CADA is a proposal. Not a regulation. That distinction belongs in the first paragraph of every piece of coverage it receives, and it belongs here too. What the European Commission adopted on June 3 is the opening move in a legislative process that requires European Parliament and Council agreement before any provision becomes binding. That process, trilogue, typically takes 12 to 36 months for complex digital legislation.
But proposals reveal intent. And CADA’s intent is structural.
According to the Commission’s proposal, CADA aims to accelerate EU data center permitting with a stated goal of tripling EU infrastructure capacity over the next five to seven years. More consequentially for US providers, the proposal reportedly introduces a four-tier sovereignty assessment framework governing public sector procurement, evaluating cloud and AI services on infrastructure location, software supply chain control, and corporate ownership structure. The Commission published the proposal through DG CONNECT as part of a broader Technological Sovereignty Package.
CADA Stakeholder Positions
The open-source mandate is the provision most likely to reshape procurement behavior early. The proposal reportedly requires that publicly funded software be made available for reuse, aligned with the Free Software Foundation Europe’s “Public Money? Public Code!” principle. FSFE has campaigned for this principle across multiple EU legislative cycles. If adopted as written, it would create a meaningful procurement disadvantage for proprietary software vendors competing for EU public sector contracts.
Industry reaction was immediate. The BSA characterized CADA as protectionist in a June 3 policy filing. CCIA Europe called it discriminatory in a same-day press release. Both organizations represent vendors with direct financial interest in opposing sovereignty-oriented procurement rules, their characterizations are stakeholder positions, not neutral assessments. That said, the substance of their concern maps to a real market question: US-based hyperscalers hold a substantial share of the European cloud market by most analyst estimates, and a four-tier sovereignty framework that evaluates corporate ownership structure could systematically disadvantage non-EU-headquartered providers at the public sector procurement stage.
Three statistics cited in coverage of this proposal require qualified framing. A figure of approximately 70% US hyperscaler market share in European cloud has been widely cited but lacks a named methodology source in available materials. A 15% baseline from 2022 has the same sourcing gap. A figure of approximately €264 billion in annual EU public IT spending appears to reference an EC document but the specific source hasn’t been confirmed in . All three are directionally consistent with publicly available cloud market data but shouldn’t be treated as established figures without named sourcing.
What to Watch
The catch is timing. CADA enters a crowded EU legislative queue. The AI Act is still in implementation. The Digital Omnibus amendments are in progress. Member state governments, particularly those with established hyperscaler relationships, will have opinions about sovereignty procurement mandates that may reshape the proposal during trilogue. As prior hub coverage has documented, compliance teams building for EU digital regulation now operate in a landscape where proposals and their final enacted forms can diverge significantly.
What to watch
whether any EU member state issues an early position on CADA’s sovereignty framework, whether the trilogue pace accelerates given the EC’s Digital Decade timeline pressure, and whether FSFE’s open-source mandate survives contact with Parliament’s industry-aligned blocs. Organizations doing EU public sector work should begin mapping their services against the four-tier framework now, not to comply, but to understand their exposure if CADA passes in current form.