Publication date: July 10, 2026
On June 3, 2026, the European Commission adopted a proposal for the Cloud and AI Development Act (hereinafter: CADA or the draft), which is the centerpiece of the broader European Technological Sovereignty Package. This draft seeks to translate the political concept of digital sovereignty into binding legal standards governing public procurement, the certification of cloud computing providers, and artificial intelligence infrastructure.
CADA focuses on 3 goals:
• Pillar 1 – Research and Innovation: Support for next-generation technologies, frontier, industrial and physical AI; introduction of “grand challenges”; implementation of Experience and Acceleration Centres for AI.
• Pillar 2 – Capacity: target to triple EU data centre capacity within 5-7 years; simplify and speed up construction permitting.
• Pillar 3 – autonomy (core of regulation): a single EU framework for assessing cloud and AI sovereignty, a public sector adoption mechanism; an open source-first principle; and a common public procurement framework.
CADA fits into the broader EU digital policy framework, which includes the AI Act, Data Act, Data Governance Act, Digital Markets Act (DMA) and Digital Services Act (DSA), as well as soft law initiatives such as Gaia-X and the 2020 European Data Strategy. CADA takes a coordinated “ecosystem approach” as it combines supply-side actions to strengthen national capabilities, demand-side actions to drive deployment, and enablers for innovation and investment in cloud computing and AI.
“This initiative will connect networks, cloud, artificial intelligence, and software into cohesive ecosystems to address the following:
(1) future challenges related to energy-efficient computing infrastructure;
(2) autonomy across the entire cloud stack;
(3) advanced EU capabilities in advanced AI technologies, such as frontier AI, physical AI and industrial AI;
(4) implementing cloud and artificial intelligence in the public and private sectors.”
The concept of digital sovereignty (technological sovereignty) entered the vocabulary of the European Commission and the Council of the EU around 2020-2021 as a reaction to three phenomena: (1) the ongoing consolidation of the global cloud market in the hands of hyperscalers from the United States. à”The current situation in the cloud computing and artificial intelligence sector is characterized by a clear dependence on a limited group of third-country providers. Although the EU cloud computing market is growing significantly, the share of EU providers fell from 29% in 2017 to 15% in 2022 and has remained unchanged since then. Currently, three non-EU cloud computing providers control over 70% of the European cloud computing market… This dependency also exposes European users to the risk of disruptions, especially in situations where unilateral decisions by third-country entities could disrupt service provision.”
(2) legal risks related to the extraterritorial application of the US CLOUD Act of 2018, which allows US authorities to access data stored by US-based companies regardless of the location of the servers, and
(3) the CJEU judgments in Schrems I (2015) and Schrems II (2020), questioning the legal basis for transatlantic transfers of personal data. The Court of Justice of the EU (CJEU) invalidated the Privacy Shield Agreement, finding that US regulations did not guarantee EU citizens adequate protection of their personal data against surveillance. This forced the processing of sensitive data in Europe.
The Gaia-X initiative, launched in 2019 by Germany and France, was the first attempt to operationalize cloud sovereignty. The project’s main goals are:
However, the project was criticized for its slow pace and the influence of large American technology companies, which raised doubts about the sovereign nature of the undertaking.
The CADA project does not have a single, closed dictionary definition of “cloud/digital sovereignty.” Instead, the project develops the concept through a system of levels and assessment criteria.
Recital 51 of the Preambleà “it is necessary to establish a Union cloud computing sovereignty framework determining criteria for trusted cloud computing services. To cater for the nuanced and layered nature of sovereignty, the framework should provide for four different levels of trusted offers (‘Union assurance levels’).”
Recital 50 of the Preambleà “The Union and Member States being critically dependent on a limited number of cloud computing service providers subject to the control of a third country or a legal entity established in a third-country may lead to risks such as misuse (ie manipulation, remote access and control, sabotage, weaponization), access to information (ie access to sensitive information, unauthorized communication, technology leakage, data manipulation or exfiltration, espionage) and dependency vulnerabilities (ie political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States).” – risks to sovereignty
Article 16à “This Chapter establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II, that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies”
Annex IIà contains four cumulative sets of technical, legal and organisational criteria. “Software” within the meaning of the Annex includes Regulation 2024/2847 (Cyber Resilience Act). CADA in Annex II defines sovereignty in the field of cloud computing and artificial intelligence, comprising four levels of guarantees that public sector bodies will benefit from based on their risk assessments. Cloud service providers can be recognised by Member States under this framework after passing an audit. The Commission retains the competence to issue implementing acts identifying third countries whose providers would be subject to audits under the above system.
Level 1 (Basic) – pt. 1
The lowest threshold, covering all public sector services:
Level 2 (Standard) – point 2
It requires an audit (not just a declaration) and adds:
Level 3 (Enhanced) – point 3
Adds important refinements:
Level 4 (Sovereign) – point 4
Highest, most restrictive threshold:
| Level | Name | Key criterion | Accessibility for non-EU entities |
| 1 | Basic Date of residency | Data localization in the EU, GDPR | Accessible – meeting basic data protection requirements |
| 2 | Standard Supply-chain independence | EUCS certification, operational independence | Conditionally available – requires ENISA/EUCS certification |
| 3 | Enhanced EU ownership & control | Supply chain control, no non-EU law | Limited – Commission recognition required; US CLOUD Act disqualifies |
| 4 | Sovereign Defence-grade | Full transparency, technical autonomy, EU ownership | Essentially unavailable to non-EU hyperscalers without restructuring |
The EU Cloud Sovereignty Framework is also a key document defining the “sovereign cloud.” This document is not part of the CADA regulation itself, but a separate DG DIGIT methodological tool used in specific procurement procedures. Compared to the four-level Union Assurance Levels scale in CADA Annex II (levels 1–4, based on cumulative binary criteria—pass/fail), the SEAL framework is more detailed. According to it, digital sovereignty consists of eight elements.
Eight Components of Digital Sovereignty (SOV-1 to SOV-8)
| # | Component | |
| SOV-1 | Strategic sovereignty | The supplier’s embeddedness in the EU legal, financial and industrial ecosystem – ownership stability, influence on governance, compliance with EU strategic priorities |
| SOV-2 | Legal and jurisdictional sovereignty | The legal environment of the service, exposure to foreign authorities, the possibility of pursuing rights in EU jurisdiction – including resistance to extraterritorial acts such as the US CLOUD Act or the Chinese cybersecurity law |
| SOV-3 | Data Sovereignty and AI | Protection, control, and independence of data resources and AI services – where data is processed and what degree of autonomy the customer retains over AI capabilities |
| SOV-4 | Operational sovereignty | Practical ability of EU entities to independently conduct, support and develop technologies without dependence on foreign control – business continuity, availability of competences |
| SOV-5 | Supply chain sovereignty | Geographical origin, transparency and resilience of the technology supply chain – the extent to which key components remain under EU control |
| SOV-6 | Technological sovereignty | The degree of openness, transparency and independence of the technology stack – the ability to interoperate, audit and develop solutions without dependence on closed systems from third-party vendors |
| SOV-7 | Security and Compliance Sovereignty | The extent to which security operations, compliance obligations and resilience activities remain controlled within the EU – independence from foreign jurisdictions |
| SOV-8 | Environmental sustainability | Long-term autonomy and resilience of cloud services in the context of energy consumption, resource dependencies, and material scarcity |
Rating scale: Sovereignty Effectiveness Assurance Levels (SEAL)
Independently of the eight components, the document introduces a five-level maturity scale (SEAL-0 to SEAL-4) used to assess each of the eight objectives separately:
| Level | Name | Description |
| SEAL-0 | Lack of sovereignty | A service entirely controlled by a non-EU entity, managed in a foreign jurisdiction |
| SEAL-1 | Jurisdictional sovereignty | EU law formally applies but has limited enforceability; exclusive control by a non-EU entity |
| SEAL-2 | Data sovereignty | EU law is in force and enforceable, but significant dependencies on non-EU entities remain; indirect control |
| SEAL-3 | Digital resilience | EU law fully enforceable, EU entities have significant but limited influence; non-EU entities have marginal control |
| SEAL-4 | Full digital sovereignty | Technology and operations entirely under EU control, subject only to EU law, with no critical dependencies from outside the EU |
Sovereignty Score
The document also introduces percentage weightings for each of the eight components when calculating the aggregate sovereignty score in the tender process:
The lower weights for SOV-2 and SOV-7 were justified by the fact that these areas are already covered by separate procedural safeguards in the procurement procedure itself.
One of the central mechanisms of CADA is the common EU-level procurement framework.
Recital 64 of the Preambleà The free flow of data within the EU is a prerequisite for the functioning of the internal market – data cannot be artificially limited to the territory of a single Member State. The EU pledges, in principle, open, non-discriminatory market access in accordance with the TFEU and international obligations (including the WTO GPA on Government Procurement).
However, the EU invokes Article III:2(a) of the WTO GPA, which allows for measures necessary to protect public order, public morality, or security. This justifies proportionate restrictions on access to public procurement based on the risk of critical dependencies, unauthorized access to EU data, technology leakage, sabotage, and espionage by third-country entities. Contracting entities whose activities are identified as relevant to public order are required to procure cloud services only at levels 2-4. At the same time, level 1 becomes the mandatory minimum for the entire EU public sector, providing a consistent baseline level of security.
Motif 65à To reduce vendor dependency, EU entities and Member States should consider a multi-vendor/multi-cloud strategy in their procurement processes, based on a contextual risk assessment that takes into account operational, regulatory and resilience circumstances.
Motif 66à Public procurement is treated as a directional signal for the entire market – requirements imposed on the public sector regarding levels of assurance tend to be imitated by the private sector in regulated industries. Article 31 allows private entities from sectors covered by Annex I of the NIS2 Directive to carry out similar assessments.
Article 29 àMember States and EU entities are required (annually or biannually) to carry out risk assessments that:
The Commission has the power to impose the methodology for this assessment by means of implementing acts and, if it considers the Member State’s assessment to be inadequate, to determine the required level itself (Article 29(5)).
Article 30à
Paragraph 2: entities whose activities are not classified as important for public order must use at least level 1 cloud services.
Paragraph 3: contracting entities whose activities have been so qualified (NIS2, national security, defence, justice sectors) may only procure cloud services classified as level 2, 3 or 4 .
Paragraph 4: allows for derogations in exceptional, justified cases (lack of available services on the market, lack of offers in the previous procedure, grossly disproportionate cost).
Art. 32 àIn procurement procedures for innovative cloud services and AI systems, contracting authorities must take into account non-price criteria for the evaluation of offers , including:
Recital 67 clarifies that this criterion cannot be decisive and suggests an indicative maximum weighting of 15 points out of 120 in the tender evaluation methodology – it is intended to be subsidiary to the technical and financial criteria.
Article 33à Member States are to aim to ensure that at least 25% of procurement for cloud services and AI systems goes to innovative SMEs, and report annual data on SME participation in procurement to the Commission.
The AI Act governs the security and fundamental rights of AI systems; the CADA governs the sovereignty of the infrastructure that supports these systems.
Art. 2 point 3 of CADA does not create its own definition of an AI system, but refers directly to the AI Act à”‘AI system’ means an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689″
Explanatory memorandumà “The proposal also reinforces key objectives of the AI Act. The AI Act harmonises rules for AI systems and general-purpose AI models to be placed on the EU market, improving the functioning of the internal market and promoting the uptake of human-centric and trustworthy AI along the value chain. The AI Act ensures a high level of protection of health, safety and fundamental rights. It does not cover aspects of sovereignty.” – The Commission explicitly states that the AI Act does not cover the issue of sovereignty – this is the very gap that CADA aims to fill.
CADA entrusts the AI Board (the body established under the AI Act) with a coordinating role beyond its original mandate:
This is an important institutional arrangement: CADA does not create a new, parallel body for AI issues, but extends the remit of the existing body from the AI Act to a new area (cloud as an infrastructure supporting AI).
The Data Act, effective from September 2025, imposes obligations on cloud service providers to facilitate data portability and switching. CADA builds on this foundation by adding a dimension of sovereignty: it’s no longer just about data portability, but also about ensuring that data remains under the sole jurisdiction of the EU throughout its time in the cloud. The two acts create a complementary layer of protection: the Data Act allows for switching providers, and CADA establishes criteria for which alternative cloud services are considered sufficiently sovereign. Without CADA, the Data Act’s switching mechanism would be “blind” to the quality or sovereignty of the target provider.
“”The proposal is consistent with the rules on switching between data processing services introduced by the Data Act. By enabling switching and removing key sources of vendor lock-in, the Data Act seeks to ensure that cloud computing service providers in the EU compete on quality, innovation, and price. It seeks to enable cloud users to freely choose the provider that best meets their needs and combine offers of different providers in a multi-cloud approach.”
“However, the Data Act does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers.”
“The Data Act opens the path towards a possible reduction of dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector. […] The Data Act is thus an enabler for the proposal.“
The Data Governance Act, effective from September 2023, establishes a framework for neutral data intermediaries and the reuse of public sector data. The CADA does not explicitly address the DGA in its text. However, it imposes sovereign certification requirements on the infrastructure storing this data, which in practice limits the range of providers deemed suitable for handling data covered by the DGA.
The DMA, effective from May 2023, imposes obligations on gatekeepers, including interoperability requirements and prohibition of self-preferential services. CADA and DMA operate under different logics: DMA regulates market behavior ex ante, while CADA creates positive eligibility criteria for the public sector. There is a risk of conflict between the interoperability obligations with the DMA and the closed architectures required by the highest levels of CADA sovereignty.
The DSA, fully applicable since February 2024, governs the liability of online intermediaries. Although it does not directly address cloud infrastructure, it contributes to a regulatory climate characterized by high levels of EU intervention in the digital market and increasing assertiveness towards global technology providers.
“While certain providers of cloud computing services could be regulated under both this proposal and the DMA, the DMA has different objectives and does not contain measures that would actively promote the uptake of sovereign cloud computing services . The DMA only aims at maintaining and promoting a fair and contestable cloud market in the Union, regulating specific behaviors of companies designated as gatekeepers and thus intervenes at a different level than the proposal, which focuses on the uptake and use of the services provided.”
| Dimension | DMA | CADA |
| The Logic of Intervention | Ex post / behavioral — corrects the market behavior of already dominated entities (gatekeepers) | Ex ante/structural – shapes demand and supply towards trusted/sovereign services |
| Subject of regulation | Fairness and contestability of the market | Uptake and utilization of sovereign services |
| Recipients | Only entities formally designated as gatekeepers | All cloud providers seeking certification at levels 1-4 |
The CADA project, whose legal basis is Article 114 and Article 173(3) TFEU (harmonisation of the internal market and strengthening of the EU’s industrial competitiveness), is consciously constructed by the Commission as a means of removing internal market barriers – the argument justifying the intervention is precisely the divergence of national sovereignty criteria and procurement practices, which hinders suppliers from operating freely between Member States.
Despite this declared harmonisation logic, the practical effect of the sovereignty criteria at levels 3-4 (complete lack of control by a third-country entity, EU citizenship of staff, location of the entire infrastructure in the EU) may in fact restrict the freedom to provide services by non-EU suppliers in the EU internal market. However, the Act itself does not explicitly address this potential tension with Article 56 TFEU – the Commission locates the justification for procurement restrictions not in primary EU law, but in the public policy exception in Article III:2(a) of the WTO GPA (recital 64), consistently using the category of “public order” as the substantive basis for the restrictions (recitals 49-53).
The question whether the criteria thus constructed – despite their declared technological neutrality – in fact constitute a measure having an effect equivalent to a quantitative restriction or infringe the principle of proportionality required for derogations from the internal market freedoms remains open and not determined by the text of the act itself – this would require an assessment by the Court of Justice of the EU in a possible preliminary ruling procedure or an action for annulment.
Application
It is believed that despite the weaknesses identified earlier, the CADA project offers more benefits than threats – especially in the context of growing cyber warfare, where information, not just physical critical infrastructure, becomes the primary weapon.
Data collected by healthcare providers, the banking sector, and digital service providers is strategic in nature – its confidentiality and integrity today determine the security of citizens to a degree comparable to energy or military security. As the Schrems II case demonstrated, no contractual safeguards effectively protect against a situation in which an infrastructure provider is legally obligated to disclose data to third-party authorities – regardless of the physical location of the servers. CADA addresses precisely this gap: it no longer regulates only the method of data processing, but also the structure of control over the entity that manages it. This seems to me a necessary step, not an unnecessary one.
The complete dependence of the European digital economy on external infrastructure providers would limit its ability to fully develop – particularly in the field of artificial intelligence, where control over training data and computing infrastructure is becoming a key factor in competitiveness. The European Union possesses significant research and development resources, which currently remain largely untapped due to the lack of coherent institutional and regulatory support to fully develop their potential. CADA, by combining infrastructure investments with preferential procurement criteria, is attempting to fill this gap.
A mechanism to level the playing field for smaller European providers is also crucial. Automatic recognition of compliance for SMEs at the basic assurance level and the goal of at least a quarter of cloud and AI service contracts going to innovative SMEs create a real stimulus for development—not just a barrier for large entities. Such a competitive boost could, in the long run, motivate European providers to continually improve the quality and innovation of their services, rather than remain permanently in the shadow of foreign hyperscalers.
Finally, the planned tripling of data centre capacity in the EU over the next 5-7 years is an investment not only in sovereignty, but also in the security of the data itself – a distributed, redundant infrastructure located within the EU reduces the risk of systemic failures, service interruptions or abuses resulting from unilateral decisions by foreign entities.