Beyond the headlines: three key questions raised by CADA

The Cloud and AI Development Act (CADA) has finally landed after the publication date was postponed several times. The reaction from Brussels has been markedly different – an association representing US big tech described it as “progressive market shutdown” while an article in Euractiv described its provisions as “keen to keep Americans on side”.
In reality, the proposal is more nuanced. Three themes are likely to shape the debate in the months ahead:
The four tiers of compliance
With regard to the AI and Cloud market, the proposal sets out stringent assurance levels, like EUCS, in four stages. It is no slam dunk to be assured to these levels. Levels 2 to 4 require an external audit and are progressively more difficult to attain for non-European players. Some argue that, without full control of the silicon layer, no provider can reach level 4. There’s particular focus on level 3 and the adequacy provision, as this would keep the market open for most risk levels. Others question whether hyperscalers could even pass an audit for level 3 with the US CLOUD Act. Interestingly, the Commission has retained the right to adjust the criteria every 18 months through an implementing act, which means they can finetune.
One regulation, 27 appetites
The proposal is designed with a significant role at the member state level – appointing national competent authorities to scrutinise local providers and conduct risk assessments on cloud dependencies relating to their critical infrastructure providers – which they are obliged to list.
The question here is whether all member states have the same appetite to pursue hard-line sovereignty. Some member states, particularly on the Eastern border and in the Baltics, may be primarily concerned with the conflict across their borders and very intense nation-state cyber-attacks that occur on a regular basis. The main criterion for them is going to be state-of-the art cyber resilience, increasingly AI driven and the highest levels of global threat intelligence to repel threats. Is CADA really going to up their game in terms of absolute cyber security and resilience from this perspective? They may be more comfortable with global players shielding them than a mandate from Brussels to buy European.
Varying levels of willingness and preparedness to pursue CADA processes at the member state level could lead to a patchwork quilt and forum shopping, a phenomenon we saw in the NIS Directive and slow implementation, with member states being fined.
The capacity question
If the CADA measures really bite and the market supply and demand measures in the proposal don’t kick in quickly enough, this may lead to reduced AI and Cloud capacity in Europe and a slower uptake of cloud and AI for the sectors that are risk-averse, slower in their digital transformation and probably need it most.
The journey towards adoption is a rocky one, and the file is complex – and, like GDPR, likely to go through multiple negotiation rounds before it is finally adopted. With an adoption timeline likely to extend for several years, what happens in the meantime? Will the sovereignty assurance levels be more widely used in procurement, leading to them becoming a de facto standard long before the regulation comes into force? This could be a desirable outcome for the Commission, avoiding the scenario that ex-post regulation is too slow in adoption to tackle the problem at hand.
-
Jonathan is Fleishman Hillard’s senior tech policy advisor in Brussels. He is an expert in technology policy relating to cloud computing, cyber security and artificial intelligence. He also has extensive experience in competition law policy in the EU and intellectual property. Jonathan was until October...
Find Out More
-
What’s Next for Europe’s Chemicals Industry?
June 16, 2026
