CADA Review vs Delegated Acts: How the EU Cloud and AI Development Act Changes
• How will CADA keep up with technological change? Delegated acts & review

This is general information about a draft EU regulation, not legal advice.