The European Commission has unveiled its Cloud and AI Development Act (CADA), a legislative package designed to reshape Europe's digital infrastructure and reduce reliance on non-EU technology providers. The proposal targets a tripling of the EU's data centre market within five to seven years, alongside new rules for public sector cloud procurement and a four-tier sovereignty framework.
Reactions from industry and political circles have been sharply divided. The Computer & Communications Industry Association (CCIA Europe) criticised the plan as discriminatory, arguing that it would force member states to assess which use cases require sovereignty levels that non-EU vendors "would be unable to meet by default." Polish tech lawyer Mikolaj Barcenciewicz told European Pulse that CADA should adopt a risk-based rather than categorical approach, preserving member states' subsidiarity.
Political Divisions Over Sovereignty and Investment
Swedish MEP Jörgen Warborn argued on LinkedIn that while digital sovereignty goals are valid for national security applications, less sensitive areas should remain open to foreign direct investment. "A vast majority of global wealth is held outside the EU," he wrote, urging Brussels to attract capital rather than repel it. Finnish MEP Aura Salla, by contrast, called for a more centralised approach to stress-testing tech dependencies and assessing risks at the member state level.
German software provider Nextcloud deemed the current proposal insufficient, advocating for its extension to the private sector. The mixed reception underscores a broader tension between the EU's desire for strategic autonomy and the practical need for international capital and expertise.
Permit Reform Meets Structural Bottlenecks
CADA's Title III establishes two mechanisms to accelerate data centre construction: Data Centre Acceleration Zones and Data Centre Strategic Projects. Within six months of the regulation's entry into force, each member state must designate at least one acceleration zone, integrated into local urban plans and prioritising brownfield sites. Projects within these zones or designated as strategic benefit from a "green corridor" capped at a 12-month permit-granting procedure.
However, the compliance checklist is demanding. Infrastructure operators must adopt standardised EU sustainability KPIs, and local resource allocations will be tightly policed to prevent speculative hoarding or anticompetitive blocking. Realistically, this gives member states a tight six-month window to establish compliant zones within complex local planning frameworks, followed by an equally compressed 12-month turnaround for individual permit approvals.
The actual construction of data centres is already bottlenecked by a shortage of specialised builders and rigorous audits. By piling extensive new compliance burdens onto both member states and infrastructure providers, EU policymakers risk rendering their "12-month maximum" permit cap a minor goalpost in a structurally complicated pipeline.
Public Procurement Overhaul
CADA's Title IV and annexes outline a rigid new framework dictating the exact types of cloud computing services EU member states can procure. Public sector demand will be mapped against four assurance levels: Level 1 allows third-country corporate ownership with basic sovereignty; Level 2 requires all operations, infrastructure, and personnel to remain within the EU, backed by substantial cybersecurity certification; Level 3 prohibits third-country corporate control by default, subject to rare exceptions; and Level 4 completely bans non-EU corporate control.
Member states must appoint national competent authorities to enforce the rules, audit suppliers, and process applications for cloud provider recognition. Within one year, they must conduct risk assessments—repeated every two years—to identify which public-sector activities rely on cloud services and determine the appropriate security assurance level.
This represents a fundamental shift from current practice, where public bodies could choose providers based on price, service quality, and organisational needs. Under CADA, non-price criteria such as a provider's contribution to the European digital ecosystem will also be evaluated.
The proposal now enters a period of negotiation among EU institutions, with amendments expected before final adoption. The outcome will shape not only Europe's cloud market but also its broader digital sovereignty ambitions.
