The Cloud AI Development Act (CADA) establishes a four-tier sovereignty framework that bars non-European firms from public contracts in defence and healthcare. It is the first explicit attempt to move from the AI Act’s regulatory oversight toward a structural industrial policy of capacity sovereignty.

The Shift to Structural Autonomy

On June 3, 2026, the European Commission tabled the Cloud AI Development Act (CADA) as the centerpiece of a broader Technological Sovereignty Package. The legislation targets the “kill-switch” risk—the possibility that a foreign government could remotely disable cloud services essential for critical infrastructure, such as hospitals or fighter jets. To mitigate this, CADA introduces a tiered assurance scale for public-sector procurement, escalating from simple data residency (Level 1) to complete supply-chain transparency with zero third-country interference (Level 4).

This framework targets the extraterritorial reach of the US CLOUD Act of 2018, which allows US authorities to access data regardless of its physical location. By aligning with national standards such as Germany’s BSI C5 and France’s SecNumCloud, the Commission is scaling national security requirements into a unified European standard.

The urgency of this transition is anchored to a deadline: Article 57 of the AI Act requires every Member State to have at least one operational AI regulatory sandbox by August 2, 2026. As of May 2026, only four states—Spain, Denmark, Lithuania, and Finland—have documented operational capacity. The legal architecture is in place. The operational reality lags.

The Sovereignty Framework and the Procurement Shift

CADA operates as a structural pivot in EU procurement. It moves beyond the general risk-based approach of the AI Act toward a prescriptive “sovereignty-by-design” model. By establishing four distinct assurance levels, the Commission has created a legal filter for the public sector. While Level 1 focuses on data residency, Level 4 requires complete supply-chain transparency with zero third-country interference. This highest tier is a mandatory baseline for the defence sector, effectively barring non-European firms from high-sensitivity contracts.

The framework is designed to neutralize the US CLOUD Act of 2018. To prevent “sovereignty-washing”—where foreign software is rebranded as European—CADA introduces a supply-chain criterion that weights hardware and corporate-control provenance at 20% of the total scoring. The law targets the contract and cloud layers, though it leaves a structural blind spot in processor firmware and post-quantum readiness. The legal filter is precise. The industrial capacity to fill the resulting void is not.

National Alignment and the Fragmentation of Enforcement

The transition to a unified European standard attempts to scale existing national security regimes into a supra-national framework. CADA formalizes and aligns with established schemes such as Germany’s BSI C5 and France’s SecNumCloud. These national precursors provided the technical blueprint for the four-tier scale, reflecting a shared Franco-German ambition to decouple critical infrastructure from non-EU dependencies.

However, the operationalization of this ambition remains fragmented. Under Article 57 of the AI Act, the August 2, 2026, deadline for AI regulatory sandboxes serves as the primary catalyst for industry compliance. The readiness asymmetry is stark. As of May 2026, only Spain, Denmark, Lithuania, and Finland have documented operational sandboxes. Most Member States possess the legislative intent but lack the technical infrastructure to enforce it. The policy is centralized, but the enforcement remains national.

Regulatory Sovereignty versus Capacity Sovereignty

The Tech Sovereignty Package, including the Chips Act 2.0 and the Open Source Strategy, represents the EU’s adoption of a “protectionist toolkit” previously reserved for its rivals. By utilizing state subsidies and domestic-preference rules, the Commission mimics the strategies of the US CHIPS Act and China’s Big Fund. The strategic objective is to transform Europe into an “AI continent” by reducing structural dependence on non-EU suppliers in semiconductors and cloud infrastructure.

This approach, however, risks prioritizing “regulatory sovereignty”—the use of law to exclude others—over “capacity sovereignty,” the actual ability to produce the technology. Analysis from Bruegel suggests that the dominance of the US and China is not a product of protectionism alone, but of structural advantages: cheap energy, abundant capital, and a non-fragmented market. While the Commission estimates a 5% procurement premium for sovereign cloud, the actual cost of migrating the public sector could reach €86 billion. The EU has built the legal walls. It has not yet built the factories inside them.

The Limits of Regulatory Exclusion

The Cloud AI Development Act provides the legal framework to exclude foreign dependencies, but laws cannot manufacture semiconductors or generate cheap electricity. By prioritizing “regulatory sovereignty,” the EU has created a high-security perimeter around a void in industrial capacity. The structural consequence is a potential procurement crisis: the public sector may be legally barred from using the most efficient global tools without having viable European alternatives ready for deployment.

The tension is no longer between regulation and innovation, but between legal requirements and physical reality. The architecture is ready. The capacity is not.

Sources