The European Commission has taken a giant step forward in its digital autonomy strategy with the official presentation of the Cloud and AI Development Act (CADA).
Integrated into the European Union's ambitious Technological Sovereignty Package, this law aims to radically transform the European digital ecosystem, expanding critical infrastructures and combating the suffocating dependence on foreign tech giants.
However, the path toward authentic data sovereignty is riddled with regulatory challenges and legal loopholes. While Brussels celebrates this legislative milestone, the industry, represented by associations such as CISPE (Cloud Infrastructure Services Providers in Europe), warns that, if its deficiencies are not corrected, the regulation risks becoming a mere declaration of intent.
What is CADA?
CADA was born with the firm purpose of mitigating the alarming gap in computing capacity and data centers that Europe suffers from compared to powers like the United States or China.
The core objective is clear: to triple the EU's computing capacity by the year 2030 and to ensure that the wave of innovation in Artificial Intelligence is built upon European soil and infrastructure.
What are the objectives of CADA?
To articulate this shift, the law is built upon three fundamental pillars:
- Research, Development, and Innovation (R&D+i): Direct support for cutting-edge cloud technologies and industrial and physical AI.
- Capacity: Streamlining the cumbersome procedures for granting licenses, as well as accessing energy and land to build sustainable and efficient data centers.
- Autonomy: Introducing a unique cloud sovereignty assessment framework with four assurance levels to classify the security and legal control of services.
The Pros of CADA: A Necessary Conceptual Framework
A shield against third-country jurisdictions
The greatest success of CADA is the explicit recognition of the political and security risk posed by the commercial dominance of non-EU cloud providers. By establishing robust sovereignty levels (especially Level 3 and above), the Commission aligns its criteria with demanding sector frameworks such as CISPE’s Sovereign and Resilient Cloud Framework, legally shielding data against the interference of foreign laws.
Boosting sustainability and open data
The law proposes unlocking investments and simplifying regulations so that the deployment of critical infrastructure meets high energy efficiency criteria. Furthermore, the creation of a strong local ecosystem will directly impact the future of open data, facilitating secure and interoperable environments so that public administrations and companies can process large-scale strategic information without losing control over it.
The Four Critical Gaps Pointed Out by CISPE
Despite the initial optimism, a detailed analysis of the CADA draft has raised alarms among local cloud providers. CISPE has expressed its concern through a press release detailing major structural "gaps" and omissions in public procurement that threaten to undermine the law.
- Inertia and lack of obligations in public procurement: CADA falls badly short in the area of procurement. Current regulations do not even oblige public authorities to evaluate European alternatives before awarding multi-million-dollar contracts to foreign providers. CISPE points out that requesting a prior market analysis is not a commercial barrier, but pure "due diligence" with taxpayers' money. Without this obligation to look at what the local market offers, IT departments will continue to purchase non-sovereign solutions out of sheer convenience.
- The danger of "Sovereignty Washing": The draft generates confusion by granting "sovereignty" labels to Levels 1 and 2. According to CISPE, the requirements for these lower levels are so lax that virtually any foreign hyperscaler can meet them. Calling these levels "sovereign" will confuse both the public and private sectors and will enable a deceptive image clean-up for providers from outside the EU.
- Company-level rather than service-level assessments: CADA proposes auditing companies globally instead of certifying each service individually. This opens the door for a multinational to obtain a generic stamp and market specific services under that banner that have never actually been audited. CISPE demands transparent audits at the service level to provide buyers with real metrics and scores.
- Legal loopholes and traps through intermediaries: The complexity of the text has left a dangerous structural vacuum: the loophole of local aggregators. A non-sovereign foreign provider could use a European distributor or aggregator (which does formally meet the criteria) as a legal screen to resell its cloud services in Level 2, 3, or 4 tenders, bypassing direct foreign control restrictions. Likewise, there are concerns about loopholes regarding the aggregate control of aligned shareholders holding less than 5% of the capital.
Why a Local Provider Remains the Safest Bet
In this complex regulatory scenario, the true alternative for digital sovereignty will not come from large foreign corporations trying to camouflage their contracts, but from local and regional cloud providers. For the European medium-sized enterprise, which constitutes the region's economic engine, the transition to the sovereign cloud cannot be a bureaucratic headache or a legal compliance risk.
Local providers bring an irreplaceable differential value within the new CADA framework:
- Absolute legal control and European roots: By operating on their own infrastructure located entirely on European soil and exclusively subject to EU laws, they eradicate any geopolitical conflict or issue of data access by third powers. They naturally comply with the highest levels of CADA requirements without the need for complex legal engineering.
- Guidance and flexibility against the rigidity of hyperscalers: A medium-sized company does not need standardized, impersonal solutions; it needs flexibility. Local operators offer proximity, specialized support in their language, and the ability to design tailored hybrid and multi-cloud environments. This avoids vendor lock-in and guarantees operational agility.
- A guarantee against the law's loopholes: Given the confusion generated by the European Commission's text regarding audits and intermediaries, contracting with a trusted local provider offers maximum transparency. There is no risk of sovereignty washing; the infrastructure, management, and technical support are carried out from within the territory itself.
Conclusion
The Cloud and AI Development Act (CADA) is a bold declaration and a well-oriented architectural framework to return the reins of Europe's digital destiny to its own hands. However, the Commission cannot allow traps in the fine print or the inertia of public buyers to ruin the spirit of the law.
For technological sovereignty to become a reality and not just a marketing label, Brussels must listen to the industry and close the loopholes for subcontractors and aggregators, as well as strictly mandate the consultation of European alternatives in public tenders.
Meanwhile, the true bastion of European digital resistance will remain with local providers. Relying on national operators like Gigas is the safest and most strategic choice for medium-sized businesses to protect their most valuable asset—their data—while simultaneously boosting the internal economy and innovation of the Union.
© 2026 European Digital Autonomy. Informative Document.