BLOG · REGULATION

The EU Cloud and AI Development Act: cloud sovereignty becomes a procurement criterion

Regulation
  • #regulation
  • #cloud-sovereignty
  • #cloud
  • #ai-act
  • #eu
  • #procurement
  • #operator-lens

On 3 June 2026 the European Commission proposed the Cloud and AI Development Act — a draft, not law — with a four-level cloud-sovereignty scale for public procurement. For an operator it's a signal that "where and under whose jurisdiction your AI stack sits" is moving into a cell in a tender.

Adam WszendybyłAI operator-architect

What happened

On 3 June 2026 the European Commission presented a draft of the Cloud and AI Development Act (CADA) — the centerpiece of a technological-sovereignty package, announced together with an amendment to the Chips Act, an open-source strategy and a roadmap for digitalization and AI in energy. This is a draft regulation, not binding law: it now enters the ordinary legislative procedure, in which Parliament and the Council will negotiate it — the final text, scope and dates of application may still change.

For an operator, two things are concrete. The first is a four-level scale of "EU assurance" for cloud and AI in public procurement: from a level where the infrastructure simply sits in the Union, through demonstrated independence from third countries and transparency of the software supply chain, up to the highest level — EU ownership and control, criteria on personnel and no possibility of interference from outside the Union (this top of the scale is meant to be reserved for, among other things, defense). The assessment deliberately goes beyond classic cybersecurity and asks about operational autonomy, resilience and exposure to foreign jurisdictions. The second thing is a target of at least tripling the capacity of European data centers within five to seven years.

Our thesis

CADA pulls "cloud sovereignty" out of the discussion about values and puts it into a cell in a request for proposals. Until now, where and under whose jurisdiction your AI stack runs was an argument on a slide. The draft turns that argument into named levels with criteria that public-sector buyers are meant to measure vendors against. Even if the text still changes in negotiations, the direction is clear enough that it's not worth waiting to react until publication in the official journal — that's our read on the trend, not an announcement of specific dates.

CADA doesn't replace the AI Act in doing so; it adds to it alongside: the first asks where and under whose control your cloud comes from, the second — how you govern the AI system itself (we wrote about it in the note "A year of the AI Act"). The practical takeaway, however, is the same as with any dependency on a single vendor: the risk isn't which cloud you run on today, but how expensive it will be to move off it when a client, a regulator or a buyer demands it.

Why it matters

Private Equity

For a fund, this is a new item in the diligence of companies that sell to the public sector or to regulated industries: whether their architecture even reaches the higher assurance levels, or whether it's excluded by definition from part of the tenders. That's a question about market access, not about compliance itself — and it can move the revenue thesis before anything legal moves. A company dependent on a single non-EU cloud with no migration plan has a risk here that is quantifiable, not philosophical.

Enterprise

For a large organization selling to government or operating in a critical sector, this is a signal to map, already now, your AI stack's exposure to jurisdictions outside the Union: where the data physically sits, where the model computes and who technically has access to it. Not to change vendors overnight, but to know what a move would cost if a sovereignty requirement entered the next tender you bid on.

SMB / mid-market

A smaller company rarely bids at the highest assurance level, so CADA doesn't apply to it directly. Indirectly — it does: if you're a subcontractor to someone bidding in such a tender, their sovereignty requirement will flow down into your contract as questions about where you keep data and whose software you use. Better to know the answer in advance than to find it out at signing.

One step you can take this week

Take one AI process that already runs in production for you, and write down three things for it: in which country the infrastructure sits, which jurisdiction the vendor is subject to, and what it would actually take to move that workload elsewhere. If the answer to the third question is "rewrite the product from scratch," you already have a topic for the coming quarter — because it's exactly that cost that turns someone else's pricing or regulatory decision into your problem. The intermediate layer that lets you shift workloads between vendors and locations without rewriting the product is described under products.

Describe your case

If you sell to the public sector or to a regulated industry and don't know which assurance level your AI stack sits at today, bring one process and a list of the vendors it runs on. We start from something concrete. Describe your case: mailto:[email protected]?subject=Rozmowa%20z%20Aurora%20AI.

LET'S START

Bring the process, not the slides.

If you read our blog and spot an area you want to improve in your own organization — write to us. We start every conversation from something concrete.

Describe your case