FrontierNews.ai

Europe's New Cloud-AI Sovereignty Push: What It Means for Your Data

The European Commission has adopted a new framework designed to give Europe greater control over where and how sensitive data is processed on cloud infrastructure supporting AI systems. The Cloud and AI Development Act (CADA), adopted on June 3, 2026, introduces a graduated certification system that links security requirements to eligibility for public sector use, particularly in defense and national security contexts.

What Problem Is Europe Trying to Solve?

As AI systems increasingly rely on massive cloud infrastructure, the EU is concerned about structural dependencies on non-EU providers, particularly regarding exposure to third-country laws and data access. The framework addresses a real geopolitical tension: Europe wants to use cutting-edge cloud services while ensuring that sensitive government and defense data remains under conditions that prevent unauthorized foreign access.

Unlike outright bans or forced localization, CADA takes a pragmatic approach. It doesn't exclude global cloud providers like Amazon Web Services or Microsoft Azure; instead, it creates incentives for them to meet higher security and sovereignty standards if they want to win contracts for sensitive work. This allows the EU to shape market behavior indirectly while acknowledging that European cloud capacity alone cannot meet current demand.

How Does the Four-Tier Certification System Work?

At the heart of CADA is a new certification mechanism called "Union Assurance Levels," modeled partly on France's existing SecNumCloud scheme. The system works like this:

  • Lower Tiers (Levels 1-2): Focus on baseline requirements such as EU establishment, data stored within the EU, and transparency about subcontracting and data flows.
  • Intermediate Tier (Level 3): Introduces independent security audits, enhanced cybersecurity controls, and detailed supply chain transparency, including software bills of materials that show exactly what components are in the system.
  • Highest Tier (Level 4): Imposes the strictest requirements, designed for defense and national security work. Providers must not be controlled by any third country, must hold a European cybersecurity certificate at the highest assurance level, and must retain complete control over all software components, ensuring no foreign government can influence how the system is designed or maintained.

The innovation lies in linking certification directly to procurement. Public authorities must assess the risk level of their data processing and select cloud services meeting the appropriate tier. Higher-risk activities require higher-tier certified services, effectively limiting the pool of eligible providers and creating market incentives for companies to develop "sovereignty-compliant" offerings.

How Does This Fit Into Europe's Broader AI Rulebook?

CADA doesn't operate in isolation. It layers onto existing EU regulations including the AI Act, the NIS2 Directive (which governs cybersecurity for critical infrastructure), the Cybersecurity Act, and the Data Act (GDPR). Rather than replacing these frameworks, CADA adds a distinct sovereignty dimension focused specifically on reducing exposure to third-country legal regimes like the US CLOUD Act and FISA 702, which allow US authorities to access data held by US companies.

The European Commission has emphasized that this sovereignty focus aligns with broader European values around human dignity and fundamental rights. In recent comments to EWTN News, Thomas Regnier, European Commission spokesperson for tech sovereignty, security, and democracy, stated that Europe's approach to AI regulation reflects core principles already embedded in existing laws.

"We could not agree more with the vision of His Holiness Pope Leo XIV and with the need for a robust legal framework for AI. In the EU, this is not just an aspiration. It is already what we are doing through the AI Act, the Digital Services Act, the Digital Markets Act, the GDPR and much more," said Thomas Regnier.

What Real-World Model Did Europe Copy?

France has already implemented a similar sovereignty-focused certification scheme called SecNumCloud, administered by ANSSI (the French cybersecurity agency). That scheme explicitly incorporates immunity criteria against extraterritorial laws and has become a de facto benchmark for "sovereign cloud" requirements across Europe. France's "cloud at the centre" doctrine, updated in 2023, requires state cloud projects handling sensitive data to use SecNumCloud-qualified offerings.

CADA essentially transposes and generalizes France's model at the EU level, but as binding, EU-wide hard law. This ensures harmonized implementation across all member states rather than fragmented national approaches.

How to Prepare Your Organization for CADA Compliance

While CADA primarily affects public sector procurement and sensitive government workloads, the framework signals a broader shift in how Europe views data sovereignty. Organizations handling sensitive information should begin preparing now:

  • Audit Your Cloud Infrastructure: Identify where your sensitive data is currently stored and processed. Determine which cloud providers you use and whether they have EU-based infrastructure or are subject to third-country legal regimes.
  • Understand Your Risk Profile: Assess whether your organization handles data that might fall under CADA's scope, such as government contracts, defense-related work, critical infrastructure operations, or highly sensitive personal information.
  • Engage with Certification Pathways: If you're a cloud service provider, begin exploring what it would take to achieve Union Assurance Level certification. If you're a customer, ask your providers about their certification roadmap and timeline.

What About Shadow AI and Compliance Risks?

While CADA focuses on cloud infrastructure sovereignty, a parallel compliance challenge is emerging: employees across European organizations are using AI tools without authorization, creating data exposure risks that conflict with both GDPR and the EU AI Act. Research shows that 98% of companies have employees using unauthorized AI tools in some form, with 71% of employees having used unapproved consumer AI tools at work.

This "shadow AI" problem creates direct conflicts with CADA's governance objectives. When employees feed sensitive corporate data into unregulated external AI systems, they bypass the very sovereignty and security controls that CADA is designed to enforce. Organizations remain legally responsible for how personal data is processed, even if an employee uploads it to an external tool without permission.

The challenge is particularly acute because many organizations still lack clear AI usage policies, approved tools that meet real workflow needs, and training on safe and compliant AI use. Rather than banning tools, which determined employees will work around, organizations need a balanced approach combining governance, technology, and culture.

CADA represents Europe's most ambitious attempt yet to operationalize digital sovereignty at scale. By creating a tiered certification system linked to procurement, the framework avoids categorical bans while still incentivizing providers to develop secure, sovereignty-compliant offerings. The real test will come as member states and public authorities begin conducting risk assessments and selecting cloud services under the new framework, likely over the next 12 to 24 months.