On June 3, 2026, the European Commission (EC) released its first draft of a proposed Cloud and AI Development Act (Proposal or CADA), marking a significant step forward in the EU’s efforts to strengthen its digital infrastructure and reduce strategic dependence on non-EU cloud providers.
Through the Proposal, the EC aims to strengthen EU cloud, AI, and computing capabilities, and introduces criteria to help public-sector bodies assess whether third-party cloud services are sufficiently protected from foreign control. The Proposal lays the groundwork for a range of initiatives aimed to triple the EU’s data center capacity within five to seven years, and support EU-developed cloud and AI technology.
Background
Cloud and AI technologies have become critical infrastructure in today’s digital economy. The rapid growth of AI has created unprecedented demand for computing power and data center capacity. Against this backdrop, the EC sees a need to strengthen Europe’s domestic cloud and AI market, reduce public-sector reliance on non-EU cloud services, and expand access to high-capacity computing resources.
The Proposal aims to achieve these goals by stimulating funding for research and innovation in EU cloud and AI technologies, with a focus on the cybersecurity sector, expanding data center and computing capacity across the EU, and introducing procurement selection criteria for cloud services used by public-sector bodies.
The Proposal references a range of existing EU laws, including the EU Data Act, the Cybersecurity Directive (also known as NIS2), the Digital Operational Resilience Act (DORA), the General Data Protection Regulation (GDPR), and the EU Artificial Intelligence Act (AI Act), and must be read alongside them. It also complements the Information and communications technology (ICT) supply chain risk management provisions under the draft revisions to the Cybersecurity Act.
Key Provisions
The Proposal includes:
- Creation of a cloud sovereignty framework. The Proposal would require EU institutions, bodies, and agencies, and national public-sector bodies (together, public bodies) to conduct risk assessments before using cloud services. These assessments would determine what level of protection is needed, with more sensitive public-sector activities requiring stronger safeguards. The Proposal defines “cloud computing services” by reference to NIS2, which covers digital services providing on-demand remote access to scalable and shareable computing resources. According to the Proposal, this also includes remotely hosted and operated AI systems.
- Four levels of selection criteria for public-sector cloud use. The Proposal would require public bodies to use only cloud services that meet certain conditions. The more sensitive the activity (e.g., those related to critical infrastructures or law enforcement), the higher the level of protection required. There are four levels, ranging from basic safeguards to protection against non-EU control, foreign legal risks, and service disruption:
- Assurance level 1 would require a provider to (i) complete a self-assessment which considers whether its service, infrastructure, assets, and customer data are located in the EU, and whether all subcontractors are subject to appropriate due diligence, contractual obligations, and oversight; and (ii) publish an EU statement of conformity.
- Assurance levels 2-4 would require an independent third-party audit that also examines (i) whether all staff are located in the EU; (ii) whether data generated by the provider may be used to train or fine-tune AI models; (iii) whether the provider has adopted software supply chain security measures; and (iv) whether the service has obtained a European cybersecurity certificate rated at least “substantial” under the Cybersecurity Act.
- Non-EU cloud providers may still qualify for certain public-sector contracts. As a general rule, public bodies would only be allowed to use cloud providers established in the EU. However, public bodies may depart from this requirement and rely on non-EU cloud providers, provided they meet at least assurance level 3 and are controlled from a jurisdiction approved by the EC that meets specific safeguards. These jurisdictions include, among other things, those that have a GDPR adequacy decision (e.g., Japan, Brazil, UK (not clear whether the EU-U.S. Data Privacy Framework would be sufficient), have laws preventing unlawful access to data or service disruption, and give EU cloud providers comparable market access.
- Incentivizing similar practices for critical private sector entities. Private entities in high-criticality sectors under NIS2, such as energy, transport, banking, and healthcare, would be allowed to apply similar selection criteria. The Commission may also issue guidance on assurance level assessments for such private entities and, in the future, require certain high-criticality sectors to conduct impact assessments and adopt mitigation measures.
- Incentivizing EU-based cloud and AI investment and procurement. Beyond the assurance levels, public bodies would be encouraged to avoid lock-in through multi-cloud or multi-vendor strategies, consider whether the provider is creating added value for the EU market (e.g., whether software or hardware parts were designed in the EU or research and development results stemmed from EU-funded programs), support innovation procurement and SME participation, and benefit from joint purchasing or shared cloud services. To encourage technology investment in the EU, the Proposal also requires Member States to facilitate the creation of data center acceleration zones (i.e., dedicated areas designed to ensure adequate power capacity for data center development across the EU).
A Potential Blueprint?
Although CADA’s most immediate impact would be on the public sector, it is likely to serve as a broader reference point for companies that offer, procure, or rely on cloud and AI infrastructure in the EU. In particular, it provides an emerging blueprint for assessing the “sovereignty” of digital services, including data localization, exposure to third-country laws, ownership and control, software and hardware supply chains, operational resilience, security and compliance, and the ability to prevent third-country interference.
The details of the proposal will certainly evolve during the legislative process. However, CADA already gives an indication of how EU legislators and, potentially, regulators may evaluate the independence and resilience of cloud and AI solutions. This will matter not only for U.S. and other non-EU providers seeking to serve EU customers, but also for EU companies that rely on non-EU providers for critical infrastructure or sensitive data processing.
Against the current geopolitical backdrop, companies should treat CADA as more than a public procurement initiative. It is an early signal of the criteria that may increasingly shape vendor due diligence, contracting, risk assessments, and strategic cloud architecture decisions in Europe.
Next Steps
The Proposal is in its very early stages and will now go through the standard EU legislative process. The European Parliament and the Council of the EU will examine the provisions and propose amendments. Negotiations will then occur among the EC, European Parliament, and Council of the EU to agree upon a final text.
Companies potentially impacted directly or indirectly by the Proposal should consider monitoring how it will develop and the impact it may have in the future.
For more information or if you have any questions regarding the AI, cloud, or data regulation in the EU, please contact Cédric Burton, Laura De Boel, Yann Padova, or Nikolaos Theodorakis from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice. Additionally, Wilson Sonsini’s AI Working Group assists clients with AI-related matters. Please contact Laura De Boel, Maneesha Mithal, Manja Sachet, or Scott McKinney for more information.
Tom Evans, Laura Brodahl, Claudia Chan, Olga Kosno, and Hattie Watson contributed to the preparation of this alert.
