The Commission presented the proposal on June 3 as part of a broader European Technological Sovereignty Package. It arrived alongside Chips Act 2.0, emergency semiconductor provisions granting the Commission authority to prioritize chip production and override commercial contracts during supply crises, confirmed in the EC’s CADA proposal page. Together, they form the most comprehensive European sovereignty infrastructure play since GDPR. GDPR changed data handling globally. CADA, if enacted as proposed, would reshape who can sell cloud and AI services to European governments.
That’s not hyperbole. It’s the structural logic of a four-tier framework applied to public sector procurement.
What CADA Actually Proposes
Tier placement governs contract eligibility. The proposal confirms a four-tier sovereignty trust framework from the EC source (T1). Each tier reflects a different threshold of European operational control. The Commission hasn’t published final tier criteria, that’s the legislative process’s job. What the proposal establishes is the architecture: higher tiers unlock higher-sensitivity public sector contracts, and the criteria governing tier placement will include data residency, operational autonomy, and corporate ownership structure.
The sovereignty assessment framework is also confirmed in the EC proposal: a standardized EU-wide assessment process that will determine where a given provider sits. Think of it as a conformity assessment for sovereignty rather than safety. The assessment methodology is part of what Parliament and Council will negotiate.
Emergency chip powers are confirmed as structural in the proposal. The Commission can compel semiconductor manufacturers to prioritize European production during crises and override existing commercial supply agreements. This is Chips Act 2.0, operating in parallel with CADA, and it matters for US providers whose AI infrastructure depends on global chip supply chains.
The Sovereignty Assessment Test
Three dimensions appear in the proposal as relevant to tier placement: data residency (where data is stored and processed), operational autonomy (whether European entities can operate the service independently of foreign parent company decisions), and corporate ownership structure (who legally controls the entity providing the service).
Data residency is the easiest to address. Build data centers in Europe, route EU public sector data through EU infrastructure. Every major US hyperscaler has done this or is doing it. It’s expensive. It’s tractable.
Operational autonomy is harder. The question isn’t whether a European subsidiary exists. It’s whether that subsidiary can function independently, sustaining operations, making technical decisions, and maintaining service continuity, without decisions made at US headquarters. Export controls, foreign government access laws like CLOUD Act obligations, and corporate governance structures all complicate this claim for US-headquartered providers. Demonstrating true operational autonomy in the way the Commission intends may require structural changes that go beyond creating a European legal entity.
Corporate ownership is the hardest. Higher sovereignty tiers, as proposed, are designed around providers where European entities hold genuine legal and operational control. A US-listed hyperscaler with a European subsidiary doesn’t satisfy this criterion under the proposed framework, regardless of data center investment. This is the structural barrier that lobbying is most actively targeting, because it’s the one that can’t be addressed through infrastructure spend alone.
CADA Tier Framework, Who Wins, Who Lobbies, Who Waits
US Provider Gap Analysis, What to Assess Now
- Map EU public sector contract exposure by sensitivity level and likely tier requirement
- Assess data residency position, EU data center infrastructure vs. proposed tier requirements
- Assess operational autonomy position against Commission's stated intent, not a favorable interpretation
- Assess corporate ownership structure against proposed tier criteria, identify structural gaps
- Engage legislative process through counsel or industry association, criteria being written now
Stakeholder Map: Who Benefits, Who Doesn’t, Who’s Negotiating
EU-owned cloud providers are positioned to qualify for the higher tiers under current proposed criteria. They hold the ownership structure the framework rewards. Scaleway, Deutsche Telekom’s T-Systems, OVHcloud, and similar European-majority-owned providers have a structural advantage that US investment can’t replicate unless the ownership criteria change.
US hyperscalers, AWS, Azure, Google Cloud, face structural tier ceilings under the proposed framework. They can address data residency. Operational autonomy and corporate ownership present harder constraints. Their current tier-ceiling position is likely tier 2 or tier 3 under the proposal as written. Tier 4, the highest sensitivity, appears architecturally inaccessible without structural ownership changes.
Chinese providers are effectively excluded from the higher tiers under the proposed criteria, given both ownership structure and the geopolitical context of the proposal.
EU public sector procurement bodies face the most direct compliance obligation once CADA is enacted. They’ll be required to classify their AI and cloud requirements by sovereignty tier and procure accordingly. The transition from current procurement rules to tier-based rules will require internal assessment and contract review, work that starts when the regulation is enacted, not proposed.
The lobbying battleground is tier criteria, not tier existence. Every major US cloud provider understands the framework structure. What they’re fighting over is what “operational autonomy” means when written into law. A narrow definition, focused on data routing and technical operations, gives US providers a path to higher tiers. A broad definition, encompassing legal independence from foreign parent companies and immunity from US government data access requests, effectively excludes them from tier 3 and above.
What US Providers Can Do Now
The compliance work that’s available today is gap analysis, not remediation. No obligations exist yet. What a well-run compliance program does at this stage:
First, map current EU public sector contract exposure. Which contracts depend on tier 3 or tier 4 eligibility under the proposed criteria? Which accounts are at risk if the current proposed criteria survive Parliament and Council intact?
Second, assess operational autonomy position honestly. Not against a favorable interpretation of the criteria, against the Commission’s stated intent. Where does the honest assessment land? If it’s below the tiers your public sector contracts require, that gap needs to be quantified.
Analysis
CADA's tier framework rewards a structural characteristic, European corporate ownership, that no amount of infrastructure investment can substitute for. US hyperscalers can address data residency with data centers. They can't address ownership with a subsidiary. The lobbying fight is over whether 'operational autonomy' gets defined narrowly enough to give US providers a path to tier 3. If it doesn't, the highest-sensitivity EU public sector market will consolidate around European-owned providers regardless of technical capability or service quality.
Evidence
Third, engage the legislative process. Law firm analysis from Akin Gump and Covington & Burling, both published in the June 4–5 window, treats this as a live compliance planning item despite the proposal stage. That’s the correct posture. The criteria that will govern CADA’s enforcement are being written now. Providers who engage the process shape the outcome. Providers who wait for enactment inherit it.
Timeline and Uncertainty
The legislative process runs from Commission proposal through European Parliament consideration to Council of the EU adoption. That process routinely takes 18 to 36 months for complex technology regulation, GDPR ran for two years between Commission proposal and adoption. The AI Act took longer. CADA’s sovereignty framework is politically complex enough that the timeline is uncertain. Some criteria will change. The question is which ones.
The Commission’s accompanying press release cites approximately €264 billion in annual EU reliance on non-EU proprietary technology, a figure drawn from Commission materials that this pipeline hasn’t independently verified. Whether exact or directional, it signals the scale of the dependency the Commission is trying to address. It also signals the stakes: €264 billion in annual procurement is a market large enough to justify structural compliance investment from any provider for whom EU public sector is a meaningful revenue stream.
The Commission also places EU semiconductor production at approximately 10% of global output per the proposal, again, per Commission materials, not independently confirmed here. Chips Act 2.0 is designed to move that share. The emergency production override powers give the Commission a tool that didn’t exist before.
CADA doesn’t exist yet as enforceable law. But the EU’s direction is clear, and it’s been clear since GDPR established the template: define sovereignty requirements in law, then enforce them. The providers who built GDPR compliance programs before the regulation was enacted were better positioned than those who waited. The lesson applies here.
The real question for compliance strategy isn’t whether CADA passes. It’s whether the tier criteria that survive Parliament and Council look more like the Commission’s proposal or more like the version that emerges from US hyperscaler lobbying. Everything else, budget allocation, structural decisions, contract risk assessment, flows from the answer to that question. Start the gap analysis now. By the time the answer is clear, the window to shape it will have closed.