Legislative proposals don’t impose compliance obligations. CADA hasn’t passed. The European Parliament and Council haven’t voted. What the European Commission’s proposal, presented June 3, does impose is a planning obligation for every US cloud and AI provider with EU public sector contracts: understand now which tier you’d fall into, because the tier criteria will be negotiated in the open, and the outcome will be shaped by who shows up to the lobbying process.
That’s the strategic reality behind a document the Commission framed as a sovereignty measure. According to Commission materials, the EU currently spends approximately €264 billion annually on non-EU proprietary technology, a figure cited in the Commission’s own press release that this pipeline hasn’t independently verified. Whether that number is exact or directional, the Commission’s intent is clear: EU public sector procurement should favor providers who meet defined sovereignty thresholds.
Four tiers. The structure is confirmed from the Commission proposal (source). Tier placement governs which public sector contracts a provider can compete for. The tiers build on criteria including data residency, operational autonomy, and corporate ownership structure, but the exact thresholds for each criterion are under negotiation and haven’t been finalized. That’s the pivot point. A tier framework with undefined criteria is a lobbying invitation, not a compliance requirement.
CADA Sovereignty Framework, Stakeholder Positions
US hyperscalers face a structural problem. Data residency can be addressed with local infrastructure. Operational autonomy, meaning the ability of European entities to operate the service independently of US-based parent company decisions, is harder to demonstrate through investment alone. Corporate ownership structure is the hardest of all. The higher sovereignty tiers, as currently framed per law firm analysis, are designed around providers where European entities hold genuine operational and legal control. No US-headquartered hyperscaler currently qualifies on all three dimensions.
Don’t expect the Commission to soften its position without pressure. The CADA was presented alongside Chips Act 2.0 provisions granting the Commission emergency powers to prioritize semiconductor production and override commercial contracts during supply crises, confirmed in the EC proposal. These aren’t separate signals. They’re part of a coherent sovereignty architecture the Commission has been building since GDPR.
EU cloud providers are positioned to benefit. European-owned providers meeting the higher tiers gain a structural advantage in public sector procurement that no amount of data center investment by a US hyperscaler can replicate unless the ownership and operational criteria change during negotiation.
Unanswered Questions
- How will 'operational autonomy' be defined, local legal entity control, technical independence, or something else?
- Will the tier framework apply to existing contracts or only new procurement?
- What transition period, if any, will apply once CADA is enacted?
The Commission also places EU semiconductor production at approximately 10% of global output, per Commission proposal text, not independently verified here. CADA and Chips Act 2.0 are designed to move that number. The semiconductor emergency powers give the Commission tools to accelerate domestic production that didn’t exist under the original Chips Act.
The real question is which tier definitions survive the Parliament and Council. US providers should treat the proposal’s tier criteria as a draft, not a final document, and engage the legislative process accordingly. By the time CADA is enacted, the window to shape its definition of “operational autonomy” will have closed. Compliance teams that wait for enactment to begin their gap analysis will find themselves designing programs around criteria they had no hand in writing.