12JUN

Brussels adopts CADA, narrows its scope

3 min read

09:18UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

← Back to Trump halts strikes, touts deal Iran denies Jump to analysis ↓

ConflictDeveloping

Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , ¹. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between The Commission, the European Parliament and the Council that produces the final text.

The adopted scope is far narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management ². Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads ³.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" ⁴. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis

Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?

Meaning
The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.
Short term · Reported
Consequence
CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.
Medium term · Assessed
Risk
A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.
Medium term · Reported
Precedent
CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.
Long term · Assessed

Source Landscape

This story draws on neutral-leaning sources from Belgium

Belgium

Primary parallel: The 2016 EU-US Privacy Shield negotiations, where Brussels accepted a weaker replacement for Safe Harbour after the Schrems ruling under explicit US diplomatic pressure. The agreement held less than four years before Schrems II invalidated it in 2020.

CADA follows the same pattern: a scope narrowed under US trade leverage, adopted with a political framing that minimises the concession, and with a legal text that analysts read as more restrictive than the press line suggests.

Counter-parallel: The 2023 EU-US Data Privacy Framework (DPF), negotiated after Schrems II, produced a genuinely different structure by creating a US Court of Review for European data-subject complaints. CADA's architectural approach, separating procurement tiers from vendor jurisdiction, is closer to the DPF model than to Privacy Shield: it builds structural insulation into public procurement rather than relying on cross-border legal commitments that courts can strike down.

Consensus view: Stiftung Neue Verantwortung (SNV), a Berlin-based digital policy think tank, assessed the adopted CADA scope as a deliberate recalibration rather than a capitulation: reserving Tier 4 for national security and defence workloads covers the data categories where a CLOUD Act compel would cause irreversible state-sovereignty harm, while leaving enterprise and health data for a second legislative cycle.

Counter-view: The Computer and Communications Industry Association (CCIA Europe), representing US cloud providers, argued the NIS2-sector reading by Wilson Sonsini is technically correct and that energy, healthcare and digital infrastructure operators will face de facto Level 2-4 assurance requirements regardless of The Commission's 1% headline, meaning the scope is wider in practice than the political announcement.

Key tension: Whether the 1% Commission headline is an honest description of Tier 4 coverage or a political framing device that obscures the NIS2-sector obligations that will catch perhaps 15-20% of European public-sector procurement in trilouge.

Sources:European Commission·Wilson Sonsini

Mentions:Cloud and AI Development Act →European Commission →Ursula von der Leyen →Henna Virkkunen →NIS2 →Chips Act II →Washington →CLOUD Act →European Parliament →Brussels →College of Commissioners →Parliament →Germany →Berlin →United States →Wilson Sonsini →

First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026

Read original →

Causes and effects

Caused by

CAIDA due before College, scope cut

Commission's fourth adoption date (ID:3865) delivered the CADA adoption on 3 June 2026.

Occurred 3 Jun 2026

Read story →

EU sovereignty law slips a third time

Third slip under US trade pressure (ID:3644) forced scope narrowing that produced the adopted 1% ceiling.

Occurred 27 May 2026

Read story →

Brussels locks 27 May for CAIDA and Chips II

First 27 May adoption date (ID:3367) set the calendar sequence leading to 3 June adoption.

Occurred 27 May 2026

Read story →

CAIDA leak: US clouds barred from EU public data

Leaked scope (ID:3369) barring financial and health data was narrowed in the adopted text to national security and defence workloads only.

Occurred 7 May 2026

Read story →

Chips Act II gives Brussels equity authority

Chips Act II direct fab-equity authority (ID:3368) was confirmed in the same package adopted on 3 June.

Occurred 30 Apr 2026

Read story →

This Event

Brussels adopts CADA, narrows its scope

The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.

Led to

EU joins US chip pact, France objects

The same-day CADA adoption and Pax Silica authorisation define the two-tier doctrine: sovereignty at the cloud layer, dependency at the silicon layer.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Oil markets and Lloyd's of London

Brent fell to $89.25 on ceasefire probability, not new barrels, with traders voting for Trump's deed over Tehran's denial. Lloyd's has not repriced Hormuz war-risk cover because its trigger requires a UN Security Council resolution or government certification, so tanker insurance costs remain elevated regardless of the spot move.

Pakistan and Qatar mediators

Pakistan's Mohsin Naqvi was in Tehran for his second visit in under a week, using the Pakistan-Qatar channel that delivered April's ceasefire after an identical public-denial cycle. The channel carries both civilian and military buy-in from Islamabad, the only configuration Iran's split command cannot dismiss as a partial signal.

India

India summoned the US Deputy Chief of Mission after three Indian sailors were killed aboard MT Settebello, the first formal grievance from a major non-belligerent directed at US enforcement. Indian seafarers supply roughly 12 per cent of the global maritime workforce; their presence on third-flag Gulf tankers is structurally inevitable regardless of bilateral diplomacy.

Islamic Revolutionary Guard Corps (IRGC)

The IRGC declared Hormuz closed on 11 June while civilian negotiators were on the same mediation channel, then issued no public comment on the MoU framework. Its silence on the framework, rather than any foreign ministry statement, is the operative approval signal; the corps' unilateral Hormuz closure shows it did not treat the diplomatic track as binding on its operations.

Iran foreign ministry (Baghaei)

Esmail Baghaei told IRNA that reports of a finalised deal were 'merely speculation' and that Iran had 'not yet made a final decision'. The denial is structurally identical to Iranian foreign ministry statements during the April ceasefire talks, which produced a binding text within 48 hours of the same language.

Trump administration / CENTCOM

Trump cancelled the third strike day and called the MoU 'very strong' and almost ready to sign, while CENTCOM kept tanker enforcement running in the same 24-hour window. The administration is simultaneously withdrawing the military pressure it claims drove the deal and sustaining the enforcement campaign it is trying to trade away.