11JUN

Brussels adopts CADA, narrows its scope

3 min read

09:17UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

← Back to IRGC declares Hormuz shut; US strikes again Jump to analysis ↓

ConflictDeveloping

Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , ¹. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between The Commission, the European Parliament and the Council that produces the final text.

The adopted scope is far narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management ². Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads ³.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" ⁴. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis

Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?

Meaning
The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.
Short term · Reported
Consequence
CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.
Medium term · Assessed
Risk
A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.
Medium term · Reported
Precedent
CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.
Long term · Assessed

Source Landscape

This story draws on neutral-leaning sources from Belgium

Belgium

Primary parallel: The 2016 EU-US Privacy Shield negotiations, where Brussels accepted a weaker replacement for Safe Harbour after the Schrems ruling under explicit US diplomatic pressure. The agreement held less than four years before Schrems II invalidated it in 2020.

CADA follows the same pattern: a scope narrowed under US trade leverage, adopted with a political framing that minimises the concession, and with a legal text that analysts read as more restrictive than the press line suggests.

Counter-parallel: The 2023 EU-US Data Privacy Framework (DPF), negotiated after Schrems II, produced a genuinely different structure by creating a US Court of Review for European data-subject complaints. CADA's architectural approach, separating procurement tiers from vendor jurisdiction, is closer to the DPF model than to Privacy Shield: it builds structural insulation into public procurement rather than relying on cross-border legal commitments that courts can strike down.

Consensus view: Stiftung Neue Verantwortung (SNV), a Berlin-based digital policy think tank, assessed the adopted CADA scope as a deliberate recalibration rather than a capitulation: reserving Tier 4 for national security and defence workloads covers the data categories where a CLOUD Act compel would cause irreversible state-sovereignty harm, while leaving enterprise and health data for a second legislative cycle.

Counter-view: The Computer and Communications Industry Association (CCIA Europe), representing US cloud providers, argued the NIS2-sector reading by Wilson Sonsini is technically correct and that energy, healthcare and digital infrastructure operators will face de facto Level 2-4 assurance requirements regardless of The Commission's 1% headline, meaning the scope is wider in practice than the political announcement.

Key tension: Whether the 1% Commission headline is an honest description of Tier 4 coverage or a political framing device that obscures the NIS2-sector obligations that will catch perhaps 15-20% of European public-sector procurement in trilouge.

Sources:European Commission·Wilson Sonsini

Mentions:Cloud and AI Development Act →European Commission →Ursula von der Leyen →Henna Virkkunen →NIS2 →Chips Act II →Washington →CLOUD Act →European Parliament →Brussels →College of Commissioners →Parliament →Germany →Berlin →United States →Wilson Sonsini →

First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026

Read original →

Causes and effects

Caused by

CAIDA due before College, scope cut

Commission's fourth adoption date (ID:3865) delivered the CADA adoption on 3 June 2026.

Occurred 3 Jun 2026

Read story →

EU sovereignty law slips a third time

Third slip under US trade pressure (ID:3644) forced scope narrowing that produced the adopted 1% ceiling.

Occurred 27 May 2026

Read story →

Brussels locks 27 May for CAIDA and Chips II

First 27 May adoption date (ID:3367) set the calendar sequence leading to 3 June adoption.

Occurred 27 May 2026

Read story →

CAIDA leak: US clouds barred from EU public data

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 7 May 2026

Read story →

Chips Act II gives Brussels equity authority

Chips Act II direct fab-equity authority (ID:3368) was confirmed in the same package adopted on 3 June.

Occurred 30 Apr 2026

Read story →

This Event

Brussels adopts CADA, narrows its scope

The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.

Led to

EU joins US chip pact, France objects

The same-day CADA adoption and Pax Silica authorisation define the two-tier doctrine: sovereignty at the cloud layer, dependency at the silicon layer.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Oil markets / Lloyd's underwriters

Futures markets priced CENTCOM's strikes-complete statement as a de-escalation signal and pushed Brent down 1.7 per cent to $94.71, even as the IRGC declared Hormuz closed. Lloyd's war-risk premiums held elevated because institutional de-listing requires a UN Security Council resolution that Russia and China have just shown they will block.

Pakistan (mediator)

Interior minister Mohsin Naqvi carried dual civilian and military letters to Mojtaba Khamenei in Tehran on 6-7 June with no public response. The IRGC's Hormuz closure on 11 June shows the corps is acting independently of the channel Pakistan is using, making the mediation structurally unable to produce a binding commitment without direct IRGC access.

Russia and China

Russia and China voted against GOV/2026/40 at the IAEA Board, following through on the blocking position coordinated with Grossi in Geneva on 5 June; both states continue to oppose Western institutional pressure on Iran at every multilateral venue.

E3 and IAEA (UK, France, Germany)

The E3 co-sponsored IAEA resolution GOV/2026/40, adopted 21-3-10 on 10 June, demanding Iran disclose 440.9 kg of unaccounted HEU and admit inspectors to four denied facilities. The 10 abstentions and Russia-China noes leave any Security Council referral without a viable enforcement path.

IRGC / Iran military command

The corps declared Hormuz closed to all traffic on 11 June and claimed two vessels struck, overriding the MoU its own civilian negotiators were pursuing through Pakistan. The closure order used the Persian Gulf Strait Authority apparatus to convert a toll mechanism into a military prohibition.

Trump administration / CENTCOM

CENTCOM completed a second day of strikes on Tehran, Sirik and Minab, rejected the IRGC Hormuz closure as inconsistent with observed transit, and said strikes were complete. Hegseth framed the bombing explicitly as the negotiation: the method is coercive deal-making with no stated pause threshold.