EU Cloud and AI Development Act: Sovereignty, AI and US Tech Dependence
By Martyna Chmura | 7 July 2026
Summary
The European Union (EU) Cloud and AI Development Act (CADA), introduced on 3 June 2026, places cloud and AI infrastructure at the centre of the EU’s technology sovereignty agenda.
The proposal addresses dependence on non-EU cloud providers by linking data centre expansion, public procurement and a 4-level sovereignty framework for sensitive public-sector and critical-sector workloads.
CADA strengthens the EU’s strategic autonomy agenda, but its effectiveness is constrained by limited domestic cloud scale, energy pressures, advanced chip dependency and potential tension with United States (US) hyperscalers.
Context
On 3 June 2026, the European Commission unveiled the Tech Sovereignty Package, a digital policy agenda covering semiconductors, cloud infrastructure, open-source software, energy digitalisation and artificial intelligence (AI). The package addresses Europe’s reliance on non-EU suppliers for technologies that support public services, hospitals, energy grids, and financial markets. It includes the Cloud and AI Development Act (CADA), the Chips Act 2.0, the EU Open Source Strategy, and the Strategic Roadmap for Digitalisation and AI in Energy.
CADA is the package’s main cloud and AI infrastructure proposal. It focuses on expanding European data centre capacity, supporting AI deployment and reducing dependency on foreign cloud providers. The proposal is built around 3 pillars: research and innovation, data centre capacity, and autonomy. Its autonomy pillar introduces a 4-level sovereignty framework, ranging from EU-based data processing at Level 1 to stricter requirements on third-country control, EU ownership, supply-chain transparency, personnel clearance and independent audit at higher levels.
CADA also fits into the EU’s wider digital rulebook, including the Data Act, Digital Markets Act (DMA), AI Act, Network and Information Security Directive 2 (NIS2), Digital Operational Resilience Act (DORA) and the pending EU Cloud Services Scheme (EUCS). This makes it a new infrastructure and procurement layer within an already dense regulatory environment.
Implications
CADA turns EU digital sovereignty from a political objective into a procurement and infrastructure policy. Its 4-tier framework gives public authorities and critical sectors measurable criteria for assessing cloud services, including EU-based data processing, independence from third-country control, software supply-chain transparency, EU ownership and independent audit. This shifts sovereignty from a broad policy principle into a compliance standard shaping contracts, supplier eligibility and data-governance decisions.
For the EU, the proposal links AI leadership directly to infrastructure capacity. Advanced AI requires large-scale cloud, high-performance compute, secure data storage and reliable energy supply. CADA identifies this infrastructure gap as a strategic weakness and places data centre expansion at the centre of European industrial policy. The EU’s objective to triple data centre capacity within 5 to 7 years reflects the scale of this deficit. The edge infrastructure gap is also significant: around 2,257 edge nodes were deployed across the EU in 2024, against the Digital Decade target of 10,000 by 2030, equal to roughly 23% of its target. However, this capacity agenda also faces energy and climate constraints, as faster data centre buildout increases pressure on electricity systems and complicates the EU’s climate objectives.
The proposal also responds to market concentration. EU-based cloud providers’ market share fell from around 29% in 2017 to around 15% in 2022, while 3 non-EU hyperscalers control over 70% of the European cloud market. This gives foreign providers structural influence over pricing, technical standards, interoperability, data hosting and service availability. CADA addresses this through public procurement, the EuroCloud Federation and an EU added value criterion, which rewards contributions to the EU supply chain, innovation and hardware. However, industry critics argue that the highest sovereignty levels function as origin-based market restrictions rather than technical safeguards.
CADA also reframes cloud dependency as a foreign-policy and security issue, not only a market-competition problem. Although CADA does not name the United States (US), its effects concentrate on US hyperscalers because of their dominant position in the EU cloud market [9][14]. The proposal therefore adds a sovereignty layer to existing EU-US technology disputes over data transfers, competition enforcement, AI regulation and extraterritorial legal access. Its wider effectiveness is also tied to the rest of the technology stack: the EU produces only around 10% of global semiconductors and remains heavily dependent on the US and East Asia for the most advanced AI chips, limiting the extent to which cloud sovereignty alone can deliver AI autonomy.
Forecast
Short-term (Now - 3 months)
Parliamentary and Council scrutiny is likely to focus on the scope of Article 31, as its possible extension to private critical-sector entities makes it the most politically sensitive part of CADA.
US hyperscalers and industry associations are highly likely to intensify lobbying against Level 3 and Level 4 requirements, framing them as origin-based restrictions rather than technical security safeguards.
Medium-term (3 - 12 months)
It is likely that negotiations produce pressure to make the sovereignty framework more risk-based, particularly by separating sensitive public-sector and national-security workloads from general commercial cloud services.
Member states are likely to divide between sovereignty-focused governments, especially those with existing national cloud-security frameworks, and states prioritising investment, interoperability and access to global cloud capacity.
Long-term (>1 year)
CADA is likely to strengthen EU control over sensitive public-sector and critical-infrastructure workloads, but wider AI deployment is likely to remain dependent on non-EU compute capacity, advanced chips and hyperscaler infrastructure.
Full EU cloud and AI autonomy is unlikely within the next 5 years, as domestic data centre expansion, energy availability and advanced semiconductor capacity remain structural constraints on Europe’s technology sovereignty agenda.