While the initial reading is encouraging in terms of Member States being given more tools to strengthen technological sovereignty in a number of areas and reduce their dependence on third-country providers, it remains to be seen whether the text of the CADA, in its current form, can effectively advance the objective of technological sovereignty.
For instance, the Cloud and AI Leadership Initiatives set out a range of objectives that must also be achieved by Member States. The exact mechanisms, however, remain to be clarified, as the provision refers to the possibility of Member State to either 'support' or ‘advance’ the enhancement of the Union's capabilities in relation to AI deployment.
While this provides the relevant parties with the opportunity to determine their own form of ‘harmonisation’, it is not unreasonable to suggest that the current text remains vague. With regard to these initiatives, the proposal reads more like a policy paper than a legal text, as it outlines general objectives without providing sufficient detail on the means by which those objectives are to be achieved.
Furthermore, the text of the proposal states that the Centres on AI will 'build upon' the EDIHs. The precise implications of this are as yet unclear: will the Centres continue the work of the EDIHs, expand their activities or use their structure as a basis? Therefore, it is recommended that the legislator clarifies this matter.
Finally, the new rules on the cloud sovereignty framework are to be welcomed, particularly as cloud solutions are increasingly being used as a leverage point by political figures, such as the sanctioning of the ICC by President Trump last year which reportedly led to Microsoft removing the ICC’s access to their services.
At the same time, it appears that the current framework establishes relatively high thresholds for both public and private entities. While these thresholds serve an important protective purpose, it is also well known that many public entities, such as the regional and local authorities in Belgium, continue to rely heavily on third-country providers. Furthermore, providers offering so-called sovereign cloud solutions often remain somewhat of a blackbox. It is yet to be determined how this new proposal will affect the future advice of data protection authorities, including the Flemish VTC. The VTC has already issued an advice on cloud use by Flemish entities, which provides a set of criteria for several cloud service providers, including non-European ones. The Flemish DPA’s advice will need to be examined against the requirements of the new framework.