Key facts
- The EU's proposed Cloud and AI Development Act (CADA) aims to bolster the European cloud and AI sectors.
- CADA includes pillars for investment, capacity building (tripling the data center market in 5-7 years), and an autonomy framework.
- Industry groups criticize CADA for potential discrimination against non-EU vendors and for its categorical approach to sovereignty.
- The act proposes a 12-month maximum permit-granting procedure for data center projects within designated zones.
- New public procurement rules will map demand against four defined sovereignty and security assurance levels.
- Member states must establish enforcement authorities and conduct regular risk assessments for cloud service usage.
The European Commission has proposed the Cloud and AI Development Act (CADA) to bolster the EU's domestic cloud and artificial intelligence industries. The act is structured around three main pillars: increased investment in research, development, and innovation; capacity building aimed at tripling the European data center market within five to seven years; and a comprehensive autonomy framework with new obligations for member states.
However, CADA has encountered a mixed reception. Industry associations like CCIA Europe have labeled the proposal discriminatory, citing requirements for EU member states to assess sovereignty levels that non-EU vendors might be unable to meet. Tech lawyer Mikolaj Barcenciewicz suggested that the act should adopt a risk-based approach rather than a categorical one, preserving member states' individual approaches. Swedish MEP Jörgen Warborn argued that while national security applications warrant strengthened sovereignty, less sensitive areas should welcome foreign direct investment to attract global wealth.
Conversely, Finnish MEP Aura Salla advocated for a more centralized system for stress-testing technological dependencies and assessing risks. Some industry players, such as German software provider Nextcloud, believe the proposal lacks ambition and should extend to the private sector. The act also introduces mechanisms like Data Centre Acceleration Zones and Strategic Projects, aiming for a maximum 12-month permit-granting procedure. However, it imposes demanding compliance requirements, including standardized EU sustainability KPIs and strict resource allocation policing, which critics argue may render the permit cap unrealistic given existing construction bottlenecks.
Furthermore, CADA's Title IV outlines a stringent framework for public procurement of cloud services, mapping demand against four assurance levels of sovereignty and security. These levels range from basic security with third-country corporate ownership allowed, to maximum autonomy where such ownership is completely banned. Member states will need to appoint competent authorities to enforce these rules, audit suppliers, and process applications. They will also be required to conduct risk assessments to determine appropriate security assurance levels for public sector cloud services, fundamentally altering current procurement practices that prioritize price and standard technical specifications.
