Summary Under the proposed Cloud and AI Development Act (CADA), sovereignty is not merely a security protocol but a foundational driver of European economic competitiveness. The proposal explicitly links technological dependence to market failure: EU cloud providers' market share dropped from 29% in 2017 to 15% in 2022, while three non-EU hyperscalers now control over 70% of the market. Recital 5 of the proposal states these dependencies translate "not only into limited market shares for the European cloud computing service providers, but also into significant risks for the Union's operational autonomy, resilience and security." Framed by Mario Draghi's report on European competitiveness, CADA seeks to reverse this trend by creating a predictable demand signal through standardized "Union assurance levels," enabling European providers to scale, invest, and compete globally rather than remaining locked in foreign ecosystems.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), represents a paradigm shift in EU digital policy. It reframes cloud sovereignty from a narrow cybersecurity concern into a broad economic imperative. The proposal is built on the premise that technological dependence translates directly into economic vulnerability, lost competitive advantage, and a stifling of local innovation capacity.

The Link Between Dependence and Market Share

The explanatory memorandum for CADA highlights a stark and concerning decline in the European cloud market. It notes that while the EU market for cloud computing services is growing significantly, the market share of EU providers decreased from 29% in 2017 to 15% in 2022 and has remained stagnant since. Currently, three non-EU hyperscalers control over 70% of the European cloud market.

This concentration creates a structural imbalance. Recital 5 of the proposal explicitly states that these dependencies translate "not only into limited market shares for the European cloud computing service providers, but also into significant risks for the Union's operational autonomy, resilience and security." This framing underscores that sovereignty is not just about protecting data from unauthorized access; it is about ensuring that European businesses and public administrations are not locked into ecosystems controlled by foreign entities. Such lock-in distorts competition, prevents the emergence of a robust European digital industrial base, and exposes the Union to operational discontinuity risks if third-country actors make unilateral decisions to disrupt service provision.

The proposal argues that the current landscape is characterized by a "pronounced dependence on a limited pool of third-country providers." This dependence forces European enterprises to route critical workloads through foreign hyperscaler infrastructure, making the EU a less attractive destination for tech investment compared to regions with more abundant, lower-cost compute resources. By addressing this, CADA aims to correct a market failure where the lack of a trusted, sovereign alternative stifles the growth of European champions.

The Draghi Report and Competitiveness

The proposal is heavily influenced by the findings of Mario Draghi's report, 'The future of European competitiveness.' The report calls on the European Commission to take targeted actions aimed at regaining and retaining control over data and cloud computing services, expanding domestic computational capacity, and establishing a robust financial and talent flywheel to drive innovation.

Draghi's analysis posits that the EU must maintain a foothold in areas where technological sovereignty is required, such as security and encryption ("sovereign cloud" solutions). CADA responds to this call by establishing a framework to strengthen Europe's cloud and AI ecosystem. The goal is to position the EU not just as a consumer of advanced digital technologies, but as a global hub for trusted, sovereign, and scalable digital infrastructure.

By reducing critical external dependencies, the EU aims to create a level playing field where European providers can compete on quality, innovation, and price, rather than being overshadowed by third-country incumbents with disproportionate market power. The proposal seeks to foster a "talent flywheel" where homegrown capabilities drive further innovation, ensuring that the EU retains control over its data, assets, and technology systems under Union and national jurisdiction.

Sovereignty as a Market Enabler

Article 16 of CADA establishes a Union cloud computing sovereignty framework comprising four "Union assurance levels." This framework provides a harmonized and auditable set of criteria for cloud computing services to be recognized at specific levels of sovereignty. The goal is to ensure that public sector bodies, which represent a massive portion of digital demand, can make informed purchasing decisions that support European technological autonomy.

The proposal recognizes that public procurement frequently serves as a primary signal of market direction. As stated in the explanatory memorandum, "Requirements imposed by or on public authorities to adopt specific assurance levels offered by cloud computing services tend to be mirrored by private-sector entities operating in regulated industries, with subsequent spillover effects contributing to broader market realignment over time."

By mandating that contracting authorities conduct risk assessments (Article 29) and procure services that meet appropriate Union assurance levels (Article 30), CADA aims to drive demand toward European providers. This creates a predictable, large-scale demand signal that allows European cloud and AI providers to scale, invest, and compete globally. The framework is designed to be proportionate: most public services would not require the highest levels of assurance, but specific cases (e.g., law enforcement, defence) may require levels 3 or 4 to preserve public order.

Innovation and Strategic Autonomy

Beyond market share, sovereignty is intrinsically linked to innovation capacity. The proposal emphasizes that Europe has world-class research and development capabilities and vibrant open-source communities that remain largely untapped. By strengthening homegrown cloud and AI capabilities, the EU aims to foster a "talent flywheel" that drives innovation.

The Cloud and AI Leadership Initiatives, established under Title II of the proposal, support research and innovation activities to achieve large-scale capacity throughout the Union's cloud and AI ecosystem. These initiatives target next-generation resource-efficient data centre technologies, open cloud computing stacks, and frontier AI. The proposal places a particular emphasis on open source as a lever to boost technological sovereignty, in line with the EU Open Source Strategy.

This approach ensures that the EU is not only secure but also at the forefront of technological development, capable of shaping the standards and capabilities of the next technological wave. The proposal aims to triple EU data centre capacity in the next five-to-seven years and reach the needed capacity by 2035, ensuring balanced geographic deployment across Member States.

What this means for you

For public-sector and procurement officers, CADA introduces a new dimension to your purchasing responsibilities. Sovereignty is no longer an optional extra but a core component of value evaluation.

  • Risk Assessments are Mandatory: Under Article 29, you must conduct risk assessments to determine which public sector activities contribute to the preservation of public order. This assessment will dictate the required Union assurance level for the cloud services you procure. The assessment must consider the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries.
  • Procurement Requirements: Article 30 mandates that contracting authorities whose activities are identified as contributing to public order must only procure cloud computing services recognized as having a Union assurance level 2, 3, or 4. For other activities, a minimum of Union assurance level 1 is required. This creates a clear market signal for providers to achieve these recognitions.
  • European Added Value: Article 32 allows you to include non-price award criteria that evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem. This could include the use of software or hardware designed or manufactured in the Union, or the integration of technologies developed in the Union. The proposal suggests a maximum weighting of 15 out of 120 points for such criteria to ensure proportionality.
  • Strategic Alignment: Your procurement decisions will directly impact the EU's competitive landscape. By choosing sovereign services, you support the growth of European providers, reduce dependencies on third-country actors, and contribute to the Union's strategic autonomy. This aligns with the broader goal of making the EU a global hub for trusted digital infrastructure.

Common misconceptions

"Sovereignty means data localization only." While data localization is a component of the Union assurance levels (e.g., customer data remaining exclusively within the Union), sovereignty under CADA is broader. It includes operational autonomy, control over infrastructure, and protection against extraterritorial access by third-country authorities. It is about ensuring that the EU retains control over its digital infrastructure and data, regardless of where the physical servers are located. The framework also addresses the risk of service disruption and the ability of third countries to compel access to data.

"Sovereignty is anti-competitive." On the contrary, CADA aims to foster a more competitive market by reducing the dominance of a few non-EU hyperscalers and creating opportunities for European providers to scale. The proposal emphasizes that the framework should be open, cooperative, and consistent with the Union's international commitments. It ensures that services from partner countries that meet required levels of Union assurance can access the internal market. The goal is to correct a market failure caused by imperfect information and fragmentation, not to exclude foreign providers arbitrarily.

"Sovereignty is only for the public sector." While CADA focuses heavily on public procurement due to its role as a market shaper, the sovereignty framework and assurance levels are designed to influence the broader market. Private sector entities operating in critical sectors (as defined in Annex I to the NIS2 Directive) are encouraged to conduct similar impact assessments (Article 31), and the demand for sovereign services will likely spill over into the private sector. The proposal notes that private-sector entities often mirror public procurement requirements, leading to broader market realignment.

"CADA replaces existing cybersecurity rules." CADA complements, rather than replaces, existing cybersecurity frameworks like the Cybersecurity Act and NIS2. While those instruments address technical cybersecurity, CADA addresses sovereignty concerns that go beyond technical elements, such as third-country control and extraterritorial access. The proposal states that certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.