19MAY

Brussels adopts CADA, narrows its scope

3 min read

17:44UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

← Back to Iran signs Hormuz toll; Trump posts a cancelled strike Jump to analysis ↓

ConflictDeveloping

Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , ¹. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between the Commission, the European Parliament and the Council that produces the final text.

The adopted scope is FAR narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management ². Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads ³.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" ⁴. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis

Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?

Meaning
The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.
Short term · Reported
Consequence
CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.
Medium term · Assessed
Risk
A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.
Medium term · Reported
Precedent
CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.
Long term · Assessed

Source Landscape

This story draws on neutral-leaning sources from Belgium

Belgium

Primary parallel: The 2016 EU-US Privacy Shield negotiations, where Brussels accepted a weaker replacement for Safe Harbour after the Schrems ruling under explicit US diplomatic pressure. The agreement held less than four years before Schrems II invalidated it in 2020.

CADA follows the same pattern: a scope narrowed under US trade leverage, adopted with a political framing that minimises the concession, and with a legal text that analysts read as more restrictive than the press line suggests.

Counter-parallel: The 2023 EU-US Data Privacy Framework (DPF), negotiated after Schrems II, produced a genuinely different structure by creating a US Court of Review for European data-subject complaints. CADA's architectural approach, separating procurement tiers from vendor jurisdiction, is closer to the DPF model than to Privacy Shield: it builds structural insulation into public procurement rather than relying on cross-border legal commitments that courts can strike down.

Consensus view: Stiftung Neue Verantwortung (SNV), a Berlin-based digital policy think tank, assessed the adopted CADA scope as a deliberate recalibration rather than a capitulation: reserving Tier 4 for national security and defence workloads covers the data categories where a CLOUD Act compel would cause irreversible state-sovereignty harm, while leaving enterprise and health data for a second legislative cycle.

Counter-view: The Computer and Communications Industry Association (CCIA Europe), representing US cloud providers, argued the NIS2-sector reading by Wilson Sonsini is technically correct and that energy, healthcare and digital infrastructure operators will face de facto Level 2-4 assurance requirements regardless of the Commission's 1% headline, meaning the scope is wider in practice than the political announcement.

Key tension: Whether the 1% Commission headline is an honest description of Tier 4 coverage or a political framing device that obscures the NIS2-sector obligations that will catch perhaps 15-20% of European public-sector procurement in trilouge.

Sources:European Commission·Wilson Sonsini

Mentions:Cloud and AI Development Act →European Commission →Ursula von der Leyen →Henna Virkkunen →NIS2 →Chips Act II →Washington →CLOUD Act →European Parliament →Brussels →College of Commissioners →Parliament →Germany →Berlin →United States →Wilson Sonsini →

First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026

Read original →

Causes and effects

Caused by

CAIDA due before College, scope cut

Commission's fourth adoption date (ID:3865) delivered the CADA adoption on 3 June 2026.

Occurred 3 Jun 2026

Read story →

EU sovereignty law slips a third time

Third slip under US trade pressure (ID:3644) forced scope narrowing that produced the adopted 1% ceiling.

Occurred 27 May 2026

Read story →

Brussels locks 27 May for CAIDA and Chips II

First 27 May adoption date (ID:3367) set the calendar sequence leading to 3 June adoption.

Occurred 27 May 2026

Read story →

CAIDA leak: US clouds barred from EU public data

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 7 May 2026

Read story →

Chips Act II gives Brussels equity authority

Chips Act II direct fab-equity authority (ID:3368) was confirmed in the same package adopted on 3 June.

Occurred 30 Apr 2026

Read story →

This Event

Brussels adopts CADA, narrows its scope

The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.

Led to

EU joins US chip pact, France objects

The same-day CADA adoption and Pax Silica authorisation define the two-tier doctrine: sovereignty at the cloud layer, dependency at the silicon layer.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Markets

Brent crude rose 2.2 per cent to $96.34 on 10 June, reversing a 7 per cent weekly decline built on deal optimism, as the overnight exchange repriced the Strait of Hormuz risk premium in a single session. The move reflects transit-risk repricing rather than supply shock: Iran's exports had already collapsed to below 300,000 barrels per day.

Pakistan

Pakistan's Naqvi channel, the only mediation track carrying both civilian and military buy-in, was stress-tested by live ordnance within 48 hours of the 6-7 June Tehran visit. Whether Washington informed Islamabad of the imminent strike plan while Naqvi was in Tehran remains undisclosed, putting the channel's neutrality under scrutiny.

Kuwait

Kuwait hosted the third Iranian strike on its soil since the 3 June airport drone attack, with Ali Al Salem airbase targeted in the three-country salvo. Its recent $1.98 billion Anduril Anvil counter-drone purchase signals it is rearming rather than reconsidering its hosting posture.

Bahrain

Bahrain absorbed the IRGC barrage via PAC-3 intercepts with its magazine already at 87 per cent depletion and no resupply before 2027. Sounding air-raid sirens over Manama, it faced the intercept burden with the thinnest defensive stack in the Gulf coalition.

Jordan

Jordan reported all five incoming missiles intercepted with no injuries and no damage, a clean defensive performance that strengthens Amman's case for staying in the Western coalition without escalating its own posture. It now sits on Iran's target list for the first time despite not being a party to the Abraham Accords confrontation.

Iran / IRGC

Foreign Minister Araghchi posted on X that US forces should 'leave our region if you want to be safe' and framed the exchange as a US defeat, while the IRGC claimed 21 targets hit and an F-35 hangar destroyed. The claims serve a domestic and Arab-audience framing rather than a verified battle-damage assessment.