sota.io
2026-04-09·9 min read·sota.io team

EU CADA 2026: What the Cloud and AI Development Act Means for European Developers

On May 27, 2026, the European Commission is expected to table the Cloud and AI Development Act — CADA. The proposal has been in preparation since mid-2025 as the EU's structural response to the United States' $500 billion Stargate AI infrastructure initiative. CADA targets two things simultaneously: tripling European datacenter capacity by 2030, and establishing mandatory EU-native infrastructure requirements for AI workloads above defined risk and scale thresholds.

Most EU developers have not heard of it. Most who have assume it is a future concern. Both assumptions are costly.

What CADA Is Responding To

The context matters for understanding the proposal's scope.

In January 2025, the incoming US administration announced the Stargate initiative — a $500 billion commitment to AI infrastructure buildout in the United States, coordinated between Microsoft, OpenAI, Oracle, SoftBank, and the US government. The initiative included explicit language about establishing US dominance in AI infrastructure and making US cloud capacity the global default for large-scale AI workloads.

The European Commission's immediate response was a working paper cataloguing the strategic risk: if EU public institutions, healthcare systems, financial regulators, and critical infrastructure operators migrate large AI workloads to US-hosted infrastructure to access Stargate-scale capacity, the EU loses effective data sovereignty over a category of processing that is both economically critical and legally regulated under GDPR, the EU AI Act, NIS2, and DORA.

CADA is the legislative answer to that risk.

The Three Pillars of the CADA Proposal

Based on the Commission's preparatory documentation and the positions of member states as of Q1 2026, the CADA proposal is structured around three interconnected pillars.

Pillar 1 — Mandatory EU Infrastructure for High-Risk AI

The first and most directly operational pillar extends the EU AI Act's risk management framework to include infrastructure jurisdiction as a mandatory compliance factor.

For high-risk AI systems within the scope of EU AI Act Annex III — including biometric identification, critical infrastructure management, educational assessment, employment screening, credit scoring, law enforcement, and border control applications — CADA would require that:

The enforcement mechanism is conformity assessment: Annex III systems that cannot demonstrate EU-jurisdiction infrastructure will fail the technical documentation requirements that notified bodies check before CE marking.

The practical consequence: a high-risk AI system trained on AWS or Azure — both US-incorporated — cannot receive conformity assessment certification under CADA. This is a harder requirement than current EU AI Act guidance, which treats US cloud exposure as a "foreseeable risk" requiring documentation but not necessarily avoidance.

Pillar 2 — EU Datacenter Capacity Tripling by 2030

The second pillar is the supply-side complement to Pillar 1. You cannot mandate EU infrastructure for AI workloads without ensuring that EU infrastructure exists at the required scale.

European datacenter capacity in 2025 is approximately 18% of global capacity. The United States accounts for approximately 40%. CADA's tripling target — reaching roughly 54% of current global capacity in EU jurisdiction by 2030 — would require an investment of €150–200 billion in European hyperscale and edge infrastructure over four years.

The mechanisms proposed include:

This pillar creates the infrastructure capacity that Pillars 1 and 3 depend on. Without it, mandatory EU infrastructure requirements would simply be unenforceable — there would not be enough compliant capacity to absorb regulated workloads.

Pillar 3 — EU Sovereign Cloud Certification Scheme

The third pillar creates a certification framework that extends and harmonises the existing EUCS (EU Cybersecurity Certification Scheme for Cloud Services) under ENISA into a more comprehensive EU sovereignty standard.

The current EUCS distinguishes between Basic, Substantial, and High assurance levels. CADA adds a fourth level: Sovereign. EU Sovereign certification requires:

Providers holding EU Sovereign certification would be the only providers eligible to host Pillar 1 mandatory workloads. This effectively creates a regulated market segment for EU AI infrastructure — one that AWS, Azure, and Google Cloud cannot participate in under their current corporate structures, regardless of how many EU-located data centres they operate.

What CADA Does Not Do

Understanding the proposal's limits is as important as understanding its scope.

CADA does not affect non-AI cloud workloads immediately. The mandatory EU infrastructure requirements in Pillar 1 apply specifically to EU AI Act Annex III high-risk AI systems. General-purpose cloud hosting — static sites, standard web applications, databases without AI processing — is not in scope for the mandatory requirements in the initial proposal.

CADA does not require existing systems to migrate immediately. The proposal includes transition periods: existing Annex III AI systems have 24 months from CADA's entry into force to demonstrate compliance. New systems deployed after CADA's entry into force must comply from day one.

CADA does not create new data localisation requirements for GDPR purposes. GDPR's data localisation rules remain unchanged. CADA's infrastructure requirements are EU AI Act compliance requirements, not GDPR amendments — though the two frameworks are increasingly aligned in practice.

CADA is not yet law. The May 27 proposal is the start of EU's ordinary legislative procedure. Typical timelines: 18–36 months from Commission proposal to Council and Parliament agreement, followed by an entry-into-force period. Realistically, CADA will not bind anyone before Q4 2027 at the earliest.

Why EU Developers Need to Act Before CADA Passes

The 24-month transition period in the CADA proposal sounds generous. It is not.

Infrastructure migration timelines are longer than compliance windows. Moving a production AI system from AWS to EU-sovereign infrastructure is not a weekend task. It involves re-training or re-qualifying model artifacts, rebuilding data pipelines on EU infrastructure, re-certifying under the new EUCS Sovereign scheme, and updating technical documentation for notified body review. Teams that start this migration when CADA passes will run out of transition time.

CADA's requirements align with requirements that are already in force. EU AI Act Article 9's risk management obligations — including the Schrems II-derived argument that CLOUD Act exposure is a foreseeable risk to fundamental rights — already apply to Annex III systems from August 2, 2026. NIS2's supply chain risk requirements for operators of essential services already apply. DORA's ICT third-party risk requirements for financial entities already apply.

CADA does not create new compliance obligations for EU-law-compliant organisations. It codifies and hardens obligations that already exist as best-practice requirements.

The supply side is already moving. Hetzner announced a 30–37% price increase in April 2026, reflecting EU datacenter demand outpacing supply. OVHcloud, Scaleway, and Clever Cloud all reported capacity waitlists for GPU instances in Q1 2026. If CADA's datacenter buildout subsidies create 150–200 billion euros of new EU capacity, that will take 3–5 years to come online. The demand-supply imbalance is the present reality.

Early adopters get better pricing and better support. EU-sovereign cloud providers are small enough today that enterprise customers get direct engineering relationships. That changes at scale.

The Infrastructure Architecture CADA Compliance Requires

For EU developers building AI systems that will be subject to CADA's Pillar 1 requirements, the architectural question is: what does a CADA-compliant infrastructure stack look like?

At minimum:

Compute: EU-incorporated cloud provider for training and inference. Providers incorporated in non-EU jurisdictions but operating EU data centres — AWS EU, Azure Germany, Google Frankfurt — do not qualify. EU-incorporated providers include OVHcloud 🇫🇷, Scaleway 🇫🇷, Clever Cloud 🇫🇷, Hetzner 🇩🇪, IONOS 🇩🇪, and platform-as-a-service providers like sota.io 🇩🇪 built on EU-native infrastructure.

Storage: EU-jurisdiction object storage and block storage. Same incorporation requirement applies.

Container and orchestration layer: If you are using a managed Kubernetes or container platform, the management plane must be operated by an EU-incorporated entity. Using AWS EKS or Azure AKS routes management API traffic through US-jurisdiction systems even if worker nodes are in EU regions.

CI/CD pipeline: Build and test infrastructure must also be EU-jurisdiction. Training runs that pass through US-jurisdiction CI systems expose training artifacts to CLOUD Act compelled disclosure.

Model registry: Model weights, training artifacts, and evaluation datasets must be stored in EU-jurisdiction storage with access controls that prevent foreign government access.

The pattern is clear: it is not sufficient to use an EU-located data centre. Every layer of the stack needs to be operated by an EU-incorporated entity. The US CLOUD Act obligation travels with the company's incorporation, not with the physical location of its servers.

How This Intersects With EU AI Act and GDPR Today

The three frameworks — GDPR, EU AI Act, and the coming CADA — are converging on the same requirement from different directions.

GDPR Article 44 prohibits transfers of personal data to countries without adequate protection (Chapter V). The US-EU Data Privacy Framework (2023) provides adequacy for companies that self-certify under it, but self-certification is voluntary and the framework is subject to the same Court of Justice challenges that struck down Safe Harbor (2015) and Privacy Shield (2020). Organisations that are risk-averse about a third CJEU ruling build on EU-incorporated infrastructure rather than relying on adequacy decisions.

EU AI Act Article 9 requires management of foreseeable legal risks for high-risk AI systems. CLOUD Act exposure on US infrastructure is a foreseeable legal risk. EU AI Act hosting compliance is not theoretical — the August 2026 deadline for Annex III systems is less than four months away.

CADA (proposed May 27) will harden this from "foreseeable risk requiring documentation" to "disqualifying factor for conformity assessment."

The direction of travel is unambiguous. The question is whether you build compliant infrastructure now — on your timeline, with room for testing and migration — or whether you build it under pressure during a compliance window.

What EU Developers Who Are Not Building AI Systems Should Know

CADA's mandatory EU infrastructure requirements target high-risk AI systems. But CADA's second-order effects apply to all EU developers.

The Sovereign certification scheme (Pillar 3) will become a procurement requirement. EU public sector entities — hospitals, municipalities, government agencies — are already under political pressure to use EU-sovereign cloud providers. CADA's Sovereign certification creates the standard that public procurement frameworks will reference. If you build software for EU public sector clients, your infrastructure choices will need to match the Sovereign certification requirements of your clients' procurement frameworks, whether or not your application is itself an AI system.

The datacenter buildout (Pillar 2) will shift the price and performance balance. EU-native cloud providers currently have a price premium over US hyperscalers for comparable compute. CADA's €150–200 billion capacity buildout, combined with permitting acceleration and state aid authorisation, will compress that premium over the 2027–2030 timeframe. Organisations that adopt EU-native infrastructure today will have established EU-sovereign operating practices before the price inflection arrives.

Practical Starting Points

For teams who want to move ahead of the CADA proposal:

Map your AI system stack against Annex III. If any of your systems fall within the EU AI Act's high-risk categories, map where your training data, compute, inference, and audit infrastructure currently sits. Identify which components are operated by US-incorporated entities.

Evaluate EU-native alternatives at each layer. For PaaS/container deployment: sota.io, Clever Cloud, Scaleway App Engine. For storage: OVHcloud Object Storage, Scaleway Object Storage, Hetzner Storage Box. For managed databases: Aiven 🇫🇮 (EU-incorporated), Supabase EU-hosted, ElephantSQL.

Start with non-sensitive workloads. Migration risk is lowest on stateless applications and static APIs. Moving these to EU-native infrastructure first gives your team experience with the operational differences before you migrate training pipelines.

Build EU infrastructure requirements into new projects. Projects starting today that use EU-native infrastructure from day one have zero migration cost. Projects that take the expedient path and start on AWS or Azure will pay the migration cost later, under compliance pressure.

The EU CADA proposal will land May 27, 2026. By the time it passes into law, the teams that start now will have been running on CADA-compliant infrastructure for 18–24 months. That is the compliance buffer that matters.

sota.io deploys your containers on EU-incorporated infrastructure in Germany. No CLOUD Act exposure. No US parent company. Compliant with GDPR, EU AI Act Article 9 risk management requirements, and the coming CADA sovereign infrastructure standard. Free tier available.