Discover our new Policy Prototyping report on the EU AI Act's value chain requirement  

Read and download here
A stately building in a classic architectural style with prominent columns and statues, reflecting a court. A white banner with the flag of the European Union is placed over the image, showing that this policy monitor item is about an act or bill in the European Union.

Een statig gebouw in een klassieke bouwstijl met prominente zuilen en standbeelden, die een hof van justitie weerspiegelen. Een witte banner met het de vlag van de Europese Unie is over de afbeelding geplaatst om aan te geven dat dit beleidsmonitor item over een wet of wetsvoorstel in Europa gaat.
06.07.2026

The newly proposed Cloud and AI Development Act - what you need to know

Summary

On 3 June 2026 the European Commission adopted the Tech Sovereignty Package. This package, which includes the Cloud and AI Development Act (CADA), aims to strengthen the EU’s cloud and AI landscape. This policy monitor article provides an overview of the provisions an overview of the provisions relevant to both public and private entities.

Introduction

On 3 June 2026, the European Commission adopted a comprehensive package of measures to strengthen the EU’s digital autonomy. This package consists of two legislative proposals: the Chips Act 2.0 and the Cloud and AI Development Act (CADA). The CADA has three objectives: 

  1. Supporting research, development and innovation; 
  2. Expanding capacity for the deployment of data centres across the EU;  
  3. Introducing a single EU-wide assessment framework for cloud and AI sovereignty. 

The article provides an overview of the following points: (i.) the Cloud and AI Leadership Initiatives, (ii.) the cloud computing sovereignty framework and (iii.) certain demand-side measures.  

Cloud and AI Leadership Initiatives

The Member States and the Commission will be entrusted with the implementation of the Cloud and AI Leadership Initiatives’ operational objectives. This Initiative will pursue the goal of promoting research and innovation activities, as well as achieving large-scale capacity throughout the Union’s cloud and AI ecosystem. One of the manners in which this will happen is through the promotion of the deployment and uptake of cloud and AI technologies across the public and private sectors

The Cloud and AI Development Act refers to eight operational objectives: 

  1. Operational objective 1: supporting the development and deployment of advanced data centre technologies incorporating principles of energy efficiency and resource efficiency by design and throughout operations; 
  2. Operational objective 2: supporting the development and deployment of cloud computing stacks; 
  3. Operational objective 3: advancing the Union’s capabilities in frontier AI; 
  4. Operational objective 4: advancing the Union’s capabilities in physical AI models and systems and fostering their deployment across various strategic sectors; 
  5. Operational objective 5: accelerating the development and uptake of industrial AI across the EU’s strategic sectors; 
  6. Operational objective 6: supporting the development of advanced platforms for the large-scale deployment of AI agents; 
  7. Operational objective 7: increasing the development and adoption of AI models and systems across the EU’s public sectors.

Is your entity part of the public or private sector?

  • Expect future measures through the national cloud and AI strategies 

Article 7 states that Member States shall establish national cloud and AI strategies (‘national strategies’). These strategies should, at least, include the measures to fasten the development and adoption of cloud and AI at national, regional (e.g. Flanders) and local level. This provision puts particular emphasis on these kinds of measures for public sector bodies, SMEs and SMCs. The AI Board will advise the Member States on the coordination of the national strategies. 

  • The possibility of real-world testing environments for physical AI  

Under operational objective 5, the Initiative will support the development, testing and validation of physical AI models and systems (such as robotics, autonomous drones and self-driving vehicles) in real world-environments.  

  • Faster adoption of cloud and AI technology through the Experience and Acceleration Centres for AI (‘Centres for AI’) 

Under operational objective 8 each Member State will need to establish a Centre for AI. These Centres will build further on the European Digital Innovation Hubs. One of the objectives of the Centres will be to accelerate the broad adoption of cloud and AI technology at both regional and local levels, for SMEs, SMCs and public sector bodies.

Is your entity part of the public sector?

Expect the Member States and the Commission to account for the following: 

  1. The technological development and uptake of AI models and systems in critical public sector domains
  2. The development of AI systems and models that increase the effectiveness of public service delivery and accessibility for the general public, improve decision-making and simplify administrative procedures; 
  3. The promotion of both the sharing and re-using of training data and AI models across the Union’s public services; 
  4. The facilitation of privacy enhancing health data reuse for AI models and tools in healthcare; 
  5. The facilitation of the testing, development and deployment of AI models and tools in the automative sector (incl. autonomous driving).

Cloud computing sovereignty framework

Is your entity part of the public or private sector? 

The CADA establishes a framework for cloud and AI sovereignty comprising four assurance levels. If you are a private or public entity that provides cloud computing services you will need to meet the assurance level criteria set out in Annex II of the Act in order to provide your cloud computing services to Union entities and public sector bodies.

Under this framework, cloud service providers can be recognised by Member States after undergoing an audit. The four assurance levels are:

  • Level 1: when data is processed and stored in infrastructure located in the Union;
  • Level 2: providers must demonstrate independence from third countries and transparency over their software supply chain;
  • Level 3: providers must be owned and controlled from the Union, and must meet additional criteria such as personnel citizenship requirements;
  • Level 4: providers have full transparency and control over their software supply chain, with no interference from a third country.

Some similarities and differences between the various assurance levels and their obligations 

Overview of the assurance levels and some of their cumulative criteria  

 

Demand-side measures

Is your entity part of the public sector?

Member States or Union entities will need to carry out risk assessments that identify the public sector activities that use / will make use of cloud computing services in specific or critical sectors preserving the public order. Furthermore, the identified activities are assigned an appropriate assurance level (2, 3 or 4). The European Commission can override the Member States’ choices if the identified assurance levels are deemed inappropriate. 

This risk assessment will create a mandatory link with procurement choices

  • ‘Non-critical’ activities 

If the public sector body’s/Union entity’s activities have not been identified as a contribution to the preservation of public order, the entity or body must only use cloud computing services that have an assurance level 1

  • ‘Critical’ activities 

If the public sector body’s/Union entity’s activities have been identified as a contribution to the preservation of public order, the entity or body must only procure cloud computing services that have an assurance level 2, 3 or 4, unless the exceptions of Article 30 apply. 

In addition, in public procurement procedures relating to innovative cloud computing services and AI systems, contracting authorities are required to incorporate non-price criteria to assess the tenderer’s contribution to the development of a European cloud and AI ecosystem.

Is your entity part of the private sector?

Cloud computing service providers will need to obtain an assurance level between 1 and 4 to remain eligible for public contracts.  

Entities that are not public sector bodies, but fall within the scope of Annex I of the NIS 2 Directive (sectors of high criticality) may still carry out risk assessments similar to the ones mentioned above.  

Comments of the author

While the initial reading is encouraging in terms of Member States being given more tools to strengthen technological sovereignty in a number of areas and reduce their dependence on third-country providers, it remains to be seen whether the text of the CADA, in its current form, can effectively advance the objective of technological sovereignty.  

For instance, the Cloud and AI Leadership Initiatives set out a range of objectives that must also be achieved by Member States. The exact mechanisms, however, remain to be clarified, as the provision refers to the possibility of Member State to either 'support' or ‘advance’ the enhancement of the Union's capabilities in relation to AI deployment. 

While this provides the relevant parties with the opportunity to determine their own form of ‘harmonisation’, it is not unreasonable to suggest that the current text remains vague. With regard to these initiatives, the proposal reads more like a policy paper than a legal text, as it outlines general objectives without providing sufficient detail on the means by which those objectives are to be achieved. 

Furthermore, the text of the proposal states that the Centres on AI will 'build upon' the EDIHs. The precise implications of this are as yet unclear: will the Centres continue the work of the EDIHs, expand their activities or use their structure as a basis? Therefore, it is recommended that the legislator clarifies this matter.  

Finally, the new rules on the cloud sovereignty framework are to be welcomed, particularly as cloud solutions are increasingly being used as a leverage point by political figures, such as the sanctioning of the ICC by President Trump last year which reportedly led to Microsoft removing the ICC’s access to their services.   

At the same time, it appears that the current framework establishes relatively high thresholds for both public and private entities. While these thresholds serve an important protective purpose, it is also well known that many public entities, such as the regional and local authorities in Belgium, continue to rely heavily on third-country providers. Furthermore, providers offering so-called sovereign cloud solutions often remain somewhat of a blackbox. It is yet to be determined how this new proposal will affect the future advice of data protection authorities, including the Flemish VTC. The VTC has already issued an advice on cloud use by Flemish entities, which provides a set of criteria for several cloud service providers, including non-European ones. The Flemish DPA’s advice will need to be examined against the requirements of the new framework. 

Author

Sultan Erdogan

Sultan Erdogan

email hidden; JavaScript is required