Skip to content
You can now search across every topic, entity and event.What's new
European Tech Sovereignty
8JUL

Brussels adopts CADA, narrows its scope

3 min read
09:50UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

TechnologyDeveloping
Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , 1. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between The Commission, the European Parliament and the Council that produces the final text.

The adopted scope is far narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management 2. Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads 3.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" 4. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis
Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?
  • Meaning

    The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.

    Short term · Reported
  • Consequence

    CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.

    Medium term · Assessed
  • Risk

    A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.

    Medium term · Reported
  • Precedent

    CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.

    Long term · Assessed
First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026
Read original
Causes and effects
This Event
Brussels adopts CADA, narrows its scope
The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.
Different Perspectives
United States (Google/Alphabet)
United States (Google/Alphabet)
Alphabet lost its final Android appeal on 2 July with no further court to hear it, a result its Computer and Communications Industry Association allies frame as precedent, not deterrence, since the €4.1bn fine changed nothing about Google's Play Store terms across eight years of litigation.
UK Department for Science, Innovation and Technology
UK Department for Science, Innovation and Technology
DSIT opened its £96m second Sovereign AI wave on 3 July, switching from April's equity stakes to fixed-price contracts because Britain has no domestic hyperscaler or Bpifrance-style lender to fund capacity another way. It is betting on buying outcomes it controls alone rather than joining an EU-wide framework.
German federal government
German federal government
Berlin backed both German deliverables this week, Infineon's fab and Aleph Alpha's merger, but is finding one far harder to close than the other. It wants enforceable protective rights inside Cohere's cap table before the merger closes, a legal instrument the Bundeskartellamt has no filing to review yet.
European Commission
European Commission
The Commission banked a clean CJEU win on the eight-year Android case on 2 July, removing Google's last comparator argument before President von der Leyen rules on the far larger DMA self-preferencing fine due 27 July. Brussels treats Infineon's early Dresden delivery as proof the Chips Act mechanism works, at the node Europe already led.
Bruegel (EU industry sceptics)
Bruegel (EU industry sceptics)
Bruegel economist Mario Mariniello argued the EU sovereignty package mimics US and Chinese strategy while EU cloud providers hold roughly 15% of their home market; using nationality as a proxy for security without fixing the underlying capital and energy gaps that drive the dependency creates €86bn of migration cost without the security benefit it is sold as delivering.
France
France
France published a joint sovereignty definition with Germany at VivaTech and mobilised €13bn under Tibi Phase 3, placing SAP's partnership with Mistral as the working proof that a German enterprise-software giant running a French sovereign model inside public administration is what digital sovereignty looks like in practice.