CADA puts EU cloud sovereignty into legislative focus

The Cloud and AI Development Act proposal moves Europe’s cloud sovereignty debate into legislative text, using the DG DIGIT Cloud Sovereignty Framework as a foundation. Its Union Assurance Level model frames sovereignty around legal, operational and technology criteria, including whether providers are anchored in European jurisdiction, free from foreign operational control and able to support interoperability without lock-in.

CADA adds technology sovereignty obligations from UAL 2 upward, including a complete software bill of materials, migration plans for third-country software dependencies and interoperability standards. It also extends the discussion to data and AI sovereignty, where control over training data, model access and EU governance are presented as strategic priorities for European businesses adopting AI at scale.

The proposal’s supply chain provisions are the most sensitive area. At UAL 4, providers would need to show that no third country holds effective control over the design, development or maintenance of software components, but implementation will need to distinguish genuine vulnerabilities from ordinary global dependencies.

The final law is expected to depend on precision: avoiding uniform geographic tests, resisting open source as a shortcut for sovereignty, and keeping IP origin out as a proxy for operational capability. The goal is a framework that strengthens Europe’s digital infrastructure without making cloud deployment unnecessarily costly.