On 3 June 2026, the European Commission formally adopted a legislative proposal for the Cloud and AI Development Act (CADA) - a sovereignty-oriented framework that would restructure how EU public institutions and member states procure cloud and AI services, while accelerating investment in European digital infrastructure. The proposal forms part of the Commission's broader tech sovereignty package, alongside the Chips Act 2.0 and an updated EU Open Source Strategy.

CADA has three stated objectives: to support research, development, and innovation in cutting-edge and sustainable cloud and AI technologies; to accelerate data centre deployment across the EU with the aim of tripling capacity over the next five to seven years; and to introduce a single EU-wide assessment framework for cloud and AI sovereignty. The infrastructure target is ambitious - the Commission's own analysis suggests that current EU data centre capacity will not meet projected demand by 2035 without significant intervention.

The centrepiece of the proposal is the EU Cloud Sovereignty Framework, which establishes four assurance levels for cloud computing services based on criteria including control over the service, control over the supply chain, treatment of data, infrastructure location, and cybersecurity posture. Member states and EU institutions would be required to carry out individual sovereignty risk assessments when procuring cloud services, but the framework allows for national variation - an à la carte approach rather than a fully harmonised mandate. This flexibility is likely to generate debate during the legislative process, with some member states and industry groups expected to push for more prescriptive requirements.

For organisations that process personal data using cloud infrastructure, CADA does not replace existing obligations under the GDPR or NIS2 - but it adds a new layer. The sovereignty assurance levels may influence procurement decisions, contractual requirements, and the risk profile of cloud-based processing activities, particularly for organisations that serve public sector clients or handle data with national security implications.

Acompli perspective: CADA is not a data protection regulation, but its impact on data protection compliance will be real. The sovereignty framework will shape where data is hosted, who controls the infrastructure, and how supply-chain risk is assessed - all of which feed directly into GDPR obligations around international transfers, processor accountability, and security of processing. Organisations should monitor how the assurance levels develop and consider whether their current third-party risk assessments and records of processing adequately capture the sovereignty profile of their cloud providers.