On 3 June 2026, the European Commission (“Commission“) published its proposal for a Regulation establishing a framework of measures for strengthening Europe’s cloud and AI ecosystem—the Cloud and AI Development Act (“CADA Proposal“). The CADA Proposal sits at the heart of the Commission’s broader Tech Sovereignty Package (which we describe at a high level here), and aims to address what the Commission perceives as two critical vulnerabilities in the EU’s digital landscape: a structural deficit in data centre capacity and a dependence on a limited number of non-EU cloud computing service providers.

The Commission’s explanatory notes state that EU-based providers hold a minority share of the European cloud market—which the Commission reports has fallen from approximately 29% in 2017 to around 15% by 2022. At the same time, the Commission’s view is that the EU faces a significant and growing shortage of data centre capacity, which constrains the deployment of AI. The CADA Proposal seeks to tackle both challenges through a combination of EU-based capacity building, procurement rules to encourage the use of localised services, and a novel—likely controversial—cloud sovereignty framework.

Below, we outline in more detail the provisions of the CADA Proposal that are likely to be of greatest interest and significance to organisations doing business (or looking to do business) in Europe.

  1. The Cloud Sovereignty Framework

The Commission’s proposal to create a “cloud sovereignty framework” that will apply to most cloud providers offering services to the public sector is likely to be the most consequential element of the CADA Proposal. It would codify the EU’s current policy aim of reducing strategic dependencies on non-EU cloud providers and is likely to be one of the central political battlegrounds in trilogue negotiations between the Council and the European Parliament.

The cloud sovereignty framework is based around four “Union assurance levels.” All cloud providers wishing to provide services to the public sector (with only very narrow exceptions) will need to meet level 1—the lowest level. Cloud providers that “contribute to the preservation of public order” in the sectors identified by the CADA Proposal may need to meet additional assurance levels following a risk assessment to be conducted by Member States and “Union entities” (such as EU institutions or agencies). These are the same sectors as those regulated by the revised Network and Information Systems Directive (“NIS2”), including energy, healthcare, transport, and water supplies (we describe the sectors covered by NIS2 in more detail in our prior post here), as well as sectors such as national security, border management, law enforcement, and defense.

Turning to what is required for each assurance level:

  • Level 1: imposes a baseline but already substantial set of obligations, including requirements that providers establish and maintain infrastructure, assets, and customer data in the EU. It also requires providers that are controlled in a third country to guarantee that they are not required to report unexploited vulnerabilities to third-country public authorities.
  • Level 2: among other things, requires cloud service providers to ensure that (a) all personnel, infrastructure, and assets involved in the operation of the service be located in the EU, (b) they obtain a certification under the (not-yet-finalised) EU cloud certification scheme, and (c) where they are controlled in a third country, they have implemented legal, technical, and organisational measures to ensure service delivery and continuity, to prevent third-country access to customer data, and to avoid exposure to requirements of third-country sanctions or trade-control regimes.

Providers must also maintain a complete software bill of materials (“SBOM”), subject third-country software components to source code audits, and, where a provider has subsidiaries outside the EU, ensure effective legal, technical, and organisational separation between the EU parent and any such subsidiary.

  • Level 3: requires the provider to be owned and controlled in the EU. The only derogation is where the Commission has adopted secondary legislation recognising that the third country in question meets certain conditions – among them that the third country itself holds an EU “adequacy decision” under the GDPR, cannot compel cloud providers to degrade or disrupt service provision, and maintains an open market to EU cloud computing providers.
  • Level 4: imposes the strictest requirements. Like level 3, it requires that the provider not be controlled in a third country—but without any derogation for “associated” third countries. It also requires (a) a European cybersecurity certificate of at least a “high” assurance level under a European cybersecurity certification scheme covering cloud computing services, (b) that the provider retain effective control over all software components, and (c) that they can demonstrate that no third country or entity in a third country holds or exercises effective control over the design, development, maintenance, or evolution of such software components.

This framework would likely create significant uncertainty for cloud providers until Member States and EU entities have completed their risk assessments and determined the required assurance levels that providers must meet. At least while this process is ongoing, public authorities may be less inclined to move their operations to the cloud, which could slow the adoption of cloud services by the public sector.

In addition, while the Commission will establish a template for Member State risk assessments, this framework creates the potential for significant divergences between Member States when applying the different assurance levels to cloud services covering different activities. (The Commission may, however, adopt secondary legislation specifying particular assurance levels for certain public sector activities.)

Notably, CADA envisages that certain private sector entities – in particular, those entities regulated as “essential entities” under the NIS2 Directive – may also conduct similar risk assessments on cloud service providers. The Commission may, in future, pass secondary legislation requiring entities in certain sectors to do so.

  • EU-Added-Value Criteria in Public Procurement

Beyond the cloud sovereignty framework, the CADA Proposal would require public authorities to consider “Union added value” as a non-price criterion in public procurement for cloud computing and AI services. In other words, when deciding which provider wins a public tender, authorities must consider the extent to which a provider contributes to strengthening the EU’s digital technology supply chain, integrates technologies developed in the EU, conducts innovation within the EU, or delivers services using hardware components designed or manufactured in the EU.

While the CADA Proposal specifies that these criteria must be “ancillary and not decisive” in the award of the contract—the interpretive recitals suggest a maximum weighting of 15 out of 120 points—they nonetheless introduce a structural advantage for providers with significant EU-based R&D, manufacturing, and innovation activities. In theory, this could incentivise global companies to deepen their EU industrial footprint.

  • Data Centre Acceleration Zones and Strategic Projects

Both the cloud sovereignty framework and the “Union added value” public procurement criterion are mechanisms to increase EU cloud capacity by creating public sector demand for European-based cloud and AI services. In addition to these demand-side controls, the CADA Proposal also aims to accelerate the deployment of data centres across the EU through supply-side reforms: by making it easier to build and operate data centres.

Specifically, Member States must designate at least one “data centre acceleration zone”, where data centre projects will benefit from streamlined permitting processes, aggregated baseline permits (essentially, a streamlined administrative authorisation), and a maximum 12-month permit-granting timeline.

The Commission may also designate certain data centre projects as “strategic projects” in certain circumstances. Like other EU-designated strategic projects, these data centre projects may benefit from additional public support measures and preferential access to EU funding instruments.

These provisions present both opportunities and potential constraints for hyperscalers and other cloud / AI service providers. The acceleration zones and streamlined permitting could significantly reduce the time and cost of deploying new facilities. However, the emphasis on sustainability requirements, the preference for brownfield over greenfield sites, and the conditions for grid connection could also shape investment decisions.

  • Open Source and the “Open Source First” Principle

Finally, the CADA Proposal would codify an “open source first” principle for the EU public sector. Union entities and public sector bodies are required to take measures to encourage the use and reuse of open standards and components released under open-source licenses when building their cloud and AI ecosystem. Software developed by or for public bodies must be made available for reuse through a centralised EU Open Source Solutions Catalogue, and a network of Open Source Programme Offices will be established to facilitate cooperation.

This “open source first” principle also aligns with another limb of the EU’s tech sovereignty package—the Open Source Strategy. The strategy notes that the EU “currently spends EUR 264 billion a year on US proprietary IT products and services.” The strategy aims to promote various open-source resources, such as the Open Internet Stack and open source social media tools, and states that the Commission will support open source developers in creating viable businesses through accelerators and public procurement.

*            *            *

Covington’s Technology Regulatory and Public Policy Practices will continue to monitor developments related to the CADA Proposal. If you have any questions about the issues raised in this blog, or are interested in engaging with the legislative process, please do not hesitate to contact us.

Photo of Dita Charanzová Dita Charanzová

Dita Charanzová advises on European policymaking and international regulatory strategy, drawing on more than two decades of experience in EU institutions and diplomacy. She served as a Member of the European Parliament from July 2014 to July 2024 and as Vice President from…

Dita Charanzová advises on European policymaking and international regulatory strategy, drawing on more than two decades of experience in EU institutions and diplomacy. She served as a Member of the European Parliament from July 2014 to July 2024 and as Vice President from July 2019 to July 2024, with responsibilities including cybersecurity and institutional relations, including relations with national parliaments, and parliamentary relations with North and South America. Her work has focused on the digital agenda, consumer protection, the internal market, and international trade.

In her advisory work, Dita, a non-lawyer, helps organizations anticipate and navigate EU policy and legislative developments—particularly at the intersection of digital regulation, internal market rules, consumer protection, and trade. She brings senior‑level insight into how priorities are shaped within the EU institutions and in particular in the European Parliament. Her experience includes high‑visibility leadership roles in the European Parliament and work on major EU digital and internal market files, including the Digital Services Act, the European Electronic Communications Code, the General Product Safety Regulation, and the Web Accessibility Directive. Dita served as a Vice-president of the Alliance of Liberals and Democrats for Europe Party from 2018 to 2023. She also previously served in the Czech diplomatic service, including a posting to the Permanent Representation to the EU, and chaired the Trade Policy Committee of the Council of the European Union during the Czech EU presidency in 2009.

Read more about Dita Charanzová
Show more Show less
Photo of Jadzia Pierce Jadzia Pierce

Jadzia Pierce advises clients developing and deploying technology on a range of regulatory matters, including the intersection of AI governance and data protection. Jadzia draws on her experience in senior in house leadership roles and extensive, hands on engagement with regulators worldwide. Prior…

Jadzia Pierce advises clients developing and deploying technology on a range of regulatory matters, including the intersection of AI governance and data protection. Jadzia draws on her experience in senior in house leadership roles and extensive, hands on engagement with regulators worldwide. Prior to rejoining Covington in 2026, Jadzia served as Global Data Protection Officer at Microsoft, where she oversaw and advised on the company’s GDPR/UK GDPR program and acted as a primary point of contact for supervisory authorities on matters including AI, children’s data, advertising, and data subject rights.

Jadzia previously was Director of Microsoft’s Global Privacy Policy function and served as Associate General Counsel for Cybersecurity at McKinsey & Company. She began her career at Covington, advising Fortune 100 companies on privacy, cybersecurity, incident preparedness and response, investigations, and data driven transactions.

At Covington, Jadzia helps clients operationalize defensible, scalable approaches to AI enabled products and services, aligning privacy and security obligations with rapidly evolving regulatory frameworks across jurisdictions—with a particular focus on anticipating enforcement trends and navigating inter regulator dynamics.

Read more about Jadzia Pierce
Show more Show less
Photo of Fredericka Argent Fredericka Argent

Fredericka Argent advises emerging and leading companies on intellectual property and data protection issues, including copyright, trademarks, e-commerce and piracy.  She has experience advising companies in the technology, pharmaceutical, luxury brands and media sectors.  Her practice encompasses regulatory compliance and advisory work. She…

Fredericka Argent advises emerging and leading companies on intellectual property and data protection issues, including copyright, trademarks, e-commerce and piracy.  She has experience advising companies in the technology, pharmaceutical, luxury brands and media sectors.  Her practice encompasses regulatory compliance and advisory work. She regularly provides strategic advice to global companies on complying with data protection laws in Europe.  Ms. Argent has experience conducting IP enforcement.  She represents right owners, including in the publishing and fashion industries, and helps coordinate an in-house internet investigations team who conduct global monitoring, reporting, notice and takedown programs to combat Internet piracy.

Read more about Fredericka Argent
Show more Show less
Photo of Wolfgang Maschek Wolfgang Maschek

Wolfgang A. Maschek is the Head of the European Public Policy Practice based in the Brussels office. Wolfgang’s practice includes representing both private and public sector clients at EU and national level across various regulated industries and policy matters. With over two decades…

Wolfgang A. Maschek is the Head of the European Public Policy Practice based in the Brussels office. Wolfgang’s practice includes representing both private and public sector clients at EU and national level across various regulated industries and policy matters. With over two decades of experience leading public policy teams across various regulated industries, Wolfgang connects with clients by leveraging his extensive legal and regulatory expertise to overcome complex challenges and seize business opportunities in Europe. His experience includes areas such as international trade, foreign direct investment, technology and AI, financial services, healthcare, and environmental and chemicals policy.

For the last decade, Wolfgang successfully led the Brussels-based public policy team at an international law firm. Earlier in his career, Wolfgang served as Senior Counsel and Head of the European Regulatory and Public Affairs department at a global financial services provider. Between 2002 and 2006, Wolfgang represented the Austrian Central Bank in Brussels, where he was responsible for liaising with European institutions and advising on European developments affecting monetary policy and financial market supervision. Wolfgang’s experience also includes working at the European Commission and at the Oesterreichische Kontrollbank.

Wolfgang has consistently been recognized by Chambers Europe and other ranking platforms as a leading lawyer in the Government and Public Affairs field.

Read more about Wolfgang Maschek
Show more Show less