Why was the Cloud and AI Development Act (CADA) proposed?

Summary The Cloud and AI Development Act (CADA) was proposed to fix two linked problems: the EU does not have enough of its own computing capacity, and it relies heavily on a small number of non-European cloud providers. As proposed, the Commission frames this as a risk to economic security, operational autonomy and technological sovereignty. CADA's answer is to build up domestic capacity (especially data centres), set a common sovereignty standard for cloud services, and use public-sector demand to support European options. The proposal (COM(2026) 502 final, 3 June 2026) is explicitly tied to the Draghi report on European competitiveness. It is still a draft, so none of it is in force yet.

Detail

The Commission tabled CADA (COM(2026) 502 final) to tackle the limited and geographically concentrated availability of computing capacity in the EU and the risks of depending on cloud and AI supplied by non-European providers. The explanatory memorandum and the recitals set out the reasoning.

The compute capacity gap

A primary driver is the EU's shortfall in data centre capacity. The memorandum states that the Union's limited data centre capacity poses a significant threat to its ability to benefit from digital transformation and to adopt AI-driven solutions, particularly those needing low-latency compute. Because domestic capacity is insufficient, European enterprises are pushed to route critical workloads through foreign hyperscaler infrastructure, which in turn makes the EU a less attractive destination for tech investment than regions with more abundant, lower-cost compute.

As proposed, CADA aims to triple EU data centre capacity in the next five to seven years and to reach the needed capacity by 2035, while ensuring balanced geographic deployment across Member States. To get there it would simplify and harmonise data centre deployment — notably through "data centre acceleration zones" with streamlined permitting and shared sustainability requirements — and create a mechanism to support data centre strategic projects.

Dependence on non-EU providers

The second driver is market concentration. The memorandum records that the market share of EU providers fell from 29% in 2017 to 15% in 2022 and has been stagnant since, while three non-EU hyperscalers control over 70% of the European cloud market. The concern is not only commercial. Large incumbents are subject to third-country jurisdictions whose laws can have extraterritorial effect, including laws mandating data access or transfer that may conflict with EU fundamental rights and data-protection frameworks. Dependence also exposes users to operational discontinuity — the risk that unilateral decisions by third-country actors could disrupt service provision.

CADA's response to this is the Union cloud computing sovereignty framework: a graded, auditable set of criteria (the four Union assurance levels) against which services can be assessed and formally recognised, so that public bodies can match the level of a service to the sensitivity of the activity it supports.

The Draghi report and the strategic context

The proposal is anchored in the wider competitiveness debate. Mario Draghi's report The Future of European Competitiveness argues that the EU must keep a foothold where technological sovereignty matters — including "sovereign cloud" solutions — and calls on the Commission to take targeted action to regain control over data and cloud services and to expand domestic computational capacity. Recital 4 of the proposal references the Draghi report directly, stating that reinforcing the Union's capacity to develop and deploy cloud and AI technologies within its territory has become a strategic priority for competitiveness, security of supply and technological sovereignty. Recital 5 adds that these dependencies translate into limited EU market shares and into significant risks for operational autonomy, resilience and security, and notes that the Council had called for a Cloud and AI Development Act addressing risks including the extraterritorial effects of third-country legislation.

A whole-ecosystem approach

CADA deliberately combines supply-side and demand-side measures. On the supply side, the Cloud and AI Leadership Initiatives support research and innovation in areas such as frontier AI, physical and industrial AI, and energy-efficient data centre technologies. On the demand side, public procurement is used to drive uptake of sovereign and innovative services, supported by common procurement and the EuroCloud Federation for sharing public-sector capacity. Open source runs through the proposal as a lever for sovereignty and against vendor lock-in, in line with the EU's open-source strategy.

What this means for you

For citizens, businesses and public administrations, the proposal signals a shift in how Europe intends to source and govern its digital infrastructure.

• More European capacity over time. If adopted, CADA would aim to expand and better distribute data centre capacity across Member States, which over time could mean more local, lower-latency options.
• Sovereignty becomes a procurement criterion for the public sector. Public bodies would assess the sensitivity of their activities and procure cloud services at a matching assurance level — level 1 as a baseline, and levels 2 to 4 where an activity has public-order relevance.
• It is not protectionism by another name. The stated aim is autonomy and resilience, not closing the market. Non-EU providers can still compete, subject to the assurance-level criteria.
• Nothing is binding yet. CADA is a proposal. If you run cloud services for a public body, a sensible early step is simply to understand which of your workloads are sensitive or critical, since that is what would eventually drive any obligations.

Common misconceptions

"CADA bans non-EU cloud providers." No. It creates graded assurance levels rather than a ban. The strict criteria at the highest levels are hard for some providers to meet, but lower levels remain broadly open, and Article 18 sets out a route for recognising a third country so that services controlled from it can become eligible for level 3.

"CADA replaces the GDPR or the AI Act." No. It complements them. GDPR governs personal-data protection; the AI Act governs AI systems; CADA addresses cloud and compute sovereignty, capacity and procurement. They operate together.

"Every public-sector activity will need the highest sovereignty level." No. The approach is risk-based. Only activities with public-order relevance would require levels 2, 3 or 4; routine services can run on level 1.

"CADA is only about building data centres." No. Data centre deployment is one of several strands. CADA also covers the sovereignty framework, public procurement, the EuroCloud Federation and open-source measures.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)

Related

• When was the Cloud and AI Development Act (CADA) proposed?
• Who does the Cloud and AI Development Act (CADA) apply to?
• Where can I read the official text of the Cloud and AI Development Act (CADA)?
• What is the one-sentence summary of the Cloud and AI Development Act (CADA)?
• What is the Cloud and AI Development Act (CADA)?

This is general information about a draft EU regulation, not legal advice.