The short answer
On 3 June 2026 the European Commission proposed the Cloud and AI Development Act (CADA), the flagship of its Technological Sovereignty Package. The proposal would accelerate data-centre build-out across the EU — aiming to triple capacity over the next five to seven years — and introduce a single EU-wide framework that rates cloud and AI services across four sovereignty assurance levels. Alongside it sit a Chips Act 2.0 and an EU Open Source Strategy.
CADA is a proposal, not yet law: it still has to pass the European Parliament and Council. But the direction is unambiguous. For US software teams that sell into Europe, cloud sovereignty — where data lives, who operates the infrastructure, and whose law reaches it — is moving from a nice-to-have into a formal procurement criterion. The work to answer it starts now, while it is cheap.
What the Sovereignty Package actually contains
The Commission framed the package as its answer to Europe's dependence on non-EU cloud, chips, and AI. CNBC captured the political tone with a quote from Brussels: officials want to be sure "nobody has a kill switch" over Europe's critical digital infrastructure. Setting the rhetoric aside, three concrete workstreams matter to builders:
- Cloud and AI Development Act (CADA). A framework to fund European cloud and AI capacity and to define how the public sector should assess the sovereignty of the services it buys.
- Chips Act 2.0. A second-generation semiconductor push aimed at reducing dependence on third countries for chip design and manufacturing, including a stated intent to prioritise an advanced foundry inside the bloc.
- EU Open Source Strategy. A strategy to promote European open-source solutions and developers, and to weave open-source communities into EU standardisation.
The through-line is control: Europe wants more of the stack — silicon, data centres, models, and the software on top — to be operable independently of any single foreign supplier. That is an industrial-policy ambition, but it lands on engineering teams as concrete questions about where workloads run and who can touch them.
What is CADA, and what would it change?
CADA (formally COM(2026) 502) sets out three objectives. First, to support research, development, and innovation in cutting-edge and sustainable cloud and AI technologies. Second, to accelerate data-centre deployment across the EU, with the explicit aim of tripling capacity over the next five to seven years. Third — and this is the part that reshapes buying decisions — to introduce a single EU-wide assessment framework for cloud and AI sovereignty.
Today, "sovereign cloud" means different things in France, Germany, and the Netherlands, each with its own labels and criteria. CADA's ambition is one common yardstick across the single market. For a vendor, that is actually good news: one framework to satisfy instead of a patchwork. The catch is that the yardstick measures things a lot of US-headquartered SaaS products have never had to expose — the legal jurisdiction over their data and the nationality of the entity operating their infrastructure.
Does CADA apply to US vendors?
Not as a ban, and not as a direct obligation the way the AI Act imposes duties. CADA is procurement and industrial policy. It changes the criteria EU public bodies — and, by gravitational pull, regulated private buyers in FinTech, health, and the public sector — use to choose cloud and AI services. Sovereignty gets added on top of price and features as a scored dimension.
So the practical effect on a US vendor is competitive, not prohibitive. If a European hospital network or bank has to hit a given assurance level, a provider that can demonstrate EU data residency, EU-based operations, and resistance to extraterritorial legal reach will clear the bar; one that cannot will be filtered out before the demo. The uncomfortable subtext for US providers is the reach of laws like the CLOUD Act: EU buyers increasingly ask whether a foreign government could compel access to their data, and a convincing answer now has commercial value.
The four sovereignty assurance levels
CADA defines cloud and AI sovereignty through four assurance levels, which public-sector bodies apply based on their own risk assessment. The proposal frames these as a ladder: higher levels demand stronger guarantees over where data is stored and processed, who operates and controls the infrastructure, and how insulated the service is from non-EU jurisdiction. Lower levels suit low-risk workloads; the top level targets sensitive government and critical-infrastructure data.
The exact technical criteria will be sharpened as the proposal moves through the legislature, so treat the levels as a direction rather than a finished checklist. The design intent, however, is clear and worth internalising: it lets a buyer say "this workload needs level 3" and lets a vendor answer "here is how we meet level 3" in a way that is comparable across all 27 member states.
| Dimension the levels probe | What a buyer is really asking |
|---|---|
| Data location | Is data stored and processed in the EU, including backups and logs? |
| Operational control | Who runs the infrastructure day to day, and under whose corporate control? |
| Jurisdictional insulation | Can a non-EU government compel access to this data or service? |
| Technical autonomy | Can the service keep running if a foreign supplier withdraws? |
Chips Act 2.0 and the Open Source Strategy
Two companion pieces round out the package. Chips Act 2.0 is a renewed semiconductor programme aimed at the layer beneath everything else: it targets Europe's dependence on third countries for chip design and manufacturing, and the Commission signalled it would prioritise building an advanced foundry within the bloc. For most software teams this is background weather rather than a to-do — but it is a reminder that compute supply, and therefore GPU availability and pricing for EU AI workloads, is now a strategic concern at the policy level.
The EU Open Source Strategy is closer to home for engineers. It promotes European open-source solutions and developers and pulls open-source communities into EU standardisation. If your product leans on open-source components or you contribute upstream, expect open source to be treated as a sovereignty asset — a dependency Europe can inspect and control — rather than a liability. That framing can work in your favour when you position a stack that is transparent and portable rather than locked to one proprietary vendor.
What it means for US & EU software teams
Strip away the geopolitics and CADA is a forcing function on architecture. The question it makes every EU buyer ask — "where does my data live, and who can reach it?" — is one that a lot of US SaaS products answer today with an implicit "somewhere in us-east-1." That answer is about to cost deals.
The teams that will do well are the ones that treat data residency as a first-class product capability, not a support-ticket exception. Concretely, that means an EU deployment option with EU-region storage and processing, operations you can describe honestly, and minimal cross-border data flows. Moving or standing up workloads in EU regions is the bulk of the lift, and it is exactly the kind of work our cloud migration team scopes for US/EU products. Regulated verticals feel it first: a FinTech or HealthTech buyer will make assurance level a gating requirement long before a low-risk consumer app does.
There is also an upside worth naming. A common EU-wide sovereignty framework is easier to sell against than a fragmented set of national schemes. If you build the residency and documentation story once — clearly, and to the CADA framing — you can reuse it across the whole single market instead of re-litigating "sovereign cloud" country by country. Early movers turn a compliance cost into a differentiator.
The engineering and go-to-market checklist
Here is the shippable version. Run it as a scoping exercise now, while CADA is still a proposal and you are not under contract pressure.
- Map data residency and jurisdiction. For every dataset, record where it is stored and processed (including backups, logs, and analytics), which entity operates that infrastructure, and under whose law it sits. This single map answers most sovereignty questions.
- Stand up an EU-region deployment path. Even if you do not offer it yet, know what it takes: EU storage and processing, EU-resident encryption keys, and a data-flow diagram with no surprise US round-trips.
- Separate control plane from data plane. Buyers accept some global orchestration; they resist customer data leaving the region. Design so that personal and sensitive data can stay in the EU even when management tooling does not.
- Write the sovereignty posture down. Produce a short, honest document a European procurement team can map to an assurance level: residency, operator, jurisdiction, subprocessors, and continuity if a supplier withdraws.
- Audit subprocessors and vendors. Your sovereignty is only as strong as your weakest dependency. List every third party that touches customer data and where each one sits.
- Treat open source as an asset. Where you rely on or contribute to open source, say so — it reads as portability and inspectability, which aligns with the EU strategy.
- Assign an owner and revisit at adoption. CADA will change during the legislative process. Name someone to track it and to firm up the assurance-level criteria before they become contractual.
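A residency map only pays off if it can be checked mechanically. The sketch below is an added example, not code from this article or from the CADA proposal: it audits such a map for the gaps the checklist names (backups, logs and keys outside the EU, a non-EU operator, non-EU subprocessors, and unrecorded locations). The field names, the sample inventory and the simple "outside the 27 member states" test are assumptions for illustration; the actual assurance-level criteria are not final.

```python
# Added example: audit a data-residency map for components outside the EU.
# ISO 3166-1 alpha-2 codes of the 27 EU member states.
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
         "PL PT RO SK SI ES SE".split())

# Every place a dataset can end up, not just its primary store.
REQUIRED = ("primary", "backups", "logs", "keys")

# Constructed sample inventory; all names and fields are hypothetical.
INVENTORY = [
    {"dataset": "patient_records", "customer_data": True,
     "locations": {"primary": "DE", "backups": "IE", "logs": "US", "keys": "DE"},
     "operator_jurisdiction": "US",
     "subprocessors": [{"name": "mailer-example", "country": "US"}]},
    {"dataset": "billing", "customer_data": True,
     "locations": {"primary": "FR", "backups": "FR", "logs": "FR", "keys": "FR"},
     "operator_jurisdiction": "FR", "subprocessors": []},
    {"dataset": "analytics_events", "customer_data": True,
     "locations": {"primary": "NL", "logs": "NL", "keys": "NL"},  # backups missing
     "operator_jurisdiction": "NL", "subprocessors": []},
    # Control-plane metadata with no customer data: global placement tolerated.
    {"dataset": "deploy_metadata", "customer_data": False,
     "locations": {"primary": "US", "backups": "US", "logs": "US", "keys": "US"},
     "operator_jurisdiction": "US", "subprocessors": []},
]

def audit(inventory):
    """Return (dataset, dimension, detail) for each sovereignty gap found."""
    findings = []
    for item in inventory:
        # An entry that does not declare itself is treated as customer data.
        if not item.get("customer_data", True):
            continue
        name, locs = item["dataset"], item.get("locations", {})
        for comp in REQUIRED:
            country = locs.get(comp)
            if country is None:  # an unrecorded location is itself a gap
                findings.append((name, "data location", f"{comp}: not recorded"))
            elif country not in EU:
                findings.append((name, "data location", f"{comp}: {country}"))
        op = item.get("operator_jurisdiction")
        if op not in EU:
            findings.append((name, "jurisdiction", f"operator: {op or 'not recorded'}"))
        for sp in item.get("subprocessors", []):
            if sp["country"] not in EU:
                findings.append((name, "subprocessor", f"{sp['name']}: {sp['country']}"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
```

An EU operator country code does not by itself settle corporate control; a non-EU parent still needs to be recorded and assessed separately.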
None of this is legal advice, and your exact obligations will depend on the final text of CADA and on which buyers you sell to. But the strategic signal is already clear: Europe is making cloud sovereignty a scored purchasing criterion, and the parts that hit ordinary software teams — data residency, EU-region operations, and an honest jurisdiction story — are buildable today. Build them.
Frequently asked questions
What is the EU Cloud and AI Development Act (CADA)?
CADA is a legislative proposal the European Commission presented on 3 June 2026 as part of its Technological Sovereignty Package. It aims to support cloud and AI R&D, accelerate data-centre deployment across the EU with the goal of tripling capacity over the next five to seven years, and introduce a single EU-wide framework to assess the sovereignty of cloud and AI services across four assurance levels. As of July 2026 it is a proposal, not yet law.
Does CADA apply to US cloud and software vendors?
Indirectly but materially. CADA does not ban US providers. It changes how EU public bodies, and over time regulated buyers, evaluate cloud and AI services by adding a sovereignty assessment on top of price and features. A US vendor that can demonstrate EU data residency, EU-based operations, and resistance to foreign legal reach will rate higher and stay eligible for more European contracts.
What are the four cloud sovereignty assurance levels?
CADA defines a single EU-wide framework with four assurance levels that public-sector bodies apply based on their own risk assessment. Higher levels correspond to stronger guarantees over where data is stored and processed, who operates the infrastructure, and how insulated it is from non-EU jurisdiction and control. The exact criteria will be refined during the legislative process.
When does CADA take effect?
There is no enforcement date yet. CADA was proposed on 3 June 2026 and must still be negotiated and adopted by the European Parliament and the Council before it applies. The data-centre capacity goal is a policy target, not a compliance deadline. Treat 2026 as the planning window, not a hard cutover.
What is the difference between CADA and the EU AI Act?
They solve different problems. The EU AI Act regulates how AI systems may be built and used and is already partly enforceable. CADA is industrial and procurement policy: it funds European cloud and AI infrastructure and sets sovereignty criteria for buying those services. A product can be fully AI-Act compliant and still rate low on CADA's sovereignty scale, or vice versa.
What should a US SaaS company do to stay competitive in the EU?
Start with a data-residency and jurisdiction map of your stack: where each dataset lives, who can access it, and under whose law. Offer an EU-region deployment with EU-based operations, minimise cross-border data flows, and document your sovereignty posture so European buyers can slot you into an assurance level. Doing this now is far cheaper than retrofitting under contract pressure.
Sources
European Commission — Tech sovereignty package (press release IP/26/1187), 3 June 2026
European Commission — Cloud and AI Development Act (Shaping Europe's digital future)
CNBC — Europe unveils tech sovereignty package amid U.S. tech reliance concerns, 3 June 2026