The European Commission has recently unveiled its proposal for the Cloud and AI Development Act (CADA), which aims to boost the local cloud and AI industry by reshaping infrastructure, the European cloud market, and how public sector bodies can operate in the future.
CADA focuses on three major pillars: investment in research, development and innovation, capacity building — tripling the European data centre market within the next five to seven years — and a comprehensive autonomy framework, which entails four levels of sovereignty and security and new obligations for EU member states.
CADA met with a mixed reception
Thus far, the proposal has received mixed reviews. Industry associations such as CCIA Europe have called the proposal discriminatory, as the CADA would require EU member states to assess which use cases require specific sovereignty levels that non-EU vendors “would be unable to meet by default”.
Polish tech lawyer Mikolaj Barcenciewicz has previously stated that CADA should be risk-based rather than categorical, where member states’ individual approach and subsidiarity should be preserved rather than generalised.
Swedish MEP Jörgen Warborn has recently shared his thoughts on the CADA proposal on LinkedIn, arguing that the European digital sovereignty goals must be complemented by further simplification and improved business conditions, with a strengthened “prospect of return on investment”.
He also said that while the EU’s sovereignty goals should indeed be strengthened in national applications that relate to national security, less sensitive areas should be open to foreign direct investments, as “a vast majority of global wealth is held outside the EU” and the EU should work towards attracting these investments, not vice versa.
Finnish MEP Aura Salla, however, called for an even more centralised approach to testing booth-stress-testing tech dependencies and assessing risks at the member state level.
Finally, some interested parties — such as the German software provider Nextcloud — have stated that the current proposal is not ambitious enough and should be extended to the private sector as well.
A 12-month ceiling for permits, but more requirements to meet
CADA’s Title III establishes two primary mechanisms to rapidly expand EU data centre capacity: Data Centre Acceleration Zones and Data Centre Strategic Projects.
Within six months of the regulation entering into force, each member state must designate at least one acceleration zone, integrated into local urban and district plans, while taking into account grid availability, network capacity and a clear preference for brownfield sites.
Whether a development sits within these pre-approved zones or receives an individual strategic project designation, it benefits from a “green corridor” capped at a maximum 12-month permit-granting procedure.
However, CADA’s compliance checklist is demanding: infrastructure operators must adopt standardised EU sustainability KPIs, and local resource allocations will be tightly policed to prevent speculative hoarding or anticompetitive blocking.
Realistically, this gives member states a tight six-month window to establish compliant zones within complex local planning frameworks, followed by an equally compressed 12-month turnaround for individual permit approvals.
The actual construction of data centres is already heavily bottlenecked by the physical world: only a handful of specialised builders hold the required certifications, every development phase faces rigorous audits, and even modest facilities sometimes take years to build.
By piling extensive new compliance burdens onto both member states and infrastructure providers, EU policymakers risk rendering their “12-month maximum” permit cap a minor, meaningless goalpost in a structurally complicated pipeline.
Major changes in public procurement
CADA’s Title IV and supporting annexes outline a rigid new framework dictating the exact types of cloud computing software and services EU member states can procure.
Public sector demand will be rigidly mapped against the four assurance levels set out in CADA’s Annex II.
Level 1 covers basic sovereignty and security, with third-country corporate ownership allowed.
Level 2 relates to substantial digital sovereignty, where third-country corporate ownership is still allowed, provided that all operations, infrastructure, personnel, and support remain strictly within the EU, are backed by a ‘substantial’ cybersecurity certification, and that customer data cannot be used for third-country AI training.
Level 3 means high sovereignty and national security, with third-country corporate control prohibited by default, subject to rare exceptions granted by the European Commission, while level 4 represents maximum autonomy and critical security, with third-country corporate control completely banned.
How are EU member states supposed to operationalise the new CADA framework? First, by appointing one or more national competent authorities to enforce the rules, audit suppliers, and process applications for cloud provider recognition.
Within one year, member states must conduct risk assessments (to be repeated every 2 years) to identify which public-sector activities rely on cloud services and to determine the appropriate security assurance level.
The current proposal for CADA would completely upend how public procurement for cloud services has functioned until now.
Previously, member states’ public sector bodies could freely choose cloud service providers based on price, service quality, organisational needs and sovereign risk-based data management legislation.
Where public procurement awards were once heavily dominated by price and standard technical specifications, member states would now also have to evaluate non-price criteria, such as the extent to which a provider contributes to the European digital ecosystem.
This article was first published on EU Tech Loop and has been shared on Euronews as part of an agreement.