Regulation Deep Dive

From GDPR to CADA: How the EU's Digital Sovereignty Stack Now Reaches Cloud, AI, and Public Procurement

6 min read European Commission DG CONNECT Partial Strong
The European Commission's Cloud and AI Development Act isn't a standalone policy decision; it's the latest layer in a decade-long sovereignty architecture that began with GDPR and now reaches into cloud infrastructure, public procurement, and open-source mandates. For US providers operating in EU public sector markets, CADA adds a fourth evaluation dimension to contracts that previously turned on price, capability, and security. The compliance question isn't whether to track CADA; it's how to map your current service architecture against a sovereignty framework that doesn't exist yet but is already shaping procurement conversations.
EU sovereignty legislation count: 7 instruments (2016–2026)

Key Takeaways

  • CADA is the seventh major EU digital sovereignty instrument in a decade; it extends the sovereignty stack into cloud infrastructure and public procurement for the first time
  • The four-tier sovereignty framework evaluates providers on infrastructure location, software supply chain control, and corporate ownership; all three systematically disadvantage US-headquartered hyperscalers
  • The "Free Software First" open-source mandate changes the IP structure of public sector AI contracts, not just hosting requirements
  • Trilogue could take 12–36 months and may significantly reshape the proposal; member state governments and trade pressure from US counterparts are the primary variables
  • Organizations with EU public sector contracts renewing in 2027–2028 should begin sovereignty architecture mapping now, before procurement conversations catch them unprepared

Timeline

  • 2018-05-25: GDPR (data processing rights, extraterritorial reach)
  • 2022-11-01: DMA (platform gatekeeper obligations)
  • 2022-11-16: DSA (content liability and platform transparency)
  • 2022-12-27: NIS2 (cybersecurity baselines across critical sectors)
  • 2024-08-01: EU AI Act (risk classification and conformity obligations)
  • 2026-01-01: Digital Omnibus amendments (AI Act scope adjustments, ongoing)
  • 2026-06-03: CADA proposed (cloud sovereignty, public procurement, open-source mandate)

CADA Four-Tier Sovereignty Framework: Reported Evaluation Criteria

| Criteria | What It Evaluates | US Hyperscaler Exposure |
| --- | --- | --- |
| Infrastructure location | Physical data center location and operator incorporation | High: EU regions operated by US-parent subsidiaries |
| Software supply chain control | Transparency and auditability of software dependencies and updates | Medium: varies by service architecture |
| Corporate ownership structure | Ultimate beneficial ownership and applicable national law | High: US CLOUD Act jurisdiction applies regardless of data location |
| Open-source mandate (public sector) | Whether publicly funded software is available for reuse under open license | High: proprietary platforms structurally disadvantaged |

The EU’s digital sovereignty project has a method. It moves in overlapping waves, each instrument broader than the last, each one building on institutional precedent from the previous. GDPR established data processing rights and extraterritorial reach. The Digital Markets Act constrained platform gatekeepers. The Digital Services Act regulated content and liability. NIS2 hardened cybersecurity baselines across critical sectors. The EU AI Act classified AI systems by risk and imposed conformity obligations. Now CADA proposes to do for cloud infrastructure and public procurement what GDPR did for personal data: establish EU law as the governing layer, regardless of where the provider is headquartered.

Understanding CADA requires placing it in that sequence, not reading it as a standalone infrastructure bill.

What CADA Is, and What It Isn’t

The European Commission adopted CADA as a legislative proposal on June 3, 2026, through DG CONNECT, as part of a broader Technological Sovereignty Package. The proposal formally enters the EU legislative process, which requires European Parliament and Council adoption before any provision becomes binding law. Trilogue, the negotiation process between Parliament, Council, and Commission, typically takes 12 to 36 months for complex digital legislation. The GDPR itself took four years from proposal to application.

CADA is not the EU AI Act. Audiences tracking EU AI regulation should know the distinction clearly: the AI Act governs AI system risk classification and conformity obligations. CADA governs cloud and AI service infrastructure, data center capacity, and public sector procurement. They intersect (an AI system deployed in the EU public sector under CADA’s sovereignty framework would also need to satisfy EU AI Act conformity requirements), but they’re separate instruments with separate legal bases and separate implementation tracks.

Critically, CADA is not yet law. Its provisions cannot be enforced. But proposals reveal regulatory intent, and CADA’s intent is sovereignty by procurement. If it passes in something resembling its current form, the EU public sector cloud and AI market, by some estimates among the largest institutional IT procurement markets in the world, would operate under rules that systematically evaluate whether a provider’s infrastructure, software supply chain, and corporate ownership structure are under EU control.

The Four-Tier Framework: What Each Level Covers

The proposal reportedly introduces a four-level EU sovereignty assessment framework for evaluating cloud and AI services in public sector procurement. The three reported evaluation criteria (infrastructure location, software supply chain control, and corporate ownership structure) map cleanly onto the compliance exposure points for non-EU-headquartered providers.

Infrastructure location is the most straightforward. Data centers physically located within EU member states, operated by EU-incorporated entities, satisfy this criterion at the highest tier. Co-location arrangements, US-parent-owned EU subsidiaries, and transatlantic data replication architectures each present progressively more complex assessments. EU cloud providers like OVHcloud and Deutsche Telekom’s Open Telekom Cloud are structurally positioned to score higher on this dimension than AWS European regions or Microsoft Azure EU Data Boundary configurations.

Software supply chain control introduces a deeper evaluation question. An AI service running on open-source foundations (Linux, PyTorch, Kubernetes) may satisfy supply chain transparency requirements more readily than one running on proprietary middleware with opaque update chains. The FSFE’s “Public Money? Public Code!” principle, which the proposal reportedly adopts as a mandate for publicly funded software, extends this logic: software built with EU public funds should be auditable, forkable, and reusable. That’s a different standard than “hosted in the EU.”

Corporate ownership structure is the dimension most directly affecting US hyperscalers. AWS, Microsoft Azure, and Google Cloud are subsidiaries of US-headquartered publicly traded companies subject to US law, including the CLOUD Act, which grants US government access to data held by US companies regardless of where that data is stored. As prior hub analysis has documented, EU sovereign AI market competition increasingly turns on exactly this structural question. CADA’s sovereignty tiers would codify that competitive dynamic into procurement law.

CADA Legislative Stakeholder Positions

| Stakeholder | Position | Basis |
| --- | --- | --- |
| European Commission (DG CONNECT) | For | Proposing authority, Technological Sovereignty Package, Digital Decade targets |
| BSA (Business Software Alliance) | Against | June 3 filing characterizes proposal as protectionist; represents US software vendors |
| CCIA Europe | Against | June 3 release calls CADA discriminatory; represents US tech companies |
| FSFE | For | Public Money? Public Code! principle adopted in open-source mandate |
| EU member states (split) | Neutral | France/Germany likely supportive; hyperscaler-reliant states may push back on ownership tier |

Pre-Trilogue CADA Readiness Actions

  • Map service architecture against three reported sovereignty criteria (infrastructure, supply chain, ownership)
  • Identify EU public sector contracts renewing 2027–2028; flag for CADA exposure assessment
  • Track Parliament committee rapporteur assignments for CADA
  • Review IP arrangements on public sector custom development contracts against Free Software First mandate

The Open-Source Mandate: What “Free Software First” Actually Requires

The “Public Money? Public Code!” mandate deserves more attention than it typically receives in cloud market coverage. FSFE has campaigned for this principle across multiple EU legislative cycles, with varying success. CADA appears to be the most significant legislative vehicle it has attached to.

If adopted as written, the mandate would require that software developed using EU public funds be made available under open-source licenses for reuse by other public bodies. The compliance implication for vendors isn’t just about releasing code. It’s about contract structure: public sector AI contracts that involve custom development would need to be structured to permit open-source release of the deliverable. That changes procurement negotiation terms, intellectual property arrangements, and how vendors price public sector work.

Proprietary AI platform vendors face a structural disadvantage here. A vendor whose core product depends on trade secret protection cannot simply open-source the custom layer built on top of it without exposing proprietary foundations. Open-source AI vendors (those already operating under MIT, Apache, or similar licenses) enter procurement negotiations with a structural advantage under CADA’s proposed mandate.

The Sovereignty Stack: CADA’s Place in EU Digital Law

CADA doesn’t exist in isolation. It’s the seventh major EU digital sovereignty instrument in a decade:

GDPR (2018) → DMA (2022) → DSA (2022) → NIS2 (2022) → EU AI Act (2024, staged application through 2027) → Digital Omnibus amendments (2026, ongoing) → CADA (2026, proposed)

Each instrument has extended EU regulatory jurisdiction further into the operating layer of digital services. For organizations building EU compliance programs, the cumulative picture is a sovereign regulatory stack, one that, taken together, governs data processing, platform behavior, content liability, cybersecurity posture, AI system risk, and now cloud infrastructure and procurement sourcing.

The practical consequence for a US cloud provider doing EU public sector business: compliance isn’t a single audit. It’s a portfolio of overlapping legal obligations, each with different implementation timelines, different enforcement authorities, and different consequences for non-compliance. As hub coverage of the EU AI Act has shown, even compliance professionals who’ve been tracking this landscape find it difficult to map their specific obligation set. CADA adds another layer before the existing layers are fully implemented.

What Happens in Trilogue, and What Can Change

CADA enters trilogue facing several structural pressures that could reshape it significantly before enactment.

Analysis

The non-obvious consequence: CADA's corporate ownership tier may accelerate the 'EU cloud for EU public sector' procurement norm even before the law passes. Procurement officers who know the proposal exists will informally weight sovereignty criteria in vendor conversations now. The competitive disadvantage for US hyperscalers starts at proposal stage, not at enactment.

What to Watch

| Signal | Timeframe |
| --- | --- |
| EU member state Council position statements on ownership structure tier | Q3–Q4 2026 |
| Parliament committee rapporteur assignment for CADA | Q3 2026 |
| US trade representative response to CADA, WTO trade barrier characterization | Q3 2026 |
| Any EU public sector procurement guidance referencing CADA sovereignty criteria ahead of enactment | 2026–2027 |

Member state governments hold Council positions. Several EU member states, particularly those that have built significant relationships with US hyperscalers for public sector cloud infrastructure, may push back on the ownership structure tier as trade-distorting. France and Germany, both with domestic cloud providers to protect, may support stronger sovereignty tiers. Nordic states with energy-intensive data center sectors may prioritize the infrastructure expansion permitting provisions over the procurement framework.

Parliament’s industry-aligned blocs, particularly those representing software and technology sectors, have historically softened sovereignty mandates during trilogue. The FSFE open-source mandate survived early drafts of NIS2 in weakened form; it could follow the same trajectory in CADA.

The BSA and CCIA Europe filed opposition positions on June 3, the same day the proposal was published. US government trade representatives are likely to characterize CADA’s ownership structure tier as a trade barrier under WTO frameworks. That external pressure creates additional negotiating complexity for EU member states balancing sovereignty goals against transatlantic trade relationships.

What Organizations Should Do Now

CADA won’t be binding law for at least 12 months, and possibly 36. But procurement conversations are happening now, and procurement officers in EU public bodies are already aware the proposal exists.

Three specific actions matter before CADA reaches trilogue conclusion. First: map your current service architecture against the three reported sovereignty criteria: infrastructure location, supply chain transparency, and ownership structure. Identify which tier you’d likely fall into under the current form. Second: review existing EU public sector contracts for renewal timing; contracts renewing in 2027 or 2028 could be subject to CADA requirements if trilogue moves quickly. Third: track the Parliament committee assignments for CADA; the rapporteur and shadow rapporteurs will shape how the four-tier framework evolves.

Don’t expect to build a CADA compliance program today. Do expect to start the architecture conversation this quarter. Procurement intent moves faster than legislative timelines.
