On 3 June 2026, the European Commission (“EC”) published a package of measures aimed at strengthening Europe’s digital sovereignty. The package consists of two legislative proposals, namely the proposed Cloud and AI Development Act (“CADA”) and the proposed Chips Act 2.0, in tandem with two non-legislative initiatives namely the ‘EU Open Source Strategy’ and the ‘Strategic Roadmap for Digitalisation and AI in the Energy sector’.
“We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure.”
With those words, the EC’s President Ursula von der Leyen captured the concern at the heart of the European Union’s (“EU”) latest turn in digital policy. The sentiment is clear, being that technological dependence is no longer being considered solely as a remote industrial issue but also as aquestion of sovereignty.
This is particularly so where essential services increasingly rely on infrastructure and technologies controlled by a limited number of non-EU providers. In that context, dependence may give rise to practical questions around the continuity of service and the ability of public authorities to maintain control over critical digital systems; a recurring theme across the EU’s recent digital legislative agenda tackled from different angles by instruments such as NIS2, the CER, the Cybersecurity Act and DORA, each of which address such dependency and control.
This article focuses on CADA and its annexes.
What does CADA seek to do?
At its core, CADA is an attempt to strengthen the EU’s cloud and AI ecosystem by intervening at several points in the relevant value chain. The Commission describes the proposal as taking an “ecosystem approach” by combining supply-side measures to boost domestic capabilities, demand-side measures to drive adoption, and further enablers intended to nurture innovation and investment into cloud technologies and AI.
Broadly, CADA may be understood through four main pillars, which reflect the proposal’s stated objectives and structure:
I. Bolstering EU Cloud and AI capabilities with infrastructure
The first pillar concerns the development of European cloud and AI capabilities. CADA would establish the Cloud and AI Leadership Initiatives, which are poised to support the full breadth of the EU’s cloud and AI ecosystem, from research to deployment.
It is said that the EU has strong research capabilities and industrial potential, but lacks sufficient domestic cloud, data centre and AI compute capacity to support large-scale deployment.
CADA’s Annex 1 is salient because it sets out “Grand Challenges” which identify the strategic areas in which the EU wishes to concentrate support
II. Data Centres
On this point. the Commission’s starting point is that AI and cloud services require large amounts of computing power, and that Europe’s current capacity is insufficient, unevenly distributed and too dependent on non-EU infrastructure.
Under its Title III titled “Data Centre Capacity”, CADA would require Member States to designate data centre “acceleration zones”. These are zones which are intended to simplify and accelerate the deployment of data centre projects, that take into account various factors such as energy availability and environmental impact amongst other things.
This pillar is therefore concerned with the physical infrastructure behind cloud and AI services. Both of which require significant compute capacity, ergo data centres becoming directly relevant for this exercise.
III. Sovereign cloud assurance framework
Perhaps the most legally significant, the third pillar would introduce a Union cloud computing sovereignty framework based on four Union assurance levels. These requirements concern matters such as establishment in the EU, the location of infrastructure and relevant assets, subcontracting arrangements and even exposure to third-country laws.
CADA’s Annex II sets out the criteria which cloud computing service providers and their services would need to satisfy in order to be recognised at Union assurance levels 1 to 4. At the lower levels, the focus is on EU establishment, EU-based infrastructure and data localisation. At the higher levels, the requirements become more demanding, including stricter controls on third-country influence, support arrangements and cybersecurity assurance.
Annex III then complements this by setting out the audit evidence which would need to be produced. Pragmatically, Annex II sets out what providers must satisfy with Annex III indicating how such may be evidenced.
IV. Public Procurement
The fourth pillar concerns adoption by the public sector. The sentiment here is that the EU is not only seeking to create more EU cloud capacity, but is also seeking to generate demand for it.
The proposal would require public sector bodies and Union entities procuring cloud computing services to take the aforementioned Union assurance levels into account. For certain public sector activities, especially those deemed critical such as law enforcement, defence and public order, the contracting authorities may be required to procure cloud services recognised at higher assurance levels.
In the same vein, CADA also introduces further measures linked to common procurement, the establishment of the “EuroCloud Federation” and the use of open-source solutions by public sector bodies.
Although CADA remains at proposal stage, it is a useful indication of the EU’s current approach to digital policy and trajectory. The emphasis is evidently no longer only on regulating digital services, but rather the underlying infrastructure. Its final shape remains to be seen, but its potential impact to a myriad of different stakeholders is already apparent.
Author: Dr J.J. Galea
For any additional information or assistance, please contact us at info@gtg.com.mt