The European Commission has proposed the EU Cloud and AI Development Act, a measure that would convert digital sovereignty from a political aspiration into binding procurement rules and infrastructure law for the first time. The proposal, known as CADA, is the centre piece of a broader Tech Sovereignty package and sets the terms under which cloud providers would qualify for EU public-sector contracts terms that could either anchor a genuine European AI ecosystem or push institutions toward certified providers that cannot support serious AI workloads.
The stakes are not abstract. European cloud providers’ combined market share fell from 26% to 10% between 2017 and 2020, even as the EU spent billions on cloud initiatives and built Gaia-X, a federated infrastructure project whose own CEO later acknowledged there was “never a common definition of what digital sovereignty means”, stated a 2024 AI Now Institute report. CADA is the Commission’s attempt to fix that ambiguity in law. Whether the definitions it produces will serve European AI developers depends almost entirely on choices that haven’t been made yet.
What the EU Cloud and AI Development Act proposes
The Commission frames CADA around three objectives: autonomy, competitiveness, and sustainability. Each one does distinct work.
The autonomy objective is the structural core. It would introduce a single EU-wide assessment framework for cloud and AI sovereignty, paired with a public-sector adoption mechanism designed to steer government procurement toward compliant providers, according to the Commission’s proposal. This has been widely characterised as the EU’s first attempt to move sovereignty requirements from voluntary certification into binding legislation, according to legal analysis.
The competitiveness objective is where CADA becomes industrial policy, not just regulation. The Commission says the EU needs to expand cloud and data-centre capacity to support broader AI deployment, and the act is designed to complement the Commission’s Apply AI strategy. AI factories and AI gigafactories are being deployed under this framework to give European businesses and researchers access to high-capacity, next-generation compute.
The sustainability objective would reinforce energy-efficient data-centre capacity a requirement that shapes who can qualify, since large-scale efficient infrastructure takes years and significant capital to build.
CADA sits at the centre of a broader Tech Sovereignty package that also includes Chips Act 2.0 and an EU Open Source Strategy, all framed as contributing to what the Commission calls “a more competitive, secure and resilient European digital economy.” The package is led by Executive Vice President Henna Virkkunen, appointed to a role created specifically for this agenda one that gained urgency after Trump’s re-election accelerated the EU’s push to reduce dependence on US and Chinese technology, according to the Atlantic Council. The revised Chips Act is targeted for adoption in Q2 2027; CADA itself is aimed at Q4 2027.
What the proposal does not yet specify: the thresholds that will determine compliance, whether requirements will differ across infrastructure layers IaaS, PaaS, model APIs, training compute or exactly how the public-sector adoption mechanism will steer procurement in practice. Those details get resolved during the legislative process. That gap is the current story.
Why the CADA proposal’s definition of “sovereign cloud” is so contested
The practical question for any European startup or public agency is straightforward: which providers will qualify, and on what basis. A narrow definition one centred on EU ownership and immunity from foreign legal orders reserves that the procurement market for European-headquartered providers. A broader definition that includes performance and resilience criteria could, in ICLE’s view, encompass a wider range of providers, including joint ventures with US firms.
The narrower version has powerful backers. Twenty-five European cloud executives, coordinated by industry group CISPE, have urged the Commission to import defence-procurement-style “effective control” criteria into CADA reserving procurement shares for European-owned providers and explicitly excluding firms subject to extraterritorial legal orders from non-EU jurisdictions. France has pushed in the same direction; its 2024 SREN law already requires sovereign-cloud hosting for sensitive government workloads. These moves come amid wider scrutiny of how EU restrictions on US cloud services are reshaping the competitive landscape for public-sector procurement.
A recent Commission procurement tender shows what this looks like in practice. The contract, worth up to €180 million over six years, evaluated providers under the SEAL sovereignty framework. The legal protections that sovereignty status is supposed to guarantee are also less reliable than the framework assumes. In September 2024, an Ontario court ordered OVHcloud France-headquartered, widely regarded as Europe’s leading sovereign-cloud provider to disclose subscriber data stored on servers in France, the UK, and Australia. The court applied a “virtual presence” doctrine and treated France’s data-blocking statute as presenting minimal enforcement risk. EU headquarters and EU data location did not shield the provider from a foreign production order.
There’s also a significant cost of getting the definition wrong. Infrastructure analysts at SemiAnalysis rate cloud clusters not by sovereignty status but by the factors that determine whether AI work actually completes: cluster reliability, networking quality, storage throughput, and compute efficiency.
EU cloud AI sovereignty meets a global compute shortage
CADA’s framework is being written during what SemiAnalysis describes as a once-in-four-decades compute supercycle, which is why the definitional choices carry unusual weight right now.
AI demand is on track to consume roughly 60% of leading-edge compute output in 2026, rising to 86% in 2027. Effective utilisation is projected to exceed 100% in the second half of this year, meaning the world’s most advanced chipmaker will be running production lines beyond their nominal capacity. GPU rental capacity across Nvidia’s Hopper and Blackwell generations is fully booked through August to September 2026, with contract prices rising from $1.70 to $2.35 per GPU-hour since October 2025.
The EU remains structurally dependent on third countries for both advanced chip fabrication and semiconductor design, as the Chips Act 2.0 proposal makes clear. The revised act aims to reduce those supply chain vulnerabilities and support domestic advanced production but it operates on a multi-year manufacturing horizon and cannot address compute constraints that are binding today.
For European AI developers and researchers, the scarcity problem is immediate. Sovereignty rules that restrict access to non-EU cloud and compute infrastructure reduce options for people who need GPU capacity now. If CADA’s public-sector adoption mechanism channels institutions toward sovereign-certified providers that cannot match hyperscaler cluster performance. This dynamic is already prompting questions about how organisations should respond to AI systems violating EU law, as compliance requirements collide with operational realities. The Commission’s own proposal acknowledges that expanding data-centre capacity is necessary for broader AI deployment the tension between that goal and the autonomy objective is built into the act itself.
There is a sharper economic concern, however: sovereignty-framed cloud policies function as a de facto tariff on US providers, shielding domestic alternatives behind regulatory requirements rather than competitive performance. The Commission’s goals are broader than pure protectionism, but the structural effect of a control-only definition would be similar.
What to watch in the legislative process
The binding choices ahead are specific: what criteria will constitute a “sovereign cloud” under EU law, whether those criteria will account for infrastructure performance alongside ownership and jurisdiction, and whether the requirements will vary across infrastructure layers or apply uniformly. Those questions will be settled before the Q4 2027 adoption target.
The Gaia-X experience established a clear precedent for what happens when the definition is left vague. Market share fell, billions were spent, and the initiative’s own leadership later said the core concept was never defined consistently. CADA’s drafters are writing against that history, which gives them a clearer target and less excuse for leaving the same gap open.
Watch for whether CISPE’s effective-control framing makes it into the legislative text, how the Commission handles joint ventures like S3NS under the sovereignty assessment framework, and whether performance criteria appear alongside ownership and jurisdiction criteria. If the autonomy objective is written to accommodate only the CISPE and French position, the competitiveness objective built into the same act will be harder to achieve.
The European Commission has proposed the EU Cloud and AI Development Act, a measure that would convert digital sovereignty from a political aspiration into binding procurement rules and infrastructure law for the first time. The proposal, known as CADA, is the centre piece of a broader Tech Sovereignty package and sets the terms under which cloud providers would qualify for EU public-sector contracts terms that could either anchor a genuine European AI ecosystem or push institutions toward certified providers that cannot support serious AI workloads.
The stakes are not abstract. European cloud providers' combined market share fell from 26% to 10% between 2017 and 2020, even as the EU spent billions on cloud initiatives and built Gaia-X, a federated infrastructure project whose own CEO later acknowledged there was "never a common definition of what digital sovereignty means", stated a 2024 AI Now Institute report. CADA is the Commission's attempt to fix that ambiguity in law. Whether the definitions it produces will serve European AI developers depends almost entirely on choices that haven't been made yet.
