The EU’s Cloud and AI Development Act (CADA): Towards a sovereignty-focused framework for cloud and AI services

Key takeaways

The European Commission’s Cloud and AI Development Act (CADA), adopted on 3 June 2026, forms part of a broader push to strengthen the EU’s digital sovereignty, with a particular focus on cloud infrastructure underpinning AI deployment.

The proposal introduces a graduated system of “Union assurance levels”, linking security, resilience and sovereignty requirements to eligibility for public sector use.

For the most sensitive use cases - including defence and national security-related processing - the framework may, following a risk assessment by Member States and Union entities, fall within the highest tier (level 4), reflecting heightened geopolitical risk and the need for operational autonomy.

Rather than excluding non-EU providers, CADA adopts a risk-based and procurement-driven approach, allowing continued participation of global hyperscalers subject to enhanced compliance obligations.

The framework is designed to interoperate with existing EU legislation, including the AI Act, NIS2 Directive, Cybersecurity Act and Data Act, adding a distinct sovereignty layer.

The proposal reflects and seeks to scale concepts already tested at Member State level, notably France’s SecNumCloud regime.


On 3 June 2026, the European Commission published its proposed Cloud and AI Development Act (CADA), the centrepiece of its Tech Sovereignty Package. CADA responds to two concerns: a shortage of EU data centre capacity as AI deployment grows, and reliance on a handful of non-EU cloud providers.

A proposed directly applicable Regulation, it pairs supply-side measures to expand EU compute capacity with demand-side levers anchored in public procurement. Its most consequential, and most contested, element is a cloud sovereignty framework built around four Union assurance levels, conditioning access to public sector contracts on graduated security, resilience and sovereignty requirements. Rather than excluding non-EU providers, it shapes the market indirectly, drawing on a model already tested at Member State level, notably France's SecNumCloud regime.

This note outlines the proposal, the assurance mechanism, its French-law lineage, and the issues likely to dominate the debate.


1. Background: strategic autonomy and the cloud-AI nexus

CADA sits at the intersection of two core policy priorities: secure data processing and scalable AI deployment. As AI systems increasingly rely on large-scale cloud infrastructure, the Commission is seeking to address perceived structural dependencies on non-EU providers.

This initiative must be understood in the context of the EU’s wider digital regulatory framework. While instruments such as the AI Act and NIS2 focus on risk management, cybersecurity and fundamental rights, they do not directly address jurisdictional exposure to third-country laws or the broader question of operational sovereignty.

Against this backdrop, CADA introduces a more explicit policy objective: ensuring that certain categories of data processing - particularly in the public sector and in sensitive sectors such as defence, critical infrastructure and security services - are carried out under conditions that mitigate extraterritorial access risks. In light of current geopolitical developments, including heightened concerns around supply chain security and state access to data, these considerations have gained additional urgency.

At the same time, the proposal reflects a pragmatic compromise. It does not impose outright localisation or exclusion requirements but instead relies on graduated safeguards, acknowledging both the current market reality and the importance of maintaining competitive cloud offerings within the EU.

2. Structure and scope of the CADA

CADA takes the form of a proposed directly applicable Regulation, ensuring harmonised implementation across Member States and avoiding fragmentation in national approaches.

The proposal is structured around three main building blocks:

  • Infrastructure and capacity development, including measures to facilitate the expansion of EU-based data centre capacity and support AI-related compute resources;
  • Research and innovation support, aimed at fostering EU-based cloud and AI ecosystems; and
  • A cloud and AI sovereignty framework, which introduces substantive requirements for service providers and governs access to public sector procurement.

From a scope perspective, CADA applies to providers of cloud and AI infrastructure services, building on definitions already established under NIS2 and related legislation. The framework is particularly relevant for:

  • Providers offering services to public sector entities;
  • Services used in sensitive or high-risk contexts, including defence-related use cases; and
  • Potentially, operators of critical infrastructure.

The proposal does not operate in isolation. Instead, it creates horizontal linkages with existing compliance obligations (e.g. cybersecurity certification, incident reporting, AI risk classification), effectively layering sovereignty requirements onto an already complex regulatory landscape.

3. Union Assurance Levels: a new certification mechanism

At the core of CADA is the introduction of four Union Assurance Levels, a tiered system designed to operationalise sovereignty and security requirements.

The mechanism follows a graduated approach, broadly aligned with existing EU cybersecurity certification logic, but with an expanded focus:

  • Lower levels focus on baseline requirements, such as EU establishment, data localisation within the EU, and transparency regarding subcontracting and data flows;
  • Intermediate levels introduce independent verification, enhanced cybersecurity controls, and increased supply chain transparency (including artefacts such as software bills of materials);
  • Higher levels incorporate stringent sovereignty criteria, including restrictions relating to ownership, control, and exposure to third-country legal regimes.

At the top end of the framework, level 4 imposes the strictest requirements and is the tier most likely to apply, after a risk assessment, to mission-critical and highly sensitive activities, in particular in the defence and national security sectors. This level is designed to ensure effective immunity from third-country interference, including strict requirements on ownership, governance, and operational control within the EU. Concretely, level 4 requires that the provider not be controlled by a third country (without the derogation for “associated” third countries available at level 3, which is itself conditioned on, among other things, a GDPR adequacy decision), that it hold a European cybersecurity certificate of at least “high” assurance level, and that it retain effective control over all software components, demonstrating that no third country exercises effective control over their design, development, maintenance or evolution.

From a legal and practical perspective, the key innovation lies in the link to procurement and use cases:

  • Public authorities will be required to conduct risk-based assessments and select cloud services that meet the appropriate Assurance Level;
  • Higher-risk or more sensitive processing activities will require higher-tier certified services, potentially limiting the pool of eligible providers;
  • Certification thus becomes not only a compliance tool, but a market access condition.

This approach allows the Commission to shape market behaviour indirectly, without imposing categorical bans, while still incentivising providers to develop “sovereign-compliant” service offerings, including tailored solutions for highly regulated sectors such as defence.

4. A closer look: France’s SecNumCloud regime

The CADA framework bears clear similarities to France’s SecNumCloud certification scheme, administered by ANSSI (a security visa whose current referential, v3.2, dates from 2022 and incorporates explicit immunity criteria against extraterritorial laws such as the US CLOUD Act and FISA 702), which has served as a de facto benchmark for “sovereign cloud” requirements in Europe.

At national level, SecNumCloud has already been turned into a procurement mandate: the “cloud at the centre” doctrine (DINUM circular of May 2021, updated 2023) and Article 31 of the SREN Act require State cloud projects handling sensitive data to use an offering immune from extraterritorial laws, in practice a SecNumCloud-qualified one.

SecNumCloud combines:

  • Robust cybersecurity requirements;
  • Strict data localisation obligations; and
  • Limitations relating to foreign ownership or control, aimed at mitigating exposure to non-EU legal regimes.

In practice, the scheme has driven the emergence of trusted cloud offerings tailored to public sector and sensitive workloads, including use cases with heightened national security relevance.

CADA transposes and generalises elements of this model at EU level. Crucially, it does so in binding, EU-wide hard law, reinstating the sovereignty and extraterritorial-immunity criteria that were removed from the EU cloud certification scheme (EUCS) after Member States failed to agree, while still relying on that scheme (a level 2 certification requirement, and a “high” cybersecurity certificate at level 4). Key points of convergence include:

  • The use of certification as a gatekeeper for sensitive use cases;
  • The integration of sovereignty considerations into technical and organisational requirements; and
  • The reliance on independent auditing and verification.

At the same time, an EU-wide framework introduces additional complexity. Unlike SecNumCloud, CADA must operate across diverse legal systems and market conditions, increasing the importance of clear guidance and consistent enforcement. A further lesson from the French experience is that capital-based immunity is not absolute: ANSSI itself has acknowledged the limits of qualifications granted to French-law entities that remain technologically dependent on US hyperscalers (for example S3NS, built on Google, and Bleu, on Microsoft). This is precisely the gap that level 4 of CADA seeks to close through its requirement of effective control over the software supply chain.

5. Initial assessment and outlook

CADA represents a significant evolution in the EU’s approach to regulating digital infrastructure. By embedding sovereignty considerations into a structured certification and procurement framework, the Commission is moving beyond traditional cybersecurity regulation.

For providers, the proposal is likely to result in:

  • Increased compliance burdens, particularly in relation to documentation, auditing, and supply chain transparency;
  • The need to develop segmented or “sovereign” service offerings, including high-assurance environments capable of meeting Level 4 requirements for sectors such as defence; and
  • Greater scrutiny of corporate structure, governance, and international data exposure.

For customers - particularly in the public sector - CADA introduces:

  • More formalised risk assessment obligations; and
  • Potential constraints on provider selection for certain use cases.

From a practical perspective, organisations should begin to assess the potential impact of CADA on existing and planned cloud and AI deployments, including contractual, technical and governance implications.

Hogan Lovells’ Privacy and Cybersecurity team is closely monitoring the development of CADA and its interaction with the wider EU digital framework. We support clients in:

  • Assessing regulatory exposure under emerging sovereignty requirements;
  • Designing compliant cloud and AI service offerings, including structuring “sovereign” solutions aligned with the applicable Union Assurance Levels; and
  • Navigating the intersection of CADA with existing obligations under the AI Act, NIS2, DORA and data protection law.

Looking ahead, several issues will be critical in the legislative process:

  • The precise definition and calibration of the Union Assurance Levels;
  • The consistency of application across Member States;
  • The interaction with international trade and competition law; and
  • The overall workability of the framework in light of existing regulatory overlap.

CADA has the potential to become a central pillar of the EU’s digital policy architecture. Its ultimate impact, however, will depend on whether it can strike a workable balance between sovereignty objectives, market realities, and regulatory coherence.

Authored by Dr. Stefan Schuppet and Rémy Schlich.
