10JUN

Brussels adopts CADA, narrows its scope

3 min read

10:31UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

← Back to Sovereignty law adopted; $40bn US chip buy Jump to analysis ↓

TechnologyDeveloping

Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , ¹. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between the Commission, the European Parliament and the Council that produces the final text.

The adopted scope is far narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management ². Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads ³.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" ⁴. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis

Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?

Meaning
The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.
Short term · Reported
Consequence
CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.
Medium term · Assessed
Risk
A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.
Medium term · Reported
Precedent
CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.
Long term · Assessed

Source Landscape

This story draws on neutral-leaning sources from Belgium

Belgium

Primary parallel: The 2016 EU-US Privacy Shield negotiations, where Brussels accepted a weaker replacement for Safe Harbour after the Schrems ruling under explicit US diplomatic pressure. The agreement held less than four years before Schrems II invalidated it in 2020.

CADA follows the same pattern: a scope narrowed under US trade leverage, adopted with a political framing that minimises the concession, and with a legal text that analysts read as more restrictive than the press line suggests.

Counter-parallel: The 2023 EU-US Data Privacy Framework (DPF), negotiated after Schrems II, produced a genuinely different structure by creating a US Court of Review for European data-subject complaints. CADA's architectural approach, separating procurement tiers from vendor jurisdiction, is closer to the DPF model than to Privacy Shield: it builds structural insulation into public procurement rather than relying on cross-border legal commitments that courts can strike down.

Consensus view: Stiftung Neue Verantwortung (SNV), a Berlin-based digital policy think tank, assessed the adopted CADA scope as a deliberate recalibration rather than a capitulation: reserving Tier 4 for national security and defence workloads covers the data categories where a CLOUD Act compel would cause irreversible state-sovereignty harm, while leaving enterprise and health data for a second legislative cycle.

Counter-view: The Computer and Communications Industry Association (CCIA Europe), representing US cloud providers, argued the NIS2-sector reading by Wilson Sonsini is technically correct and that energy, healthcare and digital infrastructure operators will face de facto Level 2-4 assurance requirements regardless of the Commission's 1% headline, meaning the scope is wider in practice than the political announcement.

Key tension: Whether the 1% Commission headline is an honest description of Tier 4 coverage or a political framing device that obscures the NIS2-sector obligations that will catch perhaps 15-20% of European public-sector procurement in trilouge.

Sources:European Commission·Wilson Sonsini

Mentions:Cloud and AI Development Act →European Commission →Ursula von der Leyen →Henna Virkkunen →NIS2 →Chips Act II →Washington →CLOUD Act →European Parliament →Brussels →College of Commissioners →Parliament →Germany →Berlin →United States →Wilson Sonsini →

First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026

Read original →

Causes and effects

Caused by

CAIDA due before College, scope cut

Commission's fourth adoption date (ID:3865) delivered the CADA adoption on 3 June 2026.

Occurred 3 Jun 2026

Read story →

EU sovereignty law slips a third time

Third slip under US trade pressure (ID:3644) forced scope narrowing that produced the adopted 1% ceiling.

Occurred 27 May 2026

Read story →

Brussels locks 27 May for CAIDA and Chips II

First 27 May adoption date (ID:3367) set the calendar sequence leading to 3 June adoption.

Occurred 27 May 2026

Read story →

CAIDA leak: US clouds barred from EU public data

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 7 May 2026

Read story →

Chips Act II gives Brussels equity authority

Chips Act II direct fab-equity authority (ID:3368) was confirmed in the same package adopted on 3 June.

Occurred 30 Apr 2026

Read story →

This Event

Brussels adopts CADA, narrows its scope

The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.

Led to

EU joins US chip pact, France objects

The same-day CADA adoption and Pax Silica authorisation define the two-tier doctrine: sovereignty at the cloud layer, dependency at the silicon layer.

Occurred 3 Jun 2026

Read story →

Different Perspectives

European cloud and open-source industry

European cloud providers gain a binding procurement mandate from CADA, confirmed by Gartner's $12.6bn sovereign-cloud figure for 2026. The $40bn Pax Silica commitment signals Brussels will not extend sovereignty discipline to the silicon layer, and the missing €350m Sovereign Tech Fund leaves open-source maintenance infrastructure unfunded beneath those same clouds.

United Kingdom

Science Secretary Kendall's £1.1bn Hardware Plan on 8 June chose demand-side instruments, advancing £150m to British chip startups via the British Business Bank, where Brussels chose supply-side alliance membership. Britain joined Pax Silica before the EU and has no collective EU procurement leverage; the Hardware Plan is the bilateral answer to the same silicon gap.

United States

Pax Silica, a State Department initiative launched in December 2025, secured EU membership the same afternoon Brussels adopted its cloud sovereignty law. Ambassador Puzder had named CADA a red line against the EU-US trade framework; the narrowed CADA scope and the $40bn chip commitment together represent the settlement Washington sought.

France

France was the only EU state to oppose Pax Silica accession at COREPER on 3 June, asking the Commission to clarify the Council's steering role inside the alliance. Paris backed CADA and hosts Mistral AI; a $40bn US-chip commitment contractually narrows the commercial space for the sovereign AI model that France is trying to scale.

European Commission

Von der Leyen framed CADA on 3 June as keeping 'most of our market open to like-minded partners', and the Commission's EVP Virkkunen simultaneously required majority-European ownership for the €4.12bn AI Gigafactories call. Brussels is managing rather than resolving the silicon dependency by asserting regulatory control at the cloud layer while formalising the chip relationship through Pax Silica.

European Central Bank

The ECB's digital euro pilot drew more than 50 PSP applications and is naming 10 to 30 participants in July, advancing on its own monetary mandate without requiring a Commission act. Its trajectory this week is the inverse of CAIDA's: the sovereignty instrument that restricts no US firm is the only one keeping its published calendar.