Skip to content
You can now search across every topic, entity and event.What's new
European Tech Sovereignty
16JUL

Brussels adopts CADA, narrows its scope

3 min read
09:32UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

TechnologyDeveloping
Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , 1. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between The Commission, the European Parliament and the Council that produces the final text.

The adopted scope is far narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management 2. Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads 3.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" 4. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis
Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?
  • Meaning

    The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.

    Short term · Reported
  • Consequence

    CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.

    Medium term · Assessed
  • Risk

    A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.

    Medium term · Reported
  • Precedent

    CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.

    Long term · Assessed
First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026
Read original
Causes and effects
This Event
Brussels adopts CADA, narrows its scope
The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.
Different Perspectives
Trump administration
Trump administration
Washington defends the MATCH Act as closing a loophole that lets ASML's DUV tools reach Chinese fabs indirectly, dismissing the Dutch Cabinet's June complaint of being treated with disregard. Officials expect the bill's progress through Congress to keep the DUV cross-subsidy question live regardless of ASML's Q2 numbers.
Bruegel
Bruegel
Brussels-based economists argue this week's deliverables, specialist fab aid and a digital euro that restricts no US firm, prove Europe's sovereignty agenda advances only where it meets no American resistance. They expect the leading-edge fabrication gap and dependence on US frontier AI models to persist absent a policy that directly confronts a named US interest.
German federal government
German federal government
Berlin welcomes the €659m tranche funding jobs across North Rhine-Westphalia, Schleswig-Holstein, Hesse and Bavaria, on top of the ESMC Dresden fab already under construction on TSMC-shipped tooling. Officials treat power and analogue capacity as the achievable near-term win while Dresden remains Germany's only bet on leading-edge logic.
House of Commons Science, Innovation and Technology Committee
House of Commons Science, Innovation and Technology Committee
The committee's 7 July report found the UK has "no coherent strategic framework" for sovereign technology and warns it "risks being cut off at whim", citing the June order that barred foreign access to Anthropic's Fable 5 and Mythos 5 as the trigger case. It expects no domestic hyperscaler or foundry response before the gap widens further.
European Commission
European Commission
The Commission cleared €659m in German state aid on 14 July, taking cumulative Chips Act support to roughly €14.2bn, and let the digital-euro mandate reach trilogue after ECON's floor-vote shortcut was overturned. Brussels presents both as sovereignty delivered, without addressing that neither funds leading-edge logic fabrication.
ASML
ASML
ASML raised FY2026 guidance to €43-45bn on 15 July and, for the first time since Q1, dropped the export-control hedge from its release even with the MATCH Act live in Congress. Fouquet frames the order book, 86 systems against 67 in Q1, as strong enough to outrun the DUV dispute rather than evidence it has cooled.