Skip to content
You can now search across every topic, entity and event.What's new
Iran Conflict 2026
14MAY

Brussels adopts CADA, narrows its scope

3 min read
10:57UTC

The College of Commissioners adopted the Cloud and AI Development Act on 3 June, reserving its strictest tier for national security and defence after three earlier slips trimmed the scope.

ConflictDeveloping
Key takeaway

CADA passed with a narrowed top tier for security and defence, scaled to fit the EU-US trade relationship.

The College of Commissioners adopted the Cloud and AI Development Act (CADA) on Wednesday 3 June, referenced IP/26/1187, after three earlier adoption dates slipped , , 1. CADA is a public-procurement sovereignty law: it sets tiers for how EU public bodies buy cloud and AI services, and reserves the strictest tier, which excludes providers under foreign jurisdiction, for a narrow set of workloads. The Act now enters trilogue, the negotiation between The Commission, the European Parliament and the Council that produces the final text.

The adopted scope is far narrower than the version that leaked on 7 May , which would have barred US hyperscalers from all public-sector financial, judicial and health data. The final text limits the top tier to national security, defence, law enforcement and border management 2. Law firm Wilson Sonsini reads the obligations as also catching sectors under NIS2, the EU's network-security framework, including energy, healthcare and digital infrastructure, which would pull the practical reach wider than the headline workloads 3.

Commission President Ursula von der Leyen framed the doctrine by saying CADA keeps "most of our market open to like-minded partners" 4. That line is the seam in European policy this week: sovereignty where the continent has alternatives, openness where it depends. The same institutions that adopted CADA cleared a $40bn US-chip commitment the same afternoon, and Chips Act II with its new fab-equity authority went through in the same package. Germany's automotive tariff exposure in the EU-US trade talks had drained the appetite for a broad CADA, and the same leverage that forced the three slips shaped what survived into the adopted text.

Deep Analysis

In plain English

CADA, the Cloud and AI Development Act, is a new EU law that says certain sensitive government data must be stored with cloud providers that cannot be forced by a foreign government to hand it over. The United States has a law called the CLOUD Act that lets Washington demand data from American cloud companies no matter where in the world that data is stored. The EU's answer was not to ban American cloud providers from all government work. Instead, CADA creates four tiers. Only the top tier, covering national security, defence, law enforcement and border management, is restricted to providers free of foreign-jurisdiction risk. Everything else stays open. Law firm Wilson Sonsini says the tier below the top will also catch energy companies, hospitals and internet infrastructure operators under existing EU cybersecurity rules, so the real scope is wider than the official estimate of 1% of public services.

Deep Analysis
Root Causes

CADA's three-slip history reflects a single structural cause: Germany's automotive sector faces US retaliatory tariffs under the EU-US trade framework, and any CADA scope that materially disrupted US cloud revenue was read in Berlin as a trigger for those tariffs.

The Commission's internal calculus at every adoption date weighed digital sovereignty against car-sector jobs, and the car-sector jobs won until the scope was narrow enough that Washington signalled non-objection.

The US CLOUD Act compels disclosure of data held anywhere in the world by US-incorporated entities. Any procurement rule that admits AWS, Azure, or Google Cloud to any tier therefore creates a legal exposure at that tier. The Commission's answer was to quarantine the highest-risk workloads (where disclosure would compromise operational security of state) rather than attempt a blanket exclusion that the trade framework could not sustain.

What could happen next?
  • Meaning

    The 1% Commission headline covers only Tier 4 (national security) but Wilson Sonsini's reading of NIS2-sector obligations means energy, healthcare and digital infrastructure providers face Level 2-4 assurance requirements, making the effective scope substantially wider.

    Short term · Reported
  • Consequence

    CADA's trilogue will determine whether the Wilson Sonsini NIS2-sector reading is codified or narrowed, with US cloud providers lobbying hard to confine Level 2-4 obligations to explicit Tier 4 workloads only.

    Medium term · Assessed
  • Risk

    A CADA scope narrowed under US trade leverage that is then expanded by courts or trilogue creates legal uncertainty for public authorities who made procurement decisions on the 1% headline.

    Medium term · Reported
  • Precedent

    CADA establishes the first binding EU public-procurement sovereignty tier system, creating a legal architecture that can be expanded by future regulation without requiring a new legislative instrument.

    Long term · Assessed
First Reported In

Update #8 · Sovereignty law adopted; $40bn US chip buy

European Commission· 10 Jun 2026
Read original
Causes and effects
This Event
Brussels adopts CADA, narrows its scope
The adopted text narrows the sovereignty restriction US providers feared most, showing the ambition was scaled to fit the EU-US trade relationship.
Different Perspectives
Oil market and P&I insurers
Oil market and P&I insurers
Brent cleared $87 intraday only once CENTCOM's blockade became physical rather than declared, even though P&I Clubs had already excluded Hormuz war risk a week earlier on 7 July: capital hedged ahead of enforcement, but prices moved only after it.
UAE reporting
UAE reporting
UAE reporting placed the Omani tanker deaths at one seafarer against the International Maritime Agency's count of two, the first time in this war that a Gulf state's casualty figures have diverged from an international monitor's.
Jordan
Jordan
Iranian strikes reached Jordan again on 14 July as part of the Gulf-wide retaliation for the Hormuz blockade, extending the conflict's geographic footprint to a state with no direct stake in the strait itself.
Bahrain
Bahrain
Bahrain sounded air-raid sirens on 14 July during Iran's Gulf-wide retaliation, the same day CENTCOM's blockade order and fourth night of strikes pushed the conflict's physical reach into the wider Gulf littoral.
Kuwait
Kuwait
Kuwait intercepted Iranian missiles and drones on 14 July as Tehran's blockade retaliation reached Gulf states beyond Iran's immediate shoreline, confirming Kuwaiti airspace now sits inside Iran's retaliatory envelope.
Oman
Oman
Oman absorbed the war's first tanker casualties in its own waters on 14 July, with two supertankers disabled and seafarers killed, putting the sultanate's shipping lanes directly in the path of the blockade fight for the first time.