EU tech sovereignty package and Cloud and AI Development Act
On 3 June 2026 the European Commission presented its tech sovereignty package. At its core is the proposed Cloud and AI Development Act (CADA) — a single framework to assess cloud and AI sovereignty, support European datacentres, and boost research.
In short: Four assurance levels, risk assessments, more EU datacentre capacity. Sovereignty moves into law.
What the proposal brings
CADA sits alongside GDPR, NIS2, DORA, and the AI Act. It introduces four assurance levels for cloud — based on control over the service, supply chain, data handling, infrastructure location, and cybersecurity.
Member states and EU institutions would run sovereignty risk assessments and match services to the right level. The Commission may later extend similar assessments to private entities in NIS2-regulated sectors.
Why it matters in practice
The proposal follows April’s SEAL-based cloud procurement and responds to incidents such as the May disclosure of Dutch officials’ names — where data residency was not enough. The goal is not to ban all foreign technology but to set measurable criteria: who operates the service, under which jurisdiction, and with what resilience against third-country interference.
The act still faces the EU legislative process. For business and public sector IT, the signal is already clear: in tenders and renewals, ask the same questions — not only about certificates and price.
What you can do now
You do not need to wait for the final CADA text. European hosting, your own keys, audit logs, and contracts under EU law are available today for smaller organisations too — flat monthly fees, human support.
Comparison with US clouds · Public sector overview · EU and SEAL