The European Commission formally proposed the Cloud and AI Development Act (CADA) on 2 July 2026 as part of the broader Tech Sovereignty Package. CADA is a legislative proposal submitted to the European Parliament and Council under the ordinary legislative procedure and does not yet carry a binding effective date; adoption is expected across the 2026-2027 legislative cycle. The package also includes a Chips Act 2.0 proposal, an Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy.
CADA proposes two principal regulatory mechanisms. First, it establishes streamlined permitting procedures for deploying sustainable data centre infrastructure across EU member states, aiming to reduce build timelines through faster planning approvals and grid connection processes. Second, it introduces the CADA Assurance Level system, which grades cloud and AI services by degree of EU operational control, data residency, and supply chain transparency. Assurance Levels are designed to function as a market access criterion for public-sector procurement contracts and for buyers in regulated sectors, including financial services, healthcare, and critical infrastructure.
The CADA Assurance Level system directly affects cloud and AI providers supplying EU regulated-sector clients. Providers seeking to serve EU public authorities, financial institutions subject to the Digital Operational Resilience Act (Regulation (EU) 2022/2554), or crypto asset service providers regulated under the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) will need to demonstrate compliance with the applicable Assurance Level. The specific requirements for each level will be defined through delegated acts after CADA is adopted; the proposal establishes the grading system and authorises the Commission to set the detailed technical standards.
Several aspects of the proposal remain open. Draft Assurance Level criteria have not been published; these will emerge through the delegated act process after primary legislation is enacted. The proposal states explicitly that CADA is not designed to exclude non-EU cloud providers: firms from outside the EU that meet the applicable Assurance Level criteria may qualify for public-sector and regulated-sector procurement. The treatment of existing cloud contracts and legacy data processing arrangements during any transitional period is not addressed in the proposal.
Licentium monitors CADA's progress through the EU legislative process and advises regulated firms and technology providers on existing cloud governance and data residency obligations under the Digital Operational Resilience Act, MiCAR, and the EU AI Act. If your firm is making cloud infrastructure decisions that may be affected by the emerging CADA Assurance Level criteria, we can assist with forward planning. Work we undertake includes cloud and data governance reviews for regulated entities, DORA and MiCAR operational resilience compliance, EU AI Act infrastructure requirement analysis, and data sovereignty planning for financial services firms.
Source: European Commission, Proposal for the Cloud and AI Development Act (CADA), 2 July 2026