Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?

Summary The proposed Cloud and AI Development Act (CADA) and the review of the Chips Act (often termed "Chips Act 2.0") are the two complementary pillars of the EU's technology sovereignty strategy. As explicitly stated in the CADA explanatory memorandum, the proposal "needs to be read in conjunction with the proposal for the review of the Chips Act." While the Chips Act 2.0 secures the physical supply of advanced semiconductors and hardware, CADA secures the software, data, and operational layers—ensuring that the cloud and AI services running on that hardware are resilient, sovereign, and free from third-country control. Together, they form a "whole-of-stack" framework designed to reduce critical dependencies and safeguard the Union's public order.

Detail

The European Commission's legislative strategy for digital autonomy relies on an integrated ecosystem approach. Technological sovereignty cannot be achieved by focusing on hardware or software in isolation; secure chips are useless if the cloud services running on them are subject to extraterritorial foreign laws, and sovereign cloud services cannot function without a resilient hardware supply chain. CADA and the Chips Act 2.0 address these distinct but interdependent layers.

Complementary Pillars: Hardware vs. Operational Autonomy

The explanatory memorandum of CADA explicitly frames the proposal as a necessary complement to the Chips Act review. It states that the Chips Act 2.0 "includes measures to promote investments in advanced semiconductors, increase supply chain resilience and demand creation through increased cooperation between the semiconductor supply chain and end markets."

In contrast, CADA addresses the "nexus" between computing infrastructures, data, skills, and the deployment of AI algorithms. The memorandum notes that the current landscape is characterized by a "pronounced dependence on a limited pool of third-country providers," exposing the EU to risks of "operational discontinuity" and "extraterritorial effects of legislation."

• The Chips Act 2.0 secures the foundation: It ensures the availability of advanced semiconductors, quantum accelerators, and the physical manufacturing capacity required to build data centers and AI accelerators within the Union.
• CADA secures the platform and services: It establishes a harmonized framework for cloud sovereignty, data-centre capacity, and the "availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order."

As proposed, CADA ensures that even if the hardware is manufactured in the EU (per the Chips Act), the services utilizing that hardware are not subject to unilateral disruptions or unauthorized access by third-country actors. This dual approach creates a "whole-of-stack" sovereignty strategy.

Article 1: The Legislative Foundation of the Package

Article 1 of CADA defines the subject matter and establishes the legal basis for these sovereignty measures. It outlines that the Regulation establishes a framework for strengthening the cloud and AI ecosystem through five specific measures, several of which directly mirror the objectives of the Chips Act but apply to the service layer:

• (a) Establishing the Cloud and AI Leadership Initiatives: These support research and innovation to achieve large-scale capacity, fostering the development of "advanced EU capabilities in advanced AI technologies."
• (b) Setting the framework for accelerated deployment of data centres: This ensures the physical infrastructure for cloud services is built sustainably and rapidly, addressing the "limited and geographically concentrated availability of computing capacity."
• (c) Enabling the availability of a sovereign cloud and AI offer: This is the core sovereignty provision, aiming to "safeguard the Union's public order" by reducing reliance on non-European providers.
• (d) Reducing dependencies on critical technologies: This directly aligns with the Chips Act's goal of supply chain resilience but targets the software and service dependencies.
• (e) Fostering the adoption of cloud computing services across the public sector: This drives demand for sovereign solutions, creating a market for the hardware secured by the Chips Act.

Article 1 further specifies two general objectives. The first is to ensure conditions for competitiveness and innovation. The second, described as "separate from and complementary to" the first, is to "improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy in cloud and AI technologies." This second objective is where the synergy with the Chips Act becomes legally explicit: both laws aim to remove fragmentation and build strategic autonomy, but in different layers of the tech stack.

Addressing Critical Dependencies: A Dual Strategy

The explanatory memorandum highlights that the EU's dependence on a limited number of third-country cloud providers exposes the Union to risks such as "extraterritorial effects of legislation adopted by third countries," "potential disruptions affecting the continuity, quality and resilience of cloud computing services," and "reduced control and oversight over personal and non-personal data."

The Chips Act addresses the risk of hardware shortages and supply chain bottlenecks. CADA addresses the risk of "vendor lock-in," data access by foreign governments, and the degradation of service quality by non-EU entities. By combining these efforts, the EU creates a comprehensive defense against external coercion.

For instance, CADA's "Union assurance levels" for cloud services (Article 16) require rigorous audits and criteria to ensure that services are not subject to third-country control. This complements the Chips Act's efforts to ensure that the chips powering these services are produced under secure and resilient conditions. The memorandum notes that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." CADA fills this gap, ensuring that the control of the infrastructure remains within the Union.

Harmonization and the Single Market

Both CADA and the Chips Act rely on Article 114 TFEU (harmonization of the internal market) and Article 173(3) TFEU (industrial competitiveness). CADA's explanatory memorandum notes that current fragmentation in data center deployment and divergent national approaches to sovereignty criteria risk undermining the internal market. Similarly, the Chips Act aims to coordinate national subsidies and investments to avoid a "race to the bottom" and ensure a unified European semiconductor base.

By harmonizing sovereignty criteria for cloud services (via CADA) and semiconductor production standards (via the Chips Act), the EU ensures that European providers can compete globally while maintaining high standards of security and autonomy. This harmonization is crucial for public sector procurement, as it provides clear, EU-wide standards for what constitutes a "sovereign" or "trusted" technology solution.

What this means for you

For public-sector procurement officers, industry leaders, and compliance teams, understanding the interplay between CADA and the Chips Act is essential for future-proofing strategies. As CADA is adopted, you will be required to procure cloud computing services that meet specific "Union assurance levels" (Article 30). These levels are designed to mitigate risks associated with third-country control and ensure operational autonomy.

The "tech sovereignty package" approach means that your procurement decisions will increasingly need to consider the entire technology stack. When procuring AI systems or cloud services, you will need to verify not just the software's compliance with CADA's sovereignty criteria, but also the underlying infrastructure's alignment with broader EU industrial policies.

Specifically, CADA encourages the use of hardware components designed or manufactured in the Union (Article 32), which directly supports the goals of the Chips Act. Article 32(2) allows contracting authorities to evaluate the extent to which a tenderer contributes to "strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union."

Procurement officers and strategic planners should prepare for:

1. Risk Assessments: Conducting regular risk assessments to determine the appropriate Union assurance level for your organization's activities (Article 29).
2. Sovereign Cloud Criteria: Evaluating cloud providers against the four-tier assurance framework, which includes requirements for data localization, personnel citizenship, and absence of third-country control.
3. Supply Chain Transparency: Ensuring that providers can demonstrate the origin and security of their hardware and software supply chains, aligning with the broader EU goals of reducing critical dependencies.

By aligning with these complementary pillars, public bodies and private entities can ensure they are not only compliant with future regulations but also contributing to the EU's strategic goal of technological autonomy.

Common misconceptions

"CADA is just another data protection law like the GDPR." No. While CADA complements the GDPR, it focuses on sovereignty and operational autonomy, not just privacy. It addresses risks such as service disruption, third-country data access laws, and the extraterritorial reach of foreign legislation, which are beyond the scope of data protection regulations.

"The Chips Act and CADA are competing initiatives." They are explicitly complementary. The Chips Act secures the hardware supply chain, while CADA secures the cloud and AI services that run on that hardware. The explanatory memorandum states they must be "read in conjunction." One cannot function effectively without the other in a sovereign strategy.

"CADA bans all non-EU cloud providers." CADA does not ban non-EU providers. Instead, it establishes a framework for "Union assurance levels." Providers from third countries can potentially qualify for higher assurance levels (specifically Level 3) if they meet strict criteria, such as being subject to an adequacy decision and implementing robust safeguards against third-country data access (Article 18). However, for activities deemed critical to public order, the requirements for Union establishment and control become mandatory.

"CADA only affects the public sector." While the procurement obligations fall on contracting authorities and public bodies, the sovereignty framework reaches any provider wanting to serve them. Furthermore, CADA's data-centre acceleration measures and the Cloud and AI Leadership Initiatives affect the wider market, encouraging private investment in sovereign infrastructure.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Cybersecurity Act (Regulation (EU) 2019/881)
• Data Act (Regulation (EU) 2023/2854)

Related

• Why a Cybersecurity Act certificate cannot prove cloud sovereignty under CADA
• CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
• If I comply with the Chips Act, do I comply with CADA?
• How does CADA reduce hardware dependencies alongside the Chips Act?
• CADA vs the EU Cybersecurity Act: How the Sovereignty Layer Works

This is general information about a draft EU regulation, not legal advice.