What the draft actually proposes

On 3 June 2026 the European Commission adopted a proposal for the Cloud and AI Development Act, known as CADA. It is a proposal, not a law in force. It still has to pass through negotiation between the European Parliament and the Council, and its wording can change before any part of it becomes binding. So this is a signal about direction, not a rule you must comply with today. The direction, however, is clear enough to plan around.

The part that matters for buyers is a single EU-wide framework that grades cloud and AI providers across four Union assurance levels. The lowest level is intended as the floor for serving the public sector, with narrow exceptions. Higher levels apply where a provider supports functions tied to public order, following a risk assessment by Member States and Union bodies, across sectors such as energy, healthcare, transport, water, law enforcement, border management, national security and defence. In short, the more sensitive the role, the higher the bar a provider has to clear.

Why US hyperscalers hit a ceiling

The higher assurance levels are reported to look past the location of the data centre and into who owns the provider, who controls its operations, and whether the service can be shielded from non-EU law. That last test is where the large US providers run into a structural limit. Under the US CLOUD Act, a US-headquartered company can be compelled to hand over data it controls, regardless of where in the world that data physically sits. A European data region does not remove that reach.

This is not a claim that AWS, Microsoft or Google are insecure or that most workloads are affected. For the great majority of business data, they remain strong, mainstream choices. The point is narrower and it is about the top of the scale. For the most sensitive categories the draft targets, a US-controlled provider cannot fully guarantee legal insulation, because a foreign legal order can still assert a claim over the data. That is a matter of jurisdiction, not engineering, and it is why the exact per-tier criteria in the draft annexes are worth watching as the text is negotiated.

Turn dependency into a procurement check

For years cloud sovereignty was treated as an abstract dependency risk, easy to note and easy to defer. CADA reframes it as something concrete: a gate at the point of signature. If a contract touches regulated or genuinely sensitive data, the jurisdiction your provider answers to becomes a term of the deal, not a footnote. That shift rewards buyers who ask the question early and penalises those who discover it during an audit or a renewal.

The measured response is a jurisdictional-risk assessment before you sign or renew. Map which of your data would fall into the sensitive categories the draft describes, identify who ultimately owns and controls each provider, and check what your contracts say about foreign legal access, data location and exit. Where the risk is real, you can keep everyday workloads where they are and route only the sensitive tier to a provider that can meet a higher assurance level. None of this is legal advice, and the text may move, but the assessment itself costs little and positions you well whichever way the final law lands.